Part Number: AM2632
Please review the solution below for BLE key encryption/decryption via HSM. If acceptable, can we use keys stored in CPFROM for encryption/decryption?
Could you also propose an
encryption/decryption process for the HSM server?
This thread has been locked.
If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.
Part Number: AM2632
Please review the solution below for BLE key encryption/decryption via HSM. If acceptable, can we use keys stored in CPFROM for encryption/decryption?
Could you also propose an
encryption/decryption process for the HSM server?
Hi,
From the flow above, Are you creating a HSM Service to encrypt/decrypt a BLE pairing keys which is fed from R5 -> sent it to the HSM and then HSM encrypts the same using the Root of Trust keys to which it has access to and give back the cipher text from the AES engine?
If yes, then this looks ok.
How is the R5 keys stored? Is it wrapped in any certificate or is it raw keys that is sent to HSM?
On the HSM side (i.e. the server). from the above i see you that you only need to call the AES engine at the other end if no certificate is involved.
Thanks and Regards,
Nikhil Dasan
Hello Dasan,
Yes, we plan to create an HSM service to encrypt/decrypt text strings using the root-of-trust keys stored in CPFROM (e.g., BLE keys or other sensitive data).
The process is as follows:
A text string is first encrypted via the HSM service, then stored by the R5 in external SNOR. When the string is later read from SNOR, it is decrypted by calling the HSM service before being used in the application system.
Typically, this text string consists of BLE pairing keys (exceeding 800 bytes in length). According to cybersecurity requirements, such keys must be protected and must not be susceptible to external compromise.
Could you help propose encrypt/decrypt process on HSM server? like AES engine in HSM server and call root of trust keys in CPFROM.
thank you.
Hi,
First you can create a new HSM service for this operation, by referring to our existing services.
Then in the service handler on the HSM side, you can call the AES encrypt/decrypt operation. You can refer this functionality in the DTHE examples present in TIFS SDK, which runs on M4 core.
In HSM end, the dthe example gives hardcoded keys, instead you can point to the Root of Trust keys present in HSM in the variable gKeyringAsymmKey[0] and gKeyringSymmKey[0], i.e. index 0 consists of RoT keys.
This should serve the purpose.
Thanks and Regards,
Nikhil Dasan