
Where are the QSPI encryption functions and registers (ENC.KEY, ENC.NONCE, ENC.ENABLE, etc.) in nRF5340

Dear, 

Based on the material (https://infocenter.nordicsemi.com/index.jsp?topic=%2Fps_nrf5340%2Fqspi.html), encryption should be enabled independently for XIP and EasyDMA, with separate keys and nonces, as shown in Figure 3. Stream Cipher.

However, I couldn't find any related function or registers (like ENC.KEY, ENC.NONCE, ENC.ENABLE in Figure 3.) for this Encryption feature.

Where are they? How can I use the Encryption feature independently?

Also, in hal/nordic/nrfx/hal/nrf_qspi.h, I could find only XIP and EasyDMA functions, as shown below:

#if NRF_QSPI_HAS_XIP_ENC
NRF_STATIC_INLINE void nrf_qspi_xip_encryption_configure(NRF_QSPI_Type *               p_reg,
                                                         nrf_qspi_encryption_t const * p_cfg)
{
    p_reg->XIP_ENC.KEY0   = p_cfg->key[0];
    p_reg->XIP_ENC.KEY1   = p_cfg->key[1];
    p_reg->XIP_ENC.KEY2   = p_cfg->key[2];
    p_reg->XIP_ENC.KEY3   = p_cfg->key[3];
    p_reg->XIP_ENC.NONCE0 = p_cfg->nonce[0];
    p_reg->XIP_ENC.NONCE1 = p_cfg->nonce[1];
    p_reg->XIP_ENC.NONCE2 = p_cfg->nonce[2];
}

NRF_STATIC_INLINE void nrf_qspi_xip_encryption_set(NRF_QSPI_Type * p_reg, bool enable)
{
    p_reg->XIP_ENC.ENABLE =
        (enable ? QSPI_XIP_ENC_ENABLE_ENABLE_Enabled  << QSPI_XIP_ENC_ENABLE_ENABLE_Pos
                : QSPI_XIP_ENC_ENABLE_ENABLE_Disabled << QSPI_XIP_ENC_ENABLE_ENABLE_Pos);
}
#endif

#if NRF_QSPI_HAS_DMA_ENC
NRF_STATIC_INLINE void nrf_qspi_dma_encryption_configure(NRF_QSPI_Type *               p_reg,
                                                         nrf_qspi_encryption_t const * p_cfg)
{
    p_reg->DMA_ENC.KEY0   = p_cfg->key[0];
    p_reg->DMA_ENC.KEY1   = p_cfg->key[1];
    p_reg->DMA_ENC.KEY2   = p_cfg->key[2];
    p_reg->DMA_ENC.KEY3   = p_cfg->key[3];
    p_reg->DMA_ENC.NONCE0 = p_cfg->nonce[0];
    p_reg->DMA_ENC.NONCE1 = p_cfg->nonce[1];
    p_reg->DMA_ENC.NONCE2 = p_cfg->nonce[2];
}

NRF_STATIC_INLINE void nrf_qspi_dma_encryption_set(NRF_QSPI_Type * p_reg, bool enable)
{
    p_reg->DMA_ENC.ENABLE =
        (enable ? QSPI_DMA_ENC_ENABLE_ENABLE_Enabled  << QSPI_DMA_ENC_ENABLE_ENABLE_Pos
                : QSPI_DMA_ENC_ENABLE_ENABLE_Disabled << QSPI_DMA_ENC_ENABLE_ENABLE_Pos);
}
#endif

Regards,

Jae

  • Updated: I guess there is the specific Encryption module but it should be a general idea to explain XIP_ENC and DMA_ENC. I was confused by them.

    BTW, if so, how can we secure the AES key used to set up ENC.KEY without putting the key into the source code? For security purposes, can we use KMU instead? If you put the AES key into source code, can everyone easily hack the source code?

  • Continuing on, can we use HUK (hardware unique key), like HUK_KEYSLOT_MEXT, for QSPI encryption? That way, the CPU can't access the key directly, for security reasons. If so, how can we use it? Can nrf_qspi_dma_encryption_configure be used with HUK?

  • Hi Jae

    What exactly are you missing in terms of explanation of the XIP_ENC and DMA_ENC modules? I'm not sure what you're expecting that is not mentioned in the Encryption paragraph of the PS and the QSPI HAL regarding the functions. Let me know what it is that needs further explanation and I'll forward it to our documentation team. 

    Regarding your security concerns: AES is an encryption scheme, while KMU is a HW peripheral to store the keys somewhere the CPU can't access them. I don't see any reason you shouldn't be able to use KMU to store the AES key in. As long as readback protection is enabled on the nRF5340, and the external flash is encrypted, I don't see how "everyone" should easily hack the source code. HUK is the library to use the KMU, if there's any confusion there.

    Best regards,

    Simon

  • First of all, at the beginning, I was confused by three modules, ENC, XIP_ENC and DMA_ENC, as I read the spec. Now, I have just figured out that there are only two modules, XIP_ENC and DMA_ENC, while ENC should be a general concept over them. Now, it should be fine for me.

    However, I am still not sure how XIP_ENC and DMA_ENC can use KMU for the AES key. Do you have any example of this application? Since the CPU can't access the keys stored in KMU, how can firmware assign the keys stored in KMU to the XIP_ENC and DMA_ENC modules?

  • Hi

    The Hardware unique key sample uses the KMU and shows how a key can be used to derive an encryption key through psa_crypto APIs.

    The KMU peripheral description should explain how it pushes key values over a dedicated secure APB to pre-configured secure locations within the memory map.

    Best regards,

    Simon
