29.4.10 Cryptographic Key Bus
The first 512-byte page of each user signature block, including the OTP block, can be used to store cryptographic keys to be transferred through the key bus to the AES engine.
If the cryptographic key is stored in a user signature area to which read and write accesses have been disabled and locked until a hardware reset as programmed in EEFC_USR, then the CPU has no direct access to the cryptographic key. However, the CPU can still command the transfer of this key from the user signature area to the private key register of the AES or of the AESB engine through the key bus.
Transfer through the key bus can also be disabled until hardware reset, individually for each user signature block x, by writing a 1 to bit KBTLUSBx of the SEFC Key Bus Lock register (EEFC_KBLR).
The sequence to transfer a cryptographic key to the AES engine through the key bus is the following:
- Execute the ‘Send Cryptographic Key’ command by writing EEFC_FCR.FCMD with the SCK value. At the same time, write the selected destination (AES or AESB), the source user signature block, the start address offset in the first page of this block and the length of the key in EEFC_FCR.FARG.
- When transfer is completed, the bit EEFC_FSR.FRDY rises. If an interrupt was enabled by setting the bit EEFC_FMR.FRDY, the corresponding interrupt line of the interrupt controller is activated.
Two errors can be detected in EEFC_FSR after this sequence:
- Command error: a wrong keyword was written in EEFC_FCR.
- Write Protect error: the transfer from this user signature block is locked in the SEFC Key Bus Lock register.

Note: The cryptographic key to be transferred must fit entirely into the first page of the selected user signature block, otherwise a Command error is flagged. Read access to the Flash remains permitted while an SCK command is executed.
Also check the AES engine Write Protection Status register for any key bus transfer error.
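The following is an added, host-runnable example of the SCK sequence described above; it is not code from the datasheet or from any vendor driver. It models the few EEFC registers the sequence touches in a plain struct so the control flow (lock check, FARG packing, FRDY wait, FCMDE/FLOCKE decode) can be exercised off-target. The FKEY password (0x5A), the FCR field positions (FCMD[7:0], FARG[23:8], FKEY[31:24]) and the FSR bit positions (FRDY, FCMDE, FLOCKE) are the standard EEFC layout; the SCK command code (0x17), the packing of the destination/block/offset/length fields inside FARG, and the number of user signature blocks (3) are assumptions and must be replaced with the values from the EEFC_FCR description before use on hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of the SEFC/EEFC register block. On the target this would be
 * a volatile pointer at the controller's base address (not given on this page).
 * Only the registers the SCK sequence touches are modelled. */
typedef struct {
    uint32_t FMR;   /* Flash Mode Register (FRDY interrupt enable, unused here) */
    uint32_t FCR;   /* Flash Command Register */
    uint32_t FSR;   /* Flash Status Register */
    uint32_t KBLR;  /* Key Bus Lock Register: bit x = KBTLUSBx for block x */
} eefc_regs_t;

/* EEFC_FCR layout: FCMD[7:0], FARG[23:8], FKEY[31:24] (FKEY must be 0x5A). */
#define EEFC_FCR_FKEY_PASSWD  (0x5Au << 24)
#define EEFC_FCR_FARG(v)      (((uint32_t)(v) & 0xFFFFu) << 8)
#define EEFC_FCR_FCMD(v)      ((uint32_t)(v) & 0xFFu)
/* EEFC_FSR bits: FRDY, FCMDE (Command error), FLOCKE (Write Protect/lock error). */
#define EEFC_FSR_FRDY   (1u << 0)
#define EEFC_FSR_FCMDE  (1u << 1)
#define EEFC_FSR_FLOCKE (1u << 2)

/* ASSUMPTIONS: the SCK command code and the packing of its FARG fields below are
 * placeholders; take the real values from the EEFC_FCR / FARG description. */
#define EEFC_FCMD_SCK   0x17u
#define SCK_DEST_AESB   (1u << 0)                       /* 0 = AES, 1 = AESB */
#define SCK_BLOCK(x)    (((uint32_t)(x) & 0x3u) << 1)   /* source user signature block */
#define SCK_OFFSET_W(o) (((uint32_t)(o) & 0x7Fu) << 3)  /* start offset, in 32-bit words */
#define SCK_LEN_W(l)    (((uint32_t)(l) & 0x3Fu) << 10) /* key length, in 32-bit words */
#define SCK_PAGE_BYTES  512u                            /* first page of the block */

typedef enum { SCK_OK, SCK_EBADARG, SCK_ELOCKED, SCK_ECMD, SCK_ETIMEOUT } sck_result_t;

/* Model of the controller acting on an FCR write. On the target the body of this
 * function is just `r->FCR = v;` and the hardware updates FSR on its own. */
void eefc_write_fcr(eefc_regs_t *r, uint32_t v)
{
    r->FCR = v;
    r->FSR &= ~(EEFC_FSR_FCMDE | EEFC_FSR_FLOCKE);
    uint32_t farg = (v >> 8) & 0xFFFFu;
    unsigned blk = (farg >> 1) & 0x3u;
    unsigned off = ((farg >> 3) & 0x7Fu) * 4u, len = ((farg >> 10) & 0x3Fu) * 4u;
    if ((v >> 24) != 0x5Au || EEFC_FCR_FCMD(v) != EEFC_FCMD_SCK)
        r->FSR |= EEFC_FSR_FCMDE;            /* wrong keyword or unknown command */
    else if (r->KBLR & (1u << blk))
        r->FSR |= EEFC_FSR_FLOCKE;           /* transfer from this block is locked */
    else if (len == 0 || off + len > SCK_PAGE_BYTES)
        r->FSR |= EEFC_FSR_FCMDE;            /* key does not fit in the first page */
    r->FSR |= EEFC_FSR_FRDY;                 /* FRDY rises when the command completes */
}

/* Lock key bus transfers from user signature block x until hardware reset. */
void eefc_key_bus_lock(eefc_regs_t *r, unsigned block) { r->KBLR |= 1u << block; }

/* The SCK sequence: validate, issue the command, wait for FRDY, decode errors.
 * FSR is read once per poll into a local because reading it clears the error flags. */
sck_result_t eefc_send_key(eefc_regs_t *r, unsigned block, bool to_aesb,
                           unsigned offset, unsigned len_bytes)
{
    if ((offset | len_bytes) % 4u || len_bytes == 0 ||
        offset + len_bytes > SCK_PAGE_BYTES)
        return SCK_EBADARG;                  /* hardware would flag a Command error */
    if (r->KBLR & (1u << block))
        return SCK_ELOCKED;                  /* KBTLUSBx set: hardware would report FLOCKE */
    uint32_t farg = (to_aesb ? SCK_DEST_AESB : 0u) | SCK_BLOCK(block) |
                    SCK_OFFSET_W(offset / 4u) | SCK_LEN_W(len_bytes / 4u);
    eefc_write_fcr(r, EEFC_FCR_FKEY_PASSWD | EEFC_FCR_FARG(farg) |
                      EEFC_FCR_FCMD(EEFC_FCMD_SCK));
    for (unsigned spin = 0; spin < 100000u; spin++) {
        uint32_t fsr = r->FSR;
        if (!(fsr & EEFC_FSR_FRDY)) continue;
        if (fsr & EEFC_FSR_FLOCKE) return SCK_ELOCKED;
        if (fsr & EEFC_FSR_FCMDE)  return SCK_ECMD;
        return SCK_OK;
    }
    return SCK_ETIMEOUT;
}

int main(void)
{
    eefc_regs_t r = {0};
    printf("256-bit key, block 0 -> AES: %d\n", eefc_send_key(&r, 0, false, 0, 32));
    eefc_key_bus_lock(&r, 0);
    printf("same transfer after KBTLUSB0: %d\n", eefc_send_key(&r, 0, false, 0, 32));
    return 0;
}
```

After a successful SCK the key is in the AES (or AESB) private key register without ever having been readable by the CPU; the AES engine's Write Protection Status register should still be checked for a key bus transfer error, which this host model does not represent.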
