
Encrypt custom OBKey data provisioned with the HUK on the STM32H573

Vishal58
Associate III

I am looking for how to encrypt my OBKey data using the HUK during provisioning.

The HUK is device-specific, so how can we give this HUK key to Trusted Package Creator to download the OBKey data?

STea
ST Employee

Hello @Vishal58 ,

You can check this knowledge article, How to enable RDP-like product state flash protect... - STMicroelectronics Community, which will help you with the OBKey provisioning steps. If you want to use the HUK, you cannot access the HUK directly, but a key derived from the RHUK can be used to encrypt keys and data. See this wiki page, which can help you understand this more clearly: Security:Secure Storage for STM32H5 - stm32mcu.
Regards

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Hi @STea,

I have the queries below regarding usage of the OBK/secure storage area and how we can use this feature in our product.

1) When you say DHUK can be used to encrypt keys, is this encryption done through software running on the controller? If that is the case, I am not checking encryption using software running on the controller.

I wanted to encrypt my secure data using HUK/DHUK/RHUK and program it into the controller during production.

Is it possible, and how?

 

2) Also, if a hacker wants to read the secure data in the OBK area: if he can mimic a secure application, then he can read the secure data, decrypt and read the secure data, as he is running the application in the secure zone and on the same hardware. How can we avoid this situation?

3) In the wiki page Security:Secure Storage for STM32H5 - stm32mcu, it is stated that the DHUKs are different for every HDPL level and are based on the RHUK. I guess using the DHUK to encrypt the secure data is also done through software running on the controller, not during production or provisioning (writing secure data in the OBK area by encrypting using HUK/DHUK/RHUK). Please confirm.


Vishal58
Associate III

Hi,

 

I was going through the UM2238 user manual for the STM32 Trusted Package Creator tool software description and found that the XML file used to configure the OBK has a doencryption parameter, based on which the DHUK key will be used for encrypting and decrypting the secure data by the RSS Lib present in the controller RSS-system boot. Please confirm if my understanding is correct.


Also, using the attached example XML file, we can download the authentication secure, non-secure and encryption keys in the OBK area.

So if the user wants, he can edit the XML files to provide data inputs to create his own OBK file?