Dose Data encryption done with help of black blob involve hardware key?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dose Data encryption done with help of black blob involve hardware key?

Jump to solution
2,309 Views
swapnilpendhare
Contributor III

Hi,

I have closed config the board and could encapsulate and decacpsulate black blob on it in secure mode.

The questions are,

  1. Does it involve the OTPMK during encryption and decryption when black blob is used?
  2. If yes, should the encrypted data differ on two boards.
    • If both boards are closed config.
    • Input data for both boards are same.
    • Input key is same while creating black key & black blob for data encryption.

how to chage security configuration of a SOC from fab configuration to closed configuration? This board is already closed config enabled.

Labels (2)
0 Kudos
Reply
1 Solution
1,950 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM. 

  The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.

Regards,

Yuri

View solution in original post

3 Replies
1,950 Views
Yuri
NXP Employee
NXP Employee

Hello,

  In order to generate a blob with the CAAM OTPMK, a secure boot with HAB should be

in closed config, otherwise the blob will be created using CAAM default master key.

OTPMK, when burned (“the OTPMK are burned by Freescale prior to shipping the device”),

is unique and is used as the Key Encryption Key, therefore for different boards encrypted

data may be the same, if the same Key is applied for encryption, but encrypted key part

of the blob should differ.    

One can determine if a valid OTPMK has been burned by checking the OTPMK_ZERO
bit in the SNVS_HP Status Register.

Best regards

Yuri

-----------------------------------------------------------------------------------------------------------------------

Note: If this post answers your question, please click the Correct Answer button. Thank you!

-----------------------------------------------------------------------------------------------------------------------

0 Kudos
Reply
1,950 Views
swapnilpendhare
Contributor III

Hi,

Thanks for prompt response.

HAB is closed config, which signifies OTPMK is involved in BLOB generation. If the data encrypted from black blob created from same user key, is going to be same;

Then what is the role of OTPMK in encryption/decryption. The assumption was, as OTPMK is unique per SOC, both blob genrarted along with encrypted data will be unique per SOC and can not be decrypted on other SOC, which in this case is happening when I am creating Black blob using same user key and successfully decrypting data encrypted from other board.

And is there any way to do hardware specific en/decryption?

Thanks again,
Swapnil

0 Kudos
Reply
1,951 Views
Yuri
NXP Employee
NXP Employee

Hello,

  The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM. 

  The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.

Regards,

Yuri