winIDEA HelpRenesas RH850: Challenge & Response Authentication
In this topic:
•winIDEA version 9.21.8 and newer
•winIDEA version 9.17.146 – 9.21.7
Introduction
This topic describes how to enable PE and ICUM debugging using Python scripts, when the Challenge & Response Authentication is enabled. Intelligent Cryptographic Unit Master (ICUM) is a RH850 HSM core that can run secure cryptographic operations. The ICUM is disabled at device shipment. For a debug access the ID code authentication must be performed by a debugger. When the ICUM is enabled and connected to a debugger, a security level can be raised with the addition of the Challenge-Response authentication.
The BlueBox debugger can unlock the debug interface for PE core(s) and ICUM, by using a Python script as an authenticator interface between winIDEA and a user authentication software.
Requirements
•winIDEA 9.17.146 or newer
•BlueBox iC5700, iC5000
•RH850 Debug Adapter
Supported MCU Families
Supported authentication targets - PE and ICUM debug authentication:
•RH850/F1KM
•RH850/F1KH
•RH850/P1H-C
Supports ICUM debug authentication:
•RH850/F1H
Python script examples
|
Contact technical support for Python script examples. |
Configuration
After downloading the Python scripts, specify the external user app in the attached Python file(s) and save it in the same folder as the winIDEA workspace. Use the following steps to run the script in winIDEA. Configuration procedure depends on your winIDEA version. Both procedures are described below:
•winIDEA version 9.21.8 and newer
•winIDEA version 9.17.146 – 9.21.7
winIDEA version 9.21.8 and newer
|
Add a custom script via Hardware / CPU Options / Reset. |
|
Press arrow button to: |
•Add the script RH850: Unlock Debug Interface using Challenge Response.
•Select Parameters for RH850_ConnectToSecuredSoC.cpp.
|
Press "..." button and add the Python scripts. |
•AuthenticateDebugPE.py in the ChallengeResponseExecutable_PE field.
•AuthenticateDebugICUM.py in the ChallengeResponseExecutable_ICUM field.
Note that the forward slashes are recommended. The concatenated command string should look something like this:
$(SFR_FILE_DIR)/RH850_ConnectToSecuredSoC.cpp("ChallengeResponseExecutable_PE=$(WORKSPACE_DIR)/AuthenticateDebugPE.py","ChallengeResponseExecutable_ICUM=$(WORKSPACE_DIR)/AuthenticateDebugPE.py")
Challenge will be passed to executable as a hex string. Response should also be returned from executable as a hex string. After the next download authenticated cores will be unlocked for debug.
The provided sample scripts need to be adapted to specific customer needs. See the following notes:
•For example, if the CPU presents these Challenge hex-words[0..3]: 0x11111112, 0x22222223, 0x33333334, 0x44444445, then the 16-byte string strChallenge is laid out as follows, in little-endian format: '12111111232222223433333345444444'
•The same format is expected for the Response string strResponse passed back to winIDEA simply via STDOUT. An external temporary file is not needed.
If the authenticator software calculates Response words[0..3] = 0x33221100, 0x77665544, 0xBBAA9988, 0xFFEEDDCC, it should then return the string strResponse = '00112233445566778899AABBCCDDEEFF'.
•If the AES library is not in the same folder as the scripts, then this should be handled correctly by the scripts.
winIDEA version 9.17.146 – 9.21.7
|
Open dialog Hardware / CPU Options / Challenge – Response page. |
|
To unlock debug access to PE core(s) check Authenticator 0. |
|
Press "..." button and specify AuthenticateDebugPE.py. |
|
To unlock debug access to ICUM core check Authenticator 1. |
|
Press "..." button and specify AuthenticateDebugICUM.py. |
After the next download authenticated cores will be unlocked for debug.
