Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

RE: Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

Simonr — Tue, 19 Apr 2022 13:51:20 GMT

The Hardware unique key sample uses the KMU and shows how a key can be used to derive an encryption key through psa_crypto APIs.

The KMU peripheral description should explain how it pushes key values over a dedicated secure APB to pre-configured secure locations within the memory map.

Best regards,

Simon

RE: Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

Jaewook — Mon, 11 Apr 2022 16:40:52 GMT

First of all, at the beginning, I was confused with three modules such as ENC, XIP_ENC and DMA_ENC as read the spec. Now, I just figured out there are two module like XIP_ENC and DMA_ENC only while ENC should be a general concept over them. Now, it should be fine to me.

However, still, I am not sure how XIP_ENC and DMA_ENC can use KMU for the AES key. Do you have any example on this application? Since CPU can't access the keys stored at KMU, how firmware can assign the keys stored at KMU to XIP_ENC and DMA_ENC module?

RE: Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

Simonr — Mon, 11 Apr 2022 09:21:19 GMT

Hi Jae

What exactly are you missing in terms of explanation of the XIP_ENC and DMA_ENC modules? I'm not sure what you're expecting that is not mentioned in the Encryption paragraph of the PS and the QSPI HAL regarding the functions. Let me know what it is that needs further explanation and I'll forward it to our documentation team.

Regarding your security concerns. AES is an encryption scheme, while KMU is a HW peripheral to store the keys somewhere the CPU can't access them. I don't see any reason you shouldn't be able to use KMU to store the AES key in. As long as readback protection is enabled on the nRF5340, and the external flash is encrypted, I don't see how "everyone" should easily hack the source code. HUK is the library to use the KMU, if there's any confusion there.

Best regards,

Simon

RE: Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

Jaewook — Fri, 08 Apr 2022 17:20:52 GMT

As continuing, can we use HUK (hardware unique key) like HUK_KEYSLOT_MEXT for qspi encryption? So, CPU can't access the key directly for security reason. If so, how can we use it? Can nrf_qspi_dma_encryption_configure be used with HUK?

RE: Where is QSPI Encryption function and registers ((ENC.KEY, ENC.NONCE. ENC.ENABLE, and etc)) in nrf5340

Jaewook — Fri, 08 Apr 2022 16:54:24 GMT

Updated: I guess there is the specific Encryption module but it should be a general idea to explain XIP_ENC and DMA_ENC. I was confused with them.

BTW, if so, how to secure the AES key to setup ENC.KEY without put the key into the source code? For security purpose, can we use KMU instead? If you put the AES key into source code, can everyone easily hack the source code?