Key derivation provider plugin for Secure Binary 3.1 and 4.0
The process of encrypting SB 3.1 and 4.0 does not involve the user’s CUST_MK_SK key directly. Instead, it uses a derived key generated through a specific key derivation process.
It is the customer’s (plugin’s) responsibility to provide the basic CMAC operation. SPSDK takes care of the key derivation flow and data, so the key never leaves the customer’s infrastructure.
Custom HSM setup
For demonstration purposes, we have a simple HSM Flask demo application. To run the demo, open the HSM notebook and follow the instructions. Please note that the HSM demo must stay running in order to continue with this notebook.
Here’s a simple code block to set up the HSM connection:
import requests
response = requests.get("http://127.0.0.1:5010/api/cmac/0", json={"data": "AB CD EF 01"})
print(response.json())
{'data': '253e7b704ff7781c695736919a62fb7c'}
Key Derivation Provider Implementation
This plugin allows SPSDK to delegate parts of the key derivation process to a custom infrastructure.
Each key derivation plugin must be derived from spsdk.sbfile.utils.key_derivator.SB31KeyDerivator and implement the core abstract methods:
remote_cmac(data: bytes) -> bytes
The folder plugins/spsdk_sbkdp contains an example plugin that implements the key derivation interface. The plugin uses the custom HSM setup described above.
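One way to wrap the demo CMAC call behind a `remote_cmac(data: bytes) -> bytes` method, validating the HSM reply before it is used for key derivation. This is an added example, not the code of the plugins/spsdk_sbkdp plugin or of SPSDK. `HsmCmacClient`, `HsmResponseError` and the injectable `transport` are hypothetical names, and the 16-byte tag length is an assumption based on the demo output above.

```python
import json
import urllib.request
from typing import Callable

# URL and payload shape are taken from the demo call on this page.
HSM_CMAC_URL = "http://127.0.0.1:5010/api/cmac/0"
CMAC_LEN = 16  # assumption: AES-CMAC tag, matching the 32 hex chars in the demo output


class HsmResponseError(Exception):
    """The HSM answered, but not with a usable CMAC value."""


def http_transport(url: str, payload: dict) -> dict:
    """Default transport: GET with a JSON body, as in the demo call."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="GET",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


class HsmCmacClient:  # hypothetical name, not an SPSDK class
    def __init__(self, url: str = HSM_CMAC_URL,
                 transport: Callable[[str, dict], dict] = http_transport) -> None:
        self.url = url
        self.transport = transport  # injectable so the client can be tested offline

    def remote_cmac(self, data: bytes) -> bytes:
        """Send data to the HSM and return the validated CMAC bytes."""
        reply = self.transport(self.url, {"data": data.hex(" ").upper()})
        value = reply.get("data") if isinstance(reply, dict) else None
        if not isinstance(value, str):
            raise HsmResponseError("reply has no 'data' string")
        try:
            mac = bytes.fromhex(value)
        except ValueError as exc:
            raise HsmResponseError("'data' is not hex") from exc
        if len(mac) != CMAC_LEN:
            raise HsmResponseError(f"expected {CMAC_LEN} bytes, got {len(mac)}")
        return mac
```

Only the data to be authenticated and the resulting tag cross the wire; a truncated or malformed reply raises instead of being passed on as key material.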
To install the plugin, you can use the following code:
!{sys.executable} -m pip install plugins/spsdk_sbkdp
Successfully installed spsdk_sbkdp-0.1.0