Request for PC-side GMAC example for S32K344 Basic Secure Boot

mws
Contributor I

Hello NXP Team,

I’m testing Basic Secure Boot on S32K344. I have extended the sample image S32K344_SecureBootBlinky.bin (AppBootHeader + App) to 0x40 + 0x1000 bytes. I’m trying to write a PC-side GMAC calculation tool so that the tag I compute matches what HSE produces, but so far I cannot obtain the same GMAC tag as HSE.

Could you please provide a PC-side reference implementation (any language is fine; C or Python would be ideal) that reproduces the HSE GMAC for Basic Secure Boot?

Because I cannot share my actual IV and ADKP, please feel free to choose arbitrary test values. A minimal package with:

  • Short test payload (binary),

  • Example ADKP (16 bytes) and the exact key derivation used by Basic Secure Boot,

  • IV (12 bytes),

  • Expected GMAC tag (16 bytes),

  • And the required image layout (including where/how to place IV and tag at the end)
    would be perfect.

Attachment: my extended S32K344_SecureBootBlinky binary (AppBootHeader + App = 0x40 + 0x1000).

If there is already an official PC-side example or a validated test vector for S32K344 Basic Secure Boot, a link or zip would be greatly appreciated.

Thank you for your support!

lukaszadrapa
NXP TechSupport

Hi @mws 

This is not something that we should provide, but I spent some time on this because it's useful for me too. See the attached Python script. It contains ADKP (it's the same as in HSE_DemoExamples because I have already programmed this on my board). Then it expects a file image.bin (pure binary format). It should contain the header+image+IV. The result can be found in the generated gmac_tag.txt.

It works on my side; I got the same GMAC as generated by HSE using service hseBootDataImageSignSrv_t. I reused example S32K344_Basic_SecureBoot, which uses hseBootDataImageSignSrv_t to generate IV and GMAC. And it also programs it behind the image. Then I just exported header+image+IV to a binary file and used that to develop the script. When calculating GMAC externally, the user needs to provide the IV. You can either provide the IV in the bin file as I did or you can change the script as necessary.

Regards,

Lukas
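
The layout described in the reply above (header+image followed by a 12-byte IV, with a 16-byte GMAC tag as output), as an added example that is not the attached script and not NXP code. Assumptions: the AES key is passed in directly because the thread does not show how it is derived from ADKP, header+image is authenticated as AAD with an empty plaintext, the function names are hypothetical, and the key and image bytes are constructed test values.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

IV_LEN, TAG_LEN = 12, 16  # sizes named in the thread


def gmac(key: bytes, iv: bytes, data: bytes) -> bytes:
    """GMAC is AES-GCM with an empty plaintext; the data is passed as AAD."""
    # encrypt() returns ciphertext || tag, so with no plaintext it is the tag alone.
    return AESGCM(key).encrypt(iv, b"", data)


def split_blob(blob: bytes) -> tuple[bytes, bytes]:
    """Split header+image+IV into (header+image, IV). Layout is an assumption."""
    if len(blob) <= IV_LEN:
        raise ValueError("blob must hold data followed by a 12-byte IV")
    return blob[:-IV_LEN], blob[-IV_LEN:]


def tag_for_blob(key: bytes, blob: bytes) -> bytes:
    data, iv = split_blob(blob)
    return gmac(key, iv, data)


def verify_blob(key: bytes, blob: bytes, tag: bytes) -> bool:
    """Check a tag through GCM decrypt, which compares it in constant time."""
    data, iv = split_blob(blob)
    if len(tag) != TAG_LEN:
        return False
    try:
        AESGCM(key).decrypt(iv, tag, data)
        return True
    except InvalidTag:
        return False


def sample_blob() -> bytes:
    """Constructed test input: 0x40-byte header, 0x1000-byte app, 12-byte IV."""
    header = bytes([0xA5]) * 0x40
    app = bytes(i & 0xFF for i in range(0x1000))
    iv = bytes(range(0x10, 0x10 + IV_LEN))
    return header + app + iv


if __name__ == "__main__":
    key = bytes(range(16))  # constructed placeholder, NOT an ADKP or an HSE-derived key
    tag = tag_for_blob(key, sample_blob())
    with open("gmac_tag.txt", "w") as fh:
        fh.write(tag.hex() + "\n")
    print("tag:", tag.hex(), "verifies:", verify_blob(key, sample_blob(), tag))
```

The tag only matches the one produced by HSE if `key` is the key HSE actually uses. A given IV must never be reused with the same key for a different image, since GMAC loses its authenticity guarantee on IV reuse.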

mws
Contributor I

It works! Thanks.