QSPI encryption key

Since the nRF70 Series device is a companion to a host Microcontroller Unit (MCU) (or Microprocessor Unit (MPU)) with the MAC functionality fully contained in the nRF70 Series device, the traffic over the Quad Serial Peripheral Interface (QSPI)/Serial Peripheral Interface (SPI) is not protected by any of the Wi-FiĀ® security measures.

As such, this interface (that is, pins and Printed Circuit Board (PCB) tracks) is potentially vulnerable to a physical attack, where the unencrypted payload data could be observed. If application-level security is employed, this risk is mitigated.

The nRF70 Series device includes hardware AES128 encryption/decryption as part of QSPI/SPI which is described in the Product Specification. By using equivalent AES128 encryption/decryption on the host, all traffic over the physical QSPI/SPI can be protected. This is invisible to all layers of the Wi-Fi stack and can be enabled at any time. Once enabled, it cannot be disabled without a reboot.

To use this protection, matching keys need to be programmed into both the nRF70 Series device and the host MCU. The key for the nRF70 Series device is configured through the One Time Programmable (OTP) memory. If hardware support exists on the host side, QSPI encryption can be enabled using the qspi_enable_encryption API with a key passed to it. See the Wi-Fi Station sample in the nRF Connect SDK. For host devices without hardware encryption/decryption support, it is feasible to implement this encryption/decryption in software if needed.