S32K344 HSE-B - Booting from encrypted Secure Memory Region not possible

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

S32K344 HSE-B - Booting from encrypted Secure Memory Region not possible

540 Views
jthelemann
Contributor II

Hello everyone,

currently I am trying to implement an "Advanced Secure Boot" mechanism on a S32K344 by configuring "Secure Memory Regions" (SMRs). I am already able to configure my bootloader software as SMR and link it to a corresponding "Core Reset" (CR) table entry. In the CR entry I defined a start address which lies in the SMR. After installing the SMR and CR the HSE boots my bootloader in a secure way from the given start address. 

Now I want to verify and boot from an encrypted SMR. I am also able to configure an encrypted version of my bootloader software with the corresponding HSE service. But now the problem is that nothing happens during the boot phase after I successfully configured the SMR and CR . 

Among other things my question is if it is possible to boot from an encrypted SMR and if the corresponding start address is executed in Flash or RAM.

In both cases (unencrypted and encrypted) I defined a destination RAM address where the SMR is loadedat first before it is verified and so on.

Hope you can help me to solve this problem.

Thanks!

 

0 Kudos
Reply
2 Replies

485 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

I am forwarding related FAQ. Hope it helps

Q: Can I boot encrypted application images securely?
Yes. SMR supports an encryption scheme such confidentiality is also provided for the secure memory
region. The encryption can be carried out in two ways:
• Using AEAD-GCM with null AAD. In this scheme, the generated GMAC tag over the encrypted
image must also be provided with the SMR.
• Using AES-CTR. In this case HSE will generate at installation time the authenticity over the
encrypted image. The pGmacTag field is not used.
The encrypted SMR is a generic mechanism and works for any memory region that is loaded
(pSmrDest address is provided), independent of the scope (i.e. not only for boot images).
For more details, checkout hseSmrDecrypt_t structure and its usage within hseSmrEntry_t in the HSE
interface, along with SMR chapter in HSE RM.

0 Kudos
Reply

434 Views
jthelemann
Contributor II
Hi,

your approach does not solve my problem.
As I already mentioned: I am able to install encrypted SMRs but in my case, HSE only can boot from unencrypted boot images and not from encrypted. Currently I boot an uncrypted bootloader which carrys out a decryption from an encrypted application.
My goal is to boot this bootloader when its stored encrypted in flash memory.
0 Kudos
Reply