3.18. SCP03 with PUF¶
To keep Platform SCP03 keys secure, on the LPC55S e.g. PUF can be used. PUF will have the actual keys stored and we can perform cryptographic operations with it using HashCrypt block.
3.18.1. Activation Code¶
The Activation Code (AC) is a 1192-byte code used to start
PUF. The AC is generated during PUF_Enroll
operation.
This must be generated once for the lifetime of the device
and stored in PFR region of flash.
Each PUF has a different AC and cannot be used with any other device.
Note
For testing, we use pre-compiled activation code from
ex_scp03_puf.h
instead of reading from PFR. In actual
use case, it MUST be stored and read from PFR.
3.18.2. Key Code¶
For every key stored in PUF, we get a Key Code (KC) which is used to access the key. Hardware keys stored in PUF cannot be exported. SCP03 keys must be stored as hardware keys.
3.18.3. Using with LPC55S¶
PUF is integrated with sss_session_open()
in the supplied LPC55S example.
Use the following CMake configurations to compile with PUF
on LPC55S:
Host=lpcxpresso55s_s
SCP=SCP03_SSS
SE05X_Auth=PlatfSCP03
When we compile any application on LPC55S secure zone, it will try to read HW keys provisioned in PUF. If in case the keys are not provisioned in PUF, the implementation will fallback on software implementation.
Note
You need to pass keyCodes in connectionData to sss_session_open
instead of actual keys provisioned in PUF.
Only the static SCP03 keys are injected inside the PUF. Dynamic keys are derived from the static keys using CMAC operations with Hashcrypt module.
For example on how to enroll PUF and store SCP03 keys, refer Key Injection to PUF.