HSE S32K312 SHE based secure boot

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

HSE S32K312 SHE based secure boot

ソリューションへジャンプ
3,239件の閲覧回数
shravani
Contributor II

Hi,

I am trying to achieve SHE based secure boot using S32K312 microcontroller. My aim is to load the keys to secure NVM of HSE. For loading the keys, I am generating M1, M2 and M3 messages using Miyaguchi-Preneel Compression protocol and AES encryption. I am getting HSE_SRV_RSP_INVALID_PARAM as a response from HSE. 
Please check below details.
1) Microcontroller : S32K312_100MQFP

2) IDE: S32DS 3.5

 3) SDK Version: PlatformSDK_S32K3_2022_03

Steps I am following :

1) Key Catalogue Formatting -> Getting  HSE_SRV_RSP_OK 

2) Load She keys to Secure NVM

            2.1. Loading ECU_MASTER_KEY

                   2.1.1 Miyaguchi-Preneel Compression

                   API : Crypto_Exts_MPCompression(constArr, (uint32)(AES_BLOCK_SIZE * 2), K1, ConstOutLen)

                   Parameters: constArr -> const uint8_t *constArr This is input data

                                        (uint32)(AES_BLOCK_SIZE * 2) -> Size of input data which is 32 bytes.

                                        K1 ->  const uint8_t K1[AES_BLOCK_SIZE * 2]; -> output

                                       ConstOutLen -> const uint32_t *ConstOutLen -> length of the output

Any help on this topic is highly recommended.

Thanks in advance.

 

      

 

 

 

 

0 件の賞賛
返信
1 解決策
3,204件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

I got attached test code which shows how to generate M1-M3 values using Crypto layer. There's a function Crypto_CalculatedM1M2M3().

Regards,

Lukas

元の投稿で解決策を見る

0 件の賞賛
返信
15 返答(返信)
3,196件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa 

 

Thank you so much for providing me with test code. I will try this.

 

Regards

Shravani

0 件の賞賛
返信
3,205件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

I got attached test code which shows how to generate M1-M3 values using Crypto layer. There's a function Crypto_CalculatedM1M2M3().

Regards,

Lukas

0 件の賞賛
返信
3,190件の閲覧回数
shravani
Contributor II
Hi @lukaszadrapa,

I got HSE_SRV_RSP_OK for Crypto_CalculatedM1M2M3(). but while calling Crypto_KeyElementSet(ECU_MASTER_KEY_ID, SHE_KEY_MATERIAL_ELEMENT_ID, KeyPram, SHE_M1M2M3_SIZE) I am getting HSE_SRV_RSP_KEY_INVALID.
ECU_MASTER_KEY_ID = 0
SHE_KEY_MATERIAL_ELEMENT_ID = 1
I have set HSE flag as VERIFY.
What could be the reason? Can you please guide me?
0 件の賞賛
返信
3,174件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

ECU_MASTER_KEY_ID is defined as 1 in the SHE spec. Isn't this the problem?

0 件の賞賛
返信
3,170件の閲覧回数
shravani
Contributor II

@lukaszadrapa ,

I tried with 1 as well but no change in results. Please check below configuration.

shravani_0-1712824534149.png

shravani_1-1712824600203.png

 

0 件の賞賛
返信
3,153件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

I'm not sure about this, I'm checking with SW team. It may take some time.

0 件の賞賛
返信
3,143件の閲覧回数
shravani
Contributor II

@lukaszadrapa Okay. Please let me know if you got anything on this topic. It's a bit urgent.

3,136件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa ,

 

What attributes should we set while loading SHE key to secure NVM. In the RM758221-HSE-B Firmware Reference Manual - V2.1(2.1).pdf it is mentioned as below. 

shravani_0-1712904659148.png

 However, In the configurator I cannot see the WILDCARD and KEY_USAGE flag.

shravani_1-1712904774091.png

 

Can you please guide me on this?

 

タグ(1)
0 件の賞賛
返信
2,926件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

You can set required flags when calculating M1-M3 values. The function is:

void Crypto_CalculatedM1M2M3(CONST(uint8, AUTOMATIC) authKey[16], uint8 authKeyId, uint8 keyId, CONST(uint8, AUTOMATIC) key[16], uint32 counter, CONST(uint8, AUTOMATIC) uid[15], uint8 flags, VAR(uint8, AUTOMATIC) KeyPram[64])

Parameter 'uint8 flags' should be used. The order of bits is:

lukaszadrapa_0-1713159539711.png

For example, if you want to set VERIFY_ONLY, the 'flags' should be 0x01.

There are no general rules which flags should be set, it depends on your requirements and on your application.

Regards,

Lukas

PS. Still waiting for response from SW team...

0 件の賞賛
返信
2,921件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa,
Thank you for the clarification.
I am getting HSE_SRV_RSP_KEY_INVALID while caling RetVal = Crypto_KeyElementSet(ECU_MASTER_KEY_ID, SHE_KEY_MATERIAL_ELEMENT_ID, KeyPram, 64)

for this error it says in SHE, the key ID provided is either invalid or non-usable due to some flag restrictions. */

I am following example which you shared Crypto_CalculatedM1M2M3 and giving the flag value as 0 and configured the value as VERIFY ONLY from the configurator for the key. I tried by changing these 0 values to 1 for but still error is same.

P.S. I am able to load the key in plain format. But when encryption is applied, error is coming.

0 件の賞賛
返信
2,804件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Some update: provided code was intended mainly for S32K1 and its CSEc. So, make sure that "CSEC" is not defined because EmptyKey needs to be all '0' for HSE:


#ifdef CSEC
static uint8 au8EmptyKey[SHE_KEY_SIZE] =
{
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
#else
/* Array to be passed to Crypto driver during various operations as output buffer */
static uint8 au8EmptyKey[SHE_KEY_SIZE] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
#endif


And next thing - CSEc on S32K1 has either 5 or 6 attribute key flags. SHE define 5 flags and there could be one more flag enabled (VERIFY_ONLY). HSE always expects 6 flags. But I can see that the code expects 5 flags only:

aM2Plain[3] |= (flags & 0x1e) >> 1U;
aM2Plain[4] |= (flags & 0x01) << 7U;

You can update it to this:
aM2Plain[3] |= (flags & 0x3c) >> 2U;
aM2Plain[4] |= (flags & 0x03) << 6U;

To understand where it goes - there's 28bit counter in M2 value and then the flags...

lukaszadrapa_0-1713363015197.png

But if you used flags=0, I don't think this will make a difference.

0 件の賞賛
返信
2,860件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa 

 

Have you got any update?

0 件の賞賛
返信
2,820件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Still waiting... I'm also checking if there's an option to provide direct support from local FAE team.

0 件の賞賛
返信
2,767件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa,

 

Can you share configuration file (.mex) for the SHE memory update protocol? So that I could check what I am doing wrong?

0 件の賞賛
返信
2,414件の閲覧回数
shravani
Contributor II

@lukaszadrapa 

 

I am able to load keys to secure NVM by adding key data in non-cacheable memory.

タグ(1)
0 件の賞賛
返信