LPC55S69 DICE


1,380 Views
simon_ott
Contributor I

Our goal is to use DICE with the LPC55S69 in secure IoT applications. According to the DICE specification, the DICE should combine the UDS with the measurement of "the first mutable code" to be executed to generate the CDI. Our goal would have been that DICE measures the first piece of our code in the secure world and creates the CDI out of the UDS and this code.

However, in the user manual I found nothing on how DICE can measure the first mutable code. The only possibilities I found to adjust the behaviour are the configuration possibilities to specify to "Include NXP Area", "Include CFPA page and key store area" and to "Include security epoch area" in the DICE computation.

The NXP Area and CFPA page are not "the first mutable code" according to my understanding. About the "security epoch area" I did not find another mention in the user manual or in any application note.

My questions therefore are:
1) What is the "Security Epoch Area" and where can I find documentation about it?
2) Is there any documentation I am missing about DICE apart from the few lines in the user manual?
3) Is it possible to include the first piece of user code in the flash in the DICE computation?

0 Kudos
4 Replies

1,062 Views
ZhangJennie
NXP TechSupport

Hi Simon Ott

I checked with the application team. The LPC55S69 is a very new chip. So far, besides the user manual, we don't have any other article documenting the usage of DICE. There is no demo code either.

What I know is that Microsoft developed a set of DICE package code; if you want to know more about its usage, you can check here:

https://www.microsoft.com/en-us/research/project/dice-device-identifier-composition-engine/

Yes, we can use the user code image to generate a hash code, using this hash code with the UDS key to generate the DICE CDI.

Regarding the "Security Epoch Area", I checked and there is no place documenting it. I will check it with design. If I get feedback, I will let you know.


Have a great day,
Jun Zhang

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos

1,062 Views
ZhangJennie
NXP TechSupport

"Security Epoch Area" is mentioned in the UM.

The original plan is not to open the DICE function to end customers. The register should be part of DICE. So you may ignore it. Users can still use DICE to generate the CDI without problems.

If this information is necessary for you, please let me know why you need to know this for your project, so that we can ask the designer for it.



Have a great day,
Jun Zhang


0 Kudos

1,062 Views
simon_ott
Contributor I

Regarding your answer "Yes, we can use the user code image to generate a hash code, using this hash code with the UDS key to generate the DICE CDI.":

Is it correct that DICE can only be used in combination with secure boot and a signed image, and that this signed image is used to generate the hash code for the CDI (in combination with UDS)?

0 Kudos

1,062 Views
ZhangJennie
NXP TechSupport

Yes, right.

There is an important formula for DICE:

CDI = HMAC(UDSKey, SHA2(SBL_IMG));

Here,

- SBL_IMG = L0_IMG without L0_Signature
- CDI allows a host to verify the trustworthiness of an embedded device
- UDS is the index 15 key, retrieved using the key code from the key store (generated during provisioning/manufacturing)

Have a great day,
Jun Zhang

 


0 Kudos
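
Added example (not part of the thread and not NXP code): a host-side model of the formula CDI = HMAC(UDSKey, SHA2(SBL_IMG)) from the last reply, showing that the CDI follows the measured code and the UDS but not the signature bytes. Assumptions: SHA-256 for both the hash and the HMAC, L0_Signature as a fixed-length trailer of 256 bytes, and constructed UDS and image bytes.

```python
import hashlib
import hmac

SIG_LEN = 256  # assumption: L0_Signature is a fixed-length trailer on L0_IMG


def strip_signature(l0_img: bytes, sig_len: int = SIG_LEN) -> bytes:
    """Return SBL_IMG, i.e. L0_IMG without L0_Signature (assumed trailing)."""
    if len(l0_img) <= sig_len:
        raise ValueError("image is not longer than its signature field")
    return l0_img[:-sig_len]


def compute_cdi(uds_key: bytes, l0_img: bytes, sig_len: int = SIG_LEN) -> bytes:
    """CDI = HMAC(UDSKey, SHA2(SBL_IMG)); SHA-256 is assumed for both steps."""
    measurement = hashlib.sha256(strip_signature(l0_img, sig_len)).digest()
    return hmac.new(uds_key, measurement, hashlib.sha256).digest()


def same_cdi(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, as a verifier should use for derived secrets."""
    return hmac.compare_digest(a, b)


# Constructed sample data: two device secrets and three variants of one image.
UDS_A = bytes(range(32))
UDS_B = bytes(range(1, 33))
CODE = b"\x00\x20\x00\x20" + b"constructed bootloader body" * 8
IMG = CODE + b"\xAA" * SIG_LEN                          # original signed image
IMG_RESIGNED = CODE + b"\xBB" * SIG_LEN                 # same code, new signature
IMG_PATCHED = CODE[:-1] + b"\x00" + b"\xAA" * SIG_LEN   # one code byte changed

if __name__ == "__main__":
    base = compute_cdi(UDS_A, IMG)
    print("CDI (device A, original):", base.hex())
    print("re-signed image keeps CDI:", same_cdi(base, compute_cdi(UDS_A, IMG_RESIGNED)))
    print("patched code keeps CDI:   ", same_cdi(base, compute_cdi(UDS_A, IMG_PATCHED)))
    print("other UDS keeps CDI:      ", same_cdi(base, compute_cdi(UDS_B, IMG)))
```

On a real device the UDS stays inside the part, so a host does not compute the CDI itself; the model only illustrates which inputs the formula binds.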