Dose Data encryption done with help of black blob involve hardware key?

swapnilpendhare
Contributor III

Hi,

I have set the board to closed config and could encapsulate and decapsulate a black blob on it in secure mode.

The questions are,

  1. Does it involve the OTPMK during encryption and decryption when black blob is used?
  2. If yes, should the encrypted data differ on two boards?
    • If both boards are closed config.
    • Input data for both boards are same.
    • Input key is same while creating black key & black blob for data encryption.

How to change the security configuration of a SoC from fab configuration to closed configuration? This board already has closed config enabled.

1 Solution
Yuri
NXP Employee

Hello,

  The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTPMK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM.

  The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.

Regards,

Yuri

3 Replies
Yuri
NXP Employee

Hello,

  In order to generate a blob with the CAAM OTPMK, a secure boot with HAB should be in closed config,
otherwise the blob will be created using the CAAM default master key.

  OTPMK, when burned (“the OTPMK are burned by Freescale prior to shipping the device”), is unique and
is used as the Key Encryption Key; therefore for different boards the encrypted data may be the same, if the
same key is applied for encryption, but the encrypted key part of the blob should differ.

One can determine if a valid OTPMK has been burned by checking the OTPMK_ZERO
bit in the SNVS_HP Status Register.

Best regards

Yuri

-----------------------------------------------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!

-----------------------------------------------------------------------------------------------------------------------

swapnilpendhare
Contributor III

Hi,

Thanks for the prompt response.

HAB is closed config, which signifies OTPMK is involved in BLOB generation. If the data encrypted from a black blob created from the same user key is going to be the same,

then what is the role of OTPMK in encryption/decryption? The assumption was, as OTPMK is unique per SoC, both the blob generated and the encrypted data will be unique per SoC and cannot be decrypted on another SoC, which in this case is happening when I am creating a black blob using the same user key and successfully decrypting data encrypted on the other board.

And is there any way to do hardware specific en/decryption?

Thanks again,
Swapnil

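The behaviour Yuri describes (the OTPMK-derived key wraps the DEK, the blob can only be decapsulated on the board that made it, the default master key is used in open config, and data encrypted under the same user key is identical across boards) and Swapnil's follow-up about hardware-specific encryption can be reproduced in a small runnable model. This is an added example, not NXP code and not the CAAM blob format: it uses HMAC-SHA256 as a stand-in for CAAM's AES-based blob protocol, an all-zero constructed value as the open-config default master key, and hypothetical names (`Device`, `encapsulate`, `decapsulate`, `encrypt_data`, `demo`).

```python
"""Toy model of the CAAM blob behaviour discussed in the thread (added example, not NXP code).

Properties modelled:
  * a blob wraps a Data Encryption Key (DEK) under a KEK derived from the
    device master key: the OTPMK in closed config, a default key otherwise;
  * a blob can only be decapsulated by the device whose master key made it;
  * data encrypted under the same DEK is identical on any device.
HMAC-SHA256 stands in for CAAM's AES-based blob protocol so the model runs on
the standard library alone; the real blob layout is not reproduced.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the CAAM default master key used in open (fab) config.
DEFAULT_MASTER_KEY = b"\x00" * 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256 (toy replacement for AES)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Device:
    """One SoC. The master key never leaves the object, as the OTPMK is readable only by CAAM."""

    def __init__(self, closed_config: bool, otpmk: Optional[bytes] = None) -> None:
        self.closed_config = closed_config
        self._otpmk = otpmk if otpmk is not None else os.urandom(32)  # burned per device

    def _kek(self) -> bytes:
        master = self._otpmk if self.closed_config else DEFAULT_MASTER_KEY
        return hmac.new(master, b"blob-kek", hashlib.sha256).digest()

    def encapsulate(self, dek: bytes) -> bytes:
        """Wrap a DEK: random nonce || DEK xor keystream(KEK) || HMAC tag over both."""
        nonce, kek = os.urandom(16), self._kek()
        wrapped = _xor(dek, _keystream(kek, nonce, len(dek)))
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        return nonce + wrapped + tag

    def decapsulate(self, blob: bytes) -> bytes:
        """Unwrap a blob; the tag check fails if the master key (hence the KEK) differs."""
        nonce, wrapped, tag = blob[:16], blob[16:-32], blob[-32:]
        kek = self._kek()
        expected = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob was not encapsulated with this device's master key")
        return _xor(wrapped, _keystream(kek, nonce, len(wrapped)))


def encrypt_data(dek: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Bulk data encryption under the DEK (toy stream cipher); nothing device-specific is involved."""
    return _xor(plaintext, _keystream(dek, iv, len(plaintext)))


def _can_decapsulate(device: Device, blob: bytes) -> bool:
    try:
        device.decapsulate(blob)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, bool]:
    """Reproduce the observations from the thread with constructed inputs."""
    board_a, board_b = Device(closed_config=True), Device(closed_config=True)
    user_key = bytes(range(32))          # constructed: same user key given to both boards
    iv = b"\x11" * 16                    # constructed: fixed IV so ciphertexts are comparable
    message = b"firmware image payload"  # constructed sample data

    # Same user key on two closed-config boards: the blobs differ, the data ciphertext does not.
    blob_a, blob_b = board_a.encapsulate(user_key), board_b.encapsulate(user_key)
    ct_a = encrypt_data(board_a.decapsulate(blob_a), iv, message)
    ct_b = encrypt_data(board_b.decapsulate(blob_b), iv, message)

    # Open (fab) config: both boards fall back to the default master key.
    open_a, open_b = Device(closed_config=False), Device(closed_config=False)

    # Device-bound variant: the DEK is generated on board A and exists elsewhere only as A's blob.
    bound_dek = os.urandom(32)
    bound_blob = board_a.encapsulate(bound_dek)
    bound_ct = encrypt_data(bound_dek, iv, message)
    recovered = encrypt_data(board_a.decapsulate(bound_blob), iv, bound_ct)

    return {
        "blobs_identical": blob_a == blob_b,                                               # False
        "data_ciphertext_identical": ct_a == ct_b,                                         # True
        "cross_board_decapsulation": _can_decapsulate(board_b, blob_a),                    # False
        "open_config_cross_decapsulation": _can_decapsulate(open_b, open_a.encapsulate(user_key)),  # True
        "bound_data_recovered_on_origin": recovered == message,                            # True
        "bound_blob_usable_on_other_board": _can_decapsulate(board_b, bound_blob),         # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first three results are the situation Swapnil observed: the OTPMK protects the key inside the blob, not the data ciphertext, so two boards that were handed the same user key produce interchangeable ciphertext. The last two results follow from the statements in the thread rather than from anything extra: if the DEK is generated on the device and leaves it only inside that device's blob, no other SoC can recover the DEK, so the data is bound to that SoC even though the data cipher itself is not device-specific.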