The design idea for securing blob data using the i.MX7 master key is:
1) normal system power loss, no matter how long, shall not cause blob data to become inaccessible after power is back on. But 2) after a security violation, the blobs should not be accessible even after POR.
However, the ZMK register in LP-SNVS cannot hold its value after a power loss of LP. That is, if ZMK is selected as a component of the master key for CAAM, then the blobs the master key eventually protects (through the blob key encryption key and blob keys) will become inaccessible due to a previous power loss of the low power source, even without any security violation. So having ZMK as a component of the master key (either ZMK only or the ZMK and OTPMK combination) will fail 1) above.
Obviously, an OTPMK-only master key selection will fail 2).
Is there any way to get around this?
Thank you!
Hualing
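To make the dilemma in the post above concrete, here is a toy model of the key hierarchy (master key -> BKEK -> blob key -> data). This is an added example written for this thread, not code from the original post and not the real CAAM/SNVS derivation: the HMAC-based "BKEK" and "blob" constructions, the XOR combination of OTPMK and ZMK, and the assumption that a security violation zeroizes ZMK (while the fused OTPMK survives everything) are all simplifications chosen only to show why each master-key selection fails one of the two requirements.

```python
"""Toy model of the i.MX7 master-key selection problem discussed in this thread.

Constructed simulation, NOT the real CAAM/SNVS key derivation: the BKEK and
blob constructions below are simple HMAC-SHA256 based stand-ins chosen only to
make the dependency chain master key -> BKEK -> blob key -> data explicit.
"""
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32  # 256-bit master key, as in the thread


def _kdf(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (assumption: stand-in for CAAM's internal KDF)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Snvs:
    """Models OTPMK (fused, persistent) and ZMK (LP-SNVS register, volatile)."""

    SELECTIONS = ("OTPMK", "ZMK", "OTPMK_ZMK")

    def __init__(self, master_key_select: str, rng=os.urandom):
        assert master_key_select in self.SELECTIONS
        self.select = master_key_select
        self.otpmk = rng(KEY_LEN)  # burned into fuses once; survives power loss and tamper
        self.zmk = rng(KEY_LEN)    # provisioned into LP-SNVS; lost with LP power

    def lp_power_loss(self) -> None:
        # Per the answer later in this thread: ZMK is lost after SNVS_LP power down.
        self.zmk = bytes(KEY_LEN)

    def security_violation(self) -> None:
        # Assumption for the model: a tamper event zeroizes ZMK; the fused OTPMK is untouched.
        self.zmk = bytes(KEY_LEN)

    def master_key(self) -> bytes:
        if self.select == "OTPMK":
            return self.otpmk
        if self.select == "ZMK":
            return self.zmk
        return _xor(self.otpmk, self.zmk)  # assumption: combined key modelled as XOR


def bkek(snvs: Snvs) -> bytes:
    """Blob Key Encryption Key: derived from the current master key."""
    return _kdf(snvs.master_key(), b"BKEK", KEY_LEN)


def encapsulate(snvs: Snvs, data: bytes, rng=os.urandom) -> bytes:
    """Wrap data into a blob: random blob key wrapped under BKEK, data encrypted under the blob key."""
    nonce = rng(16)
    blob_key = rng(KEY_LEN)
    wrapped_key = _xor(blob_key, _kdf(bkek(snvs), b"wrap" + nonce, KEY_LEN))
    ct = _xor(data, _kdf(blob_key, b"data" + nonce, len(data)))
    tag = hmac.new(blob_key, nonce + wrapped_key + ct, hashlib.sha256).digest()
    return nonce + wrapped_key + tag + ct


def decapsulate(snvs: Snvs, blob: bytes) -> Optional[bytes]:
    """Unwrap with the CURRENT master key; None if the key hierarchy no longer matches."""
    nonce, wrapped_key, tag, ct = blob[:16], blob[16:48], blob[48:80], blob[80:]
    blob_key = _xor(wrapped_key, _kdf(bkek(snvs), b"wrap" + nonce, KEY_LEN))
    expected = hmac.new(blob_key, nonce + wrapped_key + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _kdf(blob_key, b"data" + nonce, len(ct)))


def survives(select: str, event: str) -> bool:
    """Can a blob created before `event` still be opened afterwards under this selection?"""
    snvs = Snvs(select)
    blob = encapsulate(snvs, b"device secret")
    getattr(snvs, event)()
    return decapsulate(snvs, blob) == b"device secret"


def requirement_table() -> dict:
    """Requirement 1: blob survives LP power loss. Requirement 2: blob is revoked by a violation."""
    return {
        sel: {
            "survives_power_loss": survives(sel, "lp_power_loss"),
            "revoked_by_violation": not survives(sel, "security_violation"),
        }
        for sel in Snvs.SELECTIONS
    }


if __name__ == "__main__":
    for sel, res in requirement_table().items():
        print(f"{sel:10s} survives power loss: {res['survives_power_loss']}  "
              f"revoked by violation: {res['revoked_by_violation']}")
```

Running the model shows that no selection satisfies both rows: OTPMK-only survives power loss but is never revoked, while any selection that includes ZMK is revoked by a violation but is also broken by a plain LP power loss, because in this model the two events are indistinguishable from the key hierarchy's point of view (both leave ZMK zeroized).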
Hello,
Sorry, but the information involved here is treated as confidential at this time and requires a signed NDA. We cannot discuss this with you in public anyway; this needs to be handled as a Service Request (SR).
Have a great day,
Yuri
Hello Yuri,
Thank you for the response.
We do have an NDA with NXP. However, we are not at that point yet. We just need some high-level understanding of the features of i.MX7 security.
I know I sounded like I was asking for a solution in my original post, but actually this is what we would really like to know:
Is ZMK definitely lost after SNVS_LP lost power?
This is just to confirm what we understand from the i.MX7 SRM. So please reply to confirm this.
Thanks!
Hualing
Hello,
Yes, ZMK is definitely lost after SNVS_LP power down.
Regards,
Yuri.
Hi,
I want to confirm whether only CAAM can read this 256-bit master key from SNVS. If not, who else, apart from CAAM, can read this 256-bit master key from SNVS?
I am worried that if other modules can read this 256-bit master key from SNVS, then the Blob Key Encryption Key (BKEK) in CAAM is not confidential anymore.
This is the confirmation we need. Thank you.