UFS 15 - UFS RPMB操作
UFS 1-UFS架构简介1
UFS 2 -UFS架构简介2
UFS 3 - UFS RPMB
UFS 4 - UFS Boot
UFS 5 - UFS UIC Layer: MIPI M-PHY
UFS 6 - UAP – SCSI Commands(1)
UFS 7 - UAP – SCSI Commands(2)
UFS 8 - UAP – SCSI Commands(3)
UFS 9 - UAP – SCSI Commands(4)
UFS 10 - UAP – SCSI Commands(5)
UFS 11 - UFS RPMB分区功能验证
UFS 12 - UAP – SCSI Commands(6)
UFS 13 - Logical Unit Management
UFS 14 - UFS RPMB安全读写命令
在本篇博文中将介绍RPMB的Authentication Key Programming、Read Counter Value、Authenticated Data Write、Authenticated Data Read等操作
1 Request Type Message Delivery(请求类型消息传递)
- Only one RPMB operation can be executed at any time.
- 任何时候只能执行一个 RPMB 操作。
- An initiator sends request type message to RPMB well known logical unit to request the execution of an operation.
- 发起者将请求类型消息发送到RPMB W-LUN以请求执行操作。
- To deliver a request type message, the initiator sends a SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field is set to ECh (i.e., the JEDEC Universal Flash Storage) and indicating the target RPMB region in the SECURITY PROTOCOL SPECIFIC field.
- 为了传递请求类型消息,发起者发送SECURITY PROTOCOL OUT命令,其中SECURITY PROTOCOL字段设置为ECh(即,JEDEC通用闪存存储)并在SECURITY PROTOCOL SPECIFIC字段中指示目标RPMB区域。
- For an authenticated data write request, the data to be written into the RPMB data area is included in the request message. The maximum data size in a single Authenticated Data Write request is equal to bRPMB_ReadWriteSize × 256 bytes; multiple Authenticated Data Write operations should be executed if the desired data size exceeds this value.
- 对于经过验证的数据写入请求,要写入RPMB数据区域的数据包含在请求消息中。单次Authenticated Data Write请求的最大数据大小等于bRPMB_ReadWriteSize × 256字节;如果所需的数据大小超过此值,则应执行多个已验证数据写入操作。
- For SECURITY PROTOCOL OUT command, the Flags.W in the COMMAND UPIU is set to one since data is transferred from the host to the device.
- 对于 SECURITY PROTOCOL OUT 命令,COMMAND UPIU 中的 Flags.W 设置为 1,因为数据从主机传输到设备。
- Table 12.17 defines the Expected Data Transfer Length field value in the COMMAND UPIU for the various cases.
- 表 12.17 定义了各种情况下 COMMAND UPIU 中的预期数据传输长度字段值。
- The device indicates to the host that it is ready to receive the request type message sending READY TO TRANSFER UPIU. If the Expected Data Transfer Length is 512 byte, then Data Buffer Offset field shall be set to a value of zero and Data Transfer Count field shall be set to a value of 512.
- 设备向主机指示它已准备好接收请求类型消息,发送 READY TO TRANSFER UPIU。如果预期数据传输长度为 512 字节,则数据缓冲区偏移字段应设置为 0 值,数据传输计数字段应设置为 512 值。
- The number of bytes requested in a single READY TO TRANSFER UPIU shall not be greater than the value indicated by bMaxDataOutSize attribute. A single READY TO TRANSFER UPIU may request the transfer of one or more RPMB Messages.
- 单个 READY TO TRANSFER UPIU 中请求的字节数不得大于 bMaxDataOutSize 属性指示的值。单个准备传输 UPIU 可以请求传输一个或多个 RPMB 消息。
- In response to each READY TO TRANSFER UPIU, the host delivers the requested portion of the message sending DATA OUT UPIU.
- 响应于每个 READY TO TRANSFER UPIU,主机传送发送 DATA OUT UPIU 的消息的请求部分。
- To complete the SECURITY PROTOCOL OUT command, the device returns a RESPONSE UPIU with the status.
- 为了完成 SECURITY PROTOCOL OUT 命令,设备返回带有状态的 RESPONSE UPIU。
- Figure 12.2 depicts a request type message delivery. The application client loads the RPMB Message in the Data Out Buffer and indicates the target RPMB Region in SECURITY PROTOCOL SPECIFIC field.
- 图 12.2 描述了请求类型的消息传递。应用程序客户端将 RPMB 消息加载到数据输出缓冲区中,并在安全协议特定字段中指示目标 RPMB 区域。
该说明对应于ufs-utils开源工具中的struct sec_proto_cdb结构,对应到scsi_security_out和scsi_security_in接口中的sec_out_cmd和sec_in_cmd。
#define SEC_PROTOCOL_CMD_SIZE (12)
#define SEC_PROTOCOL_UFS (0xEC)
#define SECURITY_PROTOCOL_IN 0xa2
#define SECURITY_PROTOCOL_OUT 0xb5
unsigned char sec_out_cmd[SEC_PROTOCOL_CMD_SIZE] = {
SECURITY_PROTOCOL_OUT, SEC_PROTOCOL_UFS,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
unsigned char sec_in_cmd[SEC_PROTOCOL_CMD_SIZE] = {
SECURITY_PROTOCOL_IN, SEC_PROTOCOL_UFS,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
/*
* CDB format of SECURITY PROTOCOL IN/OUT commands
* (JEDEC Standard No. 220D, Page 264)
*/
struct sec_proto_cdb {
/*
* OPERATION CODE = A2h for SECURITY PROTOCOL IN command,
* OPERATION CODE = B5h for SECURITY PROTOCOL OUT command.
*/
uint8_t opcode;
/* SECURITY PROTOCOL = ECh (JEDEC Universal Flash Storage) */
uint8_t sec_proto;
/*
* The SECURITY PROTOCOL SPECIFIC field specifies the RPMB Protocol ID.
* CDB Byte 2 = 00h and CDB Byte 3 = 01h for RPMB Region 0.
*/
uint8_t cdb_byte_2;
uint8_t cdb_byte_3;
/*
* Byte 4 and 5 are reserved.
*/
uint8_t cdb_byte_4;
uint8_t cdb_byte_5;
/* ALLOCATION/TRANSFER LENGTH in big-endian */
uint32_t length;
/* Byte 9 is reserved. */
uint8_t cdb_byte_10;
/* CONTROL = 00h. */
uint8_t ctrl;
} __packed;
2 Response Type Message Delivery(响应类型消息传递)
- A initiator requests the RPMB well known logical unit to send a response type message to retrieve the result of a previous operation, to retrieve the Write Counter, to retrieve data from the RPMB data area, or to retrieve the contents of a Secure Write Protect Configuration Block.
- 发起者请求 RPMB 众所周知的逻辑单元发送响应类型消息以检索先前操作的结果、检索写计数器、从 RPMB 数据区域检索数据或检索安全写保护配置块。
- To request the delivery of a response type message, the host sends a SECURITY PROTOCOL IN command with SECURITY PROTOCOL field is set to ECh (i.e., the JEDEC Universal Flash Storage) and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field.
- 为了请求传送响应类型消息,主机发送 SECURITY PROTOCOL IN 命令,其中 SECURITY PROTOCOL 字段设置为 ECh(即,JEDEC 通用闪存存储)并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。
- For an authenticated data read the data from the RPMB data area is included in the response message.
- 对于已验证的数据读取,来自 RPMB 数据区域的数据包含在响应消息中。
- For SECURITY PROTOCOL IN command, the Flags.R in the COMMAND UPIU is set to one since data is transferred from the device to the host.
- 对于 SECURITY PROTOCOL IN 命令,COMMAND UPIU 中的 Flags.R 设置为 1,因为数据从设备传输到主机。
- Table 12.18 defines the Expected Data Transfer Length field value in the COMMAND UPIU for the various cases.
- 表 12.18 定义了各种情况下 COMMAND UPIU 中的预期数据传输长度字段值。
- The device returns the result or data requested in the RPMB message. The RPMB message is delivered by sending one or more DATA IN UPIU in the data phase. A single DATA IN UPIU may deliver one or more RPMB Messages.
- 设备返回 RPMB 消息中请求的结果或数据。 RPMB消息是通过在数据阶段发送一个或多个DATA IN UPIU来传递的。单个 DATA IN UPIU 可以传送一个或多个 RPMB 消息。
- The data size in DATA IN UPIU shall not exceed the value indicated by bMaxDataInSize attribute.
- DATA IN UPIU 中的数据大小不得超过 bMaxDataInSize 属性指示的值。
- To complete the SECURITY PROTOCOL IN, the device sends a RESPONSE UPIU with the status.
- 为了完成 SECURITY PROTOCOL IN,设备发送带有状态的 RESPONSE UPIU。
- Figure 12.3 depicts a response type message delivery. An application client requests a RPMB Region to transfer the RPMB Message in the Data In Buffer specifying the RPMB Region ID in SECURITY PROTOCOL SPECIFIC field of the CDB.
- 图 12.3 描述了响应类型消息传递。应用程序客户端请求 RPMB 区域传输缓冲区中数据中的 RPMB 消息,并在 CDB 的安全协议特定字段中指定 RPMB 区域 ID。
和上一章的部分一样,命令格式一样,但是OPERATION CODE为A2h
#define SEC_PROTOCOL_CMD_SIZE (12)
#define SEC_PROTOCOL_UFS (0xEC)
#define SECURITY_PROTOCOL_IN 0xa2
#define SECURITY_PROTOCOL_OUT 0xb5
unsigned char sec_out_cmd[SEC_PROTOCOL_CMD_SIZE] = {
SECURITY_PROTOCOL_OUT, SEC_PROTOCOL_UFS,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
unsigned char sec_in_cmd[SEC_PROTOCOL_CMD_SIZE] = {
SECURITY_PROTOCOL_IN, SEC_PROTOCOL_UFS,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
/*
* CDB format of SECURITY PROTOCOL IN/OUT commands
* (JEDEC Standard No. 220D, Page 264)
*/
struct sec_proto_cdb {
/*
* OPERATION CODE = A2h for SECURITY PROTOCOL IN command,
* OPERATION CODE = B5h for SECURITY PROTOCOL OUT command.
*/
uint8_t opcode;
/* SECURITY PROTOCOL = ECh (JEDEC Universal Flash Storage) */
uint8_t sec_proto;
/*
* The SECURITY PROTOCOL SPECIFIC field specifies the RPMB Protocol ID.
* CDB Byte 2 = 00h and CDB Byte 3 = 01h for RPMB Region 0.
*/
uint8_t cdb_byte_2;
uint8_t cdb_byte_3;
/*
* Byte 4 and 5 are reserved.
*/
uint8_t cdb_byte_4;
uint8_t cdb_byte_5;
/* ALLOCATION/TRANSFER LENGTH in big-endian */
uint32_t length;
/* Byte 9 is reserved. */
uint8_t cdb_byte_10;
/* CONTROL = 00h. */
uint8_t ctrl;
} __packed;
3 Authentication Key Programming
3.1 Authentication Key Programming
- The Authentication Key programming is initiated by a SECURITY PROTOCOL OUT command
- 身份验证密钥编程由 SECURITY PROTOCOL OUT 命令启动
- An initiator sends the SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB data frame includes the Request Message Type = 0001h and the Authentication Key.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 数据帧包括请求消息类型 = 0001h 和身份验证密钥。
- The device returns GOOD status in status response when Authentication Key programming is completed.
- 当验证密钥编程完成时,设备在状态响应中返回 GOOD 状态。
- The Authentication Key programming verification process starts by issuing a SECURITY PROTOCOL OUT command
- 身份验证密钥编程验证过程通过发出 SECURITY PROTOCOL OUT 命令开始
- An initiator sends a SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB data frame contains the Request Message Type = 0005h (Result read request). Note that any request other than the Result read request from any initiator will overwrite the Result register of the RPMB Region.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 数据帧包含请求消息类型 = 0005h(结果读取请求)。请注意,除了来自任何发起者的结果读取请求之外的任何请求都将覆盖 RPMB 区域的结果寄存器。
- The device returns GOOD status in status response when the operation result is ready for retrieval.
- 当操作结果可供检索时,设备在状态响应中返回 GOOD 状态。
- An initiator retrieves the operation result by issuing a SECURITY PROTOCOL IN command.
- 发起者通过发出SECURITY PROTOCOL IN命令来检索操作结果。
- The SECURITY PROTOCOL field is set to ECh and the SECURITY PROTOCOL SPECIFIC field indicates the RPMB region.
- 安全协议字段被设置为ECh并且安全协议特定字段指示RPMB区域。
- Device returns the RPMB data frame containing the Response Message Type = 0100h and the Result code.
- 设备返回包含响应消息类型 = 0100h 和结果代码的 RPMB 数据帧。
- If programming of Authentication Key failed then returned result is “Write failure” (0005h). If some other error occured during Authentication Key programming then returned result is “General failure” (0001h).
- 如果验证密钥编程失败,则返回结果为“写入失败”(0005h)。如果在验证密钥编程期间发生一些其他错误,则返回的结果是“一般失败”(0001h)。
Access to RPMB data area is not possible before the Authentication Key is programmed in the corresponding RPMB region. The state of the device can be checked by trying to write/read data to/from the RPMB data area: if the Authentication Key is not programmed then the Result field in the response message will be set to “Authentication Key not yet programmed” (0007h).
在将验证密钥编程到相应的 RPMB 区域之前,无法访问 RPMB 数据区域。可以通过尝试向 RPMB 数据区域写入数据或从 RPMB 数据区域读取数据来检查设备的状态:如果身份验证密钥未编程,则响应消息中的结果字段将设置为“身份验证密钥尚未编程”( 0007h)。
3.2 报文示例
3.2.1 Authentication Key Programming Request
报文的数据对应于从196Byte开始的数据
d0 81 c5 44 b1 9d 6b e6 c5 37 cb 17 c4 00 f8 f1 74 25 e4 ab 98 6d 1f 1d db b1 c0 69 1f 68 94 b5
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
3.2.2 Result Read Request
报文的数据对应于从196Byte开始的数据
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
3.2.3 Result Read Response
报文的数据对应于从196Byte开始的数据
4 Read Counter Value
4.1 Read Counter Value
- The Read Counter Value sequence is initiated by a SECURITY PROTOCOL OUT command.
- 读取计数器值序列由安全协议输出命令启动。
- An initiator sends the SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB data frame includes the Request Message Type = 0002h and the Nonce.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 数据帧包括请求消息类型 = 0002h 和 Nonce。
- When a GOOD status in the status response is received, the write counter value is retrieved sending a SECURITY PROTOCOL IN command.
- 当收到状态响应中的 GOOD 状态时,将通过发送 SECURITY PROTOCOL IN 命令来检索写入计数器值。
- An initiator sends the SECURITY PROTOCOL IN command with the SECURITY PROTOCOL field is set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field.
- 发起方发送 SECURITY PROTOCOL IN 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。
- The device returns a RPMB data frame with Response Message Type = 0200h, a copy of the Nonce received in the request, the Write Counter value, the MAC and the Result.
- 器件返回响应消息类型 = 0200h 的 RPMB 数据帧、请求中收到的 Nonce 的副本、写入计数器值、MAC 和结果。
If reading of the counter value fails then returned result is “Read failure” (0006h/0086h).
如果读取计数器值失败,则返回结果为“读取失败”(0006h/0086h)。
If some other error occurs then Result is “General failure” (0001h/0081h).
如果发生其他错误,则结果为“一般故障”(0001h/0081h)。
If counter has expired also bit 7 is set to 1 in returned results.
如果计数器已过期,则返回结果中的位 7 也会设置为 1。
4.2 Read Counter Value报文示例
4.2.1 Write Counter Read Request
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ee 8f e0 77 be 32 c7 69 24 c0 32 f2 da a7 66 2c 00 00 00 00 00 00 00 00 00 00 00 02
4.2.2 Write Counter Read Response
d8 4a 3e 0a 7e 1e a9 e7 cb 10 4b 03 b4 df 5d 79 80 e8 eb c3 1f a6 d0 e5 ec 7a 30 80 ad f5 63 5d
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ee 8f e0 77 be 32 c7 69 24 c0 32 f2 da a7 66 2c 00 00 00 b7 00 00 00 00 00 00 02 00
5 Authenticated Data Write(验证数据写入)
5.1 Authenticated Data Write
- The Authenticated Data Write sequence is initiated by a SECURITY PROTOCOL OUT command.
- 已验证数据写入序列由SECURITY PROTOCOL OUT命令启动。
- An initiator sends the SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB message is composed of one or more RPMB message data frames, each of which includes: Request Message Type = 0003h, Block Count, Address, Write Counter, Data and MAC.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 消息由一个或多个 RPMB 消息数据帧组成,每个 RPMB 消息数据帧包括:Request Message Type = 0003h、Block Count、Address、Write Counter、Data 和 MAC。
- When the device receives the RPMB message, it first checks whether the write counter has expired. If the write counter is expired then the device sets the Result to “Write failure, write counter expired” (0085h). No data is written to the RPMB data area.
- 当设备收到RPMB消息时,它首先检查写计数器是否已过期。如果写入计数器过期,则器件将结果设置为“写入失败,写入计数器过期”(0085h)。没有数据写入 RPMB 数据区。
- Next the address is checked. If the Address value is equal to or greater than the size of target RPMB region which is defined as bRPMBRegion0Size – bRPMBRegion3Size parameter value in the RPMB Unit Descriptor, then the Result is set to “Address failure” (0004h). No data is written to the RPMB data area.
- 接下来检查地址。如果地址值等于或大于 RPMB 单元描述符中定义为 bRPMBRegion0Size – bRPMBRegion3Size 参数值的目标 RPMB 区域的大小,则结果设置为“地址失败”(0004h)。没有数据写入 RPMB 数据区。
- If the Address value plus the Block Count value is greater than the size of target RPMB region which is defined as bRPMBRegion0Size – bRPMBRegion3Size parameter value, then the Result is set to “Address failure” (0004h). No data is written to the RPMB data area.
- If the Block Count indicates a value greater than bRPMB_ReadWriteSize, then the authenticated data write operation fails and the Result is set to “General failure” (0001h).
- 如果块计数指示值大于 bRPMB_ReadWriteSize,则经过验证的数据写入操作失败,并且结果设置为“一般失败”(0001h)。
- If the write counter was not expired then the device calculates the MAC of request type, block count, write counter, address and data, and compares this with the MAC in the request. If the two MAC’s are different, then the device sets the Result to ”Authentication failure” (0002h). No data is written to the RPMB data area.
- 如果写入计数器未过期,则设备计算请求类型的 MAC、块计数、写入计数器、地址和数据,并将其与请求中的 MAC 进行比较。如果两个 MAC 不同,则设备将结果设置为“身份验证失败”(0002h)。没有数据写入 RPMB 数据区。
- If the MAC in the request and the calculated MAC are equal then the device compares the write counter in the request with the write counter stored in the device. If the two counters are different then the device sets the Result to “Counter failure” (0003h). No data is written to the RPMB data area.
- 如果请求中的 MAC 和计算出的 MAC 相等,则设备将请求中的写入计数器与设备中存储的写入计数器进行比较。如果两个计数器不同,则设备将结果设置为“计数器失败”(0003h)。没有数据写入 RPMB 数据区。
- If the MAC and write counter comparisons are successful then the write request is considered to be authenticated. The data is written to the address indicated in the request.
- 如果 MAC 和写计数器比较成功,则认为写请求已通过验证。数据被写入请求中指定的地址。
- The write counter is incremented by one if the write operation is successfully executed.
- 如果写操作成功执行,则写计数器加一。
- If write fails then returned result is “Write failure” (0005h).
- 如果写入失败,则返回结果为“写入失败”(0005h)。
- If some other error occurs during the write procedure then returned result is “General failure” (0001h).
- 如果在写入过程中发生其他错误,则返回结果为“General failure”(0001h)。
- In an authenticated data write request with Block Count greater than one
- 在块计数大于 1 的经过身份验证的数据写入请求中
- the MAC is included only in the last RPMB message data frame. The MAC field is zero in all previous data frames. The device behavior is undefined if a MAC field is non-zero in any but the last RPMB message data frame.
- MAC 仅包含在最后一个 RPMB 消息数据帧中。所有先前数据帧中的 MAC 字段均为零。如果除最后一个 RPMB 消息数据帧之外的任何帧中的 MAC 字段均非零,则设备行为未定义。
- In each data frame, the write counter indicates the current counter value, the address is the start address of the full access (not address of the individual logical block) and the block count is the total count of the blocks (not the block numbers).
- 在每个数据帧中,写计数器指示当前计数器值,地址是完全访问的起始地址(不是单个逻辑块的地址),块计数是块的总数(不是块编号) 。
- When the authenticated data write operation is completed, the device may return GOOD status in response to the SECURITY PROTOCOL OUT command regardless of whether the Authenticated data write was successful or not.
- 当认证数据写入操作完成时,无论认证数据写入是否成功,设备都可以响应于 SECURITY PROTOCOL OUT 命令返回 GOOD 状态。
- The authenticated data write verification process starts by issuing a SECURITY PROTOCOL OUT command.
- 经过身份验证的数据写入验证过程通过发出 SECURITY PROTOCOL OUT 命令开始。
- An initiator sends a SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB data frame contains the Request Message Type = 0005h (Result read request). Note that any request other than the Result read request from any initiator will overwrite the Result register of the RPMB Region.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 数据帧包含请求消息类型 = 0005h(结果读取请求)。请注意,除了来自任何发起者的结果读取请求之外的任何请求都将覆盖 RPMB 区域的结果寄存器。
- The device returns GOOD status when the operation result is ready for retrieval.
- 当操作结果可供检索时,设备返回 GOOD 状态。
- An initiator retrieves the operation result by issuing a SECURITY PROTOCOL IN command.
- 发起者通过发出SECURITY PROTOCOL IN命令来检索操作结果。
- The SECURITY PROTOCOL field is set to ECh and the SECURITY PROTOCOL SPECIFIC field indicates the RPMB region.
- 安全协议字段被设置为ECh并且安全协议特定字段指示RPMB区域。
- Device returns the RPMB data frame containing the Response Message Type = 0300h, the counter value (incremented if the write operation is successfully executed), the address received in the Authenticated data write request, the MAC and result of the authenticated data write operation.
- 器件返回 RPMB 数据帧,其中包含响应消息类型 = 0300h、计数器值(如果成功执行写入操作则递增)、在经过验证的数据写入请求中收到的地址、经过验证的数据写入操作的 MAC 和结果。
5.2 Authenticated Data Write报文示例
5.2.1 Authenticated Data Write Request
f7 99 d2 87 e9 b6 ba 6e b7 10 3a 24 05 a6 80 22 97 72 76 4c d3 bf f0 5b b9 63 cf 03 fb f2 c3 ad
86 da 70 1a 2c a0 a6 2a b1 34 1a d9 9e 58 4e 53 09 22 1c 57 38 c4 62 60 2e 40 22 88 7a 76 73 e1
62 64 30 66 33 35 63 37 63 31 65 31 30 64 37 34 35 64 32 39 66 39 37 65 61 63 35 63 33 39 64 63
64 64 65 38 64 63 63 63 33 63 39 33 66 62 36 32 30 61 39 61 64 64 34 65 63 34 37 36 32 66 34 63
38 33 31 61 33 32 36 33 35 39 64 35 34 30 30 63 66 32 34 34 31 32 36 32 38 33 61 32 32 61 66 30
63 66 39 66 39 61 31 37 30 62 34 30 63 63 66 63 33 31 36 64 39 66 66 33 35 65 32 33 36 65 61 66
61 66 37 31 30 61 61 36 38 61 66 36 39 65 30 62 31 61 62 33 34 63 33 62 38 65 32 35 61 62 63 37
66 62 39 37 65 39 64 31 30 38 30 30 33 33 31 61 38 33 35 30 30 36 34 39 61 64 38 61 36 33 65 35
37 62 61 61 66 31 36 31 62 35 39 35 62 30 63 35 31 33 32 61 31 64 65 61 64 32 32 30 64 38 61 39
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b7 00 00 00 01 00 00 00 03
5.2.2 Result Read Request
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05
5.2.3 Result Read Response
46 11 20 35 25 c6 2a 07 c8 e4 56 1f 03 c6 93 f3 90 df 4d 19 cd 52 a6 3b 25 cc 2b 32 d8 43 ac b3
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 00 00 00 03 00
6 Authenticated Data Read(验证数据读取)
6.1 Authenticated Data Read
- The Authenticated Data Read sequence is initiated by a SECURITY PROTOCOL OUT command.
- 已验证数据读取序列由 SECURITY PROTOCOL OUT 命令启动。
- An initiator sends the SECURITY PROTOCOL OUT command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field. The RPMB data frame includes the Request Message Type = 0004h, the nonce, the data address, and the block count.
- 发起者发送 SECURITY PROTOCOL OUT 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。 RPMB 数据帧包括请求消息类型 = 0004h、随机数、数据地址和块计数。
- When the device receives this request it first checks the address. If the Address value is equal to or greater than the size of target RPMB region which is defined as bRPMBRegion0Size – bRPMBRegion3Size parameter value in the RPMB Unit Descriptor, then Result is set to “Address failure” (0004h/0084h). The data read is not valid.
- 当设备收到此请求时,它首先检查地址。如果地址值等于或大于 RPMB 单元描述符中定义为 bRPMBRegion0Size – bRPMBRegion3Size 参数值的目标 RPMB 区域的大小,则结果设置为“地址失败”(0004h/0084h)。读取的数据无效。
- If the Address value plus the Block Count value is greater than the size of target RPMB region which is defined as bRPMBRegion0Size – bRPMBRegion3Size parameter value, then the Result is set to “Address failure” (0004h/0084h). No data is read from the RPMB data area.
- 如果地址值加上块计数值大于目标 RPMB 区域的大小(定义为 bRPMBRegion0Size – bRPMBRegion3Size 参数值),则结果将设置为“地址失败”(0004h/0084h)。没有从 RPMB 数据区读取任何数据。
- After successful data fetch the MAC is calculated from response type, nonce, address, data and result. If the MAC calculation fails then returned result is “Authentication failure” (0002h/0082h).
- 成功获取数据后,将根据响应类型、随机数、地址、数据和结果计算 MAC。如果 MAC 计算失败,则返回结果为“验证失败”(0002h/0082h)。
- If the SECURITY PROTOCOL OUT command completes with GOOD status, data can be retrieved sending a SECURITY PROTOCOL IN command.
- 如果 SECURITY PROTOCOL OUT 命令以 GOOD 状态完成,则可以通过发送 SECURITY PROTOCOL IN 命令来检索数据。
- An initiator sends the SECURITY PROTOCOL IN command with SECURITY PROTOCOL field set to ECh and indicating the RPMB region in the SECURITY PROTOCOL SPECIFIC field.
- 发起者发送 SECURITY PROTOCOL IN 命令,其中 SECURITY PROTOCOL 字段设置为 ECh,并在 SECURITY PROTOCOL SPECIFIC 字段中指示 RPMB 区域。
- The device returns a RPMB message with Response Message Type = 0400h, the block count, a copy of the nonce received in the request, the address received in the Authenticated data read request, the data, the MAC and the result.
- 设备返回一条 RPMB 消息,其中响应消息类型 = 0400h、块计数、请求中收到的随机数副本、经过验证的数据读取请求中收到的地址、数据、MAC 和结果。
- In an authenticated data read response with Block Count greater than one,
- 在块计数大于 1 的经过身份验证的数据读取响应中,
- the MAC is included only in the last RPMB message data frame. The MAC field is zero in all previous data frames.
- MAC 仅包含在最后一个 RPMB 消息数据帧中。所有先前数据帧中的 MAC 字段均为零。
- In each data frame, the Nonce contains a copy of the received nonce, the address is the start address of the full access (not address of the individual logical block) and the block count is the total count of the blocks (not the sequence number of blocks).
- 在每个数据帧中,Nonce 包含接收到的 Nonce 的副本,地址是完全访问的起始地址(不是单个逻辑块的地址),块计数是块的总计数(不是序列号)块)。
- When the authenticated data read operation is completed, the device may return GOOD status in response to the SECURITY PROTOCOL IN command regardless of whether the Authenticated data read was successful or not.
- 当认证数据读取操作完成时,无论认证数据读取是否成功,设备都可以响应于 SECURITY PROTOCOL IN 命令返回 GOOD 状态。
- If data fetch from addressed location inside device fails then returned result is “Read failure” (0006h/0086h). If some other error occurs during the read procedure then returned result is “General failure” (0001h/0081h).
- 如果从设备内的寻址位置获取数据失败,则返回结果为“读取失败”(0006h/0086h)。如果在读取过程中发生其他错误,则返回结果为“General failure”(0001h/0081h)。
6.2 Authenticated Data Read报文示例
6.2.1 Authenticated Data Read Request
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
14 77 4e 6b 2c a9 06 88 cf 71 bf e0 7c e4 c3 2d 00 00 00 00 00 00 00 01 00 00 00 04
6.2.2 Authenticated Data Read Response
c8 51 39 bd 63 54 8c 7c e1 d5 cf bf 7a 3d 1f 82 32 61 17 75 71 c2 f0 5a fb 61 d7 90 b0 c3 76 fe
86 da 70 1a 2c a0 a6 2a b1 34 1a d9 9e 58 4e 53 09 22 1c 57 38 c4 62 60 2e 40 22 88 7a 76 73 e1
62 64 30 66 33 35 63 37 63 31 65 31 30 64 37 34 35 64 32 39 66 39 37 65 61 63 35 63 33 39 64 63
64 64 65 38 64 63 63 63 33 63 39 33 66 62 36 32 30 61 39 61 64 64 34 65 63 34 37 36 32 66 34 63
38 33 31 61 33 32 36 33 35 39 64 35 34 30 30 63 66 32 34 34 31 32 36 32 38 33 61 32 32 61 66 30
63 66 39 66 39 61 31 37 30 62 34 30 63 63 66 63 33 31 36 64 39 66 66 33 35 65 32 33 36 65 61 66
61 66 37 31 30 61 61 36 38 61 66 36 39 65 30 62 31 61 62 33 34 63 33 62 38 65 32 35 61 62 63 37
66 62 39 37 65 39 64 31 30 38 30 30 33 33 31 61 38 33 35 30 30 36 34 39 61 64 38 61 36 33 65 35
37 62 61 61 66 31 36 31 62 35 39 35 62 30 63 35 31 33 32 61 31 64 65 61 64 32 32 30 64 38 61 39
14 77 4e 6b 2c a9 06 88 cf 71 bf e0 7c e4 c3 2d 00 00 00 00 00 00 00 01 00 00 04 00