Request for PC-side GMAC example for S32K344 Basic Secure Boot

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

Request for PC-side GMAC example for S32K344 Basic Secure Boot

跳至解决方案
285 次查看
mws
Contributor I

Hello NXP Team,

I’m testing Basic Secure Boot on S32K344. I have extended the sample image S32K344_SecureBootBlinky.bin (AppBootHeader + App) to 0x40 + 0x1000 bytes. I’m trying to write a PC-side GMAC calculation tool so that the tag I compute matches what HSE produces, but so far I cannot obtain the same GMAC tag as HSE.

Could you please provide a PC-side reference implementation (any language is fine; C or Python would be ideal) that reproduces the HSE GMAC for Basic Secure Boot?

Because I cannot share my actual IV and ADKP, please feel free to choose arbitrary test values. A minimal package with:

  • Short test payload (binary),

  • Example ADKP (16 bytes) and the exact key derivation used by Basic Secure Boot,

  • IV (12 bytes),

  • Expected GMAC tag (16 bytes),

  • And the required image layout (including where/how to place IV and tag at the end)
    would be perfect.

Attachment: my extended S32K344_SecureBootBlinky binary (AppBootHeader + App = 0x40 + 0x1000).

If there is already an official PC-side example or a validated test vector for S32K344 Basic Secure Boot, a link or zip would be greatly appreciated.

Thank you for your support!

0 项奖励
回复
1 解答
232 次查看
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @mws 

This is not something what we should provide but I spent some time on this because it's useful for me too. See attached python script. It contains ADKP (it's the same as in HSE_DemoExamples because I have already programmed this on my board). Then it expects file image.bin (pure binary format). It should contain the header+image+IV. The result can be found in generated gmac_tag.txt. 

It works on my side, I got the same GMAC as generated by HSE using service hseBootDataImageSignSrv_t. I reused example S32K344_Basic_SecureBoot which uses hseBootDataImageSignSrv_t to generate IV and GMAC. And it also programs it behind the image. Then I just exported header+image+IV to binary file and use that to develop the script. When calculating GMAC externally, user needs to provide the IV. You can either provide IV in the bin file as I did or you can change the script as necessary. 

Regards,

Lukas

在原帖中查看解决方案

0 项奖励
回复
2 回复数
233 次查看
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @mws 

This is not something what we should provide but I spent some time on this because it's useful for me too. See attached python script. It contains ADKP (it's the same as in HSE_DemoExamples because I have already programmed this on my board). Then it expects file image.bin (pure binary format). It should contain the header+image+IV. The result can be found in generated gmac_tag.txt. 

It works on my side, I got the same GMAC as generated by HSE using service hseBootDataImageSignSrv_t. I reused example S32K344_Basic_SecureBoot which uses hseBootDataImageSignSrv_t to generate IV and GMAC. And it also programs it behind the image. Then I just exported header+image+IV to binary file and use that to develop the script. When calculating GMAC externally, user needs to provide the IV. You can either provide IV in the bin file as I did or you can change the script as necessary. 

Regards,

Lukas

0 项奖励
回复
96 次查看
mws
Contributor I
it's work! thanks
0 项奖励
回复