- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
Hello NXP Team,
I’m testing Basic Secure Boot on S32K344. I have extended the sample image S32K344_SecureBootBlinky.bin (AppBootHeader + App) to 0x40 + 0x1000 bytes. I’m trying to write a PC-side GMAC calculation tool so that the tag I compute matches what HSE produces, but so far I cannot obtain the same GMAC tag as HSE.
Could you please provide a PC-side reference implementation (any language is fine; C or Python would be ideal) that reproduces the HSE GMAC for Basic Secure Boot?
Because I cannot share my actual IV and ADKP, please feel free to choose arbitrary test values. A minimal package with:
Short test payload (binary),
Example ADKP (16 bytes) and the exact key derivation used by Basic Secure Boot,
IV (12 bytes),
Expected GMAC tag (16 bytes),
And the required image layout (including where/how to place IV and tag at the end)
would be perfect.
Attachment: my extended S32K344_SecureBootBlinky binary (AppBootHeader + App = 0x40 + 0x1000).
If there is already an official PC-side example or a validated test vector for S32K344 Basic Secure Boot, a link or zip would be greatly appreciated.
Thank you for your support!
已解决! 转到解答。
lukaszadrapa
Hi @mws
This is not something what we should provide but I spent some time on this because it's useful for me too. See attached python script. It contains ADKP (it's the same as in HSE_DemoExamples because I have already programmed this on my board). Then it expects file image.bin (pure binary format). It should contain the header+image+IV. The result can be found in generated gmac_tag.txt.
It works on my side, I got the same GMAC as generated by HSE using service hseBootDataImageSignSrv_t. I reused example S32K344_Basic_SecureBoot which uses hseBootDataImageSignSrv_t to generate IV and GMAC. And it also programs it behind the image. Then I just exported header+image+IV to binary file and use that to develop the script. When calculating GMAC externally, user needs to provide the IV. You can either provide IV in the bin file as I did or you can change the script as necessary.
Regards,
Lukas
lukaszadrapa
Hi @mws
This is not something what we should provide but I spent some time on this because it's useful for me too. See attached python script. It contains ADKP (it's the same as in HSE_DemoExamples because I have already programmed this on my board). Then it expects file image.bin (pure binary format). It should contain the header+image+IV. The result can be found in generated gmac_tag.txt.
It works on my side, I got the same GMAC as generated by HSE using service hseBootDataImageSignSrv_t. I reused example S32K344_Basic_SecureBoot which uses hseBootDataImageSignSrv_t to generate IV and GMAC. And it also programs it behind the image. Then I just exported header+image+IV to binary file and use that to develop the script. When calculating GMAC externally, user needs to provide the IV. You can either provide IV in the bin file as I did or you can change the script as necessary.
Regards,
Lukas
