ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Store User Specific value in the secure NVM

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 
解決済み
ソリューションへジャンプ

Store User Specific value in the secure NVM

ソリューションへジャンプ
‎04-28-2024 09:57 PM
864件の閲覧回数
shravani
Contributor II

Hi,

I want to store some user specific data such as HASH and CMAC Tag to secure NVM. Is it possible to store? If yes, how could I achieve this?

0 件の賞賛
返信
1 解決策

ソリューションへジャンプ
‎05-03-2024 04:17 AM
764件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.

元の投稿で解決策を見る

0 件の賞賛
返信
10 返答(返信)

ソリューションへジャンプ
‎04-29-2024 06:40 AM
844件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

I already wrote to your colleague:

"Please don't use the import/export key to save the data,  import key when the key slot is not empty is required to encrypt the plain data of the key value. The export key value is also encrypted and needs decrypted it if needed to get the plain text. It's a rather troublesome operation, and the keys may be damaged because of some ECC error trigger by unexpected reset or power down.

A workaround could be to use HSE to encrypt a defined NVM region and use SMR services for verification."

Regards,

Lukas

0 件の賞賛
返信

ソリューションへジャンプ
‎04-29-2024 08:19 PM
834件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa 

Thanks for the reply.
My question here is for user specific data not for keys. Lets say I want to store hash value to secure NVM, is it possible ? How could I save it?

タグ(1)
0 件の賞賛
返信

ソリューションへジャンプ
‎05-01-2024 11:47 PM
809件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

That's what I wrote - we don't recommend this. Please use described workaround.

Regards,

Lukas

0 件の賞賛
返信

ソリューションへジャンプ
‎05-01-2024 11:53 PM
805件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa ,

Can you please elaborate more?  Actually, I am not getting the workaround you have suggested.

0 件の賞賛
返信

ソリューションへジャンプ
‎05-02-2024 10:19 PM
791件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Well, you can designate some flash area for the secure data. When you are going to program the data to flash, encrypt the data first. Once the data are programmed, you can configure SMR (for advanced secure boot mode) to cover this region for verification of the data.
When you want to read the data - just read it and decrypt it.
When you want to update the data - encrypt new data, erase the flash, program the encrypted data, update SMR.

For more details about the advanced secure boot, take a look at Secure Boot application note:
https://www.nxp.com/products/processors-and-microcontrollers/s32-automotive-platform/s32k-auto-gener...
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)

0 件の賞賛
返信

ソリューションへジャンプ
‎05-02-2024 10:31 PM
786件の閲覧回数
shravani
Contributor II
Hi @lukaszadrapa,

I am using SHE based secure boot. Can we perform same operation with SHE based secure boot?
0 件の賞賛
返信

ソリューションへジャンプ
‎05-03-2024 04:17 AM
765件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.

0 件の賞賛
返信

ソリューションへジャンプ
‎05-08-2024 02:47 AM
637件の閲覧回数
shravani
Contributor II

Hi @lukaszadrapa,

Can we use crypto key element persist feature to store user values to secure NVM?

shravani_0-1715161489713.pngshravani_1-1715161543209.png

 

I was checking Crypto driver persistent information in the RTD_CRYPTO_UM.pdf document. But I am confused. Please let me know your thoughts on this.

タグ(1)
0 件の賞賛
返信

ソリューションへジャンプ
‎05-09-2024 01:38 AM
606件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @shravani 

this is how the CryptoKeyElementPersist works:

lukaszadrapa_0-1715243848956.png

You use HSE keys, so CryptoKeyElementPersist is ignored and you can load a key only to NVM or to RAM key catalog as usual.

Regards,

Lukas

0 件の賞賛
返信

ソリューションへジャンプ
‎05-03-2024 04:47 AM
757件の閲覧回数
shravani
Contributor II
Thank you so much for the solution
0 件の賞賛
返信