Using Cryptographic Service Engine 2 (CSE2)


NXP Semiconductors Document Number: AN5418
Application Note Rev. 0, 03/2017

An introduction to the CSE2 module and its working

Contents
1 Introduction
1.1 Introduction to CSE2
1.2 AES-128 encryption and decryption
1.3 CMAC
1.4 Secure boot
1.5 Secure memory
1.6 Secure storage for cryptographic keys
1.7 Key attributes
1.8 CSE2 commands
1.9 CSE2 error handling
2 How to use CSE2
2.1 Execution of Secure Boot
2.2 CSE2 Commands with example code
APPENDIX A Memory update protocol
  Example Code For Updating a Key In Secure Memory
APPENDIX B Resetting the secure flash to its factory state
APPENDIX C Standard output of predefined data as per SHE Spec
APPENDIX D Brief steps to operate CSE2
  AES-128 Encryption/Decryption
  AES-128 CMAC calculation and Authentication
  True Random Generation
  Secure Boot

1 Introduction

This application note describes the usage of the Cryptographic Services Engine 2 (CSE2). The module can be used to authenticate, or to encrypt and decrypt, any kind of data. All the features supported by CSE2 are compliant with the Secure Hardware Extension (SHE) functional specification version 1.1. After reading this application note, the reader should understand the basic functionality of CSE2 and the usage of its commands. This application note does not explain the SHE specification and assumes that the reader is already familiar with it.

1.1 Introduction to CSE2

The CSE2 is a peripheral module that implements the security functions described in the SHE Functional Specification Version 1.1. The CSE2 design includes a host interface with a set of memory-mapped registers that are used by the CPU to issue commands, and a system bus interface that allows the CSE2 to directly access system memory. There is a dedicated secure flash block for the storage of the CSE2 firmware and the secure keys. Its basic features are:
- Secure storage

Modes of operation

CSE2 supports operation in normal mode as well as in debug mode. Use of the secure keys is controlled by the flags set on the keys. These flags may restrict the usage of a key depending on whether a debugger is connected or secure boot has failed. For details refer to Security flags on page 6. CSE2 has an internal low power mode in which access to the register interface is still allowed. This means that only the register interface can be accessed in CSE2's low power mode; none of the operations is supported.

Block diagram

CSE2 contains a command processor, host interface, system bus interface, local memory, AES logic and a true random number generator, as shown in the figure below.

Figure 1. CSE block diagram

1.2 AES-128 encryption and decryption

CSE2 supports AES-128 encryption and decryption in ECB and CBC modes. AES stands for Advanced Encryption Standard. This algorithm was selected and specified by the US National Institute of Standards and Technology (NIST) [FIPS197] after a public competition. The AES algorithm is a symmetric cipher, which means that encryption and decryption use the same key. CSE2 supports two of its cipher modes, ECB and CBC.

Electronic Codebook (ECB)

This cipher mode is the simplest cipher mode, as each block to be encrypted or decrypted has no relationship with any other block.

Figure 2. ECB block diagram

Cipher-block Chaining (CBC)

Cipher-block Chaining (CBC) mode, invented in 1976, is one of the most important cipher modes. In this mode, the output of the previous encryption step is XORed with the input block of the current encryption step. Because of this, an additional input is required for the first encryption step, known as the initialization vector (IV).

Figure 3. CBC block diagram

1.3 CMAC

CMAC is a technique used to verify the authenticity of messages and data. It uses the AES algorithm. This algorithm takes a secret key and an arbitrary-length message to be authenticated as inputs, and returns a CMAC value as output. The CMAC value protects both the integrity and the authenticity of the message data, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

Figure 4. Explanation of CMAC operation

1.4 Secure boot

CSE2 has a secure boot mechanism which allows users to authenticate boot code in flash. The MCU can be configured in such a way that, on every reset cycle, a section of code is authenticated. Authentication follows the process of MAC generation, and the generated MAC is compared with a value previously stored in secure flash. This is supported only for flash boot modes. It is not supported for other boot modes (serial download, wakeup to RAM), as this may present a potential security issue. The key used to authenticate the boot code is BOOT_MAC_KEY. The value used for comparison is stored in secure flash and is called BOOT_MAC. Details on secure boot can be found in Execution of Secure Boot on page 10.

There are different modes of secure boot that can be configured through the Device Configuration Format (DCF) records. These secure boot configurations decide how the release of the main core is gated by secure boot.

Parallel secure boot mode

In this boot mode, the main core is released in parallel with CSE2; that is, the SECURE_BOOT command is executed by CSE2 in parallel with the main core. In this boot mode, the system frequency can be switched to the PLL without interrupting CSE2. Because of this, authentication in this boot mode is much faster than in any other boot mode.

Sequential secure boot mode

In this boot mode, the main core is released after CSE2 has finished executing the SECURE_BOOT command. The core logic is clock gated by hardware until SECURE_BOOT has been finished by CSE2. The core SWT runs in the background and generates a reset if authentication takes too long or if the SECURE_BOOT command is stuck due to unfavorable conditions. The SWT timeout may vary from device to device, so it is preferable to refer to the SoC-specific chapter for this information. In this boot mode the system frequency stays on the default IRC, i.e. 16 MHz, so authentication in this boot mode is slower than in parallel boot mode.

Strict sequential boot mode

This boot mode is the same as sequential boot mode. The only difference between the two is that in sequential boot mode the core clock gating logic is released once the SECURE_BOOT command has been completed by CSE2, regardless of whether secure boot passed or failed (that is, whether or not the generated MAC matches the reference MAC). If secure boot passes, all the secure keys are available; if secure boot fails, keys with the BOOT_PROT flag set (refer to Boot Protection Flag (BP) on page 6 for details on BOOT_PROT) are not available for use. In strict sequential boot mode, by contrast, the core clock gating logic is never released if secure boot fails. The device can boot up successfully only if secure boot passes.

1.5 Secure memory

CSE2 has a dedicated secure flash block where the secure firmware (CSE2 firmware) and the secure keys are stored. When parts are received from the factory, they are populated with the secure firmware, a Unique Identification Number (UID) and a secret key. The secret key is a random number whose value is never disclosed to anyone. The user can store user keys in the same memory.

1.6 Secure storage for cryptographic keys

The CSE2 provides secure, nonvolatile storage for cryptographic keys as described in the SHE Functional Specification. The keys are stored in 25 memory slots, with one ROM slot, 23 nonvolatile slots, and one RAM slot, as shown in Table 1. Memory slots on page 5. The first four slots have a dedicated use; the other slots are available for application-specific keys. The CSE2 extends the SHE specification by providing 10 extra application key slots (KEY_11 to KEY_20) which are enabled by setting the CSE_CR[KBS] bit. The BOOT_MAC slot is loaded with a MAC value used by the secure boot process. All other slots are used for encryption or message authentication keys. The SECRET_KEY slot is programmed with a random value during device fabrication. All CSE2 encryption and message authentication commands specify a key by its Key ID.

Table 1. Memory slots
Slot name        KBS   Key ID    Type
SECRET_KEY       x     0x0       ROM
MASTER_ECU_KEY   x     0x1       non volatile
BOOT_MAC_KEY     x     0x2       non volatile
BOOT_MAC         x     0x3       non volatile
KEY_1-KEY_10     0     0x4-0xD   non volatile
KEY_11-KEY_20    1     0x4-0xD   non volatile
RAM_KEY          x     0xE       RAM

In addition to the 25 memory slots, the CSE2 holds a 120-bit read-only UID that is programmed during device fabrication. The UID is used in the memory update procedure and is available for application-specific uses.

1.7 Key attributes

A secure key has several attributes, including its security flags, counter value and KEY_ID. Every key has its own Key_ID and counter value. The security flags are set by the user.
The table below defines the structure of a secure key slot.

Table 2. Physical memory slot format
Offset   Value
0x00     Key W0
0x04     Key W1
0x08     Key W2
0x0C     Key W3
0x10     Key ID | Reserved | Flags
0x14     Counter
0x18     Reserved
0x1C     Checksum

Security flags

Each key has six flags associated with it that define the usage of the key under different conditions.

Table 3. Memory slot security flags
Flag name     Description
VERIFY_ONLY   If set, the memory slot key cannot be used by the GENERATE_MAC command, only by the VERIFY_MAC command. This bit has no effect if KEY_USAGE = 0.
WRITE_PROT    If set, the memory slot cannot be updated.
BOOT_PROT     If set, the memory slot is disabled if CSE_SR[BOK] = 0 or CSE_SR[BFN] = 0.
DEBUG_PROT    If set, the memory slot is disabled if CSE_SR[EDB] = 1.
KEY_USAGE     If set, the memory slot holds a MAC key; otherwise, it holds an encryption key.
WILDCARD      If set, the memory slot cannot be updated with the wildcard UID.

Write Protection Flag (WP)

Setting this flag prevents the key from being updated even if an authorization key is known. This flag also prevents resetting the part to factory settings (see Resetting the secure flash to its factory state on page 31).

NOTE: Setting this flag is an irreversible step, so caution is advised before setting it.

Boot Protection Flag (BP)

If this flag is set, the key cannot be used if secure boot fails. Secure boot fails when the MAC value calculated in the SECURE_BOOT step does not match the reference MAC value stored in secure flash.

Debugger Usage Protection Flag (DP)

If this flag is set, the key cannot be used if an external debugger is (or has ever been) connected to the MCU since it was last reset.

Wildcard Protection Flag (WC)

If this flag is set, the key cannot be updated using the special wildcard UID (UID = 0).

Key Usage Flag (KU)

This flag determines whether a key can be used for encryption/decryption or for MAC generation/verification (CMAC). If the flag is set, the key is used for MAC generation/verification. If the flag is clear, the key is used for encryption.

VERIF_ONLY Flag

If this flag is set, the key can be used only by the VERIFY_MAC command; it cannot be used by the GENERATE_MAC command. The VERIF_ONLY security flag is a CSE2-specific feature that is not defined in the SHE specification. If the CSE_CR[SFE] bit is set when the LOAD_KEY command is executed, the security flag field (FID) in the M2 message is extended by one bit with the VERIF_ONLY flag and the adjacent zero fill field is reduced to 94 bits. The CSE_CR[SFE] bit has no effect on the enforcement of the VERIF_ONLY flag for commands issued after the LOAD_KEY.

Table 4. Information to be stored with keys as per SHE spec
Slot name        Key ID    Write_Prot  Boot_Prot  Debug_Prot  Wildcard  Key_Usage  Counter
MASTER_ECU_KEY   0x1       Yes         Yes        Yes         Yes       -          Yes
BOOT_MAC_KEY     0x2       Yes         -          Yes         Yes       -          Yes
BOOT_MAC         0x3       Yes         -          Yes         Yes       -          Yes
KEY<n>           0x4-0xD   Yes         Yes        Yes         Yes       Yes        Yes
RAM_KEY          0xE       -           -          -           -         -          -

Key counter

Each user key has a 28-bit counter that must be increased every time the key is updated. The new counter value is used in the derivation of M2 when a key is being updated (see Generate M2 on page 27).

Key ID

Each key has an identifying number associated with it. This number is used to identify the key being updated and the key authorizing the update. Table 1. Memory slots on page 5 shows the Key_ID for each key.

1.8 CSE2 commands

CSE2 provides a set of commands for performing the different types of operations. The table below lists the commands available on CSE2 together with their command IDs.

Table 5. List of available commands along with Command ID
Sr. No   Command Name      Command ID
1        ENC_ECB           0x01
2        ENC_CBC           0x02
3        DEC_ECB           0x03
4        DEC_CBC           0x04
5        GENERATE_MAC      0x05
6        VERIFY_MAC        0x06
7        LOAD_KEY          0x07
8        LOAD_PLAIN_KEY    0x08
9        EXPORT_RAM_KEY    0x09
10       INIT_RNG          0x0A
11       EXTEND_SEED       0x0B
12       RND               0x0C
13       SECURE_BOOT       0x0D
14       BOOT_FAILURE      0x0E
15       BOOT_OK           0x0F
16       GET_ID            0x10
17       CANCEL            0x11
18       DEBUG_CHAL        0x12
19       DEBUG_AUTH        0x13
20       TRNG_RND          0x14
21       INIT_CSE          0x15
22       MP_COMPRESS       0x16

For a detailed description of each command along with example code, refer to CSE2 Commands with example code on page 12.

1.9 CSE2 error handling

When the CSE2 command processor encounters an error condition, it stops processing and returns an error code as described in Table 6. The CSE_SR[BSY] and CSE_SR[EX] bits are cleared and an interrupt request is generated, just as when a command completes successfully. In most cases, error conditions are detected before data processing begins and no output values are written. Intermediate or invalid output data is never written to the parameter registers or system memory. However, it is possible for outputs to system memory to be partially written when an error occurs. The CSE does not zero out this partially written data.

Table 6. Error code summary
Error Code No. / Error Description / Error Conditions

0x0   No error
      1. Command successfully executed with no errors encountered.
0x2   Command sequence error
      1. Command issued (except for CANCEL) before the SECURE_BOOT or INIT_CSE command.
      2. The DEBUG_AUTH command issued before the DEBUG_CHAL command.
      3. SECURE_BOOT or INIT_CSE command issued after an initial SECURE_BOOT or INIT_CSE is issued.
0x3   Key not available
      1. A required key is not available due to a BOOT_PROT or DEBUG_PROT security flag restriction.
0x4   Invalid key
      1. The specified key slot is not valid for the command (see the SHE specification).
      2. The specified key slot is not available due to a KEY_USAGE security flag restriction.
0x5   Empty key
      1. The specified key slot is empty.
0x6   No secure boot
      1. SECURE_BOOT issued when secure boot is disabled or the BOOT_MAC_KEY slot is empty.
      2. BOOT_FAIL or BOOT_OK issued with incorrect settings for either the CSE_SR[SB], CSE_SR[BFN] or CSE_SR[BOK] flag.
0x7   Key write protected
      1. Attempt to load a key slot with the WRITE_PROT security flag set.
      2. Attempt to enter internal debug mode (DEBUG_CHAL, DEBUG_AUTH) with a WRITE_PROT security flag set in one or more key slots.
0x8   Key update error
      The LOAD_KEY command failed due to one of the following conditions:
      1. The M3 MAC value is invalid.
      2. The wildcard UID is specified with the WILDCARD flag set.
      3. The specified UID does not match the device UID.
      4. The update counter or security flag values are not zero when loading the RAM_KEY slot.
      5. The specified update counter value is not greater than the current counter value for the slot (the counter value is zero for an empty slot).
0x9   Random number seed not initialized
      1. RND, EXTEND_SEED or DEBUG_CHAL command issued before the INIT_RNG command.
0xA   Internal debug not allowed
      1. DEBUG_AUTH command issued with an invalid MAC value.
0xB   Command issued while busy
      1. Command issued when the CSE_SR[BSY] bit is set.
0xC   System memory error
      1. A system memory error was encountered while executing the command. (The CSE flash memory block error code is generated for bus errors encountered when accessing the CSE flash memory blocks.)
0x10  Internal memory error
      1. An internal memory error was encountered while executing the command.
0x11  Invalid command
      1. Value written to the CSE_CMD register is out of range.
0x12  TRNG error
      1. One or more statistical tests run on the TRNG output failed.
0x13  CSE flash block error
      1. Error reading, programming, or erasing one of the CSE flash memory blocks.
      2. UID or SECRET_KEY required but not available.
0x14  Internal command processor error
0x15  Length error
      1. MAC length for the VERIFY_MAC command is greater than 128.
      2. Message length for the GENERATE_MAC, VERIFY_MAC, or MP_COMPRESS command is greater than 0x7FFFFFFFF (4 GB).

2 How to use CSE2

The entire functionality of CSE2 depends upon the CSE2 firmware and the secure keys. When a part leaves the factory, it is programmed with the secure firmware, the UID and the secret key. To make CSE2 functional, the user needs to load their own keys. This section of the application note helps the reader understand how to execute secure boot, how to load user keys, and how to use all the commands of CSE2.

2.1 Execution of Secure Boot

Secure boot, along with the secure boot mode, can be enabled from the DCF records. On some devices it may be programmed at the factory; if not, it can be enabled by the user. The secure image address is taken from the RCHW, and the length of the secure image over which the MAC is calculated is again configurable from the DCF records or, on some devices, from the RCHW. Once these settings are done, to execute secure boot the user needs to program MASTER_ECU_KEY and BOOT_MAC_KEY. These keys can be loaded through software using the LOAD_KEY command.
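The key gating rules of Table 3, the LOAD_KEY preconditions listed under codes 0x7 and 0x8 in Table 6, and the Key ID to slot mapping of Table 1 can be modelled on the host, so that firmware can predict the error code a command would return before it is issued and explain a 0x3/0x4/0x5/0x7/0x8 result without visibility into the secure flash. The following C code is an added example, not NXP's code or any CSE2 driver; the flag bit positions, the struct and function names, the 28-bit counter bound as a host-side sanity check, and the 0x4 code assumed for a VERIFY_ONLY violation are this example's own choices.

```c
/* Host-side model of the CSE2 key gating rules (Table 1, Table 3, Table 6).
 * Added example for this application note, not NXP code. */
#include <stdbool.h>
#include <stdint.h>

/* Security flags of Table 3. Bit positions are this example's own choice,
 * not the physical slot layout of Table 2. */
enum {
    FLAG_WRITE_PROT  = 1u << 0,
    FLAG_BOOT_PROT   = 1u << 1,
    FLAG_DEBUG_PROT  = 1u << 2,
    FLAG_KEY_USAGE   = 1u << 3,   /* set: MAC key; clear: encryption key */
    FLAG_WILDCARD    = 1u << 4,
    FLAG_VERIFY_ONLY = 1u << 5    /* CSE2-specific extension */
};

/* Error codes of Table 6 that these checks can predict. */
enum {
    EC_NO_ERROR          = 0x0,
    EC_KEY_NOT_AVAILABLE = 0x3,
    EC_INVALID_KEY       = 0x4,
    EC_EMPTY_KEY         = 0x5,
    EC_KEY_WRITE_PROT    = 0x7,
    EC_KEY_UPDATE_ERROR  = 0x8
};

/* Key IDs of Table 1. */
#define KEY_ID_RAM_KEY    0xEu
#define KEY_ID_USER_FIRST 0x4u
#define KEY_ID_USER_LAST  0xDu

/* CSE_SR bits that gate key use. */
struct cse_status { bool bok; bool bfn; bool edb; };

/* One memory slot as the application tracks it (counter is 28 bits). */
struct key_slot { bool empty; uint32_t flags; uint32_t counter; };

enum key_op { OP_ENCRYPT_DECRYPT, OP_GENERATE_MAC, OP_VERIFY_MAC };

/* Table 1: user key number (1..20) selected by a Key ID and CSE_CR[KBS];
 * 0 for the fixed slots (SECRET_KEY, MASTER_ECU_KEY, BOOT_MAC_KEY, BOOT_MAC, RAM_KEY). */
unsigned cse_user_key_number(unsigned key_id, bool kbs)
{
    if (key_id < KEY_ID_USER_FIRST || key_id > KEY_ID_USER_LAST) return 0;
    return (key_id - KEY_ID_USER_FIRST) + 1u + (kbs ? 10u : 0u);
}

/* Predict whether a crypto command may use the slot (Table 3 plus Table 6
 * codes 0x3, 0x4, 0x5). The order of the checks is this example's choice. */
unsigned cse_key_check(const struct key_slot *slot, enum key_op op, struct cse_status sr)
{
    if (slot->empty) return EC_EMPTY_KEY;
    /* BOOT_PROT keys are disabled until both BFN and BOK are set. */
    if ((slot->flags & FLAG_BOOT_PROT) && !(sr.bok && sr.bfn)) return EC_KEY_NOT_AVAILABLE;
    /* DEBUG_PROT keys are disabled once a debugger has been seen (EDB = 1). */
    if ((slot->flags & FLAG_DEBUG_PROT) && sr.edb) return EC_KEY_NOT_AVAILABLE;
    bool mac_key = (slot->flags & FLAG_KEY_USAGE) != 0;
    if (op == OP_ENCRYPT_DECRYPT && mac_key) return EC_INVALID_KEY;   /* KEY_USAGE mismatch */
    if (op != OP_ENCRYPT_DECRYPT && !mac_key) return EC_INVALID_KEY;
    /* VERIFY_ONLY matters only for MAC keys; the note gives no error code for
     * this case, so 0x4 is an assumption of this example. */
    if (op == OP_GENERATE_MAC && (slot->flags & FLAG_VERIFY_ONLY)) return EC_INVALID_KEY;
    return EC_NO_ERROR;
}

/* Predict the LOAD_KEY outcome for an update that is otherwise well formed.
 * M3 cannot be checked on the host, so only Table 6 code 0x7 and code 0x8
 * conditions 2 to 5 are modelled. 'uid_is_wildcard' means M1 carries UID = 0. */
unsigned cse_load_key_precheck(const struct key_slot *slot, unsigned key_id,
                               uint32_t new_counter, uint32_t new_flags,
                               bool uid_matches_device, bool uid_is_wildcard)
{
    if (slot->flags & FLAG_WRITE_PROT) return EC_KEY_WRITE_PROT;            /* 0x7 (1) */
    if (uid_is_wildcard && (slot->flags & FLAG_WILDCARD)) return EC_KEY_UPDATE_ERROR; /* 0x8 (2) */
    if (!uid_is_wildcard && !uid_matches_device) return EC_KEY_UPDATE_ERROR;  /* 0x8 (3) */
    if (key_id == KEY_ID_RAM_KEY) {
        /* 0x8 (4): RAM_KEY must be loaded with counter and flags both zero. */
        return (new_counter == 0 && new_flags == 0) ? EC_NO_ERROR : EC_KEY_UPDATE_ERROR;
    }
    /* 0x8 (5): counter must strictly increase; an empty slot counts as 0.
     * The 28-bit bound is a host-side sanity check added by this example. */
    uint32_t current = slot->empty ? 0u : slot->counter;
    if (new_counter > 0x0FFFFFFFu || new_counter <= current) return EC_KEY_UPDATE_ERROR;
    return EC_NO_ERROR;
}
```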

Once these keys are loaded successfully, power cycle the device. After the reset is released, CSE2 implements the SHE secure boot protocol. In some device boot modes, the BAM or system boot logic issues the SECURE_BOOT command to the CSE2, which starts the secure boot process. For details about how and when the SECURE_BOOT command is issued on this chip, see the chip-specific CSE2 information.

The first step in this process is for the CSE2 to download the command processor firmware and memory slot data from the flash memory blocks into local memory. If the BOOT_MAC_KEY slot is empty, the CSE_SR[SB] flag is cleared and the process is finished. Otherwise, the CSE_SR[SB] flag is set and CSE2 calculates the MAC over the specified bootloader code. If the BOOT_MAC slot is empty, the calculated MAC is loaded into the BOOT_MAC slot, the CSE_SR[BIN] and CSE_SR[BFN] flags are set, and the process is finished. Otherwise, the calculated MAC value is compared to the value in the BOOT_MAC slot. If the values match, the CSE_SR[BOK] bit is set; otherwise, the CSE_SR[BFN] bit is set. If the CSE_SR[BOK] flag is set, the user boot code can issue the BOOT_OK command, which sets the CSE_SR[BFN] bit. The memory slots that have the BOOT_PROT flag set are enabled when both the CSE_SR[BFN] and CSE_SR[BOK] flags are set.

The SECURE_BOOT command can run either before the user boot code is executed or in parallel with the user boot code. If the parallel mode is used, the user boot code must suspend command processing (set CSE_CR[SUS] to 1) while performing any operations, such as configuring the flash controller, that may interfere with the CSE2 accessing flash memory. A device-specific bit selects whether to run the SECURE_BOOT command before or in parallel with the user boot code. For details about this bit, see the chip-specific CSE2 information.

The CSE2 implements an internal timer that is started when the SECURE_BOOT command is issued. The initial value of the timer is set to 0x00F4_2400 (16,000,000 CSE2 system clocks). If the timer expires before the SECURE_BOOT command completes, any application code intended to be blocked by the SECURE_BOOT process will instead see the non-completed SECURE_BOOT status of CSE_SR[BSY] = 1 and CSE_SR[BOK] = 0. In the event of a SECURE_BOOT timeout, the CSE2 continues executing the SECURE_BOOT command until completion, until suspended, or until it receives the CANCEL command from the application code. There is no error code associated with a SECURE_BOOT timeout.
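The flag sequence described above (CSE_SR[SB], [BIN], [BFN], [BOK]), the effect of the BOOT_OK and BOOT_FAILURE commands, the core release rule of the three secure boot modes from section 1.4, and the secure boot timer can be written down as a small state model that is testable off-target. The following C code is an added example, not NXP's code; the function and struct names are its own, the MAC comparison is replaced by a boolean input, and the strict sequential behaviour on a first boot with an empty BOOT_MAC slot, which the note does not describe, is treated as a failed boot.

```c
/* State model of the CSE2 secure boot flags and the BOOT_OK/BOOT_FAILURE
 * commands, as described in this application note. Added example, not NXP code. */
#include <stdbool.h>
#include <stdint.h>

/* The CSE_SR flags that the secure boot process drives. */
struct boot_status {
    bool sb;   /* secure boot active (BOOT_MAC_KEY present) */
    bool bin;  /* BOOT_MAC was empty and has been initialised with the computed MAC */
    bool bfn;  /* boot finished */
    bool bok;  /* computed MAC matched BOOT_MAC */
};

enum boot_mode { BOOT_PARALLEL, BOOT_SEQUENTIAL, BOOT_STRICT_SEQUENTIAL };

/* SECURE_BOOT as described in section 2.1. 'mac_matches' stands in for the
 * CMAC comparison, which needs BOOT_MAC_KEY and therefore cannot run on the host. */
struct boot_status cse_secure_boot(bool boot_mac_key_empty, bool boot_mac_empty, bool mac_matches)
{
    struct boot_status s = { false, false, false, false };
    if (boot_mac_key_empty)           /* SB cleared, process finished */
        return s;
    s.sb = true;
    if (boot_mac_empty) {             /* first boot: MAC stored, BIN and BFN set, BOK stays clear */
        s.bin = true;
        s.bfn = true;
        return s;
    }
    if (mac_matches) s.bok = true;    /* reference MAC matched */
    else             s.bfn = true;    /* mismatch: finished without BOK */
    return s;
}

/* BOOT_OK: sets BFN and leaves BOK set. Table 6 lists code 0x6 for BOOT_OK
 * issued with wrong flag settings, so the model refuses it (returns false)
 * when BOK is not set. */
bool cse_boot_ok(struct boot_status *s)
{
    if (!s->bok) return false;
    s->bfn = true;
    return true;
}

/* BOOT_FAILURE: sets BFN and clears BOK, which disables BOOT_PROT keys. */
void cse_boot_failure(struct boot_status *s)
{
    s->bfn = true;
    s->bok = false;
}

/* Slots with BOOT_PROT set are enabled only when BFN and BOK are both set. */
bool cse_boot_prot_keys_enabled(struct boot_status s)
{
    return s.bfn && s.bok;
}

/* Core clock gate release per secure boot mode (section 1.4). The note does
 * not say what strict sequential mode does on a first boot (BIN set, BOK
 * clear); this model treats that as not passed, which is an assumption. */
bool cse_core_released(enum boot_mode mode, bool secure_boot_done, struct boot_status s)
{
    switch (mode) {
    case BOOT_PARALLEL:          return true;               /* core runs alongside CSE2 */
    case BOOT_SEQUENTIAL:        return secure_boot_done;   /* released whether passed or failed */
    case BOOT_STRICT_SEQUENTIAL: return secure_boot_done && s.bok;
    }
    return false;
}

/* Secure boot timer of section 2.1: 0x00F4_2400 CSE2 system clocks,
 * expressed in milliseconds for a given CSE2 clock frequency in Hz. */
uint32_t cse_secure_boot_timeout_ms(uint32_t cse_clock_hz)
{
    return (uint32_t)(((uint64_t)0x00F42400u * 1000u) / cse_clock_hz);
}
```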

Figure 5. Explanation of CSE2 boot process

2.2 CSE2 Commands with example code

This section of the application note helps the reader understand all the CSE2 commands in detail, along with example code for each command.

2.2.1 Encrypt ECB

The ENC_ECB command performs AES-128 encryption in ECB mode on any number of 128-bit blocks of data with the parameters specified in the table below.

Table 7. ENC_ECB command parameters
Register   Value                            Direction
CSE_CMD    0x01                             -
CSE_P1     Key ID                           Input
CSE_P2     Number of blocks (n)             Input
CSE_P3     First plain text block address   Input
CSE_P4     First cipher text block address  Output
CSE_P5     -                                -

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t plain_text[16];                /* 4 blocks of 128 bits */
vuint32_t cipher_text[16];

CSE.P1.R = KEY_ID;                       /* Key used for encryption has KEY_USAGE = 0 */
CSE.P2.R = 4;                            /* 4 blocks of 128-bit data to be encrypted */
CSE.P3.R = (vuint32_t) &plain_text;      /* Pointer to data to be encrypted */
CSE.P4.R = (vuint32_t) &cipher_text;     /* Pointer where encrypted data is to be stored */
CSE.CMD.R = 0x01;                        /* ENC_ECB command ID */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

After successful command execution, the output is stored in cipher_text (4 blocks).

2.2.2 Encrypt CBC

The ENC_CBC command performs AES-128 encryption in CBC mode on any number of 128-bit blocks of data with the parameters specified in the table below. The number of blocks parameter is a 32-bit value.

Table 8. ENC_CBC command parameters
Register   Value                            Direction
CSE_CMD    0x02                             -
CSE_P1     Key ID                           Input
CSE_P2     IV address                       Input
CSE_P3     Number of blocks (n)             Input
CSE_P4     First plain text block address   Input
CSE_P5     First cipher text block address  Output

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t plain_text[16];
vuint32_t cipher_text[16];
vuint32_t IV_ARRAY[4];                   /* 128-bit initialization vector */

CSE.P1.R = KEY_ID;                       /* Key used for encryption has KEY_USAGE = 0 */
CSE.P2.R = (vuint32_t) &IV_ARRAY;        /* Pointer to IV array */
CSE.P3.R = 4;                            /* 4 blocks of 128-bit data to be encrypted */
CSE.P4.R = (vuint32_t) &plain_text;      /* Pointer to data to be encrypted */
CSE.P5.R = (vuint32_t) &cipher_text;     /* Pointer where encrypted data is to be stored */
CSE.CMD.R = 0x02;                        /* ENC_CBC command ID */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

After successful command execution, the output is stored in cipher_text (4 blocks).

2.2.3 Decrypt ECB

The DEC_ECB command performs AES-128 decryption in ECB mode on any number of 128-bit blocks of data with the parameters specified in the table below.

Table 9. DEC_ECB command parameters
Register   Value                            Direction
CSE_CMD    0x03                             -
CSE_P1     Key ID                           Input
CSE_P2     Number of blocks (n)             Input
CSE_P3     First cipher text block address  Input
CSE_P4     First plain text block address   Output
CSE_P5     -                                -

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t plain_text[16];
vuint32_t cipher_text[16];

CSE.P1.R = KEY_ID;                       /* Key used for decryption has KEY_USAGE = 0 */
CSE.P2.R = 4;                            /* 4 blocks of 128-bit data to be decrypted */
CSE.P3.R = (vuint32_t) &cipher_text;     /* Pointer to data to be decrypted */
CSE.P4.R = (vuint32_t) &plain_text;      /* Pointer where decrypted data is to be stored */
CSE.CMD.R = 0x03;                        /* DEC_ECB command ID */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

After successful command execution, the output is stored in plain_text (4 blocks).

2.2.4 Decrypt CBC

The DEC_CBC command performs AES-128 decryption in CBC mode on any number of 128-bit blocks of data with the parameters specified in the table below. The number of blocks parameter is a 32-bit value.

Table 10. DEC_CBC command parameters
Register   Value                            Direction
CSE_CMD    0x04                             -
CSE_P1     Key ID                           Input
CSE_P2     IV address                       Input
CSE_P3     Number of blocks (n)             Input
CSE_P4     First cipher text block address  Input
CSE_P5     First plain text block address   Output

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t plain_text[16];
vuint32_t cipher_text[16];
vuint32_t IV_ARRAY[4];                   /* Same IV that was used for encryption */

CSE.P1.R = KEY_ID;                       /* Key used for decryption has KEY_USAGE = 0 */
CSE.P2.R = (vuint32_t) &IV_ARRAY;        /* Pointer to IV array */
CSE.P3.R = 4;                            /* 4 blocks of 128-bit data to be decrypted */
CSE.P4.R = (vuint32_t) &cipher_text;     /* Pointer to data to be decrypted */
CSE.P5.R = (vuint32_t) &plain_text;      /* Pointer where decrypted data is to be stored */
CSE.CMD.R = 0x04;                        /* DEC_CBC command ID */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

After successful command execution, the output is stored in plain_text (4 blocks).

2.2.5 Generate MAC

The GENERATE_MAC command calculates the MAC of a given message with the parameters specified in the table below. The AES CMAC algorithm is used to calculate a 128-bit MAC output. The message length input is a 64-bit value that specifies the length of the message in bits. A length error (EC = 0x15) is returned if the message length is greater than 0x7FFFFFFFF (4 GB).

Table 11. GENERATE_MAC command parameters
Register   Value                          Direction
CSE_CMD    0x05                           -
CSE_P1     Key ID                         Input
CSE_P2     Message length (bits) address  Input
CSE_P3     Message start address          Input
CSE_P4     MAC address                    Output
CSE_P5     -                              -

Example code:

```c
typedef volatile unsigned int vuint32_t;
unsigned long long int length = 256;     /* 64-bit message length in bits */
vuint32_t MSG_ARRAY[8];                  /* 256-bit message */
vuint32_t MAC_VALUE[4];                  /* 128-bit MAC output */
unsigned int fail_count = 0;

CSE.P1.R = KEY_ID;                       /* Key has KEY_USAGE = 1 (CMAC) */
CSE.P2.R = (vuint32_t) &length;          /* Address of the message length: MAC over 256 bits */
CSE.P3.R = (vuint32_t) &MSG_ARRAY;       /* Message of which the MAC is to be calculated */
CSE.P4.R = (vuint32_t) &MAC_VALUE;       /* Pointer where the MAC will be stored */
CSE.CMD.R = 0x05;                        /* Command ID of GENERATE_MAC */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
if (CSE.ECR.R != 0) fail_count++;        /* Non-zero error code: see Table 6 */
```

After successful command execution, the output MAC is stored in MAC_VALUE (128 bits).

2.2.6 VERIFY_MAC

The VERIFY_MAC command verifies the MAC of a given message with the parameters specified in the table below. The AES CMAC algorithm is used to calculate a 128-bit MAC that is truncated per the MAC length parameter, which specifies the number of most significant bits of the MAC to compare. A MAC length value of 0 indicates that all 128 bits are compared; a value greater than 128 returns a length error (EC = 0x15). The message length input is a 64-bit value that specifies the length of the message in bits. A length error (EC = 0x15) is returned if the message length is greater than 0x7FFFFFFFF (4 GB). If the input MAC matches the MAC calculated over the message, the CSE.P5 register is set to 0; otherwise it is set to 1.

Table 12. VERIFY_MAC command parameters
Register   Value                                     Direction
CSE_CMD    0x06                                      -
CSE_P1     Key ID                                    Input
CSE_P2     Message length (bits) address             Input
CSE_P3     Message start address                     Input
CSE_P4     MAC address                               Input
CSE_P5     MAC length (bits) / Verification status   Input / Output

Example code:

```c
typedef volatile unsigned int vuint32_t;
unsigned long long int length = 256;            /* 64-bit message length in bits */
unsigned long long int bits_to_validate = 128;  /* MAC bits to compare; 0 or 128 compares all bits */
vuint32_t MSG_ARRAY[8];                         /* 256-bit message */
vuint32_t MAC_VALUE[4];                         /* 128-bit MAC to be verified */
unsigned int fail_count = 0;

CSE.P1.R = KEY_ID;                              /* Key has KEY_USAGE = 1 (CMAC) */
CSE.P2.R = (vuint32_t) &length;                 /* Address of the message length: MAC over 256 bits */
CSE.P3.R = (vuint32_t) &MSG_ARRAY;              /* Message over which the MAC is verified */
CSE.P4.R = (vuint32_t) &MAC_VALUE;              /* Pointer to the MAC to be verified */
CSE.P5.R = (vuint32_t) &bits_to_validate;       /* Bits to be compared */
CSE.CMD.R = 0x06;                               /* Command ID of VERIFY_MAC */
while (CSE.SR.B.BSY == 1) {}                    /* Wait for the command to complete */
if (CSE.ECR.R != 0) fail_count++;               /* Command returned an error code */
if (CSE.P5.R != 0) fail_count++;                /* Verification status: 0 = MAC matched */
```

After successful command execution, the verification status can be read in the CSE.P5 register.

2.2.7 LOAD_KEY

The LOAD_KEY command updates a memory slot, using the parameters specified in the table below, per the SHE memory slot update protocol. The 128-bit M1 message contains the UID, the Key ID and the authentication Key ID. The 256-bit M2 message contains the new security flags, counter and key value, all encrypted using a key derived from the authentication key. The 128-bit M3 message is a MAC generated over the M1 and M2 messages. The 256-bit M4 message is the concatenation of the UID, Key ID, authorization Key ID and encrypted counter value. The 128-bit M5 message is the MAC calculated over message M4. For details on how to generate the M1-M5 messages, refer to Memory update protocol on page 26.

Table 13. LOAD_KEY command parameters
Register   Value        Direction
CSE_CMD    0x07         -
CSE_P1     M1 address   Input
CSE_P2     M2 address   Input
CSE_P3     M3 address   Input
CSE_P4     M4 address   Output
CSE_P5     M5 address   Output

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t M1[4];                         /* 128-bit M1: UID, Key ID, authentication Key ID */
vuint32_t M2[8];                         /* 256-bit M2: encrypted flags, counter and key */
vuint32_t M3[4];                         /* 128-bit M3: MAC over M1 and M2 */
vuint32_t M4[8];                         /* 256-bit M4: output */
vuint32_t M5[4];                         /* 128-bit M5: output MAC over M4 */

CSE.P1.R = (vuint32_t) &M1;              /* Pointer to M1 */
CSE.P2.R = (vuint32_t) &M2;              /* Pointer to M2 */
CSE.P3.R = (vuint32_t) &M3;              /* Pointer to M3 */
CSE.P4.R = (vuint32_t) &M4;              /* Pointer to M4 */
CSE.P5.R = (vuint32_t) &M5;              /* Pointer to M5 */
CSE.CMD.R = 0x07;                        /* Command ID of LOAD_KEY */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

2.2.8 LOAD_PLAIN_KEY

The LOAD_PLAIN_KEY command updates the RAM key memory slot with a 128-bit plain text key, with the parameters shown in the table below.

Table 14. LOAD_PLAIN_KEY command parameters
Register   Value               Direction
CSE_CMD    0x08                -
CSE_P1     Plain Key address   Input
CSE_P2     -                   -
CSE_P3     -                   -
CSE_P4     -                   -
CSE_P5     -                   -

Example code:

```c
typedef volatile unsigned int vuint32_t;
/* User specific key; the fourth word is not legible in the source, 0x00000000 is a placeholder */
vuint32_t KEY_TO_BE_LOADED[4] = {0xABABABAB, 0xCDCDCDCD, 0xEFEFEFEF, 0x00000000};

CSE.P1.R = (vuint32_t) &KEY_TO_BE_LOADED; /* Pointer to key to be loaded */
CSE.CMD.R = 0x08;                         /* Command ID of LOAD_PLAIN_KEY */
while (CSE.SR.B.BSY == 1) {}              /* Polling for busy bit to get clear */
```

After successful execution of the command, RAM_KEY (KEY_ID = 0xE) is loaded.

2.2.9 EXPORT_RAM_KEY

The EXPORT_RAM_KEY command exports the RAM key data with the parameters in the table below. Only keys loaded with the LOAD_PLAIN_KEY command may be exported. The output messages are compatible with the messages used for LOAD_KEY.

Table 15. EXPORT_RAM_KEY command parameters
Register   Value        Direction
CSE_CMD    0x09         -
CSE_P1     M1 address   Output
CSE_P2     M2 address   Output
CSE_P3     M3 address   Output
CSE_P4     M4 address   Output
CSE_P5     M5 address   Output

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t M1[4];                         /* 128-bit M1 output */
vuint32_t M2[8];                         /* 256-bit M2 output */
vuint32_t M3[4];                         /* 128-bit M3 output */
vuint32_t M4[8];                         /* 256-bit M4 output */
vuint32_t M5[4];                         /* 128-bit M5 output */

CSE.P1.R = (vuint32_t) &M1;              /* Pointer to M1 */
CSE.P2.R = (vuint32_t) &M2;              /* Pointer to M2 */
CSE.P3.R = (vuint32_t) &M3;              /* Pointer to M3 */
CSE.P4.R = (vuint32_t) &M4;              /* Pointer to M4 */
CSE.P5.R = (vuint32_t) &M5;              /* Pointer to M5 */
CSE.CMD.R = 0x09;                        /* Command ID of EXPORT_RAM_KEY */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

All the parameters of this command are generated as output. Once this command has executed successfully, these M1-M5 messages can be used as input to the LOAD_KEY command.

2.2.10 Initialize RNG

The INIT_TRNG command (INIT_RNG in Table 5) initializes the internal PRNG state with a seed value generated by the TRNG and sets the CSE.SR[RIN] flag. It takes 2048 TRNG clock cycles to generate a seed value. The divider in the CSE.CR[DIV] field must be set properly before executing this command. There is a very small probability that this command will return a TRNG error (EC = 0x12). The INIT_TRNG command must be issued after each reset before the RND command is issued. This command has no parameters.

Table 16. INIT_TRNG command parameters
Register   Value   Direction
CSE_CMD    0x0A    -
CSE_P1     -       -
CSE_P2     -       -
CSE_P3     -       -
CSE_P4     -       -
CSE_P5     -       -

Example code: refer to the example code of Generate random number on page 20.

2.2.11 Extended PRNG Seed

The EXTENDED_SEED command (EXTEND_SEED in Table 5) extends the state of the PRNG using a 128-bit entropy input value. The current PRNG state and the input data are compressed into a new PRNG state value. This command is issued with the parameters shown in the table below.

Table 17. EXTENDED_PRNG command parameters
Register   Value                   Direction
CSE_CMD    0x0B                    -
CSE_P1     Entropy value address   Input
CSE_P2     -                       -
CSE_P3     -                       -
CSE_P4     -                       -
CSE_P5     -                       -

Example code: refer to the example code of Generate random number on page 20.

2.2.12 Generate random number

The RND command generates a 128-bit random value and updates the state of the internal PRNG. The PRNG state must be initialized after reset using the INIT_TRNG command before this command can be issued. This command is issued with the parameters shown in the table below.

Table 18. RND command parameters
Register   Value                  Direction
CSE_CMD    0x0C                   -
CSE_P1     Random value address   Output
CSE_P2     -                      -
CSE_P3     -                      -
CSE_P4     -                      -
CSE_P5     -                      -

Example code:

```c
typedef volatile unsigned int vuint32_t;
vuint32_t entropy[4];                    /* Optional 128-bit entropy input */
vuint32_t random_number[4];              /* 128-bit random output */

/* Setting the divider value */
CSE.CR.B.DIV = k;                        /* For the value of k, refer to the CR register description */

/* Initializing the TRNG */
CSE.CMD.R = 0x0A;                        /* Command ID for INIT_TRNG */
while (CSE.SR.B.RIN == 0) {}             /* Polling the RIN flag to get set */

/* Extending entropy (this command is optional; use it when extra entropy is to be added) */
CSE.P1.R = (vuint32_t) &entropy;         /* Pointer to the entropy value */
CSE.CMD.R = 0x0B;                        /* Command ID for EXTENDED_SEED */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */

/* Generating the random number */
CSE.P1.R = (vuint32_t) &random_number;   /* Pointer where the random value will be stored */
CSE.CMD.R = 0x0C;                        /* Command ID for RND */
while (CSE.SR.B.BSY == 1) {}             /* Wait for the command to complete */
```

SECURE_BOOT

The SECURE_BOOT command loads the command processor firmware and memory slot data from the CSE flash memory blocks, and then executes the SHE secure boot protocol using the parameters shown in the table below. For details on SECURE_BOOT, refer to Execution of Secure Boot on page 10.

Table 19. SECURE_BOOT command parameters

  Register   Value                      Direction
  CSE_CMD    0x0D                       -
  CSE_P1     Bootloader size            Input
  CSE_P2     Bootloader start address   Input
  CSE_P3     Firmware version           Output
  CSE_P4     -                          -
  CSE_P5     -                          -

BOOT_FAILURE

The BOOT_FAILURE command sets the CSE.SR[BFN] flag and clears the CSE.SR[BOK] flag. Once the CSE.SR[BOK] flag is cleared, keys with the BOOT_PROT flag set are disabled for use. This command has no parameters to be passed, as shown in the table below.

Table 20. BOOT_FAILURE command parameters

  Register   Value   Direction
  CSE_C
  CSE_CMD    0x0E    -
  CSE_P1     -       -
  CSE_P2     -       -
  CSE_P3     -       -
  CSE_P4     -       -
  CSE_P5     -       -

Example code:

    CSE.CMD.R = 0x0E;   /* Command ID for BOOT_FAILURE */

BOOT_OK

The BOOT_OK command sets the CSE.SR[BFN] flag and leaves the CSE.SR[BOK] flag set to confirm the successful completion of the secure boot process. This enables the use of keys with the BOOT_PROT flag set if they are not disabled for some other reason. This command has no parameters to be passed, as shown in the table below.

Table 21. BOOT_OK command parameters

  Register   Value   Direction
  CSE_CMD    0x0F    -
  CSE_P1     -       -
  CSE_P2     -       -
  CSE_P3     -       -
  CSE_P4     -       -
  CSE_P5     -       -

Example code:

    CSE.CMD.R = 0x0F;   /* Command ID for BOOT_OK */

GET_ID

The GET_UID command returns the UID, CSE_SR[24:31] and a 128-bit MAC calculated over the concatenation of a 128-bit input challenge value, the UID and CSE_SR[24:31]. MASTER_ECU_KEY is used for the MAC calculation. A value of zero is returned for the MAC if the MASTER_ECU_KEY slot is empty. The UID output is a 128-bit value with the eight least significant bits set to zero. This command is issued with the parameters shown in the table below.

Table 22. GET_UID command parameters

  Register   Value                Direction
  CSE_CMD    0x10                 -
  CSE_P1     Challenge address    Input
  CSE_P2     UID output address   Output
  CSE_P3     CSE_SR[24:31]        Output
  CSE_P4     MAC address          Output
  CSE_P5     -                    -

Example code:

    typedef volatile unsigned int vuint32_t;
    /* user selects these values */
    unsigned char get_id_challenge[16] = {0xE6, 0xFE, 0x09, 0x7D, 0xBC, 0x72, 0x3E, 0x2C,
                                          0xF0, 0xEA, 0x41, 0x6F, 0xE6, 0x8A, 0xD3, 0x3E};
    vuint32_t GET_ID_UID[4];
    vuint32_t UID_MAC[4];

    CSE.P1.R  = (vuint32_t) &get_id_challenge;   /* Pointer to ID challenge */
    CSE.P2.R  = (vuint32_t) &GET_ID_UID;         /* Pointer to location where the UID is to be stored */
    CSE.P3.R  = 0;                               /* CSE_SR[24:31] is returned here */
    CSE.P4.R  = (vuint32_t) &UID_MAC;            /* Pointer to location where the MAC is to be stored */
    CSE.CMD.R = 0x10;                            /* Command ID of GET_ID */
    while (CSE.SR.B.BSY == 1) {}                 /* wait until CSE is idle */

After successful completion of this command, the UID will be stored in GET_ID_UID[4].

CANCEL

The CANCEL command aborts processing of the current command and clears the CSE_SR[BSY] flag. This command is issued with no parameters, as shown in the table below.

Table 23. CANCEL command parameters

  Register   Value   Direction
  CSE_CMD    0x11    -
  CSE_P1     -       -
  CSE_P2     -       -
  CSE_P3     -       -
  CSE_P4     -       -
  CSE_P5     -       -

Example code:

    CSE.CMD.R = 0x11;   /* Command ID for CANCEL */

DEBUG_CHALLENGE

The DEBUG_CHAL command generates a 128-bit random challenge output value that is used in conjunction with the DEBUG_AUTH command. The PRNG state must be initialized after reset using the INIT_TRNG command before this command can be issued. This command is issued with the parameter shown in the table below.

Table 24. DEBUG_CHAL command parameters

  Register   Value               Direction
  CSE_CMD    0x12                -
  CSE_P1     Challenge address   Output
  CSE_P2     -                   -
  CSE_P3     -                   -
  CSE_P4     -                   -
  CSE_P5     -                   -

Example code: Example code can be seen in Resetting the secure flash to its factory state on page 31.

DEBUG_AUTHORIZATION

The DEBUG_AUTH command erases all user keys and sets the CSE_SR[IDB] flag, which enables internal debugging, if the 128-bit authorization input value is valid and no memory slots are write protected. The authorization input is generated using the DEBUG_CHAL command output and the UID as described in the SHE Functional Specification. If the DEBUG_CHAL command is not issued before the DEBUG_AUTH command, a command sequence error (EC = 0x02) is returned. However, other commands may be issued between the DEBUG_CHAL and DEBUG_AUTH commands. This command is issued with the parameter shown in the table below.

Table 25. DEBUG_AUTH command parameters

  Register   Value                   Direction
  CSE_CMD    0x13                    -
  CSE_P1     Authorization address   Input
  CSE_P2     -                       -
  CSE_P3     -                       -
  CSE_P4     -                       -
  CSE_P5     -                       -

Example code: Example code can be seen in Resetting the secure flash to its factory state on page 31.

Generate TRNG Random Number

The TRNG_RND command generates a 128-bit random output value using the TRNG. It takes 2048 TRNG clock cycles to generate a random value. The CSE_CR[DIV] field must be properly configured before this command is executed. This command takes much longer to execute than the RND command, which should normally be used to generate random values. There is a very small probability that this command may return a TRNG error (EC = 0x12) even when the TRNG is operating properly. This command is issued with the parameter shown in the table below.

Table 26. TRNG_RAND command parameters

  Register   Value                  Direction
  CSE_CMD    0x14                   -
  CSE_P1     Random value address   Output
  CSE_P2     -                      -
  CSE_P3     -                      -
  CSE_P4     -                      -
  CSE_P5     -                      -

Example code:

    typedef volatile unsigned int vuint32_t;
    vuint32_t entropy[4];          /* fill with caller-supplied entropy before EXTENDED_SEED */
    vuint32_t random_number[4];

    // Setting the divider value
    CSE.CR.B.DIV = k;              /* For the value of k, refer to the CR register description */

    // Initializing TRNG
    CSE.CMD.R = 0x0A;              /* Command ID for INIT_TRNG */
    while (CSE.SR.B.RIN == 0) {}   /* Polling RIN flag to get set */

    // Extending entropy (this command is optional; use it if extended entropy is required to be added)
    CSE.P1.R  = (vuint32_t) &entropy;
    CSE.CMD.R = 0x0B;              /* Command ID for EXTENDED_SEED */
    while (CSE.SR.B.BSY == 1) {}   /* wait until CSE is idle */

    // Generating random number
    CSE.P1.R  = (vuint32_t) &random_number;
    CSE.CMD.R = 0x14;              /* Command ID for TRNG_RND */
    while (CSE.SR.B.BSY == 1) {}   /* wait until CSE is idle */

After successful execution of this command, the output will be stored in random_number[4].

INITIALIZE_CSE

The INIT_CSE command loads the command processor firmware and memory slot data from the CSE2 flash memory blocks into local memory. It does not execute the secure boot protocol. The CSE2 firmware version is loaded into the CSE_P1 register, as shown in the table below. This command must be issued before any other command when secure boot is not enabled.

Table 27. INIT_CSE command parameters

  Register   Value              Direction
  CSE_CMD    0x15               -
  CSE_P1     Firmware version   Output
  CSE_P2     -                  -
  CSE_P3     -                  -
  CSE_P4     -                  -
  CSE_P5     -                  -

Example code:

    CSE.CMD.R = 0x15;   /* Command ID for INIT_CSE */

Miyaguchi-Preneel (MP) Compression

The MP_COMPRESS command is a one-way compression function used to derive a 128-bit output from a given message with the parameters specified in the table below. The AES ECB algorithm is used to derive the 128-bit output as described in the SHE specification. The message length input is a 64-bit value which specifies the length of the message in bits. A length error (EC = 0x15) is returned if the message length is greater than 0x7ffffffff (4 GB).

Table 28. MP_COMPRESS command parameters

  Register   Value                           Direction
  CSE_CMD    0x16                            -
  CSE_P1     Message length (bits) address   Input
  CSE_P2     Message start address           Input
  CSE_P3     Output address                  Output
  CSE_P4     -                               -
  CSE_P5     -                               -

Example code:

    typedef volatile unsigned int vuint32_t;
    /* Length is 176 rather than 256 because of internal padding by the MP_COMPRESS function */
    unsigned long long int length = 176;
    vuint32_t MSG_ARRAY[8];                       /* Message of which MP_COMPRESS is to be calculated */
    vuint32_t MP_COMPRESS_VALUE[4];

    CSE.P1.R  = (vuint32_t) &length;              /* Pointer to the 64-bit message length (bits) */
    CSE.P2.R  = (vuint32_t) &MSG_ARRAY;           /* Message start address */
    CSE.P3.R  = (vuint32_t) &MP_COMPRESS_VALUE;   /* Pointer where the MP_COMPRESS output will be stored */
    CSE.CMD.R = 0x16;                             /* Command ID of MP_COMPRESS */
    while (CSE.SR.B.BSY == 1) {}                  /* wait until CSE is idle */

After successful execution of this command, the output will be stored in MP_COMPRESS_VALUE.

3 APPENDIX A

3.1 Memory update protocol

By memory update protocol, we mean loading user keys into secure memory. To load user keys into secure memory using the LOAD_KEY command, we need to have M1, M2, M3, M4 and M5 ready. In this section of the application note, the generation of M1-M5 is explained along with an example of the LOAD_KEY command.

Generating M1, M2, M3

In order to generate M1, M2 and M3, the following steps must be performed.

Generate K1

    K1 = KDF(KAuthID, KEY_UPDATE_ENC_C)

KDF is the key derivation function which derives a secret key (K1) from a secret value.

KAuthID - Authorizing key value. In the case where a part from the factory has no keys programmed (the Secure Flash is erased), the value stored in flash does not have a valid checksum and CSE2 does not copy it to RAM at initialization, hence this value in the CSE2's RAM is zero. In this case, we use AuthID = KEY_ID (i.e. the authorizing key will be the key itself).

KEY_UPDATE_ENC_C - Constant value defined by SHE as: 0x01015348_45008000_00000000_000000B0

Generate K2

    K2 = KDF(KAuthID, KEY_UPDATE_MAC_C)

KEY_UPDATE_MAC_C - Constant value defined by SHE as: 0x01025348_45008000_00000000_000000B0

Generate M1

    M1 = UID | ID | AuthID

AuthID can be either ID (number of the key being updated) or the MASTER_ECU_KEY number (0x1).
UID can be 0 (wildcard value) because WC flag = 0 on parts from the factory.
UID is 120 bits; ID and AuthID are four bits each.

Generate M2

    M2 = ENC_CBC,K1,IV=0 (CID | FID | 0...0 (95 bits) | KID)

Run a CBC encryption using K1 (as defined previously) with initial value (IV) = 0.
The message for encryption is a concatenation of:
  1. CID - the new counter value (28 bits). 0x1 in this case.
  2. FID - new protection flags - WP BP DP KU WC (5 bits)
  3. 95 zeros to fill the first 128-bit block with zeros
  4. KID - the new key value (128 bits)

Generate M3

    M3 = CMAC_K2(M1 | M2)

A CMAC is performed over M1 and M2 using key K2.

Generating M4, M5

When the CSE_LOAD_KEY command is issued, CSE2 derives M4 and M5. These values can be independently generated offline and compared against those generated by the CSE2.

Generate K3

    K3 = KDF(KEYID, KEY_UPDATE_ENC_C)

KEY_UPDATE_ENC_C - Constant value defined by SHE as: 0x01015348_45008000_00000000_000000B0

Generate M4

    M4 = UID | ID | AuthID | M4*

M4 is a concatenation of:
  1. UID - Unique ID (120 bits)
  2. ID - number of the key updated (4 bits)
  3. AuthID - number of the key authorizing the update (4 bits)
  4. M4* - the encrypted counter value; prior to encryption the counter value (28 bits) is padded with a 1 and 99 0s. The key for the ECB encryption is K3 (derived as above).

Generate M5

    M5 = CMAC_K4(M4)
    K4 = KDF(KEYID, KEY_UPDATE_MAC_C)

If M4 and M5 match what was calculated offline and CSE2 returns NO_ERROR in the CSE_ECR (Error Code Register), then the LOAD_KEY command was successful.

NOTE
If a key has its Write Protect (WP) attribute set, the key cannot ever be updated or erased. Write Protection should only be used when the user is certain that the key never needs to be changed or erased. Setting Write Protection on any single key means that the part cannot be reset to its factory state using the DEBUG CHALLENGE/AUTHORIZATION sequence. See section Appendix B, Resetting the Secure flash to its Factory State.

3.2 Example Code For Updating a Key In Secure Memory

In this example, we will update the key with ID = 0x1 (MASTER_ECU_KEY) for the first time.
    #define CSE_MP_COMPRESS 0x16                   /* Command ID of MP_COMPRESS */
    typedef volatile unsigned int vuint32_t;

    /* KDF function definition */
    void KDF(char *key, char *constant, char *d_key)
    {
        char mpc_in[32];
        unsigned long long mpc_len = 176;

        /* copy key + constant to mpc_in, 32 bits at a time */
        *(vuint32_t *) &mpc_in[0]  = *(vuint32_t *) &key[0];
        *(vuint32_t *) &mpc_in[4]  = *(vuint32_t *) &key[4];
        *(vuint32_t *) &mpc_in[8]  = *(vuint32_t *) &key[8];
        *(vuint32_t *) &mpc_in[12] = *(vuint32_t *) &key[12];
        *(vuint32_t *) &mpc_in[16] = *(vuint32_t *) &constant[0];
        *(vuint32_t *) &mpc_in[20] = *(vuint32_t *) &constant[4];
        *(vuint32_t *) &mpc_in[24] = *(vuint32_t *) &constant[8];
        *(vuint32_t *) &mpc_in[28] = *(vuint32_t *) &constant[12];

        CSE.P1.R  = (vuint32_t) &mpc_len;          /* message length (bits) address */
        CSE.P2.R  = (vuint32_t) &mpc_in;           /* message start address */
        CSE.P3.R  = (vuint32_t) d_key;             /* output address of derived key */
        CSE.CMD.R = CSE_MP_COMPRESS;               /* issue MP_COMPRESS command */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */
    }

    /* function to upload key */
    void key_update(void)
    {
        vuint32_t M1[4], m2_input[8], M2[8], m3_input[12], M3[4], m4_input_1[4], m4_input[4],
                  M4[8], M4_OUTPUT[8], M5[4], K1[4];
        vuint32_t id, authid, cid, fid;
        char K2[16], K3[16], K4[16];
        unsigned int verif_only_flag = 0;          /* 1 if the verify-only flag is to be set (6-bit flag field) */

        /* User specific values; the zero words are placeholders, fill in your own key */
        vuint32_t new_key[4] = {0x00000000, 0x00000000, 0x00000000, 0x00000000};
        /* If the UID is not known, use the GET_UID command to obtain the UID value.
           In this example, the UID below is used (placeholder words, fill in your own UID) */
        vuint32_t uid[4] = {0x00000000, 0x00000000, 0x00000000, 0x00000000};

        /* Constant values (as defined by SHE) */
        vuint32_t KEY_UPDATE_ENC_C[4] = {0x01015348, 0x45008000, 0x00000000, 0x000000B0};
        vuint32_t KEY_UPDATE_MAC_C[4] = {0x01025348, 0x45008000, 0x00000000, 0x000000B0};
        vuint32_t initial_value_cbc[4] = {0, 0, 0, 0};
        unsigned long long length  = 384;          /* bit length of M1 | M2 for the M3 CMAC */
        unsigned long long length2 = 256;          /* bit length of M4 for the M5 CMAC */

        /* k_authid is all 0 in case the key is being loaded for the first time.
           If the key is being updated, i.e. there is already a key in memory with the same KEY_ID,
           then k_authid is either MASTER_ECU_KEY or the 128-bit key value already loaded in memory */
        vuint32_t k_authid[4] = {0, 0, 0, 0};

        /* Generating K1, K2, K3, K4 */
        KDF((char *) k_authid, (char *) KEY_UPDATE_ENC_C, (char *) K1);
        KDF((char *) k_authid, (char *) KEY_UPDATE_MAC_C, (char *) K2);
        KDF((char *) new_key,  (char *) KEY_UPDATE_ENC_C, (char *) K3);
        KDF((char *) new_key,  (char *) KEY_UPDATE_MAC_C, (char *) K4);

        /* Generating M1 */
        id     = 0x1;                              /* Key ID */
        authid = 0x1;                              /* Authorization Key ID */
        M1[0] = uid[0];
        M1[1] = uid[1];
        M1[2] = uid[2];
        M1[3] = uid[3] + (id << 4) + authid;

        /* Generating M2 */
        cid = 0x1;                                 /* counter value 1 as loading for the first time */
        fid = 0;                                   /* flags to be set on the key; here no flag is set */
        if (verif_only_flag) {                     /* if the verify-only flag is to be set */
            m2_input[0] = (cid << 4) | (fid >> 2);
            m2_input[1] = (fid << 30);
        } else {
            m2_input[0] = (cid << 4) | (fid >> 1);
            m2_input[1] = (fid << 31);
        }
        m2_input[2] = 0;
        m2_input[3] = 0;
        m2_input[4] = new_key[0];
        m2_input[5] = new_key[1];
        m2_input[6] = new_key[2];
        m2_input[7] = new_key[3];

        CSE.P1.R  = (vuint32_t) &K1;
        CSE.CMD.R = 0x8;                           /* LOAD_PLAIN_KEY */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */
        CSE.P1.R  = 0xE;                           /* RAM key */
        CSE.P2.R  = (vuint32_t) &initial_value_cbc;
        CSE.P3.R  = 2;                             /* number of blocks */
        CSE.P4.R  = (vuint32_t) &m2_input;
        CSE.P5.R  = (vuint32_t) &M2;
        CSE.CMD.R = 0x2;                           /* CSE_ENC_CBC */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */

        /* Generating M3 */
        m3_input[0]  = M1[0];
        m3_input[1]  = M1[1];
        m3_input[2]  = M1[2];
        m3_input[3]  = M1[3];
        m3_input[4]  = M2[0];
        m3_input[5]  = M2[1];
        m3_input[6]  = M2[2];
        m3_input[7]  = M2[3];
        m3_input[8]  = M2[4];
        m3_input[9]  = M2[5];
        m3_input[10] = M2[6];
        m3_input[11] = M2[7];

        CSE.P1.R  = (vuint32_t) &K2;
        CSE.CMD.R = 0x8;                           /* LOAD_PLAIN_KEY */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */
        CSE.P1.R  = 0xE;                           /* RAM key */
        CSE.P2.R  = (vuint32_t) &length;           /* msg length (bits) address */
        CSE.P3.R  = (vuint32_t) &m3_input;
        CSE.P4.R  = (vuint32_t) &M3;
        CSE.CMD.R = 0x5;                           /* GENERATE_MAC */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */

        /* Generating M4 */
        m4_input_1[0] = (cid << 4) + 8;            /* cid is the counter value, padded with a 1 bit and zeros */
        m4_input_1[1] = 0;
        m4_input_1[2] = 0;
        m4_input_1[3] = 0;

        CSE.P1.R  = (vuint32_t) &K3;
        CSE.CMD.R = 0x8;                           /* LOAD_PLAIN_KEY */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */
        CSE.P1.R  = 0xE;                           /* RAM key */
        CSE.P2.R  = 1;                             /* number of blocks */
        CSE.P3.R  = (vuint32_t) &m4_input_1;
        CSE.P4.R  = (vuint32_t) &m4_input;
        CSE.CMD.R = 0x1;                           /* ENC_ECB: M4* is the ECB encryption of the padded counter */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */

        M4[0] = uid[0];
        M4[1] = uid[1];
        M4[2] = uid[2];
        M4[3] = uid[3] + (id << 4) + authid;
        M4[4] = m4_input[0];
        M4[5] = m4_input[1];
        M4[6] = m4_input[2];
        M4[7] = m4_input[3];

        /* Generating M5 */
        CSE.P1.R  = (vuint32_t) &K4;
        CSE.CMD.R = 0x8;                           /* LOAD_PLAIN_KEY */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */
        CSE.P1.R  = 0xE;                           /* RAM key */
        CSE.P2.R  = (vuint32_t) &length2;          /* msg length (bits) address */
        CSE.P3.R  = (vuint32_t) &M4;
        CSE.P4.R  = (vuint32_t) &M5;
        CSE.CMD.R = 0x5;                           /* GENERATE_MAC */
        while (CSE.SR.B.BSY == 1) {}               /* wait until CSE is idle */

        /* M1..M5 are now ready for the LOAD_KEY command (see the LOAD_KEY section); the M4 and M5
           returned by CSE2 (e.g. into M4_OUTPUT) must match the values computed above */
    }


More information

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R) Bluefly Processor Security Policy PRODUCT NAME: PROJECT NUMBER: AUTHOR: Bluefly Processor MSW4000 Darren Krahn REVISION : 1.16 DOCUMENT REFERENCE : SP-MSW4000-01 DOCUMENT TYPE: DEPARTMENT: Security Policy

More information

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018 Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.

More information

INNOVATIVE TECHNOLOGY LTD CC2. Communications Protocol Manual GA863. Issue version Page 1 of 108

INNOVATIVE TECHNOLOGY LTD CC2. Communications Protocol Manual GA863. Issue version Page 1 of 108 INNOVATIVE TECHNOLOGY LTD CC2 Communications Protocol Manual GA863 Issue version 1.2.4 Page 1 of 108 Contents 1. CC2... 1 1. Contents... 2 2. Version History... 4 3. Introduction... 5 4. Representations...

More information

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1

Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1 Oracle Solaris Userland Cryptographic Framework Software Version 1.0 and 1.1 FIPS 140-2 Non-Proprietary Security Policy Level 1 Validation Version 1.3 2014-01-08 Copyright 2014 Oracle Corporation Table

More information

WiMOD LR Base Plus Host Controller Interface

WiMOD LR Base Plus Host Controller Interface WiMOD LR Base Plus Host Controller Interface Specification Version 1.2 Document ID: 4000/40140/0125 IMST GmbH Carl-Friedrich-Gauß-Str. 2-4 47475 KAMP-LINTFORT GERMANY Introduction Document Information

More information

1 Contents. Version of EnSilica Ltd, All Rights Reserved

1 Contents. Version of EnSilica Ltd, All Rights Reserved 1 Contents esi-apb-aes 1 Contents 2 2 Overview 3 3 Hardware Interface 4 3.1 Area 5 4 Software Interface 6 4.1 Register Map 6 5 AES Operation 11 5.1 Introduction 11 5.2 DMA operation 12 5.3 CBC operation

More information

AND8386/D. Bootloading BelaSigna 250 Using the I 2 C Interface APPLICATION NOTE

AND8386/D. Bootloading BelaSigna 250 Using the I 2 C Interface APPLICATION NOTE Bootloading BelaSigna 250 Using the I 2 C Interface APPLICATION NOTE INTRODUCTION This application note describes how to bootload BelaSigna 250 through its I 2 C interface when it does not have an EEPROM

More information

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1

ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 ARX (Algorithmic Research) PrivateServer Hardware version 4.7 Firmware version 4.8.1 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation April 2012 Copyright 2012 Algorithmic Research This document

More information

ATAES132A 32K AES Serial EEPROM Complete Data Sheet

ATAES132A 32K AES Serial EEPROM Complete Data Sheet ATAES132A 32K AES Serial EEPROM Complete Data Sheet Features Crypto Element Device with Secure Hardware-Based Key Storage 32 kb Standard Serial EEPROM Memory Compatible with the Microchip AT24C32D and

More information

Block Cipher Modes of Operation

Block Cipher Modes of Operation Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book

More information

AN5153 Application note

AN5153 Application note Application note IMA usage with SPC582B60 Introduction This document describes the usage of IMA. This design targets automotive applications and this cost-effective solution is based on the SPC582B60 device

More information

Wireless M-Bus Host Controller Interface DLL

Wireless M-Bus Host Controller Interface DLL Wireless M-Bus Host Controller Interface DLL Document ID: 4100/6404/0051 IMST GmbH Carl-Friedrich-Gauß-Str. 2-4 47475 KAMP-LINTFORT GERMANY General Information Document Information File name WMBus_HCIDLL_Spec.docx

More information

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0. BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.8 Broadcom Ltd. Revision Date: 2016-05-25 Copyright Broadcom 2016. May

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy Security Level 2 Rev. 0.9 November 12, 2012 Seagate Technology, LLC Page 1 Table of Contents 1 Introduction...

More information

CIS 4360 Secure Computer Systems Symmetric Cryptography

CIS 4360 Secure Computer Systems Symmetric Cryptography CIS 4360 Secure Computer Systems Symmetric Cryptography Professor Qiang Zeng Spring 2017 Previous Class Classical Cryptography Frequency analysis Never use home-made cryptography Goals of Cryptography

More information

AT90SDC10X Summary Datasheet

AT90SDC10X Summary Datasheet AT90SDC10X Summary Datasheet Features General twincore Secure Dual Core Architecture - 135 Powerful s (Most Executed in a Single Clock Cycle) Total isolation between Master & Secure Cores Secure Inter-Core

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

JMY505G User's Manual

JMY505G User's Manual JMY505G User's Manual (Revision 3.42) Jinmuyu Electronics Co. LTD 2011/6/28 Please read this manual carefully before using. If any problem, please mail to: jinmuyu@vip.sina.com Contents 1 Product introduction...

More information

Integral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy

Integral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy Integral Memory PLC. Chassis) and Crypto Dual Plus (Underlying FIPS 140-2 Security Policy Table of Contents 1. INTRODUCTION... 1 1.1 Purpose....1 1.2 References... 1 1.3 Document History... 1 2. PRODUCT

More information

P2_L6 Symmetric Encryption Page 1

P2_L6 Symmetric Encryption Page 1 P2_L6 Symmetric Encryption Page 1 Reference: Computer Security by Stallings and Brown, Chapter 20 Symmetric encryption algorithms are typically block ciphers that take thick size input. In this lesson,

More information

HAI Network Communication Protocol Description

HAI Network Communication Protocol Description Home Automation, Inc. HAI Network Communication Protocol Description This document contains the intellectual property of Home Automation, Inc. (HAI). HAI authorizes the use of this information for the

More information

Implementing Secure Software Systems on ARMv8-M Microcontrollers

Implementing Secure Software Systems on ARMv8-M Microcontrollers Implementing Secure Software Systems on ARMv8-M Microcontrollers Chris Shore, ARM TrustZone: A comprehensive security foundation Non-trusted Trusted Security separation with TrustZone Isolate trusted resources

More information

RX Family APPLICATION NOTE. Simple I 2 C Module Using Firmware Integration Technology. Introduction. Target Device.

RX Family APPLICATION NOTE. Simple I 2 C Module Using Firmware Integration Technology. Introduction. Target Device. APPLICATION NOTE RX Family R01AN1691EJ0220 Rev. 2.20 Introduction This application note describes the simple I 2 C module using firmware integration technology (FIT) for communications between devices

More information

PCI-HPDI32A-COS User Manual

PCI-HPDI32A-COS User Manual PCI-HPDI32A-COS User Manual Preliminary 8302A Whitesburg Drive Huntsville, AL 35802 Phone: (256) 880-8787 Fax: (256) 880-8788 URL: www.generalstandards.com E-mail: support@generalstandards.com User Manual

More information

Flash Self-programming Library

Flash Self-programming Library 16 Flash Self-programming Library Type T01, European Release 16 Bit Single-chip Microcontroller RL78 Series Installer: RENESAS_FSL_RL78_T01E_Vx.xxx All information contained in these materials, including

More information

ARM TrustZone for ARMv8-M for software engineers

ARM TrustZone for ARMv8-M for software engineers ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,

More information

Contents. Cortex M On-Chip Emulation. Technical Notes V

Contents. Cortex M On-Chip Emulation. Technical Notes V _ Technical Notes V9.12.225 Cortex M On-Chip Emulation Contents Contents 1 1 Introduction 2 2 Access Breakpoints 3 3 Trace 5 4 NXP LPC 5 4.1 Boot and Memory Remapping 5 4.2 LPC17xx Startup 5 4.1 LPC11A02/04

More information

Chapter 18: wolfcrypt API Reference

Chapter 18: wolfcrypt API Reference Chapter 18: wolfcrypt API Reference Table of Contents March, 2016 Version 3.9.0 18.1 AES 18.2 Arc4 18.3 ASN 18.4 Blake2 18.5 Camellia 18.6 ChaCha 18.7 ChaCha20 with Poly1305 18.8 Coding 18.9 Compression

More information

ST19WR08 Dual Contactless Smartcard MCU With RF UART, IART & 8 Kbytes EEPROM Features Contactless specific features

ST19WR08 Dual Contactless Smartcard MCU With RF UART, IART & 8 Kbytes EEPROM Features Contactless specific features Dual Contactless Smartcard MCU With RF UART, IART & 8 Kbytes EEPROM Data Brief Features Enhanced 8-bit CPU with extended addressing modes 112 KBytes user ROM with partitioning 2 KBytes user RAM with partitioning

More information

盤技術Approaches for Secure and Efficient In-Vehicle Key Management*

盤技術Approaches for Secure and Efficient In-Vehicle Key Management* Modern vehicle systems have transitioned from being 盤技術Approaches for Secure and Efficient In-Vehicle Key Management* Takeshi SUGASHIMA Dennis Kengo OKA Camille VUILLAUME DENSO TECHNICAL REVIEW Vol.21

More information

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9 SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9 Schweitzer Engineering Laboratories, Inc. May 21, 2007 Copyright 2005-2007 Schweitzer Engineering Laboratories, Inc. May be reproduced

More information

M2351 TrustZone Program Development

M2351 TrustZone Program Development Application Note for 32-bit NuMicro Family AN0019 M2351 TrustZone Program Development Document Information Abstract Introduce TrustZone programing including how to partition security attribution and how

More information

Embit Binary Interface - IEEE Specific Documentation. embit s.r.l.

Embit Binary Interface - IEEE Specific Documentation. embit s.r.l. Embit Binary Interface - IEEE 802.15.4-Specific Documentation embit s.r.l. Document information Versions & Revisions Revision Date Author Comments 1.0 A. Sala First release 1.1 14/12/2012 C. Biagi Minor

More information

UM2379. The BlueNRG-1, BlueNRG-2 radio driver. User manual. Introduction

UM2379. The BlueNRG-1, BlueNRG-2 radio driver. User manual. Introduction User manual The BlueNRG-1, BlueNRG-2 radio driver Introduction This document describes the BlueNRG-1, BlueNRG-2 radio low level driver, which provides access to the BlueNRG-1 and BlueNRG-2 devices in order

More information

FIPS SECURITY POLICY FOR

FIPS SECURITY POLICY FOR FIPS 140-2 SECURITY POLICY FOR SPECTRAGUARD ENTERPRISE SENSOR August 26, 2011 FIPS 140-2 LEVEL-2 SECURITY POLICY FOR AIRTIGHT NETWORKS SPECTRAGUARD ENTERPRISE SENSOR 1. Introduction This document describes

More information

Version. Table of Contents

Version. Table of Contents NAP Protocol 1.0 Version Version Date By Comment v1.0 24.01.2011 JP Release version of NAP documentation. Table of Contents 1 Basic concepts...3 1.1 Usage info...3 1.2 Length byte...3 1.3 Literal characters...4

More information

Symmetric Cryptography

Symmetric Cryptography CSE 484 (Winter 2010) Symmetric Cryptography Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

More information

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING ENEE 457 Computer Systems Security Instructor: Charalampos Papamanthou Homework 2 Out: 09/23/16 Due: 09/30/16 11:59pm Instructions

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

ESP8266 Application Note Firmware Download Protocol

ESP8266 Application Note Firmware Download Protocol ESP8266 Application Note Firmware Download Protocol Version 1.0 Copyright 2016 About This Guide This document introduces ESP8266 firmware download protocol with a structure as follows. Chapter Title Subject

More information

Conto D2 COMMUNICATION PROTOCOL CONTENTS 1.0 INTRODUCTION

Conto D2 COMMUNICATION PROTOCOL CONTENTS 1.0 INTRODUCTION PR 121 rev. 0 11/11/2011 Pagina 1 di 9 ELECTRICITY ENERGY METER FIRMWARE 1.6 Conto D2 COMMUNICATION PROTOCOL CONTENTS 1.0 INTRODUCTION 2.0 DATA MESSAGE DESCRIPTION 2.1 Data field description 2.2 Data format

More information

6.857 L17. Secure Processors. Srini Devadas

6.857 L17. Secure Processors. Srini Devadas 6.857 L17 Secure Processors Srini Devadas 1 Distributed Computation Example: Distributed Computation on the Internet (SETI@home, etc.) Job Dispatcher Internet DistComp() { x = Receive(); result = Func(x);

More information

NOVOtechnik. Content. TIM CANopen Gebrauchsanleitung TIM CANopen user manual SIEDLE GRUPPE

NOVOtechnik. Content. TIM CANopen Gebrauchsanleitung TIM CANopen user manual SIEDLE GRUPPE Content 9 CANopen 2 9.1 EDS Files 2 9.2 Features 2 9.2.1 Basic information 2 9.2.2 Basics based on CiA DS-301, V4.02 2 9.2.3 Basics based on CiA DSP-406, V3.2 3 9.2.4 Basics SDO communication 3 9.2.5 Basics

More information

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009 Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2 Meru Networks Revision Date: June 24, 2009 Copyright Meru Networks 2008. May be reproduced only in its original entirety

More information

Read section 8 of this document for detailed instructions on how to use this interface spec with LibUSB For OSX

Read section 8 of this document for detailed instructions on how to use this interface spec with LibUSB For OSX CP2130 INTERFACE SPECIFICATION 1. Introduction The Silicon Labs CP2130 USB-to-SPI bridge is a device that communicates over the Universal Serial Bus (USB) using vendor-specific control and bulk transfers

More information

ECE254 Lab3 Tutorial. Introduction to MCB1700 Hardware Programming. Irene Huang

ECE254 Lab3 Tutorial. Introduction to MCB1700 Hardware Programming. Irene Huang ECE254 Lab3 Tutorial Introduction to MCB1700 Hardware Programming Irene Huang Lab3 Requirements : API Dynamic Memory Management: void * os_mem_alloc (int size, unsigned char flag) Flag takes two values:

More information

nrf52810 Engineering A

nrf52810 Engineering A nrf52810 Engineering A Errata v1.3 4430_133 v1.3 / 2018-03-23 Contents 1 nrf52810 Engineering A Errata........................ 3 2 Change log.................................... 4 3 New and inherited anomalies.........................

More information

M2351 Trusted Boot. Application Note for 32-bit NuMicro Family

M2351 Trusted Boot. Application Note for 32-bit NuMicro Family M2351 Trusted Boot Application Note for 32-bit NuMicro Family Document Information Abstract Apply to Introduce the M2351 Secure Bootloader, Secure Boot verification mechanism, and how it works to perform

More information

EEPROM Emulation with the ez80f91 MCU. Discussion

EEPROM Emulation with the ez80f91 MCU. Discussion Application Note EEPROM Emulation with the ez80f91 MCU AN015803-0608 Abstract This Application Note describes a method to utilize a portion of Zilog s ez80acclaimplus! MCU s Flash memory to emulate the

More information

8032 MCU + Soft Modules. c = rcvdata; // get the keyboard scan code

8032 MCU + Soft Modules. c = rcvdata; // get the keyboard scan code 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 { 0x25, 0x66 }, // "4" { 0x2E, 0x6D }, // "5" { 0x36, 0x7D }, // "6" { 0x3D, 0x07 }, // "7" { 0x3E, 0x7F }, // "8" { 0x46,

More information