S32K344 HSE-B - Booting from encrypted Secure Memory Region not possible

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

S32K344 HSE-B - Booting from encrypted Secure Memory Region not possible

578件の閲覧回数
jthelemann
Contributor II

Hello everyone,

currently I am trying to implement an "Advanced Secure Boot" mechanism on a S32K344 by configuring "Secure Memory Regions" (SMRs). I am already able to configure my bootloader software as SMR and link it to a corresponding "Core Reset" (CR) table entry. In the CR entry I defined a start address which lies in the SMR. After installing the SMR and CR the HSE boots my bootloader in a secure way from the given start address. 

Now I want to verify and boot from an encrypted SMR. I am also able to configure an encrypted version of my bootloader software with the corresponding HSE service. But now the problem is that nothing happens during the boot phase after I successfully configured the SMR and CR . 

Among other things my question is if it is possible to boot from an encrypted SMR and if the corresponding start address is executed in Flash or RAM.

In both cases (unencrypted and encrypted) I defined a destination RAM address where the SMR is loadedat first before it is verified and so on.

Hope you can help me to solve this problem.

Thanks!

 

0 件の賞賛
返信
2 返答(返信)

523件の閲覧回数
davidtosenovjan
NXP TechSupport
NXP TechSupport

I am forwarding related FAQ. Hope it helps

Q: Can I boot encrypted application images securely?
Yes. SMR supports an encryption scheme such confidentiality is also provided for the secure memory
region. The encryption can be carried out in two ways:
• Using AEAD-GCM with null AAD. In this scheme, the generated GMAC tag over the encrypted
image must also be provided with the SMR.
• Using AES-CTR. In this case HSE will generate at installation time the authenticity over the
encrypted image. The pGmacTag field is not used.
The encrypted SMR is a generic mechanism and works for any memory region that is loaded
(pSmrDest address is provided), independent of the scope (i.e. not only for boot images).
For more details, checkout hseSmrDecrypt_t structure and its usage within hseSmrEntry_t in the HSE
interface, along with SMR chapter in HSE RM.

0 件の賞賛
返信

472件の閲覧回数
jthelemann
Contributor II
Hi,

your approach does not solve my problem.
As I already mentioned: I am able to install encrypted SMRs but in my case, HSE only can boot from unencrypted boot images and not from encrypted. Currently I boot an uncrypted bootloader which carrys out a decryption from an encrypted application.
My goal is to boot this bootloader when its stored encrypted in flash memory.
0 件の賞賛
返信