<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Topic in S32K: Re: S32K314 HSE SHE SecureBoot CMAC Update</title>
    <link>https://community.nxp.com/t5/S32K/S32K314-HSE-SHE-SecureBoot-CMAC-Update/m-p/2314381#M56664</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/259182"&gt;@Daniel_Park&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;BOOT_MAC_KEY can be used only for the CMAC verify operation. All attempts to run a different operation will lead to an error. It is also not possible to export BOOT_MAC_KEY in any way – this would violate the SHE specification.&lt;/P&gt;
&lt;P&gt;I can see two workarounds:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Load the same key also to a normal key slot in the NVM catalog and use this one to generate the new CMAC.&lt;/LI&gt;
&lt;LI&gt;The new application should be distributed with the CMAC calculated offline because I don’t think it is a good idea to distribute an application without any signature. BOOT_MAC should not be calculated at runtime during the update. To calculate it offline, you can either use tools like OpenSSL or you can let the HSE calculate it in a development setup.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;
&lt;P&gt;Lukas&lt;/P&gt;</description>
    <pubDate>Mon, 09 Feb 2026 06:30:23 GMT</pubDate>
    <dc:creator>lukaszadrapa</dc:creator>
    <dc:date>2026-02-09T06:30:23Z</dc:date>
    <item>
      <title>S32K314 HSE SHE SecureBoot CMAC Update</title>
      <link>https://community.nxp.com/t5/S32K/S32K314-HSE-SHE-SecureBoot-CMAC-Update/m-p/2314193#M56660</link>
      <description>&lt;P&gt;I try to use SHE secureboot.&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Daniel_Park_0-1770547436262.png" style="width: 400px;"&gt;&lt;img src="https://community.nxp.com/t5/image/serverpage/image-id/375972iAD6292A989E3BBFA/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Daniel_Park_0-1770547436262.png" alt="Daniel_Park_0-1770547436262.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV&gt;&lt;P&gt;I have loaded the &lt;STRONG&gt;MASTER_ECU_KEY&lt;/STRONG&gt; and &lt;STRONG&gt;BOOT_MAC_KEY&lt;/STRONG&gt; into the HSE’s NVM according to the reference manual.&lt;/P&gt;&lt;P&gt;As documented, when &lt;STRONG&gt;BOOT_MAC&lt;/STRONG&gt; is empty, it is automatically computed and populated.&lt;/P&gt;&lt;P&gt;My concern arises when the firmware is updated and I need to update the &lt;STRONG&gt;BOOT_MAC&lt;/STRONG&gt; for the new firmware.&lt;/P&gt;&lt;P&gt;The update procedure itself is clear and follows the same method used to load the &lt;STRONG&gt;MASTER_ECU_KEY&lt;/STRONG&gt; and &lt;STRONG&gt;BOOT_MAC_KEY&lt;/STRONG&gt;, so that part is not an issue.&lt;/P&gt;&lt;P&gt;The issue occurs during the &lt;STRONG&gt;BOOT_MAC calculation&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;Specifically, when I set pFastCMacSrv-&amp;gt;keyHandle to the &lt;STRONG&gt;BOOT_MAC_KEY&lt;/STRONG&gt; handle,&lt;/P&gt;&lt;P&gt;I receive the error shown below. I assume this is due to restrictions related to the special nature of SHE keys.&lt;/P&gt;&lt;P&gt;0xA5AA52B4UL&lt;BR /&gt;/**&amp;lt; @brief The key usage flags (provided using the key handle) don't allow to perform the requested crypto operation (the key flags don't match the crypto operation;&lt;BR /&gt;e.g. the key is configured to be used for decryption, and the host requested an encryption).&lt;BR /&gt;In SHE, the key ID provided is either invalid or non-usable due to some flag restrictions. 
*/&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Question:&lt;/STRONG&gt; In the CMAC update flow, how should I obtain and use the appropriate &lt;STRONG&gt;CMAC key&lt;/STRONG&gt; for the calculation if I cannot directly use the &lt;STRONG&gt;BOOT_MAC_KEY&lt;/STRONG&gt; handle? Could you advise on the correct approach for computing the CMAC that will be used to update &lt;STRONG&gt;BOOT_MAC&lt;/STRONG&gt;?&lt;/P&gt;&lt;/DIV&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Feb 2026 10:52:20 GMT</pubDate>
      <guid>https://community.nxp.com/t5/S32K/S32K314-HSE-SHE-SecureBoot-CMAC-Update/m-p/2314193#M56660</guid>
      <dc:creator>Daniel_Park</dc:creator>
      <dc:date>2026-02-08T10:52:20Z</dc:date>
    </item>
    <item>
      <title>Re: S32K314 HSE SHE SecureBoot CMAC Update</title>
      <link>https://community.nxp.com/t5/S32K/S32K314-HSE-SHE-SecureBoot-CMAC-Update/m-p/2314381#M56664</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/259182"&gt;@Daniel_Park&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;BOOT_MAC_KEY can be used only for the CMAC verify operation. All attempts to run a different operation will lead to an error. It is also not possible to export BOOT_MAC_KEY in any way – this would violate the SHE specification.&lt;/P&gt;
&lt;P&gt;I can see two workarounds:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Load the same key also to a normal key slot in the NVM catalog and use this one to generate the new CMAC.&lt;/LI&gt;
&lt;LI&gt;The new application should be distributed with the CMAC calculated offline because I don’t think it is a good idea to distribute an application without any signature. BOOT_MAC should not be calculated at runtime during the update. To calculate it offline, you can either use tools like OpenSSL or you can let the HSE calculate it in a development setup.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;
&lt;P&gt;Lukas&lt;/P&gt;</description>
      <pubDate>Mon, 09 Feb 2026 06:30:23 GMT</pubDate>
      <guid>https://community.nxp.com/t5/S32K/S32K314-HSE-SHE-SecureBoot-CMAC-Update/m-p/2314381#M56664</guid>
      <dc:creator>lukaszadrapa</dc:creator>
      <dc:date>2026-02-09T06:30:23Z</dc:date>
    </item>
  </channel>
</rss>

