https://community.nxp.com/t5/S32G/S32N55-HSE2-CRS-APP-Domain-Secure-Debug-Authentication-using/m-p/2387055#M16491 <P>Hi</P><P>We are working on Secure Debug authentication for the S32N55 platform and have successfully implemented FSS domain debug authorization using ADKP (HSE_OTP_FOEM_ADKP_ATTR_ID) via SDC-600.</P><P>We are now trying to extend this to the CRS domain (HSE_DEBUG_DOMAIN_APP = 0x1B) and have the following questions:</P><P>---</P><P>[Q1] Is ADKP usable for CRS domain Secure Debug authentication?</P><P>After provisioning ADKP via HSE_OTP_FOEM_ADKP_ATTR_ID, is it possible to use the same ADKP for CRS domain (APP) Secure Debug authentication via HSE_DEBUG_CMD_APP_CHALLENGE?</P><P>---</P><P>[Q2] Does SetOwnerDebugKeyMap() need to be called separately per MU (FSS MU vs CRS MU)?</P><P>Per the RM description of hseOwnerDebugKeyMapConfig_t:<BR />"This service is called for each installed device owner individually from an owning MU.<BR />HSE FW assumes the owner identity based on the MU this service request is sent to."</P><P>Our current implementation calls SetOwnerDebugKeyMap() (HSE_SRV_ID_DEBUG_KEY_MAPPING) only through FSS MU (MU0), mapping aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP.</P><P>- Is a separate SetOwnerDebugKeyMap() call required through the CRS MU for CRS domain authentication?<BR />- If so, which MU number should be used for the CRS domain on S32N55?</P><P>---</P><P>[Q3] Does SetOwnerDebugKeyMap() need to be called on every boot?</P><P>The RM states:<BR />"Only the numOfAuthorizationRefEntries and numOfAuthenticationRefEntries are logged,<BR />rest of the entries are ignored."</P><P>This implies the key mapping is volatile and not stored in NVM. Does this mean SetOwnerDebugKeyMap() must be called on every boot (after SU rights are granted) for both FSS and CRS domains?</P><P>---</P><P>[Q4] Correct keyRef value for APP_CHALLENGE</P><P>In hseDebugAuthorizeStartCmd_t, the keyRef field references the index mapped via hseOwnerDebugKeyMapConfig_t. Since we map aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP, we send keyRef = 0x00 for CRS domain authentication. Is this correct?</P><P>---</P><P>[Q5] Response size and packet structure for APP_CHALLENGE</P><P>Per hseDebugAuthorizeProofProvCmd_t byte map, the packet structure is always 32 bytes (2 packets x 8 words). HSE_CR_APP_RESPONSE_SIZE = 16U vs HSE_CR_FSS_OR_HSE_RESPONSE_SIZE = 32U.</P><P>For APP_CHALLENGE, should the host send:<BR />- 16 bytes of AES-encrypted response + 16 bytes of zero padding = 32 bytes total?<BR />- Or only 16 bytes?</P><P>Currently, after sending FLAG_START + DebugSignalMap(4 bytes) + Response(16 bytes) + FLAG_END, HSE2 does not respond and T32 hangs waiting indefinitely. When we send 32 bytes (16-byte response + 16-byte zero padding), we observe the same hang.</P><P>---</P><P>For reference:<BR />- Sherpa_Cdd_AllocateChannel() always allocates MU0 (FSS)<BR />- SetOwnerDebugKeyMap(): aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP (0x00000302), called with SU rights<BR />- crs_auth.cmm: DEBUG_TARGET=0x1B, OID=0xFF*16, keyRef=0x00<BR />- AUTH_MODE_REQ passes successfully (HSE_DEBUG_WAITING_RESPONSE_TO_CHG received)<BR />- Challenge received: 32 bytes<BR />- After sending Response, no ACK (0x4A4A4A4A) received from HSE2</P><P>Please see the attached CMM script and log for reference.</P><P>Thank you in advance.</P> Fri, 26 Jun 2026 13:05:55 GMT EddiePark 2026-06-26T13:05:55Z https://community.nxp.com/t5/S32G/S32N55-HSE2-CRS-APP-Domain-Secure-Debug-Authentication-using/m-p/2387055#M16491 <P>Hi</P><P>We are working on Secure Debug authentication for the S32N55 platform and have successfully implemented FSS domain debug authorization using ADKP (HSE_OTP_FOEM_ADKP_ATTR_ID) via SDC-600.</P><P>We are now trying to extend this to the CRS domain (HSE_DEBUG_DOMAIN_APP = 0x1B) and have the following questions:</P><P>---</P><P>[Q1] Is ADKP usable for CRS domain Secure Debug authentication?</P><P>After provisioning ADKP via HSE_OTP_FOEM_ADKP_ATTR_ID, is it possible to use the same ADKP for CRS domain (APP) Secure Debug authentication via HSE_DEBUG_CMD_APP_CHALLENGE?</P><P>---</P><P>[Q2] Does SetOwnerDebugKeyMap() need to be called separately per MU (FSS MU vs CRS MU)?</P><P>Per the RM description of hseOwnerDebugKeyMapConfig_t:<BR />"This service is called for each installed device owner individually from an owning MU.<BR />HSE FW assumes the owner identity based on the MU this service request is sent to."</P><P>Our current implementation calls SetOwnerDebugKeyMap() (HSE_SRV_ID_DEBUG_KEY_MAPPING) only through FSS MU (MU0), mapping aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP.</P><P>- Is a separate SetOwnerDebugKeyMap() call required through the CRS MU for CRS domain authentication?<BR />- If so, which MU number should be used for the CRS domain on S32N55?</P><P>---</P><P>[Q3] Does SetOwnerDebugKeyMap() need to be called on every boot?</P><P>The RM states:<BR />"Only the numOfAuthorizationRefEntries and numOfAuthenticationRefEntries are logged,<BR />rest of the entries are ignored."</P><P>This implies the key mapping is volatile and not stored in NVM. Does this mean SetOwnerDebugKeyMap() must be called on every boot (after SU rights are granted) for both FSS and CRS domains?</P><P>---</P><P>[Q4] Correct keyRef value for APP_CHALLENGE</P><P>In hseDebugAuthorizeStartCmd_t, the keyRef field references the index mapped via hseOwnerDebugKeyMapConfig_t. Since we map aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP, we send keyRef = 0x00 for CRS domain authentication. Is this correct?</P><P>---</P><P>[Q5] Response size and packet structure for APP_CHALLENGE</P><P>Per hseDebugAuthorizeProofProvCmd_t byte map, the packet structure is always 32 bytes (2 packets x 8 words). HSE_CR_APP_RESPONSE_SIZE = 16U vs HSE_CR_FSS_OR_HSE_RESPONSE_SIZE = 32U.</P><P>For APP_CHALLENGE, should the host send:<BR />- 16 bytes of AES-encrypted response + 16 bytes of zero padding = 32 bytes total?<BR />- Or only 16 bytes?</P><P>Currently, after sending FLAG_START + DebugSignalMap(4 bytes) + Response(16 bytes) + FLAG_END, HSE2 does not respond and T32 hangs waiting indefinitely. When we send 32 bytes (16-byte response + 16-byte zero padding), we observe the same hang.</P><P>---</P><P>For reference:<BR />- Sherpa_Cdd_AllocateChannel() always allocates MU0 (FSS)<BR />- SetOwnerDebugKeyMap(): aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP (0x00000302), called with SU rights<BR />- crs_auth.cmm: DEBUG_TARGET=0x1B, OID=0xFF*16, keyRef=0x00<BR />- AUTH_MODE_REQ passes successfully (HSE_DEBUG_WAITING_RESPONSE_TO_CHG received)<BR />- Challenge received: 32 bytes<BR />- After sending Response, no ACK (0x4A4A4A4A) received from HSE2</P><P>Please see the attached CMM script and log for reference.</P><P>Thank you in advance.</P> Fri, 26 Jun 2026 13:05:55 GMT https://community.nxp.com/t5/S32G/S32N55-HSE2-CRS-APP-Domain-Secure-Debug-Authentication-using/m-p/2387055#M16491 EddiePark 2026-06-26T13:05:55Z