Hi,
from the manual refer on UM-WI-056, on section Appendix C SDK Memory Maps, on page: 96 I have notice that serial flash memory (SFLASH) can be used both for code execution and for storing application data. Since I have to store confidential information in the external memory, I want to ensure that it is protected from unauthorised access and attacks.
1.How can I protect the external flash memory from unauthorized read/write access?
2.Are there hardware-level protections (e.g., secure boot, memory access control) to prevent firmware extraction or modification?
I have seen that there is a command "sflash write 3AD000 10" to write in sflah memory. The data that I have tried to written come from predefined values or memory buffers in the firmware.
[MROM] sflash write 3AD000 10[MROM] sflash read 3AD000 10[003AD000] : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
3. Is there any way to be able to write the data that I want?
HI There,Thank you for posting your question online.Let me try to answer your questions:
DonatoC said:1.How can I protect the external flash memory from unauthorized read/write access?
There are answers to DA16200 security questions.
DonatoC said:2.Are there hardware-level protections (e.g., secure boot, memory access control) to prevent firmware extraction or modification?
Please refer on UM-WI-015 DA16200 DA16600 Security Tool User ManualPlease also check on DA16200 DatasheetAnd also check on UM-WI-046 DA16200 DA16600 FreeRTOS SDK Programmer Guide section 16 Crypto Examples.Best Regards,OV_Renesas
thank for your support!
I am using security tool to encrypt the secure asset such as the AES key.
I tried to securely store data in flash using the Secure Asset .The first thing to do is the device provisioning that stores the provisioning keys (Kcp or Kpicv) in the OTP memory. I should use provisioning key, used to encrypt assets that need to be decrypted securely on the device. Using secury tool to generate assets, I encountered the following error, that I believe is due to the fact that I skipped the provisioning phase. So, the error was:
Kcp
Kpicv
I understood that Krtl is used to encrypt sensitive assets such as Chip Master Keys (Kcm) and Device Master Keys (Kdm) . The Security Tool derives a key from Krtl to secure these provisioning assets. Should I request Krtl key to generate enc.kcp.bin ?
Hi There,Thank you for the reply.Let me check on this with the Wi-Fi Team and I will get back to you as soon as possible.Best Regards,OV_Renesas
thank for your support, see you soon.
Hi There,Thank you for the reply and apologies for the delay.1) Please do not raise the same questions here and directly on your local FAE. We have both created internal ticket for the same issue. That is not efficient.2)You want to store the user data securely in SFLASH
Secure storage and NVRAM features support full services to encrypt raw data and decrypt secure data.But Secure Asset only supports a one-way function used to decrypt assets.
Secure Storage and NVRAM can use two key types depending on applying the Secure boot process.
The secure boot provides high security but each DA16200 device should apply the Secure boot process when the device mass production.It will increase the mass production resources. The User key case doesn't need the Secure boot process but the customer should manage it in a specific way.
SDK v3.2.9.1 supports Secure NVRAM with User key case but v3.2.8.1 needs the patch as follow.Security_DA16200.zipPlease let us know if you have any other questions or requests.Best Regards,OV_Renesas
thank you for your support! I apologize for the incovient due to the double ticket on your portals. I'm working on a project where I have to store confidential information in the external memory. First I encrypted the data and then I should written them into the Serial Flash. I used the sflash write command , but the write command didn't work properly, as you seen in the image.
sflash write
Hi there,Thank you for the reply.It will not work with the sflash write command.Please follow the instructions and apply the patch on your project.You will be able to write encrypted data via the NVRAM menu on UART0 or via the APIs on FreeRTOS SDK.Best Regards,OV_Renesas
thank you for your support! I have understood that applying the patch I could write and read nvram in a secure way. I could perform these operations directly in the code with SDK API;
1 ) I can't understand how to perform this operation via UART0 console.
These are the commands I have found on UART0 menu.... How could perform write with one of NVRAM commands? Which NVRAM address is allowed to be written to? Are there no WiFi configurations in this memory? How do I avoid corrupting them with our writes? Is the User Area encrypted like NVRAM?
2 ) Looking at the NVRAM API from the manual "REN_UM-WI-046-DA16200_DA16600_FreeRTOS_SDK_Programmer_Guide_Rev_2v4.pdf" I see that it accepts ‘ITEMs’ and not addresses as parameters..... should I write to NVRAM in terms of ITEMs and not addresses? Not clear....
Best Regards
Hi There,Apologies for the delay.I am checking on this internally and I will get back to you as soon as possible.Best Regards,OV_Renesas