HOW TO INTEGRATE AND USE HSE API

ashwini2024 · ‎10-16-2024

I am using bsp 40 and s32g399ardb3 board.
I have enabled hse and sd card boot mode is successful.[A core as a standalone.]

Now i am supposed to use the hse api to perform hashing on A53 core and other cryptographic operations.
I am referring to the HSE_DEMOAPP_S32G3XX_0_2_22_0 provided by NXP.
How should i move further should i create a custom application or how can i integrate this into my yocto package and compile the main.c ?
Could u please provide some assistance.

chenyin_h · ‎11-19-2024

Hello, @ashwini2024

Sorry for the late reply.

I suggest developing the code based on libpkcs for hash related operation.

And I will update your support case in 1-2 days with examples based on libpkcs. you may check the status there no later than this Thursday.

BR

Chenyin

chenyin_h · ‎11-14-2024

Hello, @ashwini2024

I have some updates from your case.

Thanks

BR

Chenyin

ashwini2024 · ‎11-14-2024

I am encountering the above error and would like to understand the meaning of the firmware status 0x0920 and the associated error code. Could you please explain these and suggest potential solutions to resolve these issues?

Thank you very much for your assistance.

chenyin_h · ‎11-12-2024

Hello, @ashwini2024

Thanks for submitting support case, it is relatively easy for us to share the patch via that channel.

BR

Chenyin

ashwini2024 · ‎11-18-2024

Hello @chenyin_h
There is a code in the yocto package from the git inside the libhse examples but when i execute it i get the following error why is it so please help me.

root@s32g399ardb3:/usr/bin# ./hse-encrypt
[   65.254605] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse:[   65.261898] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
initialized, firmware status 0x0920
DEMO: using NVM key group 1, slot 5
libhse: service response 0x55A5A399 on channel 1
libhse: read reply failed on channel 1
DEMO: generate key request failed: error 53
libhse: closed

I am getting read reply failed please help to resolve .

Thank you.

ashwini2024 · ‎11-12-2024

Please do update here if u have responded to my ticket created.

Thank you.

chenyin_h · ‎11-12-2024

Hello, @ashwini2024

Thanks for your reply.

I have roughly finished checking the HSE lib/driver in the BSP, currently, libhse could provide low level APIs of HSE for user application, The application could initializes the HSE service descriptor and requests an HSE service via the LIBHSE, as following:

If your application could use this kind of APIs to communicate with HSE, then it is relatively easy for the application development.

For hash operation, you may reference the code pkcs-msg-digest.c from https://github.com/nxp-auto-linux/pkcs11-hse/blob/release/bsp42.0/examples/pkcs-msg-digest/pkcs-msg-....

I made a few modifications on this code and found that the results seems correct with the prints of openssl(done by CPU) from the same inputs, while the HSE is indeed called by the appllication

[ 3960.223129] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
[ 3960.237253] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0

But if your application could not use such kind of APIs(for example, you have to use the openssl APIs), then other additional code development would be necessary.

Hope it will help.

BR

Chenyin

ashwini2024 · ‎11-12-2024

Thank you for the prompt reply.

https://github.com/nxp-auto-linux/pkcs11-hse/blob/release/bsp42.0/examples/hse-encrypt/hse-encrypt.c

I have used the above code as a reference modified the code by applying the patch to it as per my requirements to compute the hash.
It has generated the binary.

The below is the logic i have implemented :
Could you please let me know if the implemented logic is right and if there is any error .And if it will generate the hash correctly using hse .
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

#include "libhse.h"
#include "hse_interface.h"

#define HASH_SIZE 32 // Size for SHA-256 hash output

int main()
{
    DECLARE_SET_ZERO(hseSrvDescriptor_t, srvDesc);
    uint32_t hashLength = HASH_SIZE;
    uint8_t hashOutput[HASH_SIZE];
    int err;
    char *inputData = "Hello, World!";
    size_t inputLength = strlen(inputData); // Length of input data

    // Open HSE device
    err = hse_dev_open();
    if (err) {
        printf("DEMO: failed to open HSE device: error %d\n", err);
        return err;
    }

    // Fill in hashing service descriptor
    hseHashSrv_t *hashService = &srvDesc.hseSrv.hashReq; // Correctly assign to pointer
    memset(&srvDesc, 0, sizeof(srvDesc)); // Zero out the service descriptor

    hashService->accessMode = HSE_ACCESS_MODE_ONE_PASS; // Set to one-pass mode
    hashService->hashAlgo = HSE_HASH_ALGO_SHA2_256;     // Use SHA-256
    hashService->inputLength = inputLength;              // Length of input data
    hashService->pInput = (uintptr_t)(uintptr_t)inputData; // Pointer to input data (cast to uintptr_t)
    hashService->pHash = (uintptr_t)(uintptr_t)hashOutput; // Pointer to output buffer
    hashService->pHashLength = (uintptr_t)(uintptr_t)&hashLength; // Pointer to output length

    // Issue hash service request
    err = hse_srv_req_sync(HSE_CHANNEL_ANY, &srvDesc, sizeof(srvDesc));
    if (err) {
        printf("DEMO: hash request failed: error %d\n", err);
        hse_dev_close();
        return err;
    }

    // Print the resulting hash
    printf("DEMO: hash operation successful\n");
    printf("Hash (SHA-256): ");
    for (uint32_t i = 0; i < hashLength; i++) {
        printf("%02x", hashOutput[i]);
    }
    printf("\n");

    // Close HSE device
    hse_dev_close();
    return 0;
}

chenyin_h · ‎11-05-2024

Hi, @ashwini2024

I noticed that you have created another post for this topic, I will update the status there.

BR

Chenyin

chenyin_h · ‎10-27-2024

Hi, @ashwini2024

Thanks for you reply.

I could understand that you want to develop user space application to calculate hash the would be offloaded to the HSE.

But since it is a specific request and no example existed, directly supporting to write it is beyond our forum support scope, I do apologize for your inconvenience. Currently:

1. The Hash computing is supported by HSE.

2. There is no examples that could direct fulfill your needs, you may have to develop it yourself.

3. As is shown in Chapter 10 of BSP UM, the PKCS11 and HSE driver are supported, it could be a valuable reference to develop your own user space application, currently, the HSE could be loaded as a openssl engine, the corresponding openssl operations could be done by HSE instead of using the CPU.

BR

Chenyin

ashwini2024 · ‎11-04-2024

How do i load the hse as an openssl engine ?

ashwini2024 · ‎11-04-2024

How could i do the 3 point u mentioned could you please elaborate more ?
THank you.

chenyin_h · ‎10-22-2024

Hello, @ashwini2024

Thanks for the reply.

About your new question, from my experience, as I have listed before, two path that may fulfill your requirements:

1. If you are willing to develop kernel driver/kernel module, theoretically you may directly use the hash API of HSE driver for your own use, no document nor example code existed, you may have to learn the HSE kernel driver in details and develop your own kernel code to use the Hash APIs from the following:

https://github.com/nxp-auto-linux/linux/blob/release/bsp41.0-6.6.25-rt/drivers/crypto/hse/hse-ahash....

2. If you are willing to develop a Linux user space code, you may reference the pkcs11-hse project from the path I shared, combine the chapter 10 of BSP 41.0 UM, your own user application could directly use the common openssl API to finally access the HSE. The advantage of this way is that there are already BSP UM existed, you may learn it and use the openssl application to directly call the existing functions, for them to do the hash by the HSE, but you may have to reference the current openssl application to learn how to integrate it to your own user space application.

I hope the information above could help on your questions.

BR

Chenyin

ashwini2024 · ‎11-11-2024

q1)The first option, can u tell me how hse driver is integrated and how can i use it ?How do i enable the driver ?
q2)To access the headers in the kernel source it is possible only through a kernel driver module is that correct ?

chenyin_h · ‎11-11-2024

Hello, @ashwini2024

Thanks for you reply.

1. The HSE driver is enabled when builing the BSP following:

It is under driver/crypto/hse/, you may read the code for details for how it integrated to the corresponding kernel, there are not detailed document to introduce the source code of it.

2. I understand that you indeed want to implement a user application taking use of HSE directly, accordng to the BSP UM, it is supported.

I suggest reference this part to write your own application.

In order for best tracking the issue, I suggest discussing it in the other thread, sorry for your inconvenience.

BR

Chenyin

ashwini2024 · ‎11-12-2024

I have created a new ticket.
https://support.nxp.com/s/case/500KA0000039llN/hse-to-perform-hashing-on-bsp-40

PL

Please check.
Thank you.

ashwini2024 · ‎11-11-2024

Thank you for the reply.

I am working with Yocto BSP 40 and have successfully generated the libhse.so.2.1 library. The examples folder provided with the library contains an example program, hse-encrypt.c, which demonstrates encryption and decryption functionality.

I would like to achieve the following:

Develop a Hash Example Program:
- I intend to create a new C program, hse-hash.c, which will compute hashes using the HSE (Hardware Security Engine) library.
- Can hse-encrypt.c serve as a suitable reference for developing this program?
Location and Integration:
- Where should I place hse-hash.c within the project structure to ensure proper integration with the Yocto build system?
Building and Running on Target:
- How can I modify the Yocto recipe to compile hse-hash.c into an executable binary (hse-hash)?
- Once built, how do I execute this binary on the target machine to compute hashes, ensuring libhse.so.2.1 is accessible?

I would appreciate guidance on the best approach to achieve these steps.

ashwini2024 · ‎10-24-2024

#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/if_alg.h>
#include <unistd.h>

int main() {
    int sockfd, hashfd;
    struct sockaddr_alg sa = {
        .salg_family = AF_ALG,
        .salg_type = "hash",
        .salg_name = "sha256"
    };

    sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    bind(sockfd, (struct sockaddr *)&sa, sizeof(sa));
    hashfd = accept(sockfd, NULL, 0);

char *data = "test data";
write(hashfd, data, strlen(data));

char hash[32];
read(hashfd, hash, 32);

close(hashfd);
close(sockfd);

    printf("Hash: ");
    for (int i = 0; i < 32; i++) {
        printf("%02x", hash[i]);
    }
    printf("\n");

return 0;
}

The above is the code i have used to compute hashing. But it uses the computer for computing the hash.I want the cryptographic operation to get offloaded to the hse engine how can i do that How could i modify the code to include that?

chenyin_h · ‎10-21-2024

Hi, @ashwini2024

Thanks for your reply.

The file you mentioned could be found from the interface directory of HSE firmware installation path. you may find it once finish installing the HSE FW package which could be downloaded from your account or the following path:

https://www.nxp.com/app-autopackagemgr/automotive-software-package-manager:AUTO-SW-PACKAGE-MANAGER

I hope it will help.

BR

Chenyin

chenyin_h · ‎10-21-2024

Hello, @ashwini2024

Thanks for your reply.

As stated before, the 1st option may be theoretically implemented, there should be addtional development work based on current BSP, but I feel sorry that there are not example code nor document related that done by NXP, the users have to study and develop it themselves.

For the second option, the current BSP could support it by using openssl applications.

For the file you mentioned, as displayed from the Makefile "obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o", it is user-spaces interface for hash algorithms, while enabled, from my view, this application could be run in user space and directly use the hash algorithms to calculate Hash from kernel functions, it is not to directly use the HSE to offload the Hash operation but using the CPU to calculate the Hash via A53 cores.

BR

Chenyin