We;re looking at using SFI as part of the manufacturing for a product based on STM32U5. One of the concerns we have is that STM32TrustedPackageCreator only supports a bare (not big-iron HSM) protected. One of the simplest ways for us to accomplish this is to used TPC to create the package using a well-known key and IV, and then decrypt the SFI package and re-encrypt it using a purpose built tool that uses PKCS11 to talk to an HSM for the encryption.
Figure 2 of UM2238 plus some of the text provided me with a starting place, and I was able to parse the general format of an SFI. I did find that the area header also includes a 16 byte left truncated hash of the plain text being encrypted - and that's not mentioned in figure 2.
I was able to "decrypt" and verify the file header, but I'm running into trouble doing the same with each of the body parts/areas.
I *have* confirmed I'm using the right nonce. The text says "nonce plus area number", but that actually means to treat bytes 8:11 of the nonce as a little endian int and increment that - basically resulting in incrementing the 8th byte rather than the 11th.
I've tried:
>> Header minus the tag and with and without the hash as the input AAD.
>>> Assuming the GCM tag follows the data rather than preceeding it and with and without the hash being included in the AAD.
So the question is: What exactly goes into the AAD for a SFI section, and where is the GCM tag placed in the file?
Is there a manual or software that describe the above in sufficient detail?
Thanks!
