nrf5340 QSPI decryption integrity check

Question

Hi, 
 Does the nrf5340 perform any integrity checking on the QSPI on-the-fly decryption? Are there any details available on the specific algorithm used? The datasheet only says AES-128. 
 Am I correct in my understanding that secure boot is not really compatible with the QSPI XIP (whether using encryption or not) as an attacker could simply replace the code after it has been authenticated (ie TOCTOU attack) ? 
 Thanks.

Kenneth · Accepted Answer

Hello, 
 The supported stream cipher mode is AES-CTR using 128 bit key size and nounce. There is no support for authenticated XIP, only encryption. If QSPI XIP is used as part of secure boot, then time-of-check, time-of-use (TOCTOU) is an attack vector. The recommend way around this limitation is to partition external code in logical blocks which do not rely on branching to other external regions in flash, and which are signed with a key only available internally. These blocks can then be fetched using QSPI to internal RAM, verified and then executed directly from RAM. 
 Hope that help, Kenneth

nrf5340 QSPI decryption integrity check

Top Replies