- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- Dose Data encryption done with help of black blob involve hardware key?
Dose Data encryption done with help of black blob involve hardware key?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have closed config the board and could encapsulate and decacpsulate black blob on it in secure mode.
The questions are,
- Does it involve the OTPMK during encryption and decryption when black blob is used?
- If yes, should the encrypted data differ on two boards.
- If both boards are closed config.
- Input data for both boards are same.
- Input key is same while creating black key & black blob for data encryption.
how to chage security configuration of a SOC from fab configuration to closed configuration? This board is already closed config enabled.
Solved! Go to Solution.
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM.
The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.
Regards,
Yuri
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
In order to generate a blob with the CAAM OTPMK, a secure boot with HAB should be
in closed config, otherwise the blob will be created using CAAM default master key.
OTPMK, when burned (“the OTPMK are burned by Freescale prior to shipping the device”),
is unique and is used as the Key Encryption Key, therefore for different boards encrypted
data may be the same, if the same Key is applied for encryption, but encrypted key part
of the blob should differ.
One can determine if a valid OTPMK has been burned by checking the OTPMK_ZERO
bit in the SNVS_HP Status Register.
Best regards
Yuri
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thanks for prompt response.
HAB is closed config, which signifies OTPMK is involved in BLOB generation. If the data encrypted from black blob created from same user key, is going to be same;
Then what is the role of OTPMK in encryption/decryption. The assumption was, as OTPMK is unique per SOC, both blob genrarted along with encrypted data will be unique per SOC and can not be decrypted on other SOC, which in this case is happening when I am creating Black blob using same user key and successfully decrypting data encrypted from other board.
And is there any way to do hardware specific en/decryption?
Thanks again,
Swapnil
Yuri
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
The unique OTP Master Key (OTPMK) is used to encrypt and wrap the DEK (Data Encryption Key) in a blob.
The OTMPK is protected by the hardware and can be accessed only by CAAM. Consequently, this step has to
be executed on the target processor with software capable of using CAAM.
The fact that the OTPMK can only be accessed by CAAM means that the blob can only be decrypted by the
same processor that encrypted it. To further add to the security of the DEK, the blob is decapsulated and decrypted
inside a secure memory partition that can only be accessed by CAAM.
Regards,
Yuri
