问题 客户想使用SDK软件库中的dcp例程实现ECB加密,其中加密Key为OTPMK,但是在多块MIMXRT1050开发板测试后发现,明文经加密而产生的密文居然都是一样的 (如图2所示),这样反推可得各开发板芯片所对应的OTPMK值相同,而这与前面的描述明显不符,那到底是哪里出了差错呢? 分析与解决 经过进一步测试发现,上述相同的密文与Key全为0加密产生的密文一致,表明OTPMK并未真正参与ECB加密,最后通过与AE同事交流,知道原因是eFuse中的SEC_CONFIG未使能HAB Closed mode (如图3所示). 在得知原因后,小编使用dcp例程在曾经做过HAB Signed Image boot启动测试的MIMXRT1050开发板上进行测试,具体代码如下,工程会打印出Key分别为OTPMK和全为0进行ECB加密后的密文,比较后会发现使用OTPMK加密的密文明显有别于Key全为0的密文。 测试代码- /*
- * Copyright 2017 NXP
- * All rights reserved.
- *
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
- /*******************************************************************************
- * Includes
- ******************************************************************************/
- #include "fsl_device_registers.h"
- #include "fsl_debug_console.h"
- #include "board.h"
- #include "fsl_dcp.h"
- #include "pin_mux.h"
- #include "clock_config.h"
- /*******************************************************************************
- * Definitions
- ******************************************************************************/
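/*
 * Set to 1 to select the OTP key for AES encryption/decryption,
 * 0 to use the software-loaded key in key slot 0.
 */
#define DCP_TEST_USE_OTP_KEY 1

/*
 * Halt the test on a failed check: print "error" and spin forever.
 *
 * The body is wrapped in do { ... } while (0) so that the macro expands to a
 * single statement. The bare `if` form breaks when the macro is used as the
 * body of an unbraced if/else (the trailing `;` detaches the `else`).
 */
#define TEST_ASSERT(a)           \
    do                           \
    {                            \
        if (!(a))                \
        {                        \
            PRINTF("error\r\n"); \
            for (;;)             \
            {                    \
            }                    \
        }                        \
    } while (0)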
- #if DCP_TEST_USE_OTP_KEY
/*
 * Selects which 128-bit half of which 256-bit OTP key source is used as the
 * DCP key. Values start at 1, so 0 is not a valid selection.
 */
enum _dcp_otp_key_select
{
    kDCP_OTPMKKeyLow  = 1U, /* snvs key, bits [127:0] */
    kDCP_OTPMKKeyHigh = 2U, /* snvs key, bits [255:128] */
    kDCP_OCOTPKeyLow  = 3U, /* ocotp key, bits [127:0] */
    kDCP_OCOTPKeyHigh = 4U  /* ocotp key, bits [255:128] */
};

typedef enum _dcp_otp_key_select dcp_otp_key_select;
- #endif
- /*******************************************************************************
- * Prototypes
- ******************************************************************************/
- /*******************************************************************************
- * Code
- ******************************************************************************/
- #if DCP_TEST_USE_OTP_KEY
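/*!
 * @brief Route one 128-bit half of an OTP key source to the DCP.
 *
 * Writes two selector bits in the IOMUXC general-purpose registers:
 *  - GPR3  DCP_KEY_SEL:               clear = bits [127:0], set = bits [255:128]
 *  - GPR10 DCPKEY_OCOTP_OR_KEYMUX:    clear = snvs (OTPMK) key, set = ocotp key
 *
 * The caller must issue a DCP software reset after changing the selection
 * (the example's main() does this by calling DCP_Init() afterwards).
 *
 * This function only programs the multiplexer; it cannot tell whether the
 * selected key is really delivered to the DCP. The accompanying write-up
 * reports that when the SEC_CONFIG eFuse has not enabled HAB closed mode the
 * OTPMK did not take part in encryption and the ciphertext matched that of an
 * all-zero key, while this function still returned success.
 *
 * @param keySelect Key source and half to select.
 * @retval kStatus_Success         Selection written.
 * @retval kStatus_InvalidArgument keySelect is not one of the enum values;
 *                                 no register is modified.
 */
status_t DCP_OTPKeySelect(dcp_otp_key_select keySelect)
{
    /* Unsigned masks: avoids bitwise operations on signed int and any
     * signed-shift surprise should a shift position ever be bit 31. */
    const uint32_t halfSelMask = (uint32_t)1U << IOMUXC_GPR_GPR3_DCP_KEY_SEL_SHIFT;
    const uint32_t srcSelMask  = (uint32_t)1U << IOMUXC_GPR_GPR10_DCPKEY_OCOTP_OR_KEYMUX_SHIFT;
    uint32_t halfSelBit;
    uint32_t srcSelBit;

    switch (keySelect)
    {
        case kDCP_OTPMKKeyLow:
            halfSelBit = 0U;
            srcSelBit  = 0U;
            break;
        case kDCP_OTPMKKeyHigh:
            halfSelBit = halfSelMask;
            srcSelBit  = 0U;
            break;
        case kDCP_OCOTPKeyLow:
            halfSelBit = 0U;
            srcSelBit  = srcSelMask;
            break;
        case kDCP_OCOTPKeyHigh:
            halfSelBit = halfSelMask;
            srcSelBit  = srcSelMask;
            break;
        default:
            /* Reject unknown selectors before touching any register. */
            return kStatus_InvalidArgument;
    }

    /* One read-modify-write per register, GPR3 first, as in the original. */
    IOMUXC_GPR->GPR3  = (IOMUXC_GPR->GPR3 & ~halfSelMask) | halfSelBit;
    IOMUXC_GPR->GPR10 = (IOMUXC_GPR->GPR10 & ~srcSelMask) | srcSelBit;

    return kStatus_Success;
}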
- #endif
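/* Print the 16 bytes of one AES block, one per line, in the example's log format. */
static void PrintCipherBlock(const uint8_t *block)
{
    for (uint8_t i = 0; i < 16; i++)
    {
        PRINTF("ciphertext %d value is %x \r\n", i, block[i]);
    }
}

/*!
 * @brief AES-128 ECB round trip with the OTP key slot, then encryption with an all-zero key.
 *
 * Encrypts one fixed plaintext block twice and prints both ciphertexts so they
 * can be compared:
 *  1. with the key slot chosen by DCP_TEST_USE_OTP_KEY (kDCP_OtpUniqueKey when
 *     set, kDCP_KeySlot0 otherwise), followed by a decrypt-and-compare;
 *  2. with kDCP_KeySlot0 loaded with sixteen zero bytes.
 *
 * Every driver call is checked; a failure halts in TEST_ASSERT instead of
 * printing the contents of an output buffer the DCP never filled.
 *
 * When the OTP key is selected, the two ciphertexts are also compared. The
 * accompanying write-up observed identical ciphertexts on parts whose
 * SEC_CONFIG eFuse had not enabled HAB closed mode, i.e. the OTP key was not
 * really used, so that case is reported explicitly.
 *
 * A single block is encrypted here; ECB is deterministic, so equal plaintext
 * blocks under the same key always give equal ciphertext blocks.
 */
void TestAesEcb(void)
{
    /* All-zero key: the reference against which the OTP-key ciphertext is compared. */
    static const uint8_t keyAes128[] __attribute__((aligned)) = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
                                                                 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0};
    static const uint8_t plainAes128[] = {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96,
                                          0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a};
    /*
     * Reference ciphertext of the original example, left disabled together
     * with its memcmp check further down:
     *   0x3a, 0xd7, 0x7b, 0xb4, 0x0d, 0x7a, 0x36, 0x60,
     *   0xa8, 0x9e, 0xca, 0xf3, 0x24, 0x66, 0xef, 0x97
     */
#if DCP_TEST_USE_OTP_KEY
#warning Please update cipherAes128 variables to match expected AES ciphertext for your OTP key.
#endif

    uint8_t otpCipher[16]     = {0};
    uint8_t zeroKeyCipher[16] = {0};
    uint8_t output[16]        = {0};
    status_t status;
    dcp_handle_t m_handle;

    m_handle.channel    = kDCP_Channel0;
    m_handle.swapConfig = kDCP_NoSwap;
#if DCP_TEST_USE_OTP_KEY
    /* NOTE(review): the GPR key-select bits written by DCP_OTPKeySelect() may
     * apply to the kDCP_OtpKey slot rather than kDCP_OtpUniqueKey - confirm
     * against the reference manual which slot is intended here. */
    m_handle.keySlot = kDCP_OtpUniqueKey;
#else
    m_handle.keySlot = kDCP_KeySlot0;
#endif

    /* Pass 1: key slot selected above. keyAes128 is still passed, as in the
     * original; presumably the driver ignores it for an OTP slot - TODO confirm. */
    status = DCP_AES_SetKey(DCP, &m_handle, keyAes128, 16);
    TEST_ASSERT(kStatus_Success == status);

    status = DCP_AES_EncryptEcb(DCP, &m_handle, plainAes128, otpCipher, 16);
    TEST_ASSERT(kStatus_Success == status);
    PrintCipherBlock(otpCipher);

    /* Round trip: decrypting with the same slot must give back the plaintext. */
    status = DCP_AES_DecryptEcb(DCP, &m_handle, otpCipher, output, 16);
    TEST_ASSERT(kStatus_Success == status);
    TEST_ASSERT(memcmp(output, plainAes128, 16) == 0);
    PRINTF("AES ECB Unique KeyTest pass\r\n\r\n");

    /* Pass 2: software key slot 0 loaded with the all-zero key. */
    m_handle.keySlot = kDCP_KeySlot0;
    status = DCP_AES_SetKey(DCP, &m_handle, keyAes128, 16);
    TEST_ASSERT(kStatus_Success == status);

    status = DCP_AES_EncryptEcb(DCP, &m_handle, plainAes128, zeroKeyCipher, 16);
    TEST_ASSERT(kStatus_Success == status);
    PrintCipherBlock(zeroKeyCipher);
    PRINTF("AES ECB Key All 0 pass\r\n");

#if DCP_TEST_USE_OTP_KEY
    /* Identical output means the OTP key slot behaved like an all-zero key. */
    if (memcmp(otpCipher, zeroKeyCipher, sizeof(otpCipher)) == 0)
    {
        PRINTF("warning: OTP key ciphertext equals all-zero key ciphertext\r\n");
    }
#endif
}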
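/*!
 * @brief Main function
 *
 * Brings up the board, selects the low half of the OTPMK as the DCP OTP key
 * (when DCP_TEST_USE_OTP_KEY is set), resets and initializes the DCP, runs the
 * AES-ECB test and then idles forever.
 */
int main(void)
{
    dcp_config_t dcpConfig;

    /* Init hardware*/
    BOARD_ConfigMPU();
    BOARD_InitPins();
    BOARD_BootClockRUN();
    BOARD_InitDebugConsole();

    /* Data cache must be temporarily disabled to be able to use sdram */
    SCB_DisableDCache();

    PRINTF("DCP Driver Example\r\n\r\n");

    /* Initialize DCP */
    DCP_GetDefaultConfig(&dcpConfig);

#if DCP_TEST_USE_OTP_KEY
    /* Set OTP key type in IOMUX registers before initializing DCP. */
    /* Software reset of DCP must be issued after changing the OTP key type. */
    /* Check the result so a rejected selector halts here rather than letting
     * the test run with whatever key selection was left in the registers. */
    status_t keySelectStatus = DCP_OTPKeySelect(kDCP_OTPMKKeyLow);
    TEST_ASSERT(kStatus_Success == keySelectStatus);
#endif

    /* Reset and initialize DCP */
    DCP_Init(DCP, &dcpConfig);

    /* Call DCP APIs */
    TestAesEcb();

    /* Deinitialize DCP */
    DCP_Deinit(DCP);

    /* Nothing left to do: park the core. */
    for (;;)
    {
    }
}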
复制代码 运行结果- DCP Driver Example
- ciphertext 0 value is 38
- ciphertext 1 value is ee
- ciphertext 2 value is 85
- ciphertext 3 value is 6a
- ciphertext 4 value is 5e
- ciphertext 5 value is 51
- ciphertext 6 value is bd
- ciphertext 7 value is cb
- ciphertext 8 value is 3c
- ciphertext 9 value is 93
- ciphertext 10 value is f9
- ciphertext 11 value is 3a
- ciphertext 12 value is 1
- ciphertext 13 value is b0
- ciphertext 14 value is fe
- ciphertext 15 value is 92
- AES ECB Unique KeyTest pass
- ciphertext 0 value is cf
- ciphertext 1 value is 2e
- ciphertext 2 value is a3
- ciphertext 3 value is 8a
- ciphertext 4 value is 12
- ciphertext 5 value is 3b
- ciphertext 6 value is e2
- ciphertext 7 value is 7
- ciphertext 8 value is 65
- ciphertext 9 value is eb
- ciphertext 10 value is 8c
- ciphertext 11 value is 5c
- ciphertext 12 value is 56
- ciphertext 13 value is ca
- ciphertext 14 value is f2
- ciphertext 15 value is 24
- AES ECB Key All 0 pass