KW45 EdgeLock Secure Enclave questions/concerns


956 Views
BobMaiKaiVa
Contributor I

I'm new to the EdgeLock Secure Enclave ("ELE" in the KW45 reference manual) and I have several questions I couldn't find answers to in the various NXP resources online:

1) Where can I find more detailed documentation for the KW45Z41083 CPU's implementation of ELE and the specific commands/responses that can be sent via the MU interface to the ELE from the Cortex-M33?

I found a "RM00284 EdgeLock Enclave Hardware Security Module API Rev. 3.2 — 16 December 2024" PDF somewhere but it seems pretty specific to the i.MX family. I'm looking for something specific to the Kinetis KW family.

2) What is the firmware in nxp\secure-subsystem\firmware\ele_200_fw.h? I'm not currently using it or doing any sort of firmware downloading to the ELE. I need TRNG and crypto (AES CBC and GCM) in my app and all of that seems to work out of the box, so the ELE already seems to be flashed with some sort of NXP default firmware.

I see there are a few examples in the SDK that download the ele_200_fw.h firmware. Why do they need to do that? Is that download just overriding the built-in ELE ROM firmware with a newer version that runs out of RAM and overrides the ROM code?

3) Is there a github where you release new KW45 ELE firmware updates along with release notes for each release? Or are they only available in SDK updates?

4) For crypto functions, my app runs MU commands that allocate and deallocate various key and context structures in the ELE. Some of the deallocate functions mention "defragmentation" of the ELE memory on freeing the resources. If the Cortex-M33 reboots through a watchdog or software reset, is the ELE also guaranteed to reboot and free up any resources I previously allocated? If not, is there a way to command the ELE to reboot? I'm concerned that if the ELE CPU doesn't reboot, its memory could fill up over time or become too fragmented to allocate new resources.

5) In some of the crypto examples in the SDK, various data structures are purposely aligned on 8-byte boundaries with the SDK_ALIGN() macro:

  SDK_ALIGN(static const uint8_t s_GcmKey[16], 8u) =
      {  0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08};

Other examples don't do this. I have a test app that does thousands of CBC and GCM encrypt/decrypt sequences and all of the tests pass without using the SDK_ALIGN() macro. Is it really needed? If not, I think it should be deleted from the SDK examples because it adds complexity and confusion.

6) There exists a set of test vectors for AES GCM at https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/mac/g.... I created a test app for the gcmEncryptExtIV128.rsp in that zip. My test runs each encryption, verifies the ciphertext and tag, then decrypts and verifies the original plaintext is recovered.

All of the thousands of GCM test vectors work using the KW45 ELE except test vectors with a Tag less than 12 bytes. Is this restriction documented somewhere? One thing that is concerning is that if you try to encrypt and request an 8-byte tag, 16 bytes of tag data are returned in the tag buffer provided to the encryption function. This is a buffer overrun error and could easily crash an application.


0 Kudos
Reply
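As an added example (not code from the original post or from the NXP SDK), here is a parser for the CAVP .rsp vector format referred to in item 6. It records each section's Taglen alongside the decoded fields and exposes the two checks the thread's findings call for: whether a vector's tag is shorter than the 12 bytes the ELE accepted, and the 16-byte tag buffer an application must reserve so the observed full-length tag write cannot overrun it. The sample lines embedded in the block are constructed in the file's layout, not taken from the NIST file.

```python
# Added example (not NXP SDK code): parse CAVP GCM .rsp vectors, flag ELE limits.
import re
ELE_MIN_TAG_BITS = 96   # tags shorter than 12 bytes failed on the KW45 ELE
ELE_TAG_BUF_BYTES = 16  # ELE wrote 16 tag bytes even when only 8 were requested
# Constructed sample in gcmEncryptExtIV128.rsp layout (values are illustrative).
SAMPLE_RSP = """[Keylen = 128]
[IVlen = 96]
[PTlen = 0]
[AADlen = 0]
[Taglen = 128]
Count = 0
Key = 11754cd72aec309bf52f7687212e8957
IV = 3c819d9a9bed087615030b65
PT = 
AAD = 
CT = 
Tag = 250327c674aaf477aef2675748cf6971
[Taglen = 64]
Count = 0
Key = 7fddb57453c241d03efbed3ac44e371c
IV = ee283a3fc75575e33efd4887
PT = 
AAD = 
CT = 
Tag = b36d1df9b9d5e596
"""
def parse_rsp(text):
    # One dict per vector: section lengths (bits) merged with decoded byte fields.
    params, cur, vectors = {}, None, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        hdr = re.fullmatch(r"\[(\w+)\s*=\s*(\d+)\]", line)
        if hdr:                       # [Name = N] applies to following vectors
            params[hdr.group(1).lower()] = int(hdr.group(2))
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "count":           # new vector: snapshot the current lengths
            cur = dict(params, count=int(value))
            vectors.append(cur)
        else:
            cur[name] = bytes.fromhex(value)   # "AAD = " decodes to b""
    return vectors

def ele_supported(v):                 # tag lengths the KW45 ELE accepted
    return v["taglen"] >= ELE_MIN_TAG_BITS

def tag_buffer_size(v):               # reserve for the observed 16-byte tag write
    return max(ELE_TAG_BUF_BYTES, v["taglen"] // 8)
```

Running the real gcmEncryptExtIV128.rsp through parse_rsp and splitting on ele_supported separates the vectors that should pass on the ELE from the short-tag ones the poster saw fail.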
1 Solution
487 Views
luis_maravilla
NXP Employee

The ele_200_fw.h file is used by other examples in the SDK; the example you are using does not require it.


Regarding the reboot topic, could you please take a look at Figure 19 in the Security Reference Manual? It shows the boot flow for starting a reset, where the Release ELE process is made.

Also, there isn't a command to directly reboot the ELE.

If this is not what you are referring to, let me know.


About the alignment, it is a recommendation to align the data length to avoid buffer overflows, but we will take that comment into consideration to make a note about it. Please refer to the Security Description in the Cipher_one_go and aead_one_go command sections, Chapters 7.6.6 and 7.6.8.


0 Kudos
Reply
6 Replies
741 Views
BobMaiKaiVa
Contributor I

I received an email from NXP asking to mark this accepted but it is still unresolved. Here's the status for each item in my original posting:

1) Resolved. I had to select an option for requesting higher security docs to see the docs I was after.

2) Not resolved. I don't understand the reply from Luis about the firmware. The example SDK code I based my software on does not load this firmware file. It doesn't use it at all. So what is the purpose of this firmware and when is it required to be loaded?

3) Resolved.

4) Not resolved. Your response did not answer my questions about when the ELE CPU resets and I'm not seeing an answer in the doc you mentioned. Here are the specific questions again:

"If the Cortex-M33 reboots through a watchdog or software reset, is the ELE also guaranteed to reboot and free up any resources I previously allocated? If not, is there a way to command the ELE to reboot?"

5) Not resolved. Still waiting for an answer from Luis' testing.

6) Not resolved. Luis did not respond to this one.

0 Kudos
Reply
895 Views
BobMaiKaiVa
Contributor I

1) Regarding the link you posted, Secure Access Rights | NXP Semiconductors, we have previously completed steps 1 and 2 a few years ago. Step 3 loads this page ... https://www.nxp.com/webapp-signup/updateDocstoreReg, but I don't see any option for accessing KW45 docs, Kinetis docs, or specifically a "KW45 Security Reference Manual" in the list of checkboxes presented. Can you provide additional info on how to request this exact document?

0 Kudos
Reply
883 Views
luis_maravilla
NXP Employee

Hi Bob,

You may need to add these technologies [Bluetooth Low Energy and Wireless Microcontrollers] in the checkboxes that you mentioned and fill in the reason.

Also, you can check Secure Access Rights FAQs | NXP Semiconductors under "How can I request additional access to secure information" and then look for the documentation on the KW45 main page.

Regards

Luis

0 Kudos
Reply
857 Views
BobMaiKaiVa
Contributor I

5) SDK version SDK_2.x_KW45Z41083xxxA v2.16.000

0 Kudos
Reply
921 Views
luis_maravilla
NXP Employee

Hi Bob,

  1. For more detailed documentation about your topic, I recommend checking the KW45 Security Reference Manual, Chapters 7 and 10.
     This file is under Secure Files: Secure Access Rights | NXP Semiconductors
     Follow the process in order to download the file from the KW45 main page, Documents. Also, I would recommend checking the Secure Access Rights FAQs | NXP Semiconductors.
  2. This file is an initialization file; it is highly recommended not to delete it, as the examples in the SDKs are meant to guarantee a function in the code.
  3. There is an official NXP GitHub; on this link, MCUXpresso Software and Tools | NXP Semiconductors, you can enter the GitHub and see other tools if you need them.
     As of now, firmware and release notes are only distributed through the SDK updates.
  4. For more detailed documentation on ELEMU commands, please refer to the KW45 Security Reference Manual, Chapter 7.6.
  5. Please let me know the SDK version and what example you are testing so I can search for more specific information about the 8-byte boundaries.

Hope this information works for your project.

Best Regards

0 Kudos
Reply