FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Store User Specific value in the secure NVM

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

Store User Specific value in the secure NVM

Jump to solution
‎04-28-2024 09:57 PM
732 Views
shravani
Contributor II

Hi,

I want to store some user specific data such as HASH and CMAC Tag to secure NVM. Is it possible to store? If yes, how could I achieve this?

0 Kudos
Reply
1 Solution

Jump to solution
‎05-03-2024 04:17 AM
632 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.

View solution in original post

0 Kudos
Reply
10 Replies

Jump to solution
‎04-29-2024 06:40 AM
712 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

I already wrote to your colleague:

"Please don't use the import/export key to save the data,  import key when the key slot is not empty is required to encrypt the plain data of the key value. The export key value is also encrypted and needs decrypted it if needed to get the plain text. It's a rather troublesome operation, and the keys may be damaged because of some ECC error trigger by unexpected reset or power down.

A workaround could be to use HSE to encrypt a defined NVM region and use SMR services for verification."

Regards,

Lukas

0 Kudos
Reply

Jump to solution
‎04-29-2024 08:19 PM
702 Views
shravani
Contributor II

Hi @lukaszadrapa 

Thanks for the reply.
My question here is for user specific data not for keys. Lets say I want to store hash value to secure NVM, is it possible ? How could I save it?

Tags (1)
0 Kudos
Reply

Jump to solution
‎05-01-2024 11:47 PM
677 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

That's what I wrote - we don't recommend this. Please use described workaround.

Regards,

Lukas

0 Kudos
Reply

Jump to solution
‎05-01-2024 11:53 PM
673 Views
shravani
Contributor II

Hi @lukaszadrapa ,

Can you please elaborate more?  Actually, I am not getting the workaround you have suggested.

0 Kudos
Reply

Jump to solution
‎05-02-2024 10:19 PM
659 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Well, you can designate some flash area for the secure data. When you are going to program the data to flash, encrypt the data first. Once the data are programmed, you can configure SMR (for advanced secure boot mode) to cover this region for verification of the data.
When you want to read the data - just read it and decrypt it.
When you want to update the data - encrypt new data, erase the flash, program the encrypted data, update SMR.

For more details about the advanced secure boot, take a look at Secure Boot application note:
https://www.nxp.com/products/processors-and-microcontrollers/s32-automotive-platform/s32k-auto-gener...
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)

0 Kudos
Reply

Jump to solution
‎05-02-2024 10:31 PM
654 Views
shravani
Contributor II
Hi @lukaszadrapa,

I am using SHE based secure boot. Can we perform same operation with SHE based secure boot?
0 Kudos
Reply

Jump to solution
‎05-03-2024 04:17 AM
633 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.

0 Kudos
Reply

Jump to solution
‎05-08-2024 02:47 AM
505 Views
shravani
Contributor II

Hi @lukaszadrapa,

Can we use crypto key element persist feature to store user values to secure NVM?

shravani_0-1715161489713.pngshravani_1-1715161543209.png

 

I was checking Crypto driver persistent information in the RTD_CRYPTO_UM.pdf document. But I am confused. Please let me know your thoughts on this.

Tags (1)
0 Kudos
Reply

Jump to solution
‎05-09-2024 01:38 AM
474 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

this is how the CryptoKeyElementPersist works:

lukaszadrapa_0-1715243848956.png

You use HSE keys, so CryptoKeyElementPersist is ignored and you can load a key only to NVM or to RAM key catalog as usual.

Regards,

Lukas

0 Kudos
Reply

Jump to solution
‎05-03-2024 04:47 AM
625 Views
shravani
Contributor II
Thank you so much for the solution
0 Kudos
Reply