Hi,
I am facing an issue while importing keys into NVM during LC = SIMULATED_FIELD.
I first imported an authentication key into NVM with the key owner set to
HSE_KEY_OWNER_CUST, using key slot (0,0). The key flags were:
HSE_KF_USAGE_VERIFY | HSE_KF_USAGE_KEY_PROVISION | HSE_KF_USAGE_SIGN | HSE_KF_USAGE_ENCRYPT | HSE_KF_USAGE_DECRYPT
The key was written successfully, but with that key, which is written with the above flags, when I try to encrypt or calculate a MAC, I receive INVALID_KEY.
After moving the lifecycle to SIMULATED FIELD, I want to update/change the key in a different key slot (0,4) using the authentication key. However, I am not sure about the correct procedure.
Should the new key be encrypted before importing it, or should it be authenticated and sent directly? Also, when using a key container, which fields are required?
Currently, I receive a NOT_ALLOWED error.
I have attached the import function and its parameters. Please let me know where the issue is.
Hi @kerti1
“The key was written successfully, but with that key, which is written with the above flags, when I try to encrypt or calculate a MAC, I receive INVALID_KEY.”
- That’s correct behavior. The key flag HSE_KF_USAGE_KEY_PROVISION is the reason. If this flag is set, the key can be used only for key import and export operations. If you need to use the same key for other operations (encrypt, decrypt, sign, verify), you need to import it to another key slot while HSE_KF_USAGE_KEY_PROVISION is not set. You can read “Table 35. Key usage flags” in the HSE firmware reference manual for details.
“Should the new key be encrypted before importing it, or should it be authenticated and sent directly?”
- Take a look at “Table 48. Key provisioning usage when updating a key (non-empty slot) in the NVM Key Catalog” in the HSE firmware reference manual. It summarizes when authentication and encryption are needed. In short: if you have SU rights, authentication is always needed and encryption is either optional or it does not apply to public keys. I recommend starting with authentication only. Once it is working, you can add encryption if needed. With user rights, encryption is mandatory.
“Also, when using a key container, which fields are required?”
- For authentication, the whole structure hseImportKeySrv_t.keyContainer must be initialized. When authKeyHandle is different from HSE_INVALID_KEY_HANDLE, HSE will use all the values.
KeyContainer has no defined structure. But the idea is simple – it’s just an array somewhere in RAM. You are supposed to copy the KeyInfo structure and the Key itself to the array. The size of the array must be large enough for KeyInfo + Key. It can be bigger, it’s not limited.
Then you need to generate a signature of the container/array.
When importing an authenticated key, fill the mentioned structure hseImportKeySrv_t.keyContainer – there’s a pointer to the container, the length of the container, the key handle for verification, a pointer to the signature…
Pointer to the key and to the KeyInfo is configured in hseImportKeySrv_t. That’s the reason why no specific structure is needed for the container. HSE itself will check if the key and KeyInfo fall within the container.
I have an example for the update of an ECC public key. This operation requires authentication. I used the HSE framework from the HSE DemoExamples SW package. If you are interested, please create a case here and I will share it:
https://support.nxp.com/s/?language=en_US
Write something like “Assign to Lukas Zadrapa” to the description.
Regards,
Lukas
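Added example, not part of the reply above and not NXP code: a host-side C model of the container idea described there (KeyInfo and key copied into one array, request pointers aimed at the copies, both required to fall within the container). All demo_* types and functions are hypothetical stand-ins rather than the real hseImportKeySrv_t layout, the key is a constructed placeholder, and signing the container is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (assumptions), NOT the HSE interface types. */
typedef struct { uint16_t flags, bit_len; uint8_t type, reserved; } demo_key_info_t;
typedef struct {
    const uint8_t *p_key_info, *p_key;  /* both must point into the container */
    const uint8_t *p_container;         /* byte array the signature covers */
    uint16_t key_len, container_len;
} demo_import_req_t;

/* Copy KeyInfo then key into buf and aim the request at the copies.
 * Returns bytes used (the span to sign), or 0 if buf is too small. */
size_t demo_build_container(uint8_t *buf, size_t cap, const demo_key_info_t *info,
                            const uint8_t *key, uint16_t key_len, demo_import_req_t *req) {
    size_t need = sizeof *info + key_len;
    if (need > cap || need > UINT16_MAX) return 0;
    memcpy(buf, info, sizeof *info);
    memcpy(buf + sizeof *info, key, key_len);
    req->p_container = req->p_key_info = buf;
    req->p_key = buf + sizeof *info;
    req->key_len = key_len;
    req->container_len = (uint16_t)need;
    return need;
}

/* 1 if [p, p+len) lies wholly inside the container, else 0. */
static int demo_inside(const demo_import_req_t *r, const uint8_t *p, size_t len) {
    uintptr_t base = (uintptr_t)r->p_container, a = (uintptr_t)p;
    return a >= base && len <= r->container_len && a - base <= r->container_len - len;
}

/* Host-side pre-check: KeyInfo and key must both fall within the container. */
int demo_request_is_consistent(const demo_import_req_t *r) {
    return demo_inside(r, r->p_key_info, sizeof(demo_key_info_t)) &&
           demo_inside(r, r->p_key, r->key_len);
}

/* Constructed sample. tamper=1 leaves p_key on the original key buffer,
 * i.e. outside the signed container, which the pre-check must reject. */
int demo_example(int tamper) {
    static const uint8_t key[16] = {0};      /* constructed placeholder key */
    demo_key_info_t info = { 0, 128, 0, 0 };
    uint8_t buf[64];
    demo_import_req_t req;
    if (!demo_build_container(buf, sizeof buf, &info, key, sizeof key, &req)) return -1;
    if (tamper) req.p_key = key;
    return demo_request_is_consistent(&req);
}
```

Running the same pre-check on the host before submitting a request catches the case where the key pointer still refers to the source buffer instead of the copy inside the signed array.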
Dear @lukaszadrapa ,
I am still unable to successfully import keys into NVM using authorization. I always receive the error “command not allowed.”
I referred to the ECC key pair import example, where the request includes the parameters:
uint8_t *pAuthContainer;
uint16_t authContainerLen;
However, these parameters are not available in ImportAuthSymKeyReq, so I am not sure how the authorization container should be passed for AES/symmetric key import.
Could you please help me understand the correct procedure for importing an AES key into NVM using authorization? I can also share my current example code for reference.