S32K314 HSE SHE SecureBoot CMAC Update


Daniel_Park
Contributor I

I am trying to use SHE secure boot.

I have loaded the MASTER_ECU_KEY and BOOT_MAC_KEY into the HSE’s NVM according to the reference manual.

As documented, when BOOT_MAC is empty, it is automatically computed and populated.

My concern arises when the firmware is updated and I need to update the BOOT_MAC for the new firmware.

The update procedure itself is clear and follows the same method used to load the MASTER_ECU_KEY and BOOT_MAC_KEY, so that part is not an issue.

The issue occurs during the BOOT_MAC calculation.

Specifically, when I set pFastCMacSrv->keyHandle to the BOOT_MAC_KEY handle, I receive the error shown below. I assume this is due to restrictions related to the special nature of SHE keys.

0xA5AA52B4UL
/**< @brief The key usage flags (provided using the key handle) don't allow to perform the requested crypto operation (the key flags don't match the crypto operation;
e.g. the key is configured to be used for decryption, and the host requested an encryption).
In SHE, the key ID provided is either invalid or non-usable due to some flag restrictions. */


Question: In the CMAC update flow, how should I obtain and use the appropriate CMAC key for the calculation if I cannot directly use the BOOT_MAC_KEY handle? Could you advise on the correct approach for computing the CMAC that will be used to update BOOT_MAC?

lukaszadrapa
NXP TechSupport

Hi @Daniel_Park 


BOOT_MAC_KEY can be used only for CMAC verify operation. All attempts to run different operation will lead to an error. It is also not possible to export BOOT_MAC_KEY in any way – this would violate SHE specification.

I can see two workarounds:

  1. Load the same key also into a normal key slot in the NVM catalog and use this one to generate the new CMAC.
  2. The new application should be distributed with the CMAC calculated offline, because I don't think it is a good idea to distribute an application without any signature. BOOT_MAC should not be calculated at runtime during the update. To calculate it offline, you can either use tools like OpenSSL or you can let the HSE calculate it in a development setup.

Regards,

Lukas

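The offline OpenSSL route from workaround 2, as an added example that is not part of either post: a POSIX shell helper that computes the AES-128 CMAC of a firmware image with the OpenSSL CLI and checks it against an expected value. It assumes `openssl` is installed; the key and message are the constructed RFC 4493 test vector, not a real BOOT_MAC_KEY, and which bytes the HSE covers when it verifies BOOT_MAC (for example whether a size field precedes the image) must be taken from the device reference manual.

```shell
#!/bin/sh
# Offline AES-128 CMAC over a firmware image, the value a SHE BOOT_MAC slot holds.
# Assumes the openssl CLI is available; SHE keys are AES-128, i.e. 32 hex characters.
set -e

# boot_mac_cmac KEY_HEX IMAGE_FILE -> prints the 16-byte CMAC as lowercase hex
boot_mac_cmac() {
    key_hex=$1
    image=$2
    if [ "${#key_hex}" -ne 32 ]; then
        echo "key must be exactly 32 hex characters (AES-128)" >&2
        return 1
    fi
    [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
    # MACs exactly the bytes in IMAGE_FILE. Whether the HSE prepends a size field
    # or covers a different range is defined by the reference manual (assumption).
    openssl dgst -mac cmac -macopt cipher:aes-128-cbc -macopt "hexkey:$key_hex" "$image" \
        | awk '{print tolower($NF)}'
}

# boot_mac_verify KEY_HEX IMAGE_FILE EXPECTED_HEX -> exit 0 if the CMAC matches,
# mirroring the only operation BOOT_MAC_KEY itself is allowed to perform (CMAC verify).
boot_mac_verify() {
    actual=$(boot_mac_cmac "$1" "$2") || return 1
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed demo: RFC 4493 AES-CMAC example 2 (16-byte message), written with
# POSIX octal escapes so it runs under dash as well as bash.
demo() {
    tmp=$(mktemp)
    printf '\153\301\276\342\056\100\237\226\351\075\176\021\163\223\027\052' > "$tmp"
    mac=$(boot_mac_cmac 2b7e151628aed2a6abf7158809cf4f3c "$tmp")
    rm -f "$tmp"
    printf '%s\n' "$mac"   # prints 070a16b46b4d4144f79bdd9dd04a287c
}
```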