Implementation of RSA in the X-CUBE-SBSFU example application for STM32H7B3I-DK board

Ikbal
Associate II

Hello,

I am exploring the example application of X-CUBE-SBSFU for the STM32H7B3I-DK board. I have successfully compiled the given example application for 1_Image.

I have tried to understand the 1_Image_SECoreBin application for cryptography and key generation. The example application uses ECC cryptographic schemes for firmware authentication. I have checked se_crypto_config.h for changing the scheme, but only ECC is defined there.

My question: I need to change the ECC cryptographic scheme to an RSA scheme. How can I change or add support for RSA cryptographic schemes for the STM32H7B3I-DK board?

Looking forward to your support.

Thanks,

Ikbal

3 REPLIES
Jocelyn RICARD
ST Employee

Hello @Ikbal​,

To get support for RSA you need to add a new crypto scheme.

This involves

1) Adding the scheme in the secure engine: Update signature check function

2) Adding a new header structure to contain the RSA public key : This will change the offset of the application

3) Adapting python scripts to generate the signature with RSA and build the new signed header

Best regards

Jocelyn

Hello Ricard,

Thanks for your response. It was really helpful in understanding the changes required to add a new crypto scheme.

I have currently started making changes in the prebuild and Python scripts to add the RSA support.

I have generated a 2048-bit private key and public key using OpenSSL for testing my RSA crypto scheme. The prebuild script invokes the Python script with the trans command to generate the se_key.s file.

I have modified the Python scripts for RSA as follows:

  1. I am directly importing the RSA public key in 'DER' format, which is binary.
  2. The key is then passed through the translate script for se_key.s file generation, but it doesn't work. As per my understanding, the translate section is hard-coded for ECC key lengths, i.e. 16, 32 and 64. But in my case I am getting a very long RSA length, i.e. 294.

Please help me to solve this problem.

Also I am searching for any reference to implement RSA crypto in SBSFU but I am unable to find any guidance. Please share if any reference is available.

Thanks and regards

Ikbal

Jocelyn RICARD
ST Employee

Hello @Ikbal​ ,

You have 2 solutions

1) you get rid of this encoding and put directly the public key in an array: simplest solution. The key will be in clear in the code which is not an issue as it is a public key. Also, it will be protected thanks to the activation of the secure area.

2) you change the translate_key.py to support this new input.

The principle of this script is to transform the key into a function without any data access.

So, registers are filled up 16 bits by 16 bits using MOV instruction, and then once 4 registers are filled, they are "dumped" to RAM.

There is no reference implementation of RSA crypto in SBSFU as far as I know.

Now, there is an implementation of a secure boot on STM32U5 with Cortex-M33 using MCUboot which supports RSA. But we don't have any port available for H7...

Best regards

Jocelyn
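
The second option in the reply above, sketched as an added example that is not part of the thread and not ST's translate_key.py: a generator that applies the described MOVW/MOVT-then-store principle to a key of any length, including a 294-byte DER blob that is not a multiple of 16. The symbol name `read_rsa_pub_key`, the register choice and the sample key bytes are assumptions made for illustration.

```python
import struct

REGS = ("r1", "r2", "r3", "r4")  # four 32-bit registers = 16 bytes per store

def key_to_asm(key: bytes, func: str = "read_rsa_pub_key") -> str:
    """Emit a Thumb-2 function (hypothetical name) that writes `key` to the
    buffer in r0. Key bytes appear only as MOVW/MOVT immediates, so there is
    no data access. The tail is zero-padded to a 32-bit word and the last
    STM stores fewer than four registers."""
    padded = key + b"\x00" * (-len(key) % 4)
    words = struct.unpack(f"<{len(padded) // 4}I", padded)
    out = ["    .syntax unified", "    .thumb", f"    .global {func}",
           "    .thumb_func", f"{func}:", "    push {r1-r4}"]
    for i in range(0, len(words), len(REGS)):
        chunk = words[i:i + len(REGS)]
        for reg, w in zip(REGS, chunk):
            out.append(f"    movw {reg}, #0x{w & 0xFFFF:04x}")  # low 16 bits
            out.append(f"    movt {reg}, #0x{w >> 16:04x}")     # high 16 bits
        # "dump" the filled registers to RAM and advance the pointer
        out.append(f"    stm r0!, {{{', '.join(REGS[:len(chunk)])}}}")
    out += ["    pop {r1-r4}", "    bx lr"]
    return "\n".join(out) + "\n"

def emulate(asm: str) -> bytes:
    """Host-side check: replay the MOVW/MOVT/STM lines and return the bytes
    the function would write, for comparison with the input key."""
    regs, mem = {}, bytearray()
    for line in asm.splitlines():
        op, _, args = line.strip().partition(" ")
        if op in ("movw", "movt"):
            reg, imm = args.split(", #")
            val = int(imm, 16)
            if op == "movw":
                regs[reg] = val  # MOVW clears the upper half
            else:
                regs[reg] = (regs[reg] & 0xFFFF) | (val << 16)
        elif op == "stm":
            for reg in args[args.index("{") + 1:args.index("}")].split(", "):
                mem += struct.pack("<I", regs[reg])  # little-endian store
    return bytes(mem)

# Constructed stand-in for a 294-byte DER public key (not a real key).
SAMPLE_KEY = bytes(i % 251 for i in range(294))

if __name__ == "__main__":
    asm = key_to_asm(SAMPLE_KEY)
    assert emulate(asm)[:len(SAMPLE_KEY)] == SAMPLE_KEY
    print(asm)
```

The generated function writes the padded length (296 bytes for a 294-byte key), so the destination buffer in the secure engine has to be sized for that, not for the raw DER length.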