PRF function in HSE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PRF function in HSE

5,516 Views
ashwini2024
Contributor II

Hello
 
I am working on BSP 43 and I have enabled HSE I am using the HSE version : HSE_FW_S32G3XX_0_2_64_0. I am able to generate the pre-master successfully , I am trying to generate the master key by using the PRF function for TLS 1.2 , but its failing to generate it. I am following the HSE_API_REFERENCE_MANUAL , in order to generate the master key. Could you please let me know whether the inputs I am passing is valid.

The below is my code attached.

0 Kudos
Reply
20 Replies

5,498 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024 ,

Thanks for reaching out to us again. Please share the following information:

- The HSE response you are getting when executing the service

- the contents of srv_desc.hseSrv.keyDeriveReq.sch.TLS12Prf, preferably in text or bin format, but in image it can also work.

 

Thanks!

0 Kudos
Reply

5,456 Views
ashwini2024
Contributor II

1. The HSE service response is as attached in the image1.png.
2. Regarding the contents of the PRF function I have attached the master.c program above.

0 Kudos
Reply

5,443 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

Thanks for the information, I see that the error is just "general error" so we cannot get much details following that. 

About the contents of srv_desc.hseSrv.keyDeriveReq.sch.TLS12Prf, sorry for not asking more clearly, I meant the contents of the structure at run time, this is to get the actual information that is being sent to the HSE.

 

Thanks in advance.

0 Kudos
Reply

5,401 Views
ashwini2024
Contributor II

Thank you for the clarification. 
I will attach the output in image3.png.

0 Kudos
Reply

5,396 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024

Thanks for the information, here are my findings, some are just recommendations since I do not know your setup:

You are usgin the following parameter as "not used", while the API manual indicates that for "master secret" is needed

alejandro_e_0-1753214852050.png

Ensure the key handle (0x00020600) has the required flags

alejandro_e_1-1753214956373.png

Please use a different key handle than pskKeyHandle, since they have different requirements

alejandro_e_2-1753215005417.png

Please ensure that the targetKeyHandle (0x00000000) has the required flags

alejandro_e_3-1753215119726.png

 

 

Please check the noes above and let me know if the behavior changes, if you receive a different error, please let me know.

 

Thanks!

 

 

0 Kudos
Reply

5,378 Views
ashwini2024
Contributor II

Hello

Thank you for the reply.

As per your inputs I have updated my code and is as attached I am still facing the same issue.
I have also attached the flags that are set for each key handle.

0 Kudos
Reply

5,373 Views
ashwini2024
Contributor II

Here is the updated code.

0 Kudos
Reply

5,374 Views
ashwini2024
Contributor II

Here are the attached files.

0 Kudos
Reply

5,124 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

Thanks for the test, Please test using different key slots for pskKeyHandle and srcKeyHandle. Please ensure the requirements detailed in the API ref manual are met:

alejandro_e_0-1753738868551.png

alejandro_e_1-1753738877551.png

 

Please let me know if the behavior changes,
Thanks

 

0 Kudos
Reply

5,012 Views
ashwini2024
Contributor II

Hello 

Please have a look at my service descriptor values that I am passing I have updated the key handles. But still I am facing the general error , I do not understand why i dont get invalid parameters error if the inputs I pass are invalid.

0 Kudos
Reply

4,881 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

did you mean yo attach another version of your service descriptor? I cannot see any file. 

About the error, this might be because it the params are "valid values" but invalid at a "logic level".

 

Let me know if you meant to attach another file or you meant the original one

Thanks

0 Kudos
Reply

4,837 Views
ashwini2024
Contributor II

Hello , 
Here is my updated code.
Also I have generated a AES-128 bit key in NVM slot and set the usage flag for the key handle as :HSE_KF_USAGE_DERIVE

Please let me know what is the issue with my service descriptor and why I am facing the general error.

0 Kudos
Reply

4,823 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

Please share the output of the prints you have in your program and the key flags you have for the the three key slots you are using:

GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_RAM, 6, 0)
GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_NVM, 1, 3)
GET_KEY_HANDLE(HSE_KEY_CATALOG_ID_RAM, 7, 0)

 

Also please use memcpy instead of the assignment operator, as done in the demo app to avoid any problems:

alejandro_e_0-1754075663505.png

 

 

Thanks

0 Kudos
Reply

4,688 Views
ashwini2024
Contributor II

Hello @alejandro_e,
Would you be able to reproduce the master key generation process on your end and let me know if it works for you?

0 Kudos
Reply

4,372 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

I have not tested, I been somewhat overloaded the pasts weeks and setting up a Linux Configuration with HSE might take some time which I cannot fit in my schedule at the moment. For now I can only guide you following the information you share and the documentation available.

Have you done other test which might help us narrow down the problem?

 

Thanks. 

0 Kudos
Reply

4,277 Views
ashwini2024
Contributor II

I have attached the usage flags for the key handles.

0 Kudos
Reply

4,279 Views
ashwini2024
Contributor II

Thank you very much for your response. I’ve updated the code based on your suggestions, but I’m still encountering the same error.

0 Kudos
Reply

4,249 Views
alejandro_e
NXP TechSupport
NXP TechSupport

Hello @ashwini2024,

I contacted the internal team in parallel and they gave me relevant information, there is a sample project (of which I was not aware until now) , it includes examples on how to use HSE fo TLS, you can download it from FlexNet, it is under Automotive SW – S32G Reference Software and it is named Automotive SW - S32G - mbedTLS, after downloading and installing the exe installer, SW32G3XX_MbedTLS(wHSE)_RTM_1.0.0_230224.exe, you will have the sample project in C:\NXP\SW32G3XX_MbedTLS(wHSE)_RTM_1.0.0.

 

Please let me know if you need anything else

0 Kudos
Reply

5,019 Views
ashwini2024
Contributor II

Could you please let me know which key handle i must use from the HSE firmware version :HSE_FW_S32G3XX_0_2_64_0 for psk handle , src handle and target handle in the global_defs.h for hse standard firmware.

0 Kudos
Reply

5,022 Views
ashwini2024
Contributor II

Hi @alejandro_e,

I've noticed that in pkcs11, the following mechanisms are defined:
#define CKM_TLS_PRE_MASTER_KEY_GEN (0x374UL)
#define CKM_TLS_MASTER_KEY_DERIVE (0x375UL)
#define CKM_TLS_KEY_AND_MAC_DERIVE (0x376UL)

However, I couldn't find any implementation for these mechanisms. Could you please guide me on where I can add my own custom implementations for them?Is it possible to send a custom implementation for the same?

Thanks!

0 Kudos
Reply