Store User Specific value in the secure NVM

Solved

shravani
Contributor II

Hi,

I want to store some user specific data such as HASH and CMAC Tag to secure NVM. Is it possible to store? If yes, how could I achieve this?

lukaszadrapa
NXP TechSupport

Hi @shravani 

I already wrote to your colleague:

"Please don't use the import/export key to save the data. Importing a key when the key slot is not empty requires encrypting the plain data of the key value. The export key value is also encrypted and needs to be decrypted to get the plain text. It's a rather troublesome operation, and the keys may be damaged because of some ECC error triggered by an unexpected reset or power down.

A workaround could be to use HSE to encrypt a defined NVM region and use SMR services for verification."

Regards,

Lukas

shravani
Contributor II

Hi @lukaszadrapa 

Thanks for the reply.
My question here is about user-specific data, not keys. Let's say I want to store a hash value in secure NVM, is it possible? How could I save it?

lukaszadrapa
NXP TechSupport

That's what I wrote - we don't recommend this. Please use the described workaround.

Regards,

Lukas

shravani
Contributor II

Hi @lukaszadrapa ,

Can you please elaborate more? Actually, I am not getting the workaround you have suggested.

lukaszadrapa
NXP TechSupport

Well, you can designate some flash area for the secure data. When you are going to program the data to flash, encrypt the data first. Once the data are programmed, you can configure SMR (for advanced secure boot mode) to cover this region for verification of the data.
When you want to read the data - just read it and decrypt it.
When you want to update the data - encrypt new data, erase the flash, program the encrypted data, update SMR.

For more details about the advanced secure boot, take a look at Secure Boot application note:
https://www.nxp.com/products/processors-and-microcontrollers/s32-automotive-platform/s32k-auto-gener...
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)

shravani
Contributor II
Hi @lukaszadrapa,

I am using SHE based secure boot. Can we perform same operation with SHE based secure boot?
lukaszadrapa
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.
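
Added example, not part of the original posts and not NXP code: a host-side Python model of the scheme described in the two replies above (encrypt the data before programming it, verify its CMAC at boot, then report CMD_BOOT_OK or CMD_BOOT_FAILURE). The `cryptography` package, AES-CTR, the IV || ciphertext || tag layout, the demo keys and all function names are assumptions; on the device the keys stay inside SHE/HSE and the hardware computes the CMAC.

```python
# Added example: host-side model only, not firmware and not NXP driver code.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

IV_LEN = TAG_LEN = 16  # assumed layout: IV || ciphertext || CMAC(IV || ciphertext)
# Constructed demo keys; real keys live in SHE/HSE key slots, not in software.
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 32))

def _cmac(data):
    ctx = cmac.CMAC(algorithms.AES(MAC_KEY))
    ctx.update(data)
    return ctx

def seal_region(plaintext, iv):
    """Update path: encrypt first, then MAC exactly what goes to flash.
    The IV must be fresh for every update because CTR mode is used."""
    enc = Cipher(algorithms.AES(ENC_KEY), modes.CTR(iv)).encryptor()
    body = iv + enc.update(plaintext) + enc.finalize()
    return body + _cmac(body).finalize()

def verify_region(image):
    """True only if the stored tag matches the CMAC of the region body."""
    if len(image) < IV_LEN + TAG_LEN:
        return False  # erased or truncated region fails closed
    try:
        _cmac(image[:-TAG_LEN]).verify(image[-TAG_LEN:])  # constant-time compare
        return True
    except InvalidSignature:
        return False

def open_region(image):
    """Read path: never decrypt data that did not verify."""
    if not verify_region(image):
        raise ValueError("secure data region failed CMAC verification")
    iv, ct = image[:IV_LEN], image[IV_LEN:-TAG_LEN]
    dec = Cipher(algorithms.AES(ENC_KEY), modes.CTR(iv)).decryptor()
    return dec.update(ct) + dec.finalize()

def bootloader_stage(regions):
    """Manual stage after the autonomous check: one final status for SHE."""
    ok = all(verify_region(img) for img in regions)
    return "CMD_BOOT_OK" if ok else "CMD_BOOT_FAILURE"
```
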

shravani
Contributor II

Hi @lukaszadrapa,

Can we use crypto key element persist feature to store user values to secure NVM?

[Images: shravani_0-1715161489713.png, shravani_1-1715161543209.png]

I was checking Crypto driver persistent information in the RTD_CRYPTO_UM.pdf document. But I am confused. Please let me know your thoughts on this.

lukaszadrapa
NXP TechSupport

Hi @shravani 

This is how the CryptoKeyElementPersist works:

[Image: lukaszadrapa_0-1715243848956.png]

You use HSE keys, so CryptoKeyElementPersist is ignored and you can load a key only to NVM or to RAM key catalog as usual.

Regards,

Lukas

shravani
Contributor II
Thank you so much for the solution