
Data Encryption and Decryption

To ensure the security of user data stored in Flash memories (such as the user data and sensor sampling data that require secured storage), the security modules of GR5xx SoCs support lightweight symmetric encryption based on PRESENT-128.

The process for data encryption and decryption is shown in Figure 4.

Figure 4 Data Encryption and Decryption

To encrypt/decrypt data:

  1. The symmetric data keys for PRESENT-128 are stored in eFuse and are loaded into the KEYRAM module during system startup and initialization. The random number generator and eFuse make it difficult to obtain the symmetric key for unintended use.
  2. In data encryption, load the data key to the PRESENT-128 module, and the key will be encrypted and stored in Flash.
  3. In data decryption, load the data key to the XIP_DEC module, so that the data on Flash can be decrypted automatically.
Note:
  • Firmware keys and data keys are stored separately in eFuse. When the same encrypted firmware runs on more than one chip, those chips must be programmed with the same firmware keys, but their data keys may differ, so that each data key belongs to one device/chip only.

  • Flash APIs support encrypted read/write. They automatically check whether the SoC is in security mode and, on that basis, encrypt written data and decrypt read data with the data keys. Users can also disable encrypted read/write by calling the corresponding API, and then write plaintext to and read plaintext from Flash.

  • Encrypted read/write through Flash APIs with firmware keys is not supported. Firmware keys are only used to decrypt the code area in the Flash of the XIP_DEC module.

  • To store data in Flash under encryption, users can also call the corresponding Non-volatile Data Storage (NVDS) API. For details about NVDS, see the developer guide of the specific GR5xx SoC.
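
The following C reference model of the PRESENT-128 block cipher is an added example, not the GR5xx SDK's code and not part of the original page; it shows why a per-device data key matters, since a block encrypted under one device's key does not decrypt under another's. The function names, key values and sample block are constructed assumptions, and the SoC's key loading and Flash address handling, which the page does not detail, are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
/* PRESENT-128 cipher model only; eFuse/KEYRAM loading and Flash addressing are not modelled. */
static const uint8_t SBOX[2][16] = {{0xC,5,6,0xB,9,0,0xA,0xD,3,0xE,0xF,8,4,7,1,2},   /* forward */
                                    {5,0xE,0xF,8,0xC,1,2,0xD,0xB,4,6,3,0,7,9,0xA}};  /* inverse */
static uint64_t sub_layer(uint64_t s, int inv) {
    uint64_t out = 0;
    for (int n = 0; n < 64; n += 4) out |= (uint64_t)SBOX[inv][(s >> n) & 0xF] << n;
    return out;
}
/* Bit permutation: bit i moves to 16*i mod 63 and bit 63 stays (inv = 1 reverses it). */
static uint64_t perm_layer(uint64_t s, int inv) {
    uint64_t out = 0;
    for (int i = 0; i < 64; i++) {
        int p = (i == 63) ? 63 : (16 * i) % 63;
        out |= inv ? ((s >> p) & 1) << i : ((s >> i) & 1) << p;
    }
    return out;
}
/* Derive 32 round keys from the 128-bit key register (hi = k127..k64, lo = k63..k0). */
static void key_schedule(uint64_t hi, uint64_t lo, uint64_t rk[32]) {
    for (uint64_t r = 1; r <= 32; r++) {
        uint64_t t = rk[r - 1] = hi;              /* round key = top 64 bits */
        hi = (hi << 61) | (lo >> 3);              /* rotate register left by 61 */
        lo = (lo << 61) | (t >> 3);
        hi = (hi & 0x00FFFFFFFFFFFFFFULL) | ((uint64_t)SBOX[0][hi >> 60] << 60)
           | ((uint64_t)SBOX[0][(hi >> 56) & 0xF] << 56);   /* S-box on top two nibbles */
        hi ^= r >> 2;                             /* round counter into k66..k62 */
        lo ^= (r & 3) << 62;
    }
}
uint64_t present128_encrypt(uint64_t hi, uint64_t lo, uint64_t b) {
    uint64_t rk[32];
    key_schedule(hi, lo, rk);
    for (int r = 0; r < 31; r++) b = perm_layer(sub_layer(b ^ rk[r], 0), 0);
    return b ^ rk[31];
}
uint64_t present128_decrypt(uint64_t hi, uint64_t lo, uint64_t b) {
    uint64_t rk[32];
    key_schedule(hi, lo, rk);
    for (int r = 31; r > 0; r--) b = sub_layer(perm_layer(b ^ rk[r], 1), 1);
    return b ^ rk[0];
}
int main(void) {   /* constructed data keys for two hypothetical devices A and B */
    uint64_t ct = present128_encrypt(0x1111, 0x2222, 0x53454E534F523031ULL);
    printf("A: %016llx\n", (unsigned long long)present128_decrypt(0x1111, 0x2222, ct));
    printf("B: %016llx\n", (unsigned long long)present128_decrypt(0x3333, 0x4444, ct));
    return 0;
}
```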
