PSoC 6 Securely store in external flash

RaKa_4725271

Hi,

I am new to PSoC 6 and am trying to make sure that data stored in external flash is encrypted.  In section 3.5 of AN228740, it says:

The QSPI block includes a Cryptography Component to make sure data can be securely stored in external memory. The encryption and decryption are based on the AES-128 forward block cypher. A 128-bit key, stored in dedicated write-only QSPI registers SMIF_CRYPTO_KEY3, ..., SMIF_CRYPTO_KEY0, is used with a 128-bit plaintext to generate a cyphertext. The method of generating the cyphertext depends on whether the QSPI block is in Command or XIP mode.

The Serial Flash Library does not support encryption, so the PDL functions for encryption must be used. If you prefer the Serial Flash Library for configuration and data transfers, a combination of Serial Flash Library and PDL can be used.

I don't have the XIP mode turned on.

I have a few questions:

1. How are SMIF_CRYPTO_KEY3, ..., SMIF_CRYPTO_KEY0 programmed? (Apologies, still new here.)

2. What is the performance/energy penalty of using Cy_SMIF_Encrypt?

Any help will be appreciated.

Rajesh

DheerajK_81
Moderator

Please refer to the following code example to understand how encryption is done in the SMIF block:

https://www.cypress.com/documentation/code-examples/ce227032-psoc-6-mcu-smif-fly-encryption-mmio-and...

The code example will have answers to your first question.

Regarding the second question, when you call Cy_SMIF_Encrypt, it basically writes into the SMIF0_CRYPTO_CMD register, which starts the AES-128 forward block cipher operation. Note that the cryptography component in the SMIF block is a hardware component and definitely has significant performance gains over a software-only implementation. The operation takes roughly 13 clk_hf clock cycles.

For more information on the API usage, please refer to the PDL API Reference Guide. For Cy_SMIF_Encrypt, we have the following snippet available which should be helpful.

    cy_stc_smif_context_t SMIF_context;  /* This is a shared context structure.
                                          * It must be global
                                          */

    #define MEMTEST_AES_KEY_SIZE (16U)   /* The AES key length */
    #define PACKET_SIZE (32U)            /* The memory Read/Write packet */

    /* Data to encrypt */
    uint8_t txBuffer[PACKET_SIZE] = {1U, 2U, 3U, 4U, 5U, 6U, 7U, 8U,
                                     9U, 10U, 11U, 12U, 13U, 14U, 15U, 16U,
                                     17U, 18U, 19U, 20U, 21U, 22U, 23U, 24U,
                                     25U, 26U, 27U, 28U, 29U, 30U, 31U, 32U};

    uint32_t address = 0x2000UL;  /* The address to write data to */

    /* The AES key.
     * Writing of the AES key should be from secure area of the code
     */
    uint8_t key[MEMTEST_AES_KEY_SIZE] = {0x54U, 0x68U, 0x61U, 0x74U, 0x73U, 0x20U, 0x6DU, 0x79U,
                                         0x20U, 0x4BU, 0x75U, 0x6EU, 0x67U, 0x20U, 0x46U, 0x75U};

    /* Fill the key field in secure area of the code. */
    SMIF->CRYPTO_KEY0 = Cy_SMIF_PackBytesArray(&key[CY_SMIF_CRYPTO_FIRST_WORD], true);
    SMIF->CRYPTO_KEY1 = Cy_SMIF_PackBytesArray(&key[CY_SMIF_CRYPTO_SECOND_WORD], true);
    SMIF->CRYPTO_KEY2 = Cy_SMIF_PackBytesArray(&key[CY_SMIF_CRYPTO_THIRD_WORD], true);
    SMIF->CRYPTO_KEY3 = Cy_SMIF_PackBytesArray(&key[CY_SMIF_CRYPTO_FOURTH_WORD], true);

    /* Encrypt data in txBuffer */
    if (CY_SMIF_SUCCESS != Cy_SMIF_Encrypt(SMIF, address, txBuffer, sizeof(txBuffer), &SMIF_context))
    {
        /* Insert error handling */
    }

    /* The second call of Cy_SMIF_Encrypt() decrypts data in txBuffer */
    if (CY_SMIF_SUCCESS != Cy_SMIF_Encrypt(SMIF, address, txBuffer, sizeof(txBuffer), &SMIF_context))
    {
        /* Insert error handling */
    }

Let me know if you have any further queries.

Regards,

Dheeraj
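A host-side model, added here and not taken from the post or the PDL, of why the second Cy_SMIF_Encrypt() call in the snippet decrypts: it assumes the transform XORs each 16-byte block with a cipher output derived from the key and the block address. `toy_block`, `model_encrypt`, `demo_key` and the 16-byte alignment check are hypothetical names and assumptions (the stand-in is not AES); the model also shows that two buffers written to the same address under the same key share one keystream.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK 16U                        /* AES-128 block size in bytes */
static const uint8_t demo_key[BLOCK] = {0x54U, 0x68U, 0x61U, 0x74U};  /* constructed key */

/* Stand-in for the AES-128 forward cipher: NOT AES and not secure. It only
 * yields a keyed, address-dependent 16-byte block so the model runs on a PC. */
static void toy_block(const uint8_t key[BLOCK], uint32_t addr, uint8_t out[BLOCK])
{
    uint32_t s = addr;
    for (size_t i = 0; i < BLOCK; i++) {
        s = s * 1664525U + 1013904223U + key[i];    /* LCG step mixed with key */
        out[i] = (uint8_t)(s >> 24);
    }
}

/* Assumed model of the Command-mode transform: data ^= E(key, block address).
 * Returns 0 on success, -1 for NULL data or an address/size not 16-byte aligned. */
int model_encrypt(const uint8_t key[BLOCK], uint32_t address, uint8_t *data, size_t size)
{
    if (data == NULL || address % BLOCK != 0U || size % BLOCK != 0U) return -1;
    for (size_t off = 0; off < size; off += BLOCK) {
        uint8_t ks[BLOCK];
        toy_block(key, address + (uint32_t)off, ks);
        for (size_t i = 0; i < BLOCK; i++) data[off + i] ^= ks[i];
    }
    return 0;
}

/* Returns 1 if encrypting at enc_addr and calling again at dec_addr restores the data. */
int second_call_restores(uint32_t enc_addr, uint32_t dec_addr)
{
    uint8_t buf[32], ref[32];
    for (size_t i = 0; i < sizeof buf; i++) buf[i] = ref[i] = (uint8_t)(i + 1U);
    if (model_encrypt(demo_key, enc_addr, buf, sizeof buf) != 0 || memcmp(buf, ref, sizeof buf) == 0) return 0;
    if (model_encrypt(demo_key, dec_addr, buf, sizeof buf) != 0) return 0;
    return memcmp(buf, ref, sizeof buf) == 0;
}

/* Returns 1 if two different buffers encrypted at one address give c1^c2 == p1^p2. */
int same_address_reuses_keystream(void)
{
    uint8_t p1[BLOCK], p2[BLOCK], c1[BLOCK], c2[BLOCK];
    for (size_t i = 0; i < BLOCK; i++) { p1[i] = c1[i] = (uint8_t)i; p2[i] = c2[i] = (uint8_t)(3U * i + 7U); }
    if (model_encrypt(demo_key, 0x2000U, c1, BLOCK) || model_encrypt(demo_key, 0x2000U, c2, BLOCK)) return 0;
    for (size_t i = 0; i < BLOCK; i++) if ((c1[i] ^ c2[i]) != (p1[i] ^ p2[i])) return 0;
    return 1;
}
int main(void) { return !(second_call_restores(0x2000U, 0x2000U) && same_address_reuses_keystream()); }
```

In this model, data read back from flash must be passed through the transform with the same address it was encrypted for, and nothing in the transform detects modified ciphertext, so integrity needs a separate check.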
