Encrypted boot

Hi Sara,

I am assuming that you are referring to csf.bin.  And that the [Decrypt Data] command is the last command on your CSF.

When in the presence of [Decrypt Data], CST will encrypt the data blocks in-place(data blocks in the input file are replaced by their encrypted version), using the data encryption key. And it also generates a MAC tag of the file and appends it to the CSF.

However, at boot time HAB  needs to know what algorithm and what size use to authenticate the MAC.  Let's take the following example of  csf.bin:

AC 00 24 41  00 0C 00 10  54 46 4E 21 27 6D C9 16  CA A0 BE 70  11 DE 64 1A  F2 20 D4 93  B1 DB C3 75  98 72 E5 F3

If we parse the HAB data structure, it would be like this:

AC 00 24 41

[HAB_TAG_MAC] [LENGTH][VERSION]

HAB_TAG_MAC = 0xAC

length = 0x0024

version = 0x41

So this part of the structure is the 4 byte pattern that you probably are looking at.

HAB uses CBC-MAC, therefore a nonce and a length are required .Then the next word is divded in two.

00 0C 00 10

[NONCE LENGTH][MAC LENGTH]

NONCE LENGTH = 0x000C

MAC LENGTH = 0x0010

Then by intuition, we can tell that the nonce is:

54 46 4E 21 27 6D C9 16  CA A0 BE 70

and that the mac is

11 DE 64 1A  F2 20 D4 93  B1 DB C3 75  98 72 E5 F3

if you need more information about on the parameters and algorithms. I would read the Security Reference manual for your target board

Regards,

Ulises Cardenas