帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HSE isntallSMR API question

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

HSE isntallSMR API question

‎07-20-2023 02:50 AM
1,295 次查看
JasonChou
Contributor II

Hi NXP,

I am trying to use C code to test SMR install API(service ID:

HSE_SRV_ID_SMR_ENTRY_INSTALL

), However, I always got service response A5AAA399 which meas parameter is incorrect.

there is so many Argument in this API, could someone help me to check?

the signature and address have benn vailded is this test.

the HSE FW version is  0.2.6

    memcpy(
		(void *)&IVT,
		(const void *)BLOCK0_IVT_ADDRESS,
		0x100);

	uint32_t AppAddress = (uint32_t) app_start_real;

	SmrEntry[4].pSmrsrc=AppAddress; /* Start of APP code */
	SmrEntry[4].smrSize = 1024UL;     /* Length of APP code */
	SmrEntry[4].authKeyHandle = aaa_pub_HANDLE;
	SmrEntry[4].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.saltLength = 32UL;
	SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */
	SmrEntry[4].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

	/**** RSA ****/
	srvResponse = RsaPssSignSrv(
		aaa_pri_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		outputSig);
		
	debug_print("%s RsaPssSignSrv(1) = %x\r\n", sl_tag, srvResponse);
	if(FLASH_Erase(FLS_SWAP_OFFSET, S32K312_SECTOR_SIZE, MAX_ERASE_TIME) == E_OK){
		if(FLASH_Write(FLS_SWAP_OFFSET, sizeof(outputSig), outputSig, MAX_ERASE_TIME) == E_OK){
			debug_print("%s FLASH_Write = OK\r\n", sl_tag);
		}
		else{
			debug_print("%s FLASH_Write = NG\r\n", sl_tag);
		}
	}
	else{
		debug_print("%s FLASH_Erase = NG\r\n", sl_tag);
	}


	srvResponse = RsaPssVerSrv(
		aaa_pub_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		(const uint8_t *)test_sign_real);
	debug_print("%s RsaPssVerSrv(1) = %x\r\n", sl_tag, srvResponse);




	srvResponse = HSE_InstallSmrEntry((4),
										(const hseSmrEntry_t *)&SmrEntry[4],
										(const uint8_t *)SmrEntry[4].pSmrSrc,
										SmrEntry[4].smrSize,
										(const uint8_t *)tag_addr[0][4],
										(const uint8_t *)tag_addr[1][4],
										tag_len[4],
										tag_len[4]);

	debug_print("%s HSE_InstallSmrEntry(0) = %x\r\n", sl_tag, srvResponse);

And, here is result.

JasonChou_0-1689846564219.png

 

 Also, I refer to demo_app\services\src\secure_boot\hse_secure_boot.c which is below(Snippet)

        srvResponse = HSE_InstallSmrEntry((Index),
                                          (const hseSmrEntry_t *)&smrEntry[Index],
                                          (const uint8_t *)smrEntry[Index].pSmrSrc,
                                          smrEntry[Index].smrSize,
                                          (const uint8 *)tag_addr[0][Index],
                                          (const uint8 *)tag_addr[1][Index],
                                          tag_len[Index],
                                          tag_len[Index]);
                smrEntry[i].configFlags = HSE_SMR_CFG_FLAG_INSTALL_AUTH; /* Indicate that verification should be done on provided signature */
                smrEntry[i].pSmrDest = 0U;                               /* destination address shall be NULL for flashed based devices */
                smrEntry[i].checkPeriod = 0U;
                    smrEntry[i].pSmrsrc=AppAddress; /* Start of APP code */
                    smrEntry[i].smrSize = 1024UL;     /* Length of APP code */
                    smrEntry[i].authKeyHandle = HSE_DEMO_NVM_RSA2048_PUB_CUSTAUTH_HANDLE0;
                    smrEntry[i].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.saltLength = SALT_LENGTH;
                    smrEntry[i].pInstAuthTag[0] = RSA_TAG_CODE_FLASH_ADDRESS; /* signature tag address */
                    smrEntry[i].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

 

标记 (2)
0 项奖励
回复
6 回复数

‎07-24-2023 07:19 PM
1,205 次查看
JasonChou
Contributor II

Moreover, I print arguments before send HSE. I'm not sure if it is any help.

 

JasonChou_0-1690251512898.png

 

0 项奖励
回复

‎07-21-2023 12:37 AM
1,260 次查看
JasonChou
Contributor II

Hi @lukaszadrapa,

Thanks for reply,

sorry for missing definition of argument. this parameter(test_sign_real) is follow on demo code(hse_secure_boot.c), here is the definitions

My test code

 

#define app_start_real             0x500000UL
#define test_sign_real             0x440000UL
#define test_HANDLE         GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_NVM,3,0)
static const uint32_t tag_addr[2U][5U] =
{
    {0, 0, 0, 0, test_sign_real},
    {0, 0, 0, 0, 0}};
static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 512U};

 

 

demo code(hse_secure_boot.c)

 

#define RSA_TAG_CODE_FLASH_ADDRESS 0x00454100UL
static const uint32_t tag_addr[2U][5U] =
    {
        {CMAC_TAG_CODE_FLASH_ADDRESS, GMAC_TAG_CODE_FLASH_ADDRESS, HMAC_TAG_CODE_FLASH_ADDRESS, ECC_TAG1_CODE_FLASH_ADDRESS, RSA_TAG_CODE_FLASH_ADDRESS},
        {0, 0, 0, ECC_TAG2_CODE_FLASH_ADDRESS, 0}};

static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 256U};

 

Basically, It's the same except the value.

I try demo code in Trace32, and it's work, but I still don't know the different between my test code and demo code...

0 项奖励
回复

‎07-24-2023 12:51 AM
1,229 次查看
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

One more thing that comes into my mind - most of similar issues when it does not work in own project is caused by cache memory.
It is important to force descriptors/data sent to/from Messaging Unit to non-cacheable region. To check if it is related to the cache memory, you can try to disable the cache by DC bit in core register CCR Configuration and Control Register. Please let me know if it helps or not.
Regards,
Lukas

0 项奖励
回复

‎07-24-2023 07:07 PM
1,208 次查看
JasonChou
Contributor II
Hi @lukaszadrapa
All I get document doesn't mention about core register CCR Configuration and Control Register

However, I found there are three function called "sys_m7_cache_xxx" which will be called when defined MPU_ENABLE/D_CACHE_ENABLE/I_CACHE_ENABLE in system.c file.
And, I tried to call comment sys_m7_cache_init() which wanted to disable the cache. the result is still the same...
0 项奖励
回复

‎07-25-2023 12:47 AM
1,198 次查看
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

it's core registers, so it's described in the core manuals:

lukaszadrapa_0-1690271071155.png

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0489d/index.html

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0646b/index.html

 

hseSmrEntry_t (your SmrEntry[4]) has more items which I can't see in the code. You can find details in API RM. Could you check how those items are initialized?

And maybe you can take a look also at these examples:

https://www.nxp.com/webapp/Download?colCode=S32K3_HSE_DemoExamples

This one could help:

c:\NXP\S32K3_HSE_DemoExamples_1_0_0\S32K3_HSE_DemoExamples\Secure_Boot\S32K344_Advanced_SecureBoot\

Regards,

Lukas

0 项奖励
回复

‎07-20-2023 11:34 PM
1,266 次查看
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */

 

This should be a pointer to the signature only, not directly the value. Could you check this?

Thanks,

Lukas

0 项奖励
回复