This repository contains instructions on how to build and run a Proof of Concept (PoC) Trusted Service for secure PUF Authentication based on the ZK-PUF scheme.
For the Trusted Service itself, its theoretical background and verification, please take a look at crosscon/ZK-PUF-Zephyr-Demo (PUF_VM).
- python3-venv
- make
- LinkServer
- arm-none-eabi-objdump
- lua
- (optional) tio v3.8
As of now the demo fails to start on the A3 revision of the LPC55s69; more details about the issue here.
To run the project on this revision, use the following command after everything has been built and flashed:
```bash
lpcbuilder/run.sh bash -c 'scripts/gdb_start.sh'
```
This command launches gdb inside a Docker container, as the NXP LinkServer is required for debugging.
Due to NXP’s software license restrictions, redistribution of their binaries and packages is not permitted. You must manually provide the respective NXP software components for the Docker image.
To install dependencies, build everything, and flash the image to the board in one command:
Important: Ensure the LPCxpresso55S69 board is connected via the P6 Debug Link port before running this command, as both enrollment and flashing steps require an active connection.
```bash
make all
```
After cloning the repository, initialize the virtual machines (VMs), the enrollment app, and the hypervisor submodules:
```bash
git clone https://github.com/crosscon/UC1.1-Manifest.git
cd UC1.1-Manifest
git submodule update --init --recursive
```
To avoid installing the west utility requirements globally, using a Python virtual environment is suggested. This can be overridden by passing USE_VENV=0 to make.
```bash
python3 -m venv .venv
source .venv/bin/activate
```
To install the Python dependencies and the Zephyr SDK, run:
```bash
make install-deps
```
And to fetch the required code for all Zephyr targets, run:
```bash
make update
```
The PUF implementation for the LPCxpresso55S69 requires two non-secret values to reconstruct the PUF response:
- Activation Code
- Key Code
For this reason an Enrollment App has been created. It extracts these values and prints them over a serial connection, after which they are saved and transformed into binaries for use in the final PUF_VM image.
Important: For this step connect the LPCxpresso55S69 board to your host machine using a USB cable through the P6 Debug Link port.
```bash
make enroll
```
Two scripts are provided within this step; one is chosen based on the user's environment and input:
- capture_enroll.lua - Automatically captures output and creates the necessary files.
- fallback_capture_enroll.lua - Requires manual parsing of the serial output from the enrollment app.
```
(...)
Activation code hex saved to /tmp/activation_code.hex
Activation code bin saved to /tmp/activation_code.bin
Intrinsic key hex saved to /tmp/intrinsic_key.hex
Intrinsic key bin saved to /tmp/intrinsic_key.bin
renamed '/tmp/activation_code.bin' -> '/home/user/UC1.1-Manifest/build/enrollment_data/activation_code.bin'
renamed '/tmp/activation_code.hex' -> '/home/user/UC1.1-Manifest/build/enrollment_data/activation_code.hex'
renamed '/tmp/intrinsic_key.bin' -> '/home/user/UC1.1-Manifest/build/enrollment_data/intrinsic_key.bin'
renamed '/tmp/intrinsic_key.hex' -> '/home/user/UC1.1-Manifest/build/enrollment_data/intrinsic_key.hex'
Output moved to build/enrollment_data/
```
Enrollment must be performed once per device. The resulting binaries will be
reused in all future builds. Re-enrolling the device will make all previous
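
A consistency check for the files named in the enrollment log above, added here as an example and not part of the repository: it confirms that each `.bin` in `build/enrollment_data/` exists, is neither empty nor constant-filled, and matches its `.hex` twin. The `.hex` layout (hex digits with optional `0x` prefixes, commas, or whitespace) and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

# File stems taken from the enrollment log shown above.
STEMS = ("activation_code", "intrinsic_key")


def decode_hex_text(text):
    """Decode a hex dump to bytes. Assumed layout: hex digits, optionally
    separated by whitespace or commas and optionally 0x-prefixed."""
    digits = re.sub(r"0[xX]|[\s,]", "", text)
    if not digits or len(digits) % 2 or re.search(r"[^0-9a-fA-F]", digits):
        raise ValueError("not a clean hex dump")
    return bytes.fromhex(digits)


def check_enrollment_dir(directory):
    """Return a list of problems; an empty list means the data is consistent."""
    problems = []
    for stem in STEMS:
        bin_path = Path(directory) / f"{stem}.bin"
        hex_path = Path(directory) / f"{stem}.hex"
        if not (bin_path.is_file() and hex_path.is_file()):
            problems.append(f"{stem}: missing .bin or .hex file")
            continue
        blob = bin_path.read_bytes()
        # An empty or single-valued blob points at a failed serial capture.
        if len(set(blob)) <= 1:
            problems.append(f"{stem}: .bin is empty or constant-filled")
            continue
        try:
            decoded = decode_hex_text(hex_path.read_text())
        except ValueError as exc:  # also covers undecodable text
            problems.append(f"{stem}: .hex unreadable ({exc})")
            continue
        if decoded != blob:
            problems.append(f"{stem}: .hex and .bin differ "
                            f"({len(decoded)} vs {len(blob)} bytes)")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "build/enrollment_data"
    issues = check_enrollment_dir(target)
    for issue in issues:
        print("FAIL:", issue)
    sys.exit(1 if issues else 0)
```

Run it from the repository root after `make enroll` and before `make build`; a non-zero exit status means the capture should be repeated or inspected.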
To build all components, apply the enrollment data and align VM start-points within the hypervisor:
```bash
make build
```
To clean build output simply run:
```bash
make clean
```
Connect the LPCxpresso55S69 board to your host machine using a USB cable through the P6 Debug Link port. Currently the script works only with the LinkServer utility. Then simply run:
```bash
make flash
```
GUEST_VM occupies flexcomm 3/UART 3 while PUF_VM occupies flexcomm 2/UART 2.
- UART 2
  - RX: P1_24
  - TX: P0_27
- UART 3
  - RX: P0_3
  - TX: P0_2
See LICENSE file.
The work presented in this repository is part of the CROSSCON project that received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No 101070537.


