2025-03-11 6:11 PM
I am conducting operational verification of the sample application of X-CUBE-SAFEA1 by connecting NUCLEO-L476RG and X-NUCLEO-SAFEA1B.
I have some questions regarding the operation of the sample application "STSAFEA1_WRAP_UNWRAP".
My questions are as follows:
Below are the steps I have taken:
I created a project on STM32CubeIDE via STM32CubeMX and executed the sample application "STSAFEA1_WRAP_UNWRAP" from X-CUBE-SAFEA1. The UART output results appear to be functioning without errors.
I performed step execution of the sample application "STSAFEA1_WRAP_UNWRAP" with a debugger and observed the encryption and decryption processes.
It appears that the encryption process is executed in the StSafeA_DataEncryption function at line 2618 of "stsafea_core.c". Similarly, the decryption process seems to be executed in the StSafeA_DataDecryption function at line 2747 of "stsafea_core.c".
StSafeA_ResponseCode_t StSafeA_WrapLocalEnvelope(
StSafeA_Handle_t *pStSafeA,
uint8_t InKeySlotNum,
uint8_t *pInData,
uint16_t InDataSize,
StSafeA_LVBuffer_t *pOutLVResponse,
uint8_t InMAC,
uint8_t InHostEncryption)
{
// ...
/* Encrypt data */
if (((uint8_t)InHostEncryption & (uint8_t)STSAFEA_ENCRYPTION_COMMAND) == (uint8_t)STSAFEA_ENCRYPTION_COMMAND)
{
status_code = StSafeA_DataEncryption(pStSafeA);
}
// ...
}
StSafeA_ResponseCode_t StSafeA_UnwrapLocalEnvelope(
StSafeA_Handle_t *pStSafeA,
uint8_t InKeySlotNum,
uint8_t *pInLocalEnvelope,
uint16_t InLocalEnvelopeSize,
StSafeA_LVBuffer_t *pOutLVResponse,
uint8_t InMAC,
uint8_t InHostEncryption)
{
// ...
/* Decrypt data */
if (((uint8_t)InHostEncryption & (uint8_t)STSAFEA_ENCRYPTION_RESPONSE) == (uint8_t)STSAFEA_ENCRYPTION_RESPONSE)
{
status_code = StSafeA_DataDecryption(pStSafeA);
}
// ...
}
During the execution of each function, I could not observe I2C communication between NUCLEO-L476RG and STSAFE-A110, and it seems that the encryption and decryption processes are performed on the NUCLEO-L476RG side.
I referred to the STSAFE-A110 datasheet.
According to Figure 12 "Wrap/Unwrap Local Envelop command flow" on page 21 of the datasheet, it seems that the encryption and decryption of plaintext are processed on the local host(here, NUCLEO-L476RG) side.
On the other hand, the command set list on page 23 includes Encrypt and Decrypt, indicating that STSAFE-A110 seems to provide encryption and decryption functions. Are there commands not implemented in the software of X-CUBE-SAFEA1?
Thank you for your confirmation and response.
2025-03-17 12:54 AM
Hi @y_yamamoto,
The Wrap/Unwrap use case is encrypting a data with a key known only by the STSAFE-A110.
In order to perform this operation in a secure way, the I2C link shall be protected.
Therefore, the Wrap command mandate to encrypt the data with the local pairing key.
For the Unwrap, it's the response of the command which is protected by the local pairing key.
Yes, there is some encryption/decryption on the STM32L4 side but this is related to the local pairing key to protect the I2C bus.
The envelop return by the wrap command is encrypted with a internal key of the STSAFE-A110.
Best Regards,
Benjamin
2025-03-26 7:38 PM
Hi, @Benjamin BARATTE -san, @y_yamamoto -san.
I apologize for interrupting, but I'm interrested this topic too, especially processing encryption and decryption inside STSAFE-A110.
According to the datasheet, page 22, STSAFE-A110 provides us Encrypt and Decrypt commands.
Additionally, in stsafea_core.c program, I found StSafeA_RawCommand. I understand this function provides us to call the command directly.
StSafeA_ResponseCode_t StSafeA_RawCommand(
StSafeA_Handle_t *pStSafeA,
const StSafeA_TLVBuffer_t *pInRawCommand,
uint16_t InRespDataLen,
StSafeA_TLVBuffer_t *pOutTLVResponse,
uint32_t DelayMs,
uint8_t InMAC)
Therefore, I beleive we can process an encryption inside STSAFE-A110 with the above combination.
However, I couldn't find the detail information and specifications of Encrypt command in open data.
Could you show me the example program of calling Encrypt command, or detail specifications of Encrypt command?
Best regards
2025-03-28 1:55 AM
Hi @YUTA1 ,
on STSAFE-A110, the encrypt/decrypt API are not accessible as you can't store the key you need in the symmetric key table.
For this feature, you have to use STSAFE-A120 which has different way of loading a symmetric key and supports more AES variant.
Best Regards,
Benjamin
2025-03-28 2:34 AM
Thank you for your quick response, @Benjamin BARATTE -san.
I've come to understand that -A110 doesn't support the function, but -A120 can do that. Now I'm having the much interested in the product of -A120.
I found the datasheet of -A120 here. However, it's still unrevealed for me that the detail specification and information of related "Symmetric key table commands" thourgh I2C.
How do I get more details? Does it require NDA?
Best regards.