2022-04-19 01:30 AM - last edited on 2023-07-11 10:28 AM by Kevin HUBER
Hi,
In both SSP documents:
1) AN5510 - Overview of the secure secret provisioning (SSP) on STM32MP1 Series
2) AN5054 - Secure programming using STM32CubeProgrammer
It is written that "SSP" & "HSM" tabs expect:
""" Encryption key and nonce files: The encryption key and nonce file can be selected by entering their paths (absolute or relative), or by selection with the Open button. Notice that sizes must be respected (16 bytes for the key and 12 bytes for nonce). """
But when I try to do this process ("SSP" tab, still waiting for STHSMv2 to arrive)
I get "Size of ssp_nonce.bin is expected to be 16 bytes"
both in GUI & in CLI modes -- latest tool version (2.10)
note1: when I provide a 16-byte nonce, it works
note2: There are a couple of locations in AN5510 where it is written that the nonce is 16 bytes or 128 bits; the rest say it is 12 bytes.
Is this an error with the STM32 Trusted Package Creator tool or with the documentation?
Side question,
How does one create an AES128GCM key + nonce? I can't find any help on Google.
Currently I just use the openssl command for aes128cbc key generation, and use the "IV" as the nonce.
Is this ok?
Thanks,
Michael
2022-04-26 09:52 AM
Hi MVass.1 (Community Member)
Thanks for your post. I agree it is confusingly stated in AN5510. The nonce file is a fixed 16 bytes total, and the last 4 bytes must be zero. Only the 96 bits (12 bytes) of the nonce are used in the AES128 GCM algorithm.
For the side question, you can use the Keygen tool (included in the install of STM32CubeProgrammer) to generate the AES key for AES128GCM:
https://wiki.st.com/stm32mpu/wiki/KeyGen_tool
STM32MP_KeyGen_CLI -abs /home/user/keyFolder/ -pwd azerty -pe aes128
Regards,
Olivier
2022-04-26 11:57 PM
Hi,
Thanks for the clarification
Regarding your second answer, I don't think you are correct.
The STM32MP_KeyGen_CLI tool's documentation says:
"STM32 KeyGen is a tool that generates the ECC key pairs needed for signing binary images."
I also tried the command you provided, and it just created ECC keys (with aes128 encryption for the private key),
not an AES128GCM key + nonce.
BR,
Michael
2022-04-27 01:40 AM
Hi,
Yes, my mistake: the output of keygen is used in Trusted Package Creator for the OEM public key.
On the current version of Trusted Package Creator, it is not possible to generate the AES encryption key file and nonce file. So you have to generate them by hand or using openssl as you did.
The next version of Trusted Package Creator (v2.11.0, release end of June this year) will include a generate tab to optionally generate the AES key and nonce.
Best Regards,
Olivier
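One way to produce the two files by hand in the layout described in this thread (a 16-byte AES-128 key, and a 16-byte nonce file whose first 12 bytes are the GCM nonce and whose last 4 bytes are zero), with a check that mirrors the size error the tool reports. This is an added example, not code from the thread or from ST's tools; the file names ssp_key.bin / ssp_nonce.bin and the use of os.urandom as the random source are assumptions.

```python
"""Create and check SSP key/nonce files in the layout described in this thread.

Added example, not part of the thread or of ST's tools. Assumptions (not from the
thread): the file names ssp_key.bin / ssp_nonce.bin, and that the OS CSPRNG
(os.urandom) is an acceptable source for both values.
"""
import os
import tempfile
from pathlib import Path

KEY_LEN = 16          # AES-128 key: 16 bytes, as AN5510/AN5054 state
NONCE_FILE_LEN = 16   # what the tool checks ("expected to be 16 bytes")
NONCE_USED_LEN = 12   # 96-bit GCM nonce actually used; the last 4 bytes must be zero


def make_ssp_files(out_dir: str, key_name: str = "ssp_key.bin",
                   nonce_name: str = "ssp_nonce.bin") -> tuple[Path, Path]:
    """Write a 16-byte AES key file and a 16-byte nonce file (12 random bytes + 4 zero bytes)."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key_path = out / key_name
    nonce_path = out / nonce_name
    key_path.write_bytes(os.urandom(KEY_LEN))
    padding = b"\x00" * (NONCE_FILE_LEN - NONCE_USED_LEN)
    nonce_path.write_bytes(os.urandom(NONCE_USED_LEN) + padding)
    return key_path, nonce_path


def check_ssp_files(key_path, nonce_path) -> list[str]:
    """Return a list of problems; an empty list means both files match the expected layout.

    Reproduces the size check the tool performs and adds the zero-padding rule
    from the answer above.
    """
    problems = []
    key = Path(key_path).read_bytes()
    nonce = Path(nonce_path).read_bytes()
    if len(key) != KEY_LEN:
        problems.append(f"Size of {Path(key_path).name} is expected to be "
                        f"{KEY_LEN} bytes, got {len(key)}")
    if len(nonce) != NONCE_FILE_LEN:
        problems.append(f"Size of {Path(nonce_path).name} is expected to be "
                        f"{NONCE_FILE_LEN} bytes, got {len(nonce)}")
    elif any(nonce[NONCE_USED_LEN:]):
        problems.append("last 4 bytes of the nonce file must be zero")
    return problems


def gcm_nonce(nonce_path) -> bytes:
    """The 96-bit value GCM actually uses: the first 12 bytes of the 16-byte file."""
    return Path(nonce_path).read_bytes()[:NONCE_USED_LEN]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        k, n = make_ssp_files(d)
        print("problems:", check_ssp_files(k, n) or "none")
        print("GCM nonce (hex):", gcm_nonce(n).hex())
        # A bare 12-byte nonce file, as the documentation wording suggests, is rejected:
        Path(n).write_bytes(os.urandom(12))
        print("problems with a 12-byte file:", check_ssp_files(k, n))
```

The key only needs to be 16 uniformly random bytes, so any CSPRNG output (openssl rand, /dev/urandom, os.urandom) is equivalent for the key file; what matters for the nonce file is the fixed 16-byte size with the trailing 4 zero bytes, and that the 12-byte nonce is never reused with the same key.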
2022-07-27 09:07 AM
Hi @Community member, I see you have mentioned the "STM32 Trusted Package Creator tool". I would like to download the tool, either command line or GUI. I did a Google search but did not find a link.
Thank you!
Nancy
2022-07-27 10:14 AM
Found "STM32 Trusted Package Creator tool". It comes with STM32CubeProgrammer. I reinstalled it with the option "STM32 Trusted Package Creator" ticked during the installation of STM32CubeProgrammer.