CC2642R: API for key storage memory usage

Part Number: CC2642R
Other Parts Discussed in Thread: CC2674R10

Where can I find the API and document to write to the key storage memory and to read from it? Thanks.

Best regards,

Shuyang

  • Hi Shuyang,

    Thank you for reaching out.

    May I kindly ask if the API gapBondMgrReadBondRec could help? If yes, please refer to "Extract Bonding Information" in the Users' Guide: https://software-dl.ti.com/simplelink/esd/simplelink_cc13xx_cc26xx_sdk/7.10.00.98/exports/docs/ble5stack/ble_user_guide/html/ble-stack-5.x/gapbondmngr-cc13xx_cc26xx.html#extract-bonding-information

    I hope this will help,

    Best regards,

  • Hi Clement,

    Thanks for the prompt response.

    Is the bonding record stored in the key storage memory? From the API’s description it looks like it stores the bonding record in the NV.

    Best regards,

    Shuyang

  • To add more background: the goal is to use the key store memory to save the key in AES encryption.

    I looked into the TI Drivers API documents CryptoKey.h and CryptoKeyPlaintext.h, and also the Advanced Security Features in SimpleLink Academy. The academy provides an example using plaintext to initiate the cryptokey. I assume I should change CryptoKey->encoding to CryptoKey_BLANK_KEYSTORE to use the key store memory, but I did not find the corresponding API.

    KeyStore_PSA_initKey() seems the right API to do this but it only supports CC13x4/26x4 from the TI Drivers API document. Can you please confirm if CC2642 supports this API?

    Best regards,

    Shuyang

  • Hi Shuyang,

    > Is the bonding record stored in the key storage memory? From the API’s description it looks like it stores the bonding record in the NV.

    The bonding information contains among others the keys (LTK, IRK, SRK). Bonding information is stored in NV as it should be able to survive a reboot.

    > the goal is to use the key store memory to save the key in AES encryption

    I am not totally sure I understand this, but with my suggestion you can access the encryption key, so you should be good.

    > KeyStore_PSA_initKey() seems the right API to do this but it only supports CC13x4/26x4 from the TI Drivers API document. Can you please confirm if CC2642 supports this API?

    The CC2642 and CC13x4/CC26x4 have different PKA accelerators.

    I hope this will help,

    Best regards,

  • Hi Clement,

    The purpose is not to access the encryption key, but to use the key store memory to protect the key from being accessed from an attack.

    In CC26x2 TRM chapter 12.5.6, the key area (or key store) is introduced, which is a dedicated area of memory storing the keys and allowing only access from DMA.

    My customer's goal is to use this key area to protect their AES keys from outside attacks, but could not find an example to demonstrate how to enable it.

    Could you please help check with our driver's team to see if we have an example for this? And please let me know if you need more information about the use case, thanks!

    Best regards,

    Shuyang

  • Hi Shuyang,

    Thank you for the additional information provided.

    Please refer to the functions AESWriteToKeyStore() and AESReadFromKeyStore() within the file <SDK>\source\ti\devices\cc13x2_cc26x2\driverlib\aes.c

    Best regards,

  • Hi Clement,

    Thanks for the guidance. The customer has tried the APIs and still has the following 2 questions:

    1. From the comment of AESReadFromKeyStore(), it transfers a key from the keyStoreArea to the internal buffer of the module. But I cannot find where the buffer is located and how to leverage the buffer to perform an AES encryption/decryption.

    2. Is the key store memory located in the RAM? Does it survive a power cycle? If it's not in the RAM, where is it? The customer's goal is to find a safe place to store their keys; if the key store memory is in the RAM, I guess it cannot achieve this goal. Can you please elaborate on the design purpose of the key store memory and its typical use case?

    Best regards,

    Shuyang

  • Hi Shuyang,

    1- Please refer to the AES driver for details on the way to use the functions mentioned. These drivers are located in <SDK>\source\ti\drivers\aesxxxx

    2- The key memory is located in the Key Store RAM (as described in https://www.ti.com/lit/swcu185f §12.5.1). They can run a test to see if a reset will erase the Key Store RAM. In parallel, I'll ask this question to the R&D team.

    Best regards,

  • Hi Clement,

    I found a description of the key store in AESCBCCC26XX.h and it says that the key store is only used to load keys into the AES accelerator rather than store keys:

    https://dev.ti.com/tirex/explore/content/simplelink_cc13xx_cc26xx_sdk_7_10_01_24/docs/drivers/doxygen/html/_a_e_s_c_b_c_c_c26_x_x_8h.html

    If my understanding is right, the key store RAM is only used as a temporary buffer by TI Drivers, not for the users to store keys. Can you please confirm if I am understanding it correctly? If yes, I still don't understand why we need this specific area of RAM to be the buffer. As the keys are normally already in the RAM, why does the AES module not load the key directly from the RAM?

    Best regards,

    Shuyang

  • Hi Shuyang,

    You are correct. In the end, the CC2642R does NOT offer Secure Key Storage like CC2674R10 would do.

    Best regards,