FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HSE isntallSMR API question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HSE isntallSMR API question

‎07-20-2023 02:50 AM
1,357 Views
JasonChou
Contributor II

Hi NXP,

I am trying to use C code to test SMR install API(service ID:

HSE_SRV_ID_SMR_ENTRY_INSTALL

), However, I always got service response A5AAA399 which meas parameter is incorrect.

there is so many Argument in this API, could someone help me to check?

the signature and address have benn vailded is this test.

the HSE FW version is  0.2.6

    memcpy(
		(void *)&IVT,
		(const void *)BLOCK0_IVT_ADDRESS,
		0x100);

	uint32_t AppAddress = (uint32_t) app_start_real;

	SmrEntry[4].pSmrsrc=AppAddress; /* Start of APP code */
	SmrEntry[4].smrSize = 1024UL;     /* Length of APP code */
	SmrEntry[4].authKeyHandle = aaa_pub_HANDLE;
	SmrEntry[4].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.saltLength = 32UL;
	SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */
	SmrEntry[4].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

	/**** RSA ****/
	srvResponse = RsaPssSignSrv(
		aaa_pri_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		outputSig);
		
	debug_print("%s RsaPssSignSrv(1) = %x\r\n", sl_tag, srvResponse);
	if(FLASH_Erase(FLS_SWAP_OFFSET, S32K312_SECTOR_SIZE, MAX_ERASE_TIME) == E_OK){
		if(FLASH_Write(FLS_SWAP_OFFSET, sizeof(outputSig), outputSig, MAX_ERASE_TIME) == E_OK){
			debug_print("%s FLASH_Write = OK\r\n", sl_tag);
		}
		else{
			debug_print("%s FLASH_Write = NG\r\n", sl_tag);
		}
	}
	else{
		debug_print("%s FLASH_Erase = NG\r\n", sl_tag);
	}


	srvResponse = RsaPssVerSrv(
		aaa_pub_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		(const uint8_t *)test_sign_real);
	debug_print("%s RsaPssVerSrv(1) = %x\r\n", sl_tag, srvResponse);




	srvResponse = HSE_InstallSmrEntry((4),
										(const hseSmrEntry_t *)&SmrEntry[4],
										(const uint8_t *)SmrEntry[4].pSmrSrc,
										SmrEntry[4].smrSize,
										(const uint8_t *)tag_addr[0][4],
										(const uint8_t *)tag_addr[1][4],
										tag_len[4],
										tag_len[4]);

	debug_print("%s HSE_InstallSmrEntry(0) = %x\r\n", sl_tag, srvResponse);

And, here is result.

JasonChou_0-1689846564219.png

 

 Also, I refer to demo_app\services\src\secure_boot\hse_secure_boot.c which is below(Snippet)

        srvResponse = HSE_InstallSmrEntry((Index),
                                          (const hseSmrEntry_t *)&smrEntry[Index],
                                          (const uint8_t *)smrEntry[Index].pSmrSrc,
                                          smrEntry[Index].smrSize,
                                          (const uint8 *)tag_addr[0][Index],
                                          (const uint8 *)tag_addr[1][Index],
                                          tag_len[Index],
                                          tag_len[Index]);
                smrEntry[i].configFlags = HSE_SMR_CFG_FLAG_INSTALL_AUTH; /* Indicate that verification should be done on provided signature */
                smrEntry[i].pSmrDest = 0U;                               /* destination address shall be NULL for flashed based devices */
                smrEntry[i].checkPeriod = 0U;
                    smrEntry[i].pSmrsrc=AppAddress; /* Start of APP code */
                    smrEntry[i].smrSize = 1024UL;     /* Length of APP code */
                    smrEntry[i].authKeyHandle = HSE_DEMO_NVM_RSA2048_PUB_CUSTAUTH_HANDLE0;
                    smrEntry[i].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.saltLength = SALT_LENGTH;
                    smrEntry[i].pInstAuthTag[0] = RSA_TAG_CODE_FLASH_ADDRESS; /* signature tag address */
                    smrEntry[i].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

 

Tags (2)
0 Kudos
Reply
6 Replies

‎07-24-2023 07:19 PM
1,267 Views
JasonChou
Contributor II

Moreover, I print arguments before send HSE. I'm not sure if it is any help.

 

JasonChou_0-1690251512898.png

 

0 Kudos
Reply

‎07-21-2023 12:37 AM
1,322 Views
JasonChou
Contributor II

Hi @lukaszadrapa,

Thanks for reply,

sorry for missing definition of argument. this parameter(test_sign_real) is follow on demo code(hse_secure_boot.c), here is the definitions

My test code

 

#define app_start_real             0x500000UL
#define test_sign_real             0x440000UL
#define test_HANDLE         GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_NVM,3,0)
static const uint32_t tag_addr[2U][5U] =
{
    {0, 0, 0, 0, test_sign_real},
    {0, 0, 0, 0, 0}};
static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 512U};

 

 

demo code(hse_secure_boot.c)

 

#define RSA_TAG_CODE_FLASH_ADDRESS 0x00454100UL
static const uint32_t tag_addr[2U][5U] =
    {
        {CMAC_TAG_CODE_FLASH_ADDRESS, GMAC_TAG_CODE_FLASH_ADDRESS, HMAC_TAG_CODE_FLASH_ADDRESS, ECC_TAG1_CODE_FLASH_ADDRESS, RSA_TAG_CODE_FLASH_ADDRESS},
        {0, 0, 0, ECC_TAG2_CODE_FLASH_ADDRESS, 0}};

static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 256U};

 

Basically, It's the same except the value.

I try demo code in Trace32, and it's work, but I still don't know the different between my test code and demo code...

0 Kudos
Reply

‎07-24-2023 12:51 AM
1,291 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

One more thing that comes into my mind - most of similar issues when it does not work in own project is caused by cache memory.
It is important to force descriptors/data sent to/from Messaging Unit to non-cacheable region. To check if it is related to the cache memory, you can try to disable the cache by DC bit in core register CCR Configuration and Control Register. Please let me know if it helps or not.
Regards,
Lukas

0 Kudos
Reply

‎07-24-2023 07:07 PM
1,270 Views
JasonChou
Contributor II
Hi @lukaszadrapa
All I get document doesn't mention about core register CCR Configuration and Control Register

However, I found there are three function called "sys_m7_cache_xxx" which will be called when defined MPU_ENABLE/D_CACHE_ENABLE/I_CACHE_ENABLE in system.c file.
And, I tried to call comment sys_m7_cache_init() which wanted to disable the cache. the result is still the same...
0 Kudos
Reply

‎07-25-2023 12:47 AM
1,260 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

it's core registers, so it's described in the core manuals:

lukaszadrapa_0-1690271071155.png

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0489d/index.html

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0646b/index.html

 

hseSmrEntry_t (your SmrEntry[4]) has more items which I can't see in the code. You can find details in API RM. Could you check how those items are initialized?

And maybe you can take a look also at these examples:

https://www.nxp.com/webapp/Download?colCode=S32K3_HSE_DemoExamples

This one could help:

c:\NXP\S32K3_HSE_DemoExamples_1_0_0\S32K3_HSE_DemoExamples\Secure_Boot\S32K344_Advanced_SecureBoot\

Regards,

Lukas

0 Kudos
Reply

‎07-20-2023 11:34 PM
1,328 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */

 

This should be a pointer to the signature only, not directly the value. Could you check this?

Thanks,

Lukas

0 Kudos
Reply