Hardware Security Engine (HSE) – Product Brief
NXP Semiconductors AP Software Software Development Hardware Security Engine Firmware V1.3 4/19/2021

HSE Firmware Product Brief

An NDA is required to access other HSE documents.

All information hereunder is per NXP's best knowledge. This document does not provide for any representation or warranty express or implied by NXP. NXP makes no representation or warranty that customer's applications or design will be suitable for customers' specified use without further testing or modification. Customers are responsible for the design and operation of their applications and products using NXP products, and NXP accepts no liability for any assistance with applications or customer product design. Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products. For reliable information on the NXP product please consult the respective NXP data sheet. Unless otherwise recorded in a written agreement, all sales transactions by NXP are subject to our general terms and conditions of commercial sale. These are published at http://www.nxp.com/about/about-nxp/ourterms-and-conditions-of-commercial-sale:TERMSCONDITIONSSALE

PUBLIC © NXP Semiconductors N.V. Uncontrolled copy if printed

1.0 Software Product Overview

The Hardware Security Engine (HSE) is a security subsystem that runs security functions for applications with stringent confidentiality and/or authenticity requirements, with the following foremost objectives:

· Isolating security-sensitive information (e.g., secret keys) from the application (the host)
· Offloading the application from processing cryptographic operations
· Accelerating cryptographic operations with dedicated coprocessors
· Enforcing security measures on the application, during run-time and system startup

The HSE firmware is a software product specifically designed to run in the HSE subsystem. It essentially serves the host (application cores) with a set of native security services:

· Administration services are provided to install, configure and test the HSE firmware
· Key management services are available for the application to manage different sets of keys that are handled by the HSE firmware via e.g., the cryptographic services
· Cryptographic services provide the application with cryptographic primitives that are used by high-level security stacks in the application
· Random number services generate random streams that can be used in various security protocols
· Memory verification services allow the application to verify different memory areas at start-up (after reset) and during run-time
· Monotonic counter services provide the application with a set of monotonic counters that can be read and only incremented
· Secure time services allow the configuration of a secure tick to be signaled to the application
· Network services provide support for accelerating network security protocols (IPsec, SSL/TLS)

An overview of NXP's native services supported by the HSE firmware is highlighted in Figure 1.
It also contains services and interfaces for SHE+ specification emulation.

Figure 1. NXP's native services

Upgradable in the field, the HSE firmware comprises all the required security functions to fulfill a broad set of automotive security requirements and use cases (AUTOSAR® SecOC, SSL/TLS, IPsec, etc.). The services are accessed over a flexible and configurable communication interface which allows simultaneous asynchronous requests while ensuring Freedom from Interference between applications/cores. The basic enablement (Common Security API) allows customers to integrate the HSE subsystem into different security stacks.

Figure 2. NXP's Security Components in Play

2.0 Software Content

The HSE Security Firmware is delivered in executable form, encrypted and signed by NXP. The table below provides an overview of services/features supported by the HSE Firmware.
Service | Category | Feature
Cryptography | Ciphers | AES: ECB, CBC, CFB, CTR, XTS; 3DES: CBC, ECB, CFB, OFB; RSAES: PKCS1-v1_5, OAEP
Cryptography | Message Authentication Code (MAC) | AES: CMAC, GMAC, XCBC-MAC; HMAC
Cryptography | Hashing | SHA1; SHA224, SHA256, SHA384, SHA512; SHA3_224, SHA3_256, SHA3_384, SHA3_512; MD5; Miyaguchi-Preneel Compression
Cryptography | Authenticated ciphers | AES: CCM, GCM
Cryptography | Digital signature generation and verification | RSASSA_PSS; RSASSA_PKCS1-v1_5; ECDSA ECC over GF(p) with all prime standard curve supported; EdDSA - Ed25519 pre-hashed curve
Key Management | Max key sizes | AES: 256 bits; RSA: 4096 bits; ECC: 521 bits
Key Management | Key generation | Permanent and ephemeral RSA and ECC key pair generation
Key Management | Key import | Plain or encrypted form, with optional authentication tag; SHE key update protocol
Key Management | Key derivation | NIST 800-108, PBKDF2
Key Management | Key exchange | ECDH and Classic DH
Key Management | Certificate handling | Key Installation for x.509 and CVC certificates; Certificate installation for Root of Trust establishment
Boot and Memory Verification | Supported authentication | AES CMAC; XCBC-MAC; HMAC; GMAC; RSA and ECC signatures
Boot and Memory Verification | Verification flow | Before application startup (strict secure boot); In parallel with the application startup; On demand by the application
Boot and Memory Verification | Sanctions | No startup (strict secure boot); Device reset; Key usage restrictions
Monotonic Counter | Counter management | Incrementing and reading volatile and nonvolatile counters
Network Offloading Services | Dual purpose ciphers | Combined cipher and hash services for IPsec and TLS throughput enhancement
Random Number | Pseudo random generation | Based on a True Random Number AIS31 Class P2 high and FIPS 140-2 compliant
Secure Time | Secure Tick | Application interrupts at configurable frequency
Administration Services | HSE administration | Firmware installation / update; Subsystem configuration and testing

Table 1. HSE Firmware Services and Features

The HSE Firmware Reference Manual and HSE Firmware Service Description Reference Manual, available on NXP DocStore, provide more information about HSE Firmware.

The HSE Firmware will be available in two variants: Standard package and Premium package.

Figure 3. HSE Firmware Offering

3.0 Supported Targets

The software described in this document is intended to be used with the following devices of NXP Semiconductors:

· S32G2

4.0 Quality, Standards Compliance and Testing Approach

The HSE Firmware product is developed according to NXP Software Development Processes that are Automotive-SPICE, IATF16949 and ISO 9001 compliant.