Hi,
I want to store some user specific data such as HASH and CMAC Tag to secure NVM. Is it possible to store? If yes, how could I achieve this?
Solved! Go to Solution.
Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.
Hi @shravani
I already wrote to your colleague:
"Please don't use the import/export key to save the data, import key when the key slot is not empty is required to encrypt the plain data of the key value. The export key value is also encrypted and needs decrypted it if needed to get the plain text. It's a rather troublesome operation, and the keys may be damaged because of some ECC error trigger by unexpected reset or power down.
A workaround could be to use HSE to encrypt a defined NVM region and use SMR services for verification."
Regards,
Lukas
Thanks for the reply.
My question here is for user specific data not for keys. Lets say I want to store hash value to secure NVM, is it possible ? How could I save it?
That's what I wrote - we don't recommend this. Please use described workaround.
Regards,
Lukas
Hi @lukaszadrapa ,
Can you please elaborate more? Actually, I am not getting the workaround you have suggested.
Well, you can designate some flash area for the secure data. When you are going to program the data to flash, encrypt the data first. Once the data are programmed, you can configure SMR (for advanced secure boot mode) to cover this region for verification of the data.
When you want to read the data - just read it and decrypt it.
When you want to update the data - encrypt new data, erase the flash, program the encrypted data, update SMR.
For more details about the advanced secure boot, take a look at Secure Boot application note:
https://www.nxp.com/products/processors-and-microcontrollers/s32-automotive-platform/s32k-auto-gener...
Application note can be found here:
Documentation -> Secure Files -> Secure Boot Application note v0.1.1.0 (AN744511)
Associated demo project can be downloaded here:
Design Resources -> Software -> Secure Files -> SecureBootAppNoteDemo (SW745310)
Yes, this can be done also with SHE secure boot.
In case of SHE secure boot, you can define one region only. So, first option is to have everything in one block to be checked by the SHE secure boot - i.e. bootloader + secure data, for example.
Second option is to create a chain of trust. That means the autonomous SHE secure boot will check bootloader only. Then the bootloader can check CMAC of your secure data (and probably also CMAC of your application). If the check passes, execute CMD_BOOT_OK command to finish the SHE secure boot. If the check fails, execute CMD_BOOT_FAILURE.
This is defined by SHE specification - first stage of the secure boot is autonomous and the others can be done manually. The final status is then provided to SHE by CMD_BOOT_OK or CMD_BOOT_FAILURE commands.
Hi @lukaszadrapa,
Can we use crypto key element persist feature to store user values to secure NVM?
I was checking Crypto driver persistent information in the RTD_CRYPTO_UM.pdf document. But I am confused. Please let me know your thoughts on this.
Hi @shravani
this is how the CryptoKeyElementPersist works:
You use HSE keys, so CryptoKeyElementPersist is ignored and you can load a key only to NVM or to RAM key catalog as usual.
Regards,
Lukas