Store User Specific value in the secure NVM

shravani
Contributor II

Hi,

I want to store some user specific data such as HASH and CMAC Tag to secure NVM. Is it possible to store? If yes, how could I achieve this?

lukaszadrapa
NXP TechSupport

Hi @shravani 

I already wrote to your colleague:

"Please don't use the import/export key to save the data. Importing a key when the key slot is not empty requires the plain data of the key value to be encrypted. The exported key value is also encrypted and needs to be decrypted if the plain text is needed. It's a rather troublesome operation, and the keys may be damaged because of some ECC error triggered by an unexpected reset or power down.

A workaround could be to use HSE to encrypt a defined NVM region and use SMR services for verification."

Regards,

Lukas

shravani
Contributor II

Hi @lukaszadrapa 

Thanks for the reply.
My question here is for user specific data, not for keys. Let's say I want to store a hash value to secure NVM, is it possible? How could I save it?

lukaszadrapa
NXP TechSupport

That's what I wrote - we don't recommend this. Please use the described workaround.

Regards,

Lukas

shravani
Contributor II

Hi @lukaszadrapa ,

Can you please elaborate more? Actually, I am not getting the workaround you have suggested.

lukaszadrapa
NXP TechSupport

Well, you can designate some flash area for the secure data. When you are going to program the data to flash, encrypt the data first. Once the data are programmed, you can configure SMR (for advanced secure boot mode) to cover this region for verification of the data.
When you want to read the data - just read it and decrypt it.
When you want to update the data - encrypt new data, erase the flash, program the encrypted data, update SMR.

For more details about the advanced secure boot, take a look at Secure Boot application note:
https://www.nxp.com/products/processors-and-microcontrollers/s32-automotive-platform/s32k-auto-gener...
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)

shravani
Contributor II
Hi @lukaszadrapa,

I am using SHE based secure boot. Can we perform the same operation with SHE based secure boot?
lukaszadrapa
NXP TechSupport

Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.

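The chain-of-trust option from the reply above, as an added example (not code from the thread or from NXP): the bootloader checks a CMAC-tagged data record and derives the final status it would report with CMD_BOOT_OK or CMD_BOOT_FAILURE. The record layout, `REC_MAGIC`, `cmac_fn`, `check_secure_data`, `demo_result` and the host-only `demo_cmac` stand-in are assumptions; on target the callback would wrap the device's CMAC service.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TAG_LEN   16u
#define HDR_LEN   (8u + TAG_LEN)   /* magic(4) | len(4) | tag(16) | payload... (assumed layout) */
#define REC_MAGIC 0x53444154u      /* constructed marker, not an NXP value */
enum boot_cmd { CMD_BOOT_FAILURE = 0, CMD_BOOT_OK = 1 }; /* status the bootloader reports to SHE */
/* Hypothetical wrapper around the hardware CMAC engine; returns 0 on success. */
typedef int (*cmac_fn)(const uint8_t *msg, size_t len, uint8_t tag[TAG_LEN]);

/* Host-only stand-in so the flow runs off-target. NOT a real MAC. */
static int demo_cmac(const uint8_t *msg, size_t len, uint8_t tag[TAG_LEN]) {
    memset(tag, 0xA5, TAG_LEN);
    for (size_t i = 0; i < len; i++)
        tag[i % TAG_LEN] = (uint8_t)((tag[i % TAG_LEN] ^ msg[i]) * 31u + i);
    return 0;
}

static uint32_t rd32(const uint8_t *p) {   /* little-endian read, no alignment assumption */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Second-stage check run by the bootloader; every error path fails closed. */
static enum boot_cmd check_secure_data(const uint8_t *region, size_t size, cmac_fn cmac) {
    uint8_t calc[TAG_LEN], diff = 0;
    if (region == NULL || cmac == NULL || size < HDR_LEN) return CMD_BOOT_FAILURE;
    if (rd32(region) != REC_MAGIC) return CMD_BOOT_FAILURE;          /* erased or foreign flash */
    uint32_t len = rd32(region + 4);
    if (len == 0 || len > size - HDR_LEN) return CMD_BOOT_FAILURE;   /* length must stay in region */
    if (cmac(region + HDR_LEN, len, calc) != 0) return CMD_BOOT_FAILURE;
    for (size_t i = 0; i < TAG_LEN; i++) diff |= (uint8_t)(calc[i] ^ region[8 + i]); /* no early exit */
    return diff == 0 ? CMD_BOOT_OK : CMD_BOOT_FAILURE;
}

/* Builds a constructed record in RAM, optionally tampers with it, and runs the check.
   tamper: 0 = none, 1 = flip a payload bit, 2 = oversized length field, 3 = flip a tag bit. */
static enum boot_cmd demo_result(int tamper) {
    static const uint8_t payload[] = "constructed user hash value";
    uint8_t rec[HDR_LEN + sizeof payload] = {0};
    const uint32_t m = REC_MAGIC, n = sizeof payload;
    for (int i = 0; i < 4; i++) { rec[i] = (uint8_t)(m >> (8 * i)); rec[4 + i] = (uint8_t)(n >> (8 * i)); }
    memcpy(rec + HDR_LEN, payload, sizeof payload);
    demo_cmac(rec + HDR_LEN, sizeof payload, rec + 8);   /* tag written when the data is programmed */
    if (tamper == 1) rec[HDR_LEN] ^= 0x01;
    if (tamper == 2) memset(rec + 4, 0xFF, 4);
    if (tamper == 3) rec[8] ^= 0x80;
    return check_secure_data(rec, sizeof rec, demo_cmac);
}

int main(void) { return demo_result(0) == CMD_BOOT_OK ? 0 : 1; }
```
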
shravani
Contributor II

Hi @lukaszadrapa,

Can we use the crypto key element persist feature to store user values to secure NVM?

[Attached screenshots: shravani_0-1715161489713.png, shravani_1-1715161543209.png]

I was checking Crypto driver persistent information in the RTD_CRYPTO_UM.pdf document. But I am confused. Please let me know your thoughts on this.

lukaszadrapa
NXP TechSupport

Hi @shravani 

This is how CryptoKeyElementPersist works:

[Attached screenshot: lukaszadrapa_0-1715243848956.png]

You use HSE keys, so CryptoKeyElementPersist is ignored and you can load a key only to NVM or to RAM key catalog as usual.

Regards,

Lukas

shravani
Contributor II
Thank you so much for the solution