Skip to main content
PJose.4
PJose.4
Senior
November 13, 2023
Question

Changing the signature padding in TF-M SBSFU Boot for B-U585-IOT2A

  • November 13, 2023
  • 3 replies
  • 1747 views

Hi @ST Community @Jocelyn RICARD ,
Greetings

Iam implementing using the reference from TF-M SBSFU for secure boot and secure firmware update service. As per UM2851 the signature scheme that is used is RSA 3072/2048 using RSA-OAEP padding.
1. My requirement is to use RSASSA-PSS padding. how can i get this implementation done without altering the SBSFU Implementation. 
2. I also have a requirement to decrypt the firmware - during the firmware update process - in the application using AES256. 
3. one more clarification -. when executing the TFM_update.sh script the plain application is being dumped into the controller instead of the encrypted_signed_firmware.bin file, on the other hand when doing a firmware update the encrypted-signed_firmware.bin file is downloaded to the controller. please suggest how to download the encrypted_signed_firmware.bin directly using the TFM_update.sh script.


I require sincere support and help in these 3 aspects and the steps on how these can be implemented. Requesting team to support in this regard at the earliest.
Thanks and regards
Philip

This topic has been closed for replies.

3 replies

S
STea
ST Employee
November 14, 2023

Hello @PJose.4 

answering your questions

"My requirement is to use RSASSA-PSS padding. how can i get this implementation done without altering the SBSFU Implementation. I also have a requirement to decrypt the firmware - during the firmware update process - in the application using AES256. "

SBSFU offers 3 crypto_shemes defined in SBSFU_Boot\\Inc\\mcuboot_config\\mcuboot_config.h

#define CRYPTO_SCHEME_RSA2048    0x0 /* RSA-2048 signature, AES-CTR-128 encryption with key RSA-OAEP encrypted */
      #define CRYPTO_SCHEME_RSA3072    0x1 /* RSA-3072 signature, AES-CTR-128 encryption with key RSA-OAEP encrypted */
      #define CRYPTO_SCHEME_EC256      0x2 /* ECDSA-256 signature, AES-CTR-128 encryption with key ECIES-P256 encrypted */
      #define CRYPTO_SCHEME            CRYPTO_SCHEME_RSA2048  /* Select one of available crypto schemes */
so to implement a new cryptographic scheme like  RSASSA-PSS changes need to be done on the SBSFU implementation to add the support for this scheme the same applies to your second request using AES 256 as an encryption algorithm the support for this algorithms needs to be added to the MbedTLS wrappers and support for hardware acceleration for this algorithms needs to added.
 
when executing the TFM_update.sh script the plain application is being dumped into the controller instead of the encrypted_signed_firmware.bin file, on the other hand when doing a firmware update the encrypted-signed_firmware.bin file is downloaded to the controller"
this is expected and normal behavior on the initial installation because if the image of the initial installation is encrypted there is no TFM_SBSFU_Boot to be executed to decrypt it so the script TFM_update.sh programs the TFM_SBSFU_Boot binary, the clear signed TFM_Appli Secure image for initial installation, the clear signed TFM_Appli Non Secure image for initial installation, and TFM_Loader image into internal flash as part of initial installation.
 
BR 
 
PJose.4
PJose.4Author
Senior
November 15, 2023

Hi @STea 
Greetings

Thanks for your quick reply in this regard.
Point 1 - Regarding to the changes that are to be implemented is the step like to add the implementation of RSAPSS-PS through mbedtls -> configure mcuboot to use the RSAPSS-PS padding for signature. In this case i believe it is a big effort to bootloader for the implementation to be done.
point 2 and Point 3 are clear. thanks for your valuable time. Can we use mcuboot for adding AES256 encryption for the firmware update process? Could you please suggest the implementation requirement for adding aes256 support in the TF-M Appli for firmware update process.
One more additional query - In the TF-M Appli folder - how can i access a secure service from the non secure area because it does not have a non-secure callable function(nsc.c). Can you please suggest a look out of how can i implement an adc(in the secure zone of the TF-M Appli) and call the voltage value from the channel in the non secure code of the appli.

Grateful for your support in this regard.
Thanks
Philip

S
STea
ST Employee
November 15, 2023

Hello again @PJose.4 ,

adding the AES256 (changing the AES -CTR-128) can be done by implementing a the desired algorithm in the update process of SBSFU unfortunately there is not a detailed guide on this specific manipulation.

this is can be quite challenging as the keys used by the SBSFU boot for the AES-CTR-128 is encrypted with RSA-2048 key as explained in the UM2851 table 6 in the 12.2Minimal customization section so the hole process should be redone and this can be quit the effort .

if you want to have answers on your additional query i suggest to have a new threat for better visibility.

BR

 

    PJose.4
    PJose.4Author
    Senior
    November 16, 2023

    Hi @STea 
    Greetings

    Thanks for your support.
    Will look more into the details that you have provided.
    Will create a new thread for the additional query that was posted here.
    Thanks again for your time

    Best Regards
    Philip

    Terms & ConditionsAccessibility statement