SE050 authentication EC private key with i.MX6ULL

fvjdxe
Contributor I

Hello,

we are currently using the SE050 together with the i.MX6UL. We are using the CAAM blobs to securely store the authentication EC private key for the SE050 on the flash.

For another project we want to use the i.MX6ULL, which doesn't have the CAAM module and we are discussing what would be the best way to store the authentication EC private key for the SE050 there. We understand that we can't reach the same level of security as on the i.MX6UL.

Our current idea is to store an AES key in the CPU fuses that we then use to encrypt the authentication EC private key for the SE050 on the flash similarly to what the CAAM module would do. We think that the CPU fuses are better protected against offline attacks than the flash.

Can someone from NXP give us some feedback on our approach?

Best regards

Kan_Li
NXP TechSupport

Hi @fvjdxe,

I checked with the i.MX expert and please kindly have the feedback as below:

Due to Errata ERR011163, GP3, GP4 can't be programmed, so customer can't use GP keys to encrypt their data by DCP.

But customer can try OTP key (Key select 0xFF in control context 1), it will use the key from OTPMK to encrypt their secret and it will be unique per device like CAAM in closed LC.

Hope that helps,

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
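
The key selection described in the reply above, as an added example that is not part of the thread and not NXP code: it fills a DCP work packet for AES-128-CBC with key select 0xFF and checks that a packet carries no key from RAM. The bit positions follow the Linux `mxs-dcp` driver; the function names and the caller-supplied physical addresses are assumptions, and submitting the packet to a DCP channel is not shown.

```c
#include <stddef.h>
#include <stdint.h>

/* Bit layout as in the Linux mxs-dcp driver (drivers/crypto/mxs-dcp.c). */
#define CTRL0_INTERRUPT      (1u << 0)
#define CTRL0_DECR_SEMAPHORE (1u << 1)
#define CTRL0_ENABLE_CIPHER  (1u << 5)
#define CTRL0_CIPHER_ENCRYPT (1u << 8)
#define CTRL0_CIPHER_INIT    (1u << 9)   /* load the IV from the payload */
#define CTRL0_OTP_KEY        (1u << 10)  /* key is chosen by KEY_SELECT */
#define CTRL0_PAYLOAD_KEY    (1u << 11)  /* key read from RAM: not wanted here */
#define CTRL1_MODE_CBC       (1u << 4)   /* AES-128 is cipher select 0 */
#define CTRL1_KEY_SELECT(k)  ((uint32_t)(k) << 8)
#define KEY_SELECT_OTP       0xFFu       /* value named in the reply above */

struct dcp_work_packet {                 /* eight 32-bit words read by DCP DMA */
    uint32_t next, control0, control1, source, destination, size, payload, status;
};

/* Fill a packet for AES-128-CBC under the OTP key (hypothetical helper).
 * iv_phys points at a 16-byte IV, so no key material is placed in RAM. */
int dcp_fill_otp_cbc(struct dcp_work_packet *p, uint32_t src_phys,
                     uint32_t dst_phys, uint32_t len, uint32_t iv_phys, int encrypt)
{
    if (p == NULL || len == 0 || (len % 16) != 0)
        return -1;                       /* CBC works on whole 16-byte blocks */
    p->next = 0;
    p->control0 = CTRL0_INTERRUPT | CTRL0_DECR_SEMAPHORE | CTRL0_ENABLE_CIPHER |
                  CTRL0_CIPHER_INIT | CTRL0_OTP_KEY |
                  (encrypt ? CTRL0_CIPHER_ENCRYPT : 0u);
    p->control1 = CTRL1_MODE_CBC | CTRL1_KEY_SELECT(KEY_SELECT_OTP);
    p->source = src_phys;
    p->destination = dst_phys;
    p->size = len;
    p->payload = iv_phys;
    p->status = 0;
    return 0;
}

/* Review check: 1 only if the packet selects the OTP key and carries no RAM key. */
int dcp_packet_is_otp_bound(const struct dcp_work_packet *p)
{
    return p != NULL && (p->control0 & CTRL0_OTP_KEY) != 0 &&
           (p->control0 & CTRL0_PAYLOAD_KEY) == 0 &&
           ((p->control1 >> 8) & 0xFFu) == KEY_SELECT_OTP;
}
```
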

fvjdxe
Contributor I

Hello Kan,

thank you for this valuable feedback. Are there by chance any examples or drivers that can help us use the DCP?

Best regards
