How to encrypt FW for programming PSoC 6 generated by Creator

Anonymous
Not applicable

Hello,

When we use cryptography for encryption of user FW, how should we generate the encrypted FW with Creator?

I read the application note below, but I could not find it.

http://www.cypress.com/file/385866/download

Best regards,

1 Solution
MeenakshiR_71
Employee

Hello user_474444345,

PSoC 6 does not support encrypted FW execution from internal flash, i.e. there is no 'on-the-fly' decryption to run an encrypted firmware directly from internal flash. In addition, there is no direct method to encrypt the firmware from PSoC Creator. Indirectly, you can extract the data from hex files, use online tools to encrypt the data as per the encryption requirement and then update the hex data with encrypted data in the hex file (you can use the J-Flash tool from Segger J-Link for the purpose of updating the hex data in hex files).

That said, you have the below options to run encrypted firmware -

  1. Using QSPI and external memory: You can use QSPI's on-the-fly decryption functionality (128-bit AES) to decrypt the firmware stored in external memory. This decryption is available in QSPI's XIP mode. You can generate the encrypted firmware using the method I mentioned above. Optionally, you can also use the HW crypto block to encrypt the firmware before storing in external flash.
  2. Using HW Crypto and internal SRAM: Define a separate section for encrypted firmware in RAM (through linker), say '.encryptedFW'. Place all the code that should be encrypted in this section using "CY_SECTION(".encryptedFW")" macro before the functions. In addition to mapping the section to RAM, you need to make sure the code is placed in flash as well. This can be done using ": AT (FLASH_ADDR)" in GCC when you define the RAM area in GCC linker script. Now this will make sure the FW to be encrypted gets placed @FLASH_ADDR location while the linker uses the RAM location for calling the functions. You will have to copy the code from Flash to RAM on boot for the code to function properly. Now you need to make sure you replace the firmware present at @FLASH_ADDR with the encrypted version as I mentioned earlier. Now in your code, you can do decryption using the HW Crypto block before you copy the encrypted fw to the RAM location.

E.g.

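.EncryptedFw 0x08030000 : AT (0x10050000)   /* runs from RAM (VMA), stored in flash (LMA) */
{
     __encrypt_start__ = .;                 /* first RAM address of the section */
     KEEP(*(.encryptedFW))                  /* functions marked with CY_SECTION(".encryptedFW") */
     __encrypt_end__ = .;                   /* end of the section in RAM */
} > ram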

The above area keeps ".encryptedFW" at 0x10050000 and relocates that to 0x08030000 in RAM i.e. function calls will be made to RAM location. In your copy code, you can use "&__encrypt_start__" to extract the start of RAM where you need to copy the code and "&__encrypt_end__" to find the last location in RAM to be copied. The data to copy will be from 0x10050000 and will be of the size "&__encrypt_end__ - &__encrypt_start__".

Regards,

Meenakshi Sundaram R
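
The hex-patching step described in the answer above can be done offline on the build machine, so the key never has to be given to a third-party tool. This is an added example, not code from the original post or from Cypress: `hex_record`, `patch_region`, `placeholder` and the sample image are constructed for illustration, only type 04 (extended linear address) records are handled, and the transform is a stand-in to be replaced by AES with the mode and key that the boot-time decryption uses.

```python
def hex_record(rtype, addr16, data):
    """Build one Intel HEX line, recomputing the checksum."""
    body = bytes([len(data), addr16 >> 8, addr16 & 0xFF, rtype]) + bytes(data)
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def patch_region(hex_text, start, length, transform, block=16):
    """Return hex_text with bytes [start, start+length) replaced by transform(region)."""
    if length % block:
        raise ValueError("region must be a whole number of cipher blocks")
    recs, base = [], 0
    plain, seen = bytearray(length), bytearray(length)
    for line in filter(None, map(str.strip, hex_text.splitlines())):
        raw = bytes.fromhex(line[1:])
        if line[0] != ":" or len(raw) < 5 or sum(raw) & 0xFF or raw[0] != len(raw) - 5:
            raise ValueError("malformed record: " + line)
        addr16, rtype, data = raw[1] << 8 | raw[2], raw[3], raw[4:-1]
        if rtype == 4:                      # extended linear address: upper 16 bits
            base = int.from_bytes(data, "big") << 16
        recs.append((rtype, base + addr16 if rtype == 0 else addr16, data))
        if rtype == 0:                      # collect plaintext that falls in the region
            for i, b in enumerate(data):
                off = base + addr16 + i - start
                if 0 <= off < length:
                    plain[off], seen[off] = b, 1
    if not all(seen):
        raise ValueError("region is not fully present in the image")
    cipher = transform(bytes(plain))
    if len(cipher) != length:
        raise ValueError("transform changed the region size")
    out = []
    for rtype, addr, data in recs:
        if rtype == 0:                      # swap in ciphertext where records overlap
            data = bytes(cipher[addr + i - start] if 0 <= addr + i - start < length
                         else b for i, b in enumerate(data))
        out.append(hex_record(rtype, addr & 0xFFFF, data))
    return "\n".join(out) + "\n"

# Constructed sample image (not from the post): one record just below the region,
# then 32 bytes at the flash address used in the post's linker example, 0x10050000.
SAMPLE = "\n".join([
    hex_record(4, 0, [0x10, 0x04]), hex_record(0, 0xFFF0, range(16)),
    hex_record(4, 0, [0x10, 0x05]), hex_record(0, 0x0000, range(0x20, 0x30)),
    hex_record(0, 0x0010, range(0x30, 0x40)), hex_record(1, 0, b""),
]) + "\n"

def placeholder(region):
    """Stand-in transform for the demo only; NOT encryption. Pass real AES here."""
    return bytes(b ^ 0xA5 for b in region)
```

Calling `patch_region(SAMPLE, 0x10050000, 32, placeholder)` rewrites only the two data records inside the region and leaves every other record byte-for-byte unchanged.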
