cancel
Showing results for 
Search instead for 
Did you mean: 

Specific format for an SFI image, specifically how to decrypt it.

msj
Associate II

We;re looking at using SFI as part of the manufacturing for a product based on STM32U5. One of the concerns we have is that STM32TrustedPackageCreator only supports a bare (not big-iron HSM) protected. One of the simplest ways for us to accomplish this is to used TPC to create the package using a well-known key and IV, and then decrypt the SFI package and re-encrypt it using a purpose built tool that uses PKCS11 to talk to an HSM for the encryption.

Figure 2 of UM2238 plus some of the text provided me with a starting place, and I was able to parse the general format of an SFI. I did find that the area header also includes a 16 byte left truncated hash of the plain text being encrypted - and that's not mentioned in figure 2.

I was able to "decrypt" and verify the file header, but I'm running into trouble doing the same with each of the body parts/areas.

I *have* confirmed I'm using the right nonce. The text says "nonce plus area number", but that actually means to treat bytes 8:11 of the nonce as a little endian int and increment that - basically resulting in incrementing the 8th byte rather than the 11th.

I've tried:

>> Header minus the tag and with and without the hash as the input AAD.

>>> Assuming the GCM tag follows the data rather than preceeding it and with and without the hash being included in the AAD.

So the question is: What exactly goes into the AAD for a SFI section, and where is the GCM tag placed in the file?

Is there a manual or software that describe the above in sufficient detail?

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
msj
Associate II

Ignore the above question. I was finally able to decrypt/reencrypt an SFI image. My problem above was figuring including too much data accidentally in one of the area encryptions.

View solution in original post

1 REPLY 1
msj
Associate II

Ignore the above question. I was finally able to decrypt/reencrypt an SFI image. My problem above was figuring including too much data accidentally in one of the area encryptions.