PRF function in HSE

ashwini2024 · ‎07-18-2025

Hello

I am working on BSP 43 and I have enabled HSE I am using the HSE version : HSE_FW_S32G3XX_0_2_64_0. I am able to generate the pre-master successfully , I am trying to generate the master key by using the PRF function for TLS 1.2 , but its failing to generate it. I am following the HSE_API_REFERENCE_MANUAL , in order to generate the master key. Could you please let me know whether the inputs I am passing is valid.

The below is my code attached.

alejandro_e · ‎07-18-2025

Hello @ashwini2024 ,

Thanks for reaching out to us again. Please share the following information:

- The HSE response you are getting when executing the service

- the contents of srv_desc.hseSrv.keyDeriveReq.sch.TLS12Prf, preferably in text or bin format, but in image it can also work.

Thanks!

ashwini2024 · ‎07-20-2025

1. The HSE service response is as attached in the image1.png.
2. Regarding the contents of the PRF function I have attached the master.c program above.

alejandro_e · ‎07-21-2025

Hello @ashwini2024,

Thanks for the information, I see that the error is just "general error" so we cannot get much details following that.

About the contents of srv_desc.hseSrv.keyDeriveReq.sch.TLS12Prf, sorry for not asking more clearly, I meant the contents of the structure at run time, this is to get the actual information that is being sent to the HSE.

Thanks in advance.

ashwini2024 · ‎07-22-2025

Thank you for the clarification.
I will attach the output in image3.png.

alejandro_e · ‎07-22-2025

Hello @ashwini2024,

Thanks for the information, here are my findings, some are just recommendations since I do not know your setup:

You are usgin the following parameter as "not used", while the API manual indicates that for "master secret" is needed

Ensure the key handle (0x00020600) has the required flags

Please use a different key handle than pskKeyHandle, since they have different requirements

Please ensure that the targetKeyHandle (0x00000000) has the required flags

Please check the noes above and let me know if the behavior changes, if you receive a different error, please let me know.

Thanks!

ashwini2024 · ‎07-23-2025

Hello

Thank you for the reply.

As per your inputs I have updated my code and is as attached I am still facing the same issue.
I have also attached the flags that are set for each key handle.

ashwini2024 · ‎07-23-2025

Here is the updated code.

ashwini2024 · ‎07-23-2025

Here are the attached files.

alejandro_e · ‎07-28-2025

Hello @ashwini2024,

Thanks for the test, Please test using different key slots for pskKeyHandle and srcKeyHandle. Please ensure the requirements detailed in the API ref manual are met:

Please let me know if the behavior changes,
Thanks

ashwini2024 · ‎07-29-2025

Hello

Please have a look at my service descriptor values that I am passing I have updated the key handles. But still I am facing the general error , I do not understand why i dont get invalid parameters error if the inputs I pass are invalid.

alejandro_e · ‎07-29-2025

Hello @ashwini2024,

did you mean yo attach another version of your service descriptor? I cannot see any file.

About the error, this might be because it the params are "valid values" but invalid at a "logic level".

Let me know if you meant to attach another file or you meant the original one

Thanks

ashwini2024 · ‎07-29-2025

Hello ,
Here is my updated code.
Also I have generated a AES-128 bit key in NVM slot and set the usage flag for the key handle as :HSE_KF_USAGE_DERIVE

Please let me know what is the issue with my service descriptor and why I am facing the general error.

alejandro_e · ‎08-01-2025

Hello @ashwini2024,

Please share the output of the prints you have in your program and the key flags you have for the the three key slots you are using:

GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_RAM, 6, 0)

GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_NVM, 1, 3)

GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_RAM, 7, 0)

Also please use memcpy instead of the assignment operator, as done in the demo app to avoid any problems:

Thanks

ashwini2024

Hello @alejandro_e,
Would you be able to reproduce the master key generation process on your end and let me know if it works for you?

alejandro_e

Hello @ashwini2024,

I have not tested, I been somewhat overloaded the pasts weeks and setting up a Linux Configuration with HSE might take some time which I cannot fit in my schedule at the moment. For now I can only guide you following the information you share and the documentation available.

Have you done other test which might help us narrow down the problem?

Thanks.

ashwini2024

I have attached the usage flags for the key handles.

ashwini2024

Thank you very much for your response. I’ve updated the code based on your suggestions, but I’m still encountering the same error.

alejandro_e

Hello @ashwini2024,

I contacted the internal team in parallel and they gave me relevant information, there is a sample project (of which I was not aware until now) , it includes examples on how to use HSE fo TLS, you can download it from FlexNet, it is under Automotive SW – S32G Reference Software and it is named Automotive SW - S32G - mbedTLS, after downloading and installing the exe installer, SW32G3XX_MbedTLS(wHSE)_RTM_1.0.0_230224.exe, you will have the sample project in C:\NXP\SW32G3XX_MbedTLS(wHSE)_RTM_1.0.0.

Please let me know if you need anything else

ashwini2024 · ‎07-29-2025

Could you please let me know which key handle i must use from the HSE firmware version :HSE_FW_S32G3XX_0_2_64_0 for psk handle , src handle and target handle in the global_defs.h for hse standard firmware.

ashwini2024 · ‎07-29-2025

Hi @alejandro_e,

I've noticed that in pkcs11, the following mechanisms are defined:
#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL)
#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL)
#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL)

However, I couldn't find any implementation for these mechanisms. Could you please guide me on where I can add my own custom implementations for them?Is it possible to send a custom implementation for the same?

Thanks!