2022-02-22 12:34 AM
Hi All,
Currently I use the SBSFU solution to develop a project. I checked AN2262, which describes what SBSFU supports in the picture below.
1. My question is how to enhance the encryption strength below, or is there any application I could reference? Does it need modifying the SE engine (as far as I know, the user cannot modify this Images_SECoreBin project)?
Confidentiality - change to AES 256bit (original is 128bit)
Authentication - change to SHA2-384
Cryptographic - change to AES 256bit (original is 128bit)
2. Can the user revoke previously signed firmware in this SBSFU solution?
Sam
2022-02-22 12:41 AM
Hi,
you can implement your own cryptography.
Basically, the SECoreBin project "instantiates" the Secure Engine middleware.
In this project, you can update: "se_crypto_bootloader.c".
The idea is of course to use it as a "wrapper" to a proven crypto library (ST cryptolib, mbedTLS...)
For instance, you may replace SE_CRYPTO_SHA256_HASH_DigestCompute by your calls to a SHA2-384 service.
But, if you do so, you also need to update the tools preparing the .sfb file so that it works with your crypto scheme. You also need to provide appropriate keys and change the tooling injecting them in the software.
Rather than replacing the existing crypto schemes, I would recommend introducing a new one.
Of course, all this must be implemented with lots of care as you are changing the crypto services running in the secure enclave.
Thanks & Regards,
Fred
P.S.: for the tooling you can observe
"STM32CubeExpansion_SBSFU_V2.6.0\Projects\NUCLEO-L476RG\Applications\2_Images\2_Images_SECoreBin\STM32CubeIDE\prebuild.sh"
This will install the postbuild.sh in the user application and will leverage the tooling provided in:
"STM32CubeExpansion_SBSFU_V2.6.0\Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages"
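The following is an added example, not part of the thread or of the SBSFU package. It sketches why the image tooling and the on-device verifier have to change together, and how a new scheme can sit beside the existing one instead of replacing it. The header layout, magic, scheme ids, function names and the HMAC standing in for header authentication are all assumptions made for illustration; this is not the real .sfb format.

```python
import hashlib
import hmac
import struct

# Constructed scheme table: id -> (hash name, digest length). Not SBSFU's values.
SCHEMES = {1: ("sha256", 32), 2: ("sha384", 48)}
MAGIC = b"DEMO"                 # placeholder magic, not the .sfb magic
HDR = struct.Struct("<4sHI")    # magic, scheme id, firmware size


def build_image(firmware: bytes, scheme: int, key: bytes) -> bytes:
    """Host tooling side: header, firmware digest, MAC over both, firmware."""
    name, _ = SCHEMES[scheme]
    head = HDR.pack(MAGIC, scheme, len(firmware))
    digest = hashlib.new(name, firmware).digest()
    # HMAC is a stand-in for the header authentication step (assumption).
    tag = hmac.new(key, head + digest, name).digest()
    return head + digest + tag + firmware


def verify_image(image: bytes, key: bytes, supported=SCHEMES) -> bytes:
    """Device side: dispatch on the scheme id, then check MAC and digest."""
    if len(image) < HDR.size:
        raise ValueError("truncated header")
    magic, scheme, size = HDR.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if scheme not in supported:
        raise ValueError(f"unsupported scheme {scheme}")
    name, dlen = supported[scheme]
    body = HDR.size + 2 * dlen
    if len(image) != body + size:
        raise ValueError("length mismatch")
    digest = image[HDR.size:HDR.size + dlen]
    tag = image[HDR.size + dlen:body]
    expect = hmac.new(key, image[:HDR.size] + digest, name).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("header authentication failed")
    firmware = image[body:]
    if not hmac.compare_digest(hashlib.new(name, firmware).digest(), digest):
        raise ValueError("firmware digest mismatch")
    return firmware
```

Because the scheme id is covered by the MAC and fixes the field lengths, an image built for one scheme cannot be relabelled as the other without failing verification.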
2022-02-24 01:55 AM
Hi Fred,
Thanks for your reply! I will study it first.