5.13.2. Key Rotation using PUF
This example demonstrates how to use PUF to manage PlatformSCP keys and rotate the keys using PUF. For details on PUF and usage with LPC55S, refer to SCP03 with PUF.
Before running this example, be sure that the correct PlatformSCP keys are already provisioned in PUF. For details on how to provision keys in PUF, refer to Section 5.13.1 Key Injection to PUF.
In this example, we first open a session with the default PlatformSCP keys and perform an RNG operation. We then rotate the keys in the SE and in PUF, reopen the session with the new keys, and perform the RNG operation again to demonstrate that the keys have been rotated. Finally, we revert to the old keys.
Warning
We are using randomized keys for key rotation. Make sure that the demo runs completely without any power interruptions. In case of failure, SE050 could be using the new keys and re-running the demo will fail.
5.13.2.1. Pre-requisites
Build the Plug & Trust middleware stack. (Refer to Building / Compiling)
PUF must be enrolled first, the original SCP03 keys must be provisioned, and the ActivationCode and KeyCodes must be updated in ex_scp03_puf.h. The SBL and secure app should be compiled with the correct AC and KCs. See Section 5.13.1 Key Injection to PUF on how to provision PUF with PlatformSCP03 keys.
5.13.2.2. How to build
Make sure that you compile the secure example first. The non-secure example links to the secure example.
Compile the secure example with the following CMake options:
Host=lpcxpresso55s_s
SCP=SCP03_SSS
SE05X_Auth=PlatfSCP03
Project: puf_rotate_scp03_s
Compile the non-secure example with the following CMake options:
Host=lpcxpresso55s_ns
SCP=SCP03_SSS
SE05X_Auth=PlatfSCP03
Project: puf_rotate_scp03_ns
5.13.2.3. How to run
Follow the steps given below to flash the secure and non-secure binaries on the LPC55S board.
Import the secure and non-secure projects into MCUXpresso IDE.
Update the Makefile target for both projects.
Build the projects.
Note
Be sure that you build the secure project first and then the non-secure project.
Start GUI Flash Tool
Note
You can program the binary by debugging the project also. If you want to debug, go to step 6.
On successful operation you should see the following message
To start debugging into the project, simply select the project that you want to debug and press the Debug button in QuickStart Menu. Make sure that in the Debug Configuration, under the GUI Flash Tool tab, you have selected Program.
Perform the last two steps for both the projects (order does not matter). While debugging, flash the program that you want to debug second.
When you have flashed both the projects, reset the board. On successful execution you should see the following log in the terminal:
App :INFO :PlugAndTrust_v02.15.00_20200522
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Random test 1 was successful, with default SCP03 keys!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet deselection successful!
App :INFO :Key Rotation was successful!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Applet is now using PUF keys!
App :INFO :Random test 2 was successful, with new PUF keys!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet deselection successful!
App :INFO :Key Rotation was successful!
App :INFO :Rotation back to default keys was successful!
App :INFO :Entering normal world.
Welcome in normal world (SIMW)!
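A captured terminal log can be checked against these milestones to tell whether an interrupted run may have left the SE050 on the rotated keys, the situation the warning above describes. The following Python script is an added example, not part of the Plug & Trust middleware; the state names and the inference from log lines to key state are assumptions of this example, and the sample log is constructed from the messages shown above.

```python
import re

# Milestone messages copied from the expected terminal log on this page.
ROTATED = "Key Rotation was successful!"
REVERTED = "Rotation back to default keys was successful!"
TEST_DEFAULT = "Random test 1 was successful, with default SCP03 keys!"

# Log lines look like "<module> :<level> :<message>"; ATR hex dumps do not match.
LINE_RE = re.compile(r"^\s*(\w+)\s*:(\w+)\s*:(.*)$")


def app_messages(log_text):
    """Return the 'App' log messages in order, skipping ATR hex dumps."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "App":
            out.append(m.group(3).strip())
    return out


def classify_run(log_text):
    """Classify how far the demo got (state names are this example's own)."""
    msgs = app_messages(log_text)
    rotations = msgs.count(ROTATED)
    if REVERTED in msgs and rotations >= 2:
        return "reverted"              # full run: default keys restored
    if rotations >= 2:
        return "revert_unconfirmed"    # second rotation logged, no confirmation
    if rotations == 1:
        return "rotated_not_reverted"  # SE050 may hold the randomized keys
    if TEST_DEFAULT in msgs:
        return "default_keys_only"     # session opened, no rotation logged
    return "no_session"


# Constructed sample: a run interrupted after the first rotation.
INTERRUPTED_LOG = """\
App :INFO :PlugAndTrust_v02.15.00_20200522
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
App :INFO :Applet selection successful!
App :INFO :Random test 1 was successful, with default SCP03 keys!
App :INFO :Applet deselection successful!
App :INFO :Key Rotation was successful!
App :INFO :Applet selection successful!
"""

if __name__ == "__main__":
    print(classify_run(INTERRUPTED_LOG))
```

A result of rotated_not_reverted means the log stops between the first rotation and the revert, so a re-run with the default keys is expected to fail, as the warning states.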