My customer has the following issues with S32K148 and CSEc Module, please find below his questions:
1) CSEc key attributes
Are the attributes for each key persistent when a key is updated or do I need to re-define them for the updated key?
2) Signing tools
According to AN5401 the toolchain for firmware signing is a combination of executables and Perl scripts. The product is an automotive ECU with a very long lifespan, so we want the signing key to be secure as much as possible. One of the options is to store this key in an HSM and not as a file/soft token in the built environment. The CMAC calculation tool that is provided is open source, but we wish to avoid the development effort for integrating an HSM (through its PKCS#11 interface). Does NXP provide a better toolchain for firmware signing or is this toolchain from AN5401 the only one? Can we get some test vectors if we want to implement a python script instead of the NXP-provided toolchain?
3) What is the exact process for key provisioning? currently, the following process is defined:
1) 1st Power-on
2) Initial MCU firmware signing key provisioning via JTAG
3) MCU FW flashing
4) 2nd Power-on (Secure Boot is now activated)
5) Additional key provisioning via application-level API
6) Key validation using the application-level API for key checksum readout
7) Rework as needed
Is this process accurate? Is it only possible to provide the initial signing key via JTAG or is there another recommended method?
Please advise back, Thanks in advance and stay safe.
“An example perl script which has been used in the binary image generation, is available in AN4235SW. Note that this is for demonstration of the concept being discussed here only and is not intended for production purpose.”
For offline calculation, https://www.openssl.org/ can be used.
Test vectors for CMAC can be found, for example, here:
It’s available also in SHE specification but I can’t share it.
Thanks for your detailed answer, Regarding the 4th question, a decent application note or example scripts with some generic JTAG tool would be helpful. The group that will do it in production is a team from China, that needs very detailed guidance.
Please advise back, Thanks in advance.
my recommendation is to check the steps provided in AN5401.
... that's, in fact, the procedure you need to perform in a factory. Either via JTAG or by configuration application as I mentioned before. Unfortunately I do not have other materials because this is highly dependent on used tools.