Hi,
Recently, I tested the PKCS11-HSE demos based on the SDK BSP38/39 release, but there is an error when I test the demos, as follows:
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] Fo[ 534.873915] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
rmatting HSE key catalog
libhse: initialized, firmware status 0x0b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatting NVM and RAM key cat[ 534.903786] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
alogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# rm -rf /etc/pkcs-hse-objs
root@nxp-s32g:~# pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object privkey.pem --type privkey --id 000601 --label 'HSE-RSAPRIV-KEY'
[ 552.132517] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse: initialized, firmware status 0x0b20
Using slot 0 with a present token (0x0)
error: Couldn't open file "privkey.pem"
Aborting.
[ 552.161511] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
root@nxp-s32g:~# openssl genrsa -out privkey.pem 2048
root@nxp-s32g:~# openssl rsa -in privkey.pem -pubout -out pubkey.pem
writing RSA key
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] F[ 594.898022] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ormatting HSE key catalog
libhse: initialized, firmware status 0x0b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatting NVM and RAM key c[ 594.927458] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
atalogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# pkcs-keyop /usr/lib64/libpkcs-hse.so.1.0
[ 603.109506] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse: initialized, firmware status 0x0b20
1 slots available
Using token:
Manufacturer......: NXP-Semiconductors
Description.......: NXP-HSE-Slot
Token label.......: NXP-HSE-Token
Keys available: 1
Key pair #1 stored
ERROR: NVM Slot is already occupied. Th[ 605.517744] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
e slot should be cleared, before a new key can be added
ERROR: could not store key pair #2
Keys available: 2
Key removed
libhse: closed
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] F[ 610.746617] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ormatting HSE key catalog
libhse: initialized, firmware status 0x2b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatting[ 610.774152] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
NVM and RAM key catalogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# pkcs-key-provision /usr/lib64/libpkcs-hse.so.1.0 pubkey.pem
[INFO] Loading /usr/lib64/libpkcs-hse.so.1.0 shared library...
[INFO] Openi[ 617.380919] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ng pubkey.pem key file...
[INFO] Retrieving function list from /usr/lib64/libpkcs-hse.so.1.0...
[INFO] Calling C_Initialize...
libhse: initialized, firmware status 0x0b20
[INFO] Getting Slot ID...
[INFO] Opening session on slot #0...
[INFO] Reading and converting key...
[INFO] Calling C_CreateObject with session ID #6...
[INFO] Calling C_FindObjects...
[INFO] Found [ 617.434447] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
Key Object with handle 010701
[INFO] Deleting Key Object with handle 010701
[INFO] Cleaning up and calling C_Finalize...
libhse: closed
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] F[ 625.864735] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ormatting HSE key catalog
libhse: initialized, firmware status 0x2b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatting NVM and RAM ke[ 625.893711] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
y catalogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# pkcs-msg-digest -p /usr/lib64/libpkcs-hse.so.1.0 -l 1024
[INFO] Loading /usr/lib64/libpkcs-hse.so.1.0 shared library...
[INFO] Inp[ 631.527726] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ut message length: 1024
[INFO] Retrieving function list from /usr/lib64/libpkcs-hse.so.1.0...
[INFO] Calling C_Initialize...
libhse: initialized, firmware status 0x0b20
[INFO] Getting Slot ID...
[INFO] Opening session on slot #0...
[INFO] Start digest test...
[INFO] CKM_SHA_1 Pass
[INFO] CKM_SHA224 Pass
[INFO] CKM_SHA256 Pass
[INFO] CKM_SHA512 Pass
[INFO] CKM_SHA_1 Pass
[ 631.578670] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
[INFO] CKM_SHA256 Pass
[INFO] CKM_SHA512 Pass
[INFO] Cleaning up and calling C_Finalize...
libhse: closed
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] F[ 639.022310] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ormatting HSE key catalog
libhse: initialized, firmware status 0x0b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatting NV[ 639.051628] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
M and RAM key catalogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# rm -rf /etc/pkcs-hse-objs
root@nxp-s32g:~# pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object privkey.pem --type privkey --id 000601 --label 'HSE-RSAPRIV-KEY'
[ 656.823456] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse: initialized, firmware status 0x0b20
Using slot 0 with a present token (0x0)
ERROR: NVM Slot is already occupied. The slot shoul[ 656.864002] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
d be cleared, before a new key can be added
libhse: closed
error: PKCS11 function C_CreateObject failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.
root@nxp-s32g:~# pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object pubkey.pem --type pubkey --id 000701 --label 'HSE-RSAPUB-KEY'
[ 680.306077] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse: initialized, firmware status 0x0b20
Using slot 0 with a present token (0x0)
Created public key:
Public Key Object; RSA 0 bits
label: HSE-RSAPUB-KEY
ID: [ 680.346340] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
000701
Usage: none
Access: none
Unique ID:
libhse: closed
root@nxp-s32g:~# pkcs-cipher /usr/lib64/libpkcs-hse.so.1.0
[INFO] Loading /usr/lib64/libpkcs-hse.so.1.0 shared library...
[INFO] Re[ 687.827336] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
trieving function list from /usr/lib64/libpkcs-hse.so.1.0...
[INFO] Calling C_Initialize...
libhse: initialized, firmware status 0x2b20
[INFO] Getting Slot ID...
[INFO] Opening session on slot #0...
[INFO] Install an AES-128 RAM key ...
[INFO] Calling C_CreateObject with session ID #9...
[INFO] Calling C_FindObjects...
[INFO] Found Key Object with handle 020205
[INFO] Block ciphering...
[INFO] CKM_AES_ECB Done!
[INFO] Length: 8 + 16 + 15 + 25 (64)
[INFO] Length: 16 + 16 + 32 + 64 (128)
[INFO] Length: 5 + 7 + 65 + 19 (96)
[INFO] Length: 40 + 20 + 10 + 10 (80)
[INFO] Len[ 687.886199] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
gth: 14 + 2 + 80 + 16 (112)
[INFO] Length: 1 + 1 + 2 + 12 (16)
[INFO] Length: 32 + 15 + 14 + 3 (64)
[INFO] Length: 80 + 10 + 10 + 12 (112)
[INFO] Length: 12 + 13 + 4 + 3 (32)
[INFO] Length: 10 + 2 + 3 + 1 (16)
[INFO] Stream CKM_AES_ECB Done!
[INFO] CKM_AES_CBC Done!
[INFO] Length: 8 + 16 + 15 + 25 (64)
[INFO] Length: 16 + 16 + 32 + 64 (128)
[INFO] Length: 5 + 7 + 65 + 19 (96)
[INFO] Length: 40 + 20 + 10 + 10 (80)
[INFO] Length: 14 + 2 + 80 + 16 (112)
[INFO] Length: 1 + 1 + 2 + 12 (16)
[INFO] Length: 32 + 15 + 14 + 3 (64)
[INFO] Length: 80 + 10 + 10 + 12 (112)
[INFO] Length: 12 + 13 + 4 + 3 (32)
[INFO] Length: 10 + 2 + 3 + 1 (16)
[INFO] Stream CKM_AES_CBC Done!
[INFO] CKM_AES_CTR Done!
[INFO] Length: 8 + 16 + 15 + 25 (64)
[INFO] Length: 16 + 16 + 32 + 64 (128)
[INFO] Length: 5 + 7 + 65 + 19 (96)
[INFO] Length: 40 + 20 + 10 + 10 (80)
[INFO] Length: 14 + 2 + 80 + 16 (112)
[INFO] Length: 1 + 1 + 2 + 12 (16)
[INFO] Length: 32 + 15 + 14 + 3 (64)
[INFO] Length: 80 + 10 + 10 + 12 (112)
[INFO] Length: 12 + 13 + 4 + 3 (32)
[INFO] Length: 10 + 2 + 3 + 1 (16)
[INFO] Stream CKM_AES_CTR Done!
[INFO] CKM_AES_GCM Done!
[INFO] RSA ciphering...
[INFO] Found Key Object with handle 010700
[ERROR] Failed to find key object with Class CKO_PRIVATE_KEY
libhse: closed
root@nxp-s32g:~# hse-secboot -f -o -d /dev/mmcblk0
[INFO] F[ 697.243718] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
ormatting HSE key catalog
libhse: initialized, firmware status 0x2b20
[INFO] Retrieving IVT from device /dev/mmcblk0
[INFO] Enabling MUs
[INFO] Formatti[ 697.271221] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
ng NVM and RAM key catalogs
[INFO] Retrieving SYSIMG size
[INFO] Publishing SYSIMG
[INFO] Writing SYSIMG to /dev/mmcblk0
libhse: closed
root@nxp-s32g:~# rm -rf /etc/pkcs-hse-objs
root@nxp-s32g:~# pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object privkey.pem --type privkey --id 000601 --label 'HSE-RSAPRIV-KEY'
[ 710.792970] hse-uio 40210000.mu0b: device hse-uio v2.1 open, instances: 1
libhse: initialized, firmware status 0x0b20
Using slot 0 with a present token (0x0)
ERROR: NVM Slot is already occupied. The slot shoul[ 710.829280] hse-uio 40210000.mu0b: device hse-uio v2.1 released, instances: 0
d be cleared, before a new key can be added
libhse: closed
error: PKCS11 function C_CreateObject failed: rv = CKR_ARGUMENTS_BAD (0x7)
Aborting.
root@nxp-s32g:~#
Would you please help to check the issue and give the reason?
Thanks,
Zhantao
Hello, @hittzt
Thanks for the feedback.
Yes, I have tested it on RDB3/BSP38, attached for your reference.
Best Regards
Chenyin
Hello @chenyin_h ,
I would like to know if I could store the generated keys in an HSE RAM slot. Could you please provide me guidance on that?
Thanks in advance for your information.
Hi @chenyin_h,
Sorry for the delayed reply.
I checked the log file you attached. It did work with your test steps, but in your steps there was an additional command:
pkcs-keyop /usr/lib/libpkcs-hse.so.1.0
before the last command:
pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object privkey.pem --type privkey --id 000601 --label 'HSE-RSAPRIV-KEY'
while I did not execute the "pkcs-keyop /usr/lib/libpkcs-hse.so.1.0" command, so the error shows.
I want to know why the pkcs-keyop command can help to fix the issue.
Would you please help to check it?
Thanks,
Zhantao
Hi, @hittzt
Thanks for the feedback.
We were testing under the default combination of HSE firmware and BSP. According to the BSP document, BSP38/39 is based on HSE0.2.22, while 0.1.0.5 is relatively old. I suggest using the version that is listed in the BSP release notes for your work/test, since it is carefully tested. Using a different firmware version may cause issues.
Best Regards
Chenyin
Hi @chenyin_h ,
Sorry for the delay.
As previous comments mentioned, the issue can be reproduced on both RDB2/RDB3 boards. Did you test it on RDB3? On my side, even using the 0.2.22.0 version HSE for RDB3, the issue also exists.
Thanks,
Zhantao
Hello, @hittzt
Thanks for the feedback.
Best Regards
Chenyin
Hi @chenyin_h
Thanks for your reply and sorry for the delay.
Did you test the case on RDB3 v1.0/v1.1 boards with the 0_2_22_0 HSE firmware?
Because the 0_2_22_0 firmware for the S32G2 SoC will affect the secure boot feature, I just used the v0.1.0.5 HSE firmware for S32G2 platforms. And the issue shows as in the previous comments.
Thanks,
Zhantao
Hello, @hittzt
Thanks for the feedback.
My test is similar to yours, logs attached for your reference.
Best Regards
Chenyin
Hi @chenyin_h,
Thanks for your feedback.
I tested the case again, but the same error came out.
Would you please tell me the HSE firmware version you used?
And is there any other configuration when building the pkcs11 demos?
Thanks,
Zhantao
Hello, @hittzt
Thanks for the feedback.
I just tested it on a local RDB2 with BSP39, but I did not see the similar error attached in your logs.
Besides, I did not see obvious errors in the log; it seems some of the error prints are reasonable. Would you please reboot the board and test it again to capture the full logs?
Best Regards
Chenyin
Hi @chenyin_h,
Please follow the steps I pasted in the ticket comments. If you just test the following case:
pkcs11-tool --module /usr/lib64/libpkcs-hse.so.1.0 --write-object privkey.pem --type privkey --id 000601 --label 'HSE-RSAPRIV-KEY'
there is indeed no error shown.
And if you followed my steps and did not see the error, would you please show the test log? Then I can see if I used wrong parameters or something else.
Thanks,
Zhantao
Hello, @hittzt
Thanks for the question and sorry for the delay.
Would you please help to clarify the following?
Thanks
Best Regards
Chenyin
Hi @chenyin_h ,
Thanks for your reply.
I tested the case on both RDB3/RDB2 boards and they have the same issue with BSP38 & 39 images.
Thanks,
Zhantao