ヘルプ
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

HSE isntallSMR API question

キャンセル
提案をオンにする
自動提案では、入力時に可能な一致が提案されるので検索結果を素早く絞り込むことができます。
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

HSE isntallSMR API question

‎07-20-2023 02:50 AM
2,780件の閲覧回数
JasonChou
Contributor II

Hi NXP,

I am trying to use C code to test SMR install API(service ID:

HSE_SRV_ID_SMR_ENTRY_INSTALL

), However, I always got service response A5AAA399 which meas parameter is incorrect.

there is so many Argument in this API, could someone help me to check?

the signature and address have benn vailded is this test.

the HSE FW version is  0.2.6

    memcpy(
		(void *)&IVT,
		(const void *)BLOCK0_IVT_ADDRESS,
		0x100);

	uint32_t AppAddress = (uint32_t) app_start_real;

	SmrEntry[4].pSmrsrc=AppAddress; /* Start of APP code */
	SmrEntry[4].smrSize = 1024UL;     /* Length of APP code */
	SmrEntry[4].authKeyHandle = aaa_pub_HANDLE;
	SmrEntry[4].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
	SmrEntry[4].authScheme.sigScheme.sch.rsaPss.saltLength = 32UL;
	SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */
	SmrEntry[4].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

	/**** RSA ****/
	srvResponse = RsaPssSignSrv(
		aaa_pri_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		outputSig);
		
	debug_print("%s RsaPssSignSrv(1) = %x\r\n", sl_tag, srvResponse);
	if(FLASH_Erase(FLS_SWAP_OFFSET, S32K312_SECTOR_SIZE, MAX_ERASE_TIME) == E_OK){
		if(FLASH_Write(FLS_SWAP_OFFSET, sizeof(outputSig), outputSig, MAX_ERASE_TIME) == E_OK){
			debug_print("%s FLASH_Write = OK\r\n", sl_tag);
		}
		else{
			debug_print("%s FLASH_Write = NG\r\n", sl_tag);
		}
	}
	else{
		debug_print("%s FLASH_Erase = NG\r\n", sl_tag);
	}


	srvResponse = RsaPssVerSrv(
		aaa_pub_HANDLE,
		32UL,
		HSE_HASH_ALGO_SHA2_256,
		SmrEntry[4].smrSize,
		(const uint8_t *)SmrEntry[4].pSmrSrc,
		FALSE,
		0U,
		&signLength,
		(const uint8_t *)test_sign_real);
	debug_print("%s RsaPssVerSrv(1) = %x\r\n", sl_tag, srvResponse);




	srvResponse = HSE_InstallSmrEntry((4),
										(const hseSmrEntry_t *)&SmrEntry[4],
										(const uint8_t *)SmrEntry[4].pSmrSrc,
										SmrEntry[4].smrSize,
										(const uint8_t *)tag_addr[0][4],
										(const uint8_t *)tag_addr[1][4],
										tag_len[4],
										tag_len[4]);

	debug_print("%s HSE_InstallSmrEntry(0) = %x\r\n", sl_tag, srvResponse);

And, here is result.

JasonChou_0-1689846564219.png

 

 Also, I refer to demo_app\services\src\secure_boot\hse_secure_boot.c which is below(Snippet)

        srvResponse = HSE_InstallSmrEntry((Index),
                                          (const hseSmrEntry_t *)&smrEntry[Index],
                                          (const uint8_t *)smrEntry[Index].pSmrSrc,
                                          smrEntry[Index].smrSize,
                                          (const uint8 *)tag_addr[0][Index],
                                          (const uint8 *)tag_addr[1][Index],
                                          tag_len[Index],
                                          tag_len[Index]);
                smrEntry[i].configFlags = HSE_SMR_CFG_FLAG_INSTALL_AUTH; /* Indicate that verification should be done on provided signature */
                smrEntry[i].pSmrDest = 0U;                               /* destination address shall be NULL for flashed based devices */
                smrEntry[i].checkPeriod = 0U;
                    smrEntry[i].pSmrsrc=AppAddress; /* Start of APP code */
                    smrEntry[i].smrSize = 1024UL;     /* Length of APP code */
                    smrEntry[i].authKeyHandle = HSE_DEMO_NVM_RSA2048_PUB_CUSTAUTH_HANDLE0;
                    smrEntry[i].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
                    smrEntry[i].authScheme.sigScheme.sch.rsaPss.saltLength = SALT_LENGTH;
                    smrEntry[i].pInstAuthTag[0] = RSA_TAG_CODE_FLASH_ADDRESS; /* signature tag address */
                    smrEntry[i].pInstAuthTag[1] = (uint32_t)NULL;             /* In this example, AES keys is used hence 2nd tag address is NULL */

 

タグ(2)
0 件の賞賛
返信
6 返答(返信)

‎07-24-2023 07:19 PM
2,690件の閲覧回数
JasonChou
Contributor II

Moreover, I print arguments before send HSE. I'm not sure if it is any help.

 

JasonChou_0-1690251512898.png

 

0 件の賞賛
返信

‎07-21-2023 12:37 AM
2,745件の閲覧回数
JasonChou
Contributor II

Hi @lukaszadrapa,

Thanks for reply,

sorry for missing definition of argument. this parameter(test_sign_real) is follow on demo code(hse_secure_boot.c), here is the definitions

My test code

 

#define app_start_real             0x500000UL
#define test_sign_real             0x440000UL
#define test_HANDLE         GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_NVM,3,0)
static const uint32_t tag_addr[2U][5U] =
{
    {0, 0, 0, 0, test_sign_real},
    {0, 0, 0, 0, 0}};
static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 512U};

 

 

demo code(hse_secure_boot.c)

 

#define RSA_TAG_CODE_FLASH_ADDRESS 0x00454100UL
static const uint32_t tag_addr[2U][5U] =
    {
        {CMAC_TAG_CODE_FLASH_ADDRESS, GMAC_TAG_CODE_FLASH_ADDRESS, HMAC_TAG_CODE_FLASH_ADDRESS, ECC_TAG1_CODE_FLASH_ADDRESS, RSA_TAG_CODE_FLASH_ADDRESS},
        {0, 0, 0, ECC_TAG2_CODE_FLASH_ADDRESS, 0}};

static const uint32_t tag_len[] =
    {
        16U, 16U, 16U, 32U, 256U};

 

Basically, It's the same except the value.

I try demo code in Trace32, and it's work, but I still don't know the different between my test code and demo code...

0 件の賞賛
返信

‎07-24-2023 12:51 AM
2,714件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

One more thing that comes into my mind - most of similar issues when it does not work in own project is caused by cache memory.
It is important to force descriptors/data sent to/from Messaging Unit to non-cacheable region. To check if it is related to the cache memory, you can try to disable the cache by DC bit in core register CCR Configuration and Control Register. Please let me know if it helps or not.
Regards,
Lukas

0 件の賞賛
返信

‎07-24-2023 07:07 PM
2,693件の閲覧回数
JasonChou
Contributor II
Hi @lukaszadrapa
All I get document doesn't mention about core register CCR Configuration and Control Register

However, I found there are three function called "sys_m7_cache_xxx" which will be called when defined MPU_ENABLE/D_CACHE_ENABLE/I_CACHE_ENABLE in system.c file.
And, I tried to call comment sys_m7_cache_init() which wanted to disable the cache. the result is still the same...
0 件の賞賛
返信

‎07-25-2023 12:47 AM
2,683件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

it's core registers, so it's described in the core manuals:

lukaszadrapa_0-1690271071155.png

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0489d/index.html

http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0646b/index.html

 

hseSmrEntry_t (your SmrEntry[4]) has more items which I can't see in the code. You can find details in API RM. Could you check how those items are initialized?

And maybe you can take a look also at these examples:

https://www.nxp.com/webapp/Download?colCode=S32K3_HSE_DemoExamples

This one could help:

c:\NXP\S32K3_HSE_DemoExamples_1_0_0\S32K3_HSE_DemoExamples\Secure_Boot\S32K344_Advanced_SecureBoot\

Regards,

Lukas

0 件の賞賛
返信

‎07-20-2023 11:34 PM
2,751件の閲覧回数
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi @JasonChou 

SmrEntry[4].pInstAuthTag[0] = test_sign_real; /* signature tag address */

 

This should be a pointer to the signature only, not directly the value. Could you check this?

Thanks,

Lukas

0 件の賞賛
返信