S32N55 HSE2 — CRS(APP) Domain Secure Debug Authentication using ADKP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

S32N55 HSE2 — CRS(APP) Domain Secure Debug Authentication using ADKP

558 Views
EddiePark
Contributor IV

Hi

We are working on Secure Debug authentication for the S32N55 platform and have successfully implemented FSS domain debug authorization using ADKP (HSE_OTP_FOEM_ADKP_ATTR_ID) via SDC-600.

We are now trying to extend this to the CRS domain (HSE_DEBUG_DOMAIN_APP = 0x1B) and have the following questions:

---

[Q1] Is ADKP usable for CRS domain Secure Debug authentication?

After provisioning ADKP via HSE_OTP_FOEM_ADKP_ATTR_ID, is it possible to use the same ADKP for CRS domain (APP) Secure Debug authentication via HSE_DEBUG_CMD_APP_CHALLENGE?

---

[Q2] Does SetOwnerDebugKeyMap() need to be called separately per MU (FSS MU vs CRS MU)?

Per the RM description of hseOwnerDebugKeyMapConfig_t:
"This service is called for each installed device owner individually from an owning MU.
HSE FW assumes the owner identity based on the MU this service request is sent to."

Our current implementation calls SetOwnerDebugKeyMap() (HSE_SRV_ID_DEBUG_KEY_MAPPING) only through FSS MU (MU0), mapping aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP.

- Is a separate SetOwnerDebugKeyMap() call required through the CRS MU for CRS domain authentication?
- If so, which MU number should be used for the CRS domain on S32N55?

---

[Q3] Does SetOwnerDebugKeyMap() need to be called on every boot?

The RM states:
"Only the numOfAuthorizationRefEntries and numOfAuthenticationRefEntries are logged,
rest of the entries are ignored."

This implies the key mapping is volatile and not stored in NVM. Does this mean SetOwnerDebugKeyMap() must be called on every boot (after SU rights are granted) for both FSS and CRS domains?

---

[Q4] Correct keyRef value for APP_CHALLENGE

In hseDebugAuthorizeStartCmd_t, the keyRef field references the index mapped via hseOwnerDebugKeyMapConfig_t. Since we map aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP, we send keyRef = 0x00 for CRS domain authentication. Is this correct?

---

[Q5] Response size and packet structure for APP_CHALLENGE

Per hseDebugAuthorizeProofProvCmd_t byte map, the packet structure is always 32 bytes (2 packets x 8 words). HSE_CR_APP_RESPONSE_SIZE = 16U vs HSE_CR_FSS_OR_HSE_RESPONSE_SIZE = 32U.

For APP_CHALLENGE, should the host send:
- 16 bytes of AES-encrypted response + 16 bytes of zero padding = 32 bytes total?
- Or only 16 bytes?

Currently, after sending FLAG_START + DebugSignalMap(4 bytes) + Response(16 bytes) + FLAG_END, HSE2 does not respond and T32 hangs waiting indefinitely. When we send 32 bytes (16-byte response + 16-byte zero padding), we observe the same hang.

---

For reference:
- Sherpa_Cdd_AllocateChannel() always allocates MU0 (FSS)
- SetOwnerDebugKeyMap(): aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP (0x00000302), called with SU rights
- crs_auth.cmm: DEBUG_TARGET=0x1B, OID=0xFF*16, keyRef=0x00
- AUTH_MODE_REQ passes successfully (HSE_DEBUG_WAITING_RESPONSE_TO_CHG received)
- Challenge received: 32 bytes
- After sending Response, no ACK (0x4A4A4A4A) received from HSE2

Please see the attached CMM script and log for reference.

Thank you in advance.

0 Kudos
Reply
8 Replies

81 Views
chenyin_h
NXP Employee
NXP Employee

Hello, @EddiePark 

Thanks for your patience, below are some initial comments for your reference

[Q1] Is ADKP usable for CRS domain Secure Debug authentication?

[Comments]Yes, the used key for App domain secure debug authentication is selected from the hseOwnerDebugKeyMapConfig_t->pOwnerCardAuthenticationRef, it could includes the ADKP 's keyhandle.

[Q2] Does SetOwnerDebugKeyMap() need to be called separately per MU (FSS MU vs CRS MU)?

[Comments]: SetOwnerDebugKeyMap() should bound to the Device owner , not MU. The Device owner could includes multiple cohorts which has multiple MU instances. If FSS and CRS are included in the same device owner, it could be called by the CRS MU or FSS MU.

[Q3] Does SetOwnerDebugKeyMap() need to be called on every boot?

[Comments]:  It should not be called on every boot, the configuration should be saved in the SYS-IMG or fuse, otherwise the secure debug will fail after repowering the device, it does not meet the design expectation of secure debug. However not sure where to store this configuration from the current available resource.

[Q4] Correct keyRef value for APP_CHALLENGE

In hseDebugAuthorizeStartCmd_t, the keyRef field references the index mapped via hseOwnerDebugKeyMapConfig_t. Since we map aOwnerAuthRef[0] = HSE_OTP_KEY_FOEM_ADKP, we send keyRef = 0x00 for CRS domain authentication. Is this correct?

[Comments]: Yes, if  ADKP handle is the first entry of OwnerCardAuthenticationRef and the user wants to use ADKP to authenticate CRD debug, the authKeyRef  should be 0(The index of ADKP handle entry)

[Q5] Response size and packet structure for APP_CHALLENGE

[Comments]: For App debug, besides the debug signal map and challenge response data fileds, the other unused data  in packet 1 can be filled with 0.

 

Since the corresponding documents are not yet updated fully for this topic(the S32N55 is still at early stage), there is limited information we would provide.

Sorry for your inconvenience.

 

BR

Chenyin 

0 Kudos
Reply

24 Views
EddiePark
Contributor IV

Hello,

Thank you again for your continued support. We fully understand that S32N55 is still in the pre-production phase and that documentation/resources for this topic are currently limited. We sincerely apologize for the additional questions, but as our customer delivery schedule is approaching and this is a critical blocker, we are compelled to ask for a bit more guidance.

We have applied your previous comments (Q1-Q5): keyRef=0x00, ADKP in pOwnerCardAuthenticationRef, and Packet 1 filled to 32 bytes (debugSignalMap 4B + appChallengeAuth 16B + unused 12B = 0).

However, we are still blocked at the ProofProv / CARD_REQUEST stage. Our current status:

1. AUTH_MODE_REQ (DEBUG_TARGET=0x1B) -> OK (HSE2 returns 0x4A4A4A4A)
2. APP_CHALLENGE -> OK (32-byte Challenge received)
3. ProofProv (hseDebugAuthorizeProofProvCmd_t):
- Packet 1 = debugSignalMap(4B=0) + appChallengeAuth(16B AES256-CMAC) + unused(12B=0)
- All 32 bytes transmitted successfully over SDC-600
- >>> HSE2 gives NO response after this <<<

The SDC-600 TX appears to stall shortly after ~20 bytes and HSE2 never sends any response frame.

Could you please clarify the following about the APP (CRS) domain authentication sequence:

[Q1] After the host sends ProofProv (hseDebugAuthorizeProofProvCmd_t with appChallengeAuth) for APP_CHALLENGE, does HSE2 send an intermediate response frame back to the host? Or does HSE2 remain silent and wait for the next command?

For reference, in the FSS domain, after ProofProv the HSE2 returns 0x4A4A4A4A. We observe NO such response in APP domain. Is this expected?

[Q2] What is the correct ordering between ProofProv (hseDebugAuthorizeProofProvCmd_t) and CARD_REQUEST (hseDebugCardCmd_t) for APP_CHALLENGE?

- Option A: APP_CHALLENGE -> ProofProv -> (HSE2 response?) -> CARD_REQUEST
- Option B: APP_CHALLENGE -> CARD_REQUEST directly (ProofProv skipped for APP)
- Option C: some other sequence

Since RM states debugSignalMap is 'ignored' for APP and authorization happens 'only through the debug card authentication', should ProofProv be sent at all for APP domain, or should we go directly to CARD_REQUEST after the challenge?

[Q3] Could you please provide the complete command sequence for APP (CRS) domain Secure Debug authentication from COMM_START to the final authorization response?

We would like to confirm the exact order and which commands expect a response from HSE2, specifically:
COMM_START -> AUTH_MODE_REQ -> APP_CHALLENGE -> [ProofProv?] -> [CARD_REQUEST?] -> [final response?]

Any reference flow or example for the APP/CRS domain would be extremely helpful, as the current behavior (HSE2 silent after ProofProv) does not match the FSS domain flow.

Thank you very much for your understanding and support.

Best regards,

0 Kudos
Reply

384 Views
chenyin_h
NXP Employee
NXP Employee

Hello, @EddiePark 

Thanks for your post.

Pleased to hear that the Secure Debug authentication for the S32N55 platform have successfully implemented FSS domain debug authorization using ADKP (HSE_OTP_FOEM_ADKP_ATTR_ID) via SDC-600.

I will continue to help check with the details for your new issues, sorry that I did not see the attached CMM script and log for reference, would you mind uploading them again to share with us?

 

BR

Chenyin

0 Kudos
Reply

326 Views
EddiePark
Contributor IV

Hello,

Thank you for your response. 

We have additional questions regarding hseDebugCardCmd_t implementation for CRS (APP) domain Secure Debug authentication on S32N55.

---

[Q1] Is the Owner ID (ownerId) in hseDebugCardInfo_t the same value as provisioned via hseOwnerDebugKeyMapConfig_t?

Our device is configured in single-owner scenario where Fss_Firmware_au8Oid[] = {0xFF * 16}.
Should the ownerId field in hseDebugCardCmd_t also be set to 0xFF * 16?
Or does it need to match a specific value provisioned during Device Owner installation?

---

[Q2] Does hseDebugCardCmd_t need to be sent after APP_CHALLENGE, or instead of hseDebugAuthorizeProofProvCmd_t?

Per RM: "For APP based options, debug signals are enabled and authorized only through the debug cards authentication (see hseDebugCardCmd_t)(field is ignored)."

Our current flow:
1. AUTH_MODE_REQ (DEBUG_TARGET=0x1B)
2. rx_authmode → HSE_DEBUG_WAITING_RESPONSE_TO_CHG received
3. APP_CHALLENGE → rx_challenge (32 bytes received)
4. hseDebugCardCmd_t sent directly (skipping hseDebugAuthorizeProofProvCmd_t)
5. HSE2 stops responding (T32 hangs at FLAG_END of CARD_REQUEST)

Should hseDebugAuthorizeProofProvCmd_t (appChallengeAuth = AES256-CMAC) be sent BEFORE hseDebugCardCmd_t?
Or should hseDebugCardCmd_t be sent directly after rx_challenge without ProofProv?

---

[Q3] What is the correct Authentication Tag (authTag) computation for hseDebugCardTag_t when using MAC scheme?

We are using:
authScheme.macScheme.macAlgo = HSE_MAC_ALGO_CMAC (0x11)
authTag = AES256-CMAC(key=ADKP, data=Challenge[32 bytes])
authLen = 16

Is this the correct computation? Or should the CMAC input include additional fields (OID, domain map, etc.)?

---

[Q4] What is the correct packet structure for hseDebugCardCmd_t?

Based on the RM byte map, our current implementation:
Packet 1 (32 bytes): KRI(4B) + CMD(4B=0x5DCDEB77) + OID(16B=0xFF*16) + AuthScheme(8B=CMAC)
Packet 2 (32 bytes): enabledDebugDomainMap(bit27=0x08000000) + padding(28B)
Packet 3: debugDomainMapping(4B) + numOfAllowedUids(2B) + reserved(2B) + authLen(2B) + reserved(2B) + authTag(256B)

Is this structure correct? HSE2 stops responding after receiving the OID field (0xFF bytes).

---

Could you please let me know your email?  I will send you cmm file for crs auth.

 

BRs.

0 Kudos
Reply

21 Views
chenyin_h
NXP Employee
NXP Employee

Hello,  

Thanks for your reply, I understand, and will always. try our best to support.

1. I have downloaded the cmm and auth files you shared from the other post S32N55 HSE2 CRS domain authentication does not complete, are they still the same one currently used?

2. For your questions listed later:

[Q1] Is the Owner ID (ownerId) in hseDebugCardInfo_t the same value as provisioned via hseOwnerDebugKeyMapConfig_t?

[Comments]: Yes, the OID of hseDebugCardInfo_t is just the ownerid of Device Owner installation service.

[Q2] Does hseDebugCardCmd_t need to be sent after APP_CHALLENGE, or instead of hseDebugAuthorizeProofProvCmd_t?

[Comments]: hseDebugAuthorizeProofProvCmd_t should be sent before sending CARD_REQUEST

[Q3] What is the correct Authentication Tag (authTag) computation for hseDebugCardTag_t when using MAC scheme?

[Comments]:  Sorry that no obvious description about this in API RM. But the authentication tag for App domain may not use the received challenge, the challenge is used for hseDebugAuthorizeProofProvCmd_t. For user's CRS domain debug, maybe it is authTag = AES256-CMAC(key=ADKP, data=hseDebugCardInfo_t). You may have a try.

[Q4] What is the correct packet structure for hseDebugCardCmd_t?

[Comments]:  The structure of hseDebugCardCmd_t could be referred to the comment in HSE FW API interface which is more clear than the description in HSE FW API RM. by checking your original script shared, we found some errors about hseDebugCardCmd_t structure, see the attached word.

chenyin_h_0-1783312273436.png

For any other files that you may not be conveniently shared within the post, you may send them to me via the private message

chenyin_h_1-1783312450364.png

 

BR

Chenyin

 

0 Kudos
Reply

320 Views
chenyin_h
NXP Employee
NXP Employee

Hello, @EddiePark 

Thanks for your reply.

There are already 6 questions existed in this post, and may take a relative long time to investigate, in order for improving the efficiency,  for additional questions, I suggest creating a new post to track.

And as you mentioned, there would be scripts/logs attached for checking, but I do not see in your post, may I know if they would be uploaded again?

 

BR

Chenyin

0 Kudos
Reply

305 Views
EddiePark
Contributor IV

Hello,

Thank you for your suggestion. As requested, I have created a new post to track the CRS (APP domain) Secure Debug authentication issue:

[S32N55 HSE2 — CRS (APP Domain) Secure Debug Authentication via hseDebugCardCmd_t]
(Please search the title above in NXP Community)

This issue is currently blocking our customer delivery schedule. Could you please review the new post at your earliest convenience?

The CMM script (crs_auth.cmm) and log file are attached in the new post.

Thank you very much for your urgent support.

0 Kudos
Reply

288 Views
chenyin_h
NXP Employee
NXP Employee

Hello, @EddiePark 

Thanks for your reply.

1. As always, we will try our best to support your queries.

2. I understand it is a urgence issue, but as what I had mentioned in previous support, S32N55 is still in pre-production phase, it is not yet supported via the community channel, (during this period, we suggest directly contacting your FAE/Distributor to accelerate the efficiency)so it would take relative long time to reply, furthermore, the secure debug with LC advanced is usually at a relatively late stage of development, the document/samples are still limited in recent term.

Sorry for your inconvenience.

 

BR

Chenyin

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2387055%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ES32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2387055%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%3C%2FP%3E%3CP%3EWe%20are%20working%20on%20Secure%20Debug%20authentication%20for%20the%20S32N55%20platform%20and%20have%20successfully%20implemented%20FSS%20domain%20debug%20authorization%20using%20ADKP%20(HSE_OTP_FOEM_ADKP_ATTR_ID)%20via%20SDC-600.%3C%2FP%3E%3CP%3EWe%20are%20now%20trying%20to%20extend%20this%20to%20the%20CRS%20domain%20(HSE_DEBUG_DOMAIN_APP%20%3D%200x1B)%20and%20have%20the%20following%20questions%3A%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ1%5D%20Is%20ADKP%20usable%20for%20CRS%20domain%20Secure%20Debug%20authentication%3F%3C%2FP%3E%3CP%3EAfter%20provisioning%20ADKP%20via%20HSE_OTP_FOEM_ADKP_ATTR_ID%2C%20is%20it%20possible%20to%20use%20the%20same%20ADKP%20for%20CRS%20domain%20(APP)%20Secure%20Debug%20authentication%20via%20HSE_DEBUG_CMD_APP_CHALLENGE%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ2%5D%20Does%20SetOwnerDebugKeyMap()%20need%20to%20be%20called%20separately%20per%20MU%20(FSS%20MU%20vs%20CRS%20MU)%3F%3C%2FP%3E%3CP%3EPer%20the%20RM%20description%20of%20hseOwnerDebugKeyMapConfig_t%3A%3CBR%20%2F%3E%22This%20service%20is%20called%20for%20each%20installed%20device%20owner%20individually%20from%20an%20owning%20MU.%3CBR%20%2F%3EHSE%20FW%20assumes%20the%20owner%20identity%20based%20on%20the%20MU%20this%20service%20request%20is%20sent%20to.%22%3C%2FP%3E%3CP%3EOur%20current%20implementation%20calls%20SetOwnerDebugKeyMap()%20(HSE_SRV_ID_DEBUG_KEY_MAPPING)%20only%20through%20FSS%20MU%20(MU0)%2C%20mapping%20aOwnerAuthRef%5B0%5D%20%3D%20HSE_OTP_KEY_FOEM_ADKP.%3C%2FP%3E%3CP%3E-%20Is%20a%20separate%20SetOwnerDebugKeyMap()%20call%20required%20through%20the%20CRS%20MU%20for%20CRS%20domain%20authentication%3F%3CBR%20%2F%3E-%20If%20so%2C%20which%20MU%20number%20should%20be%20used%20for%20the%20CRS%20domain%20on%20S32N55%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ3%5D%20Does%20SetOwnerDebugKeyMap()%20need%20to%20be%20called%20on%20every%20boot%3F%3C%2FP%3E%3CP%3EThe%20RM%20states%3A%3CBR%20%2F%3E%22Only%20the%20numOfAuthorizationRefEntries%20and%20numOfAuthenticationRefEntries%20are%20logged%2C%3CBR%20%2F%3Erest%20of%20the%20entries%20are%20ignored.%22%3C%2FP%3E%3CP%3EThis%20implies%20the%20key%20mapping%20is%20volatile%20and%20not%20stored%20in%20NVM.%20Does%20this%20mean%20SetOwnerDebugKeyMap()%20must%20be%20called%20on%20every%20boot%20(after%20SU%20rights%20are%20granted)%20for%20both%20FSS%20and%20CRS%20domains%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ4%5D%20Correct%20keyRef%20value%20for%20APP_CHALLENGE%3C%2FP%3E%3CP%3EIn%20hseDebugAuthorizeStartCmd_t%2C%20the%20keyRef%20field%20references%20the%20index%20mapped%20via%20hseOwnerDebugKeyMapConfig_t.%20Since%20we%20map%20aOwnerAuthRef%5B0%5D%20%3D%20HSE_OTP_KEY_FOEM_ADKP%2C%20we%20send%20keyRef%20%3D%200x00%20for%20CRS%20domain%20authentication.%20Is%20this%20correct%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ5%5D%20Response%20size%20and%20packet%20structure%20for%20APP_CHALLENGE%3C%2FP%3E%3CP%3EPer%20hseDebugAuthorizeProofProvCmd_t%20byte%20map%2C%20the%20packet%20structure%20is%20always%2032%20bytes%20(2%20packets%20x%208%20words).%20HSE_CR_APP_RESPONSE_SIZE%20%3D%2016U%20vs%20HSE_CR_FSS_OR_HSE_RESPONSE_SIZE%20%3D%2032U.%3C%2FP%3E%3CP%3EFor%20APP_CHALLENGE%2C%20should%20the%20host%20send%3A%3CBR%20%2F%3E-%2016%20bytes%20of%20AES-encrypted%20response%20%2B%2016%20bytes%20of%20zero%20padding%20%3D%2032%20bytes%20total%3F%3CBR%20%2F%3E-%20Or%20only%2016%20bytes%3F%3C%2FP%3E%3CP%3ECurrently%2C%20after%20sending%20FLAG_START%20%2B%20DebugSignalMap(4%20bytes)%20%2B%20Response(16%20bytes)%20%2B%20FLAG_END%2C%20HSE2%20does%20not%20respond%20and%20T32%20hangs%20waiting%20indefinitely.%20When%20we%20send%2032%20bytes%20(16-byte%20response%20%2B%2016-byte%20zero%20padding)%2C%20we%20observe%20the%20same%20hang.%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3EFor%20reference%3A%3CBR%20%2F%3E-%20Sherpa_Cdd_AllocateChannel()%20always%20allocates%20MU0%20(FSS)%3CBR%20%2F%3E-%20SetOwnerDebugKeyMap()%3A%20aOwnerAuthRef%5B0%5D%20%3D%20HSE_OTP_KEY_FOEM_ADKP%20(0x00000302)%2C%20called%20with%20SU%20rights%3CBR%20%2F%3E-%20crs_auth.cmm%3A%20DEBUG_TARGET%3D0x1B%2C%20OID%3D0xFF*16%2C%20keyRef%3D0x00%3CBR%20%2F%3E-%20AUTH_MODE_REQ%20passes%20successfully%20(HSE_DEBUG_WAITING_RESPONSE_TO_CHG%20received)%3CBR%20%2F%3E-%20Challenge%20received%3A%2032%20bytes%3CBR%20%2F%3E-%20After%20sending%20Response%2C%20no%20ACK%20(0x4A4A4A4A)%20received%20from%20HSE2%3C%2FP%3E%3CP%3EPlease%20see%20the%20attached%20CMM%20script%20and%20log%20for%20reference.%3C%2FP%3E%3CP%3EThank%20you%20in%20advance.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2387698%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2387698%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20suggestion.%20As%20requested%2C%20I%20have%20created%20a%20new%20post%20to%20track%20the%20CRS%20(APP%20domain)%20Secure%20Debug%20authentication%20issue%3A%3C%2FP%3E%3CP%3E%5BS32N55%20HSE2%20%E2%80%94%20CRS%20(APP%20Domain)%20Secure%20Debug%20Authentication%20via%20hseDebugCardCmd_t%5D%3CBR%20%2F%3E(Please%20search%20the%20title%20above%20in%20NXP%20Community)%3C%2FP%3E%3CP%3EThis%20issue%20is%20currently%20blocking%20our%20customer%20delivery%20schedule.%20Could%20you%20please%20review%20the%20new%20post%20at%20your%20earliest%20convenience%3F%3C%2FP%3E%3CP%3EThe%20CMM%20script%20(crs_auth.cmm)%20and%20log%20file%20are%20attached%20in%20the%20new%20post.%3C%2FP%3E%3CP%3EThank%20you%20very%20much%20for%20your%20urgent%20support.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2387501%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2387501%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20your%20response.%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20additional%20questions%20regarding%20hseDebugCardCmd_t%20implementation%20for%20CRS%20(APP)%20domain%20Secure%20Debug%20authentication%20on%20S32N55.%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ1%5D%20Is%20the%20Owner%20ID%20(ownerId)%20in%20hseDebugCardInfo_t%20the%20same%20value%20as%20provisioned%20via%20hseOwnerDebugKeyMapConfig_t%3F%3C%2FP%3E%3CP%3EOur%20device%20is%20configured%20in%20single-owner%20scenario%20where%20Fss_Firmware_au8Oid%5B%5D%20%3D%20%7B0xFF%20*%2016%7D.%3CBR%20%2F%3EShould%20the%20ownerId%20field%20in%20hseDebugCardCmd_t%20also%20be%20set%20to%200xFF%20*%2016%3F%3CBR%20%2F%3EOr%20does%20it%20need%20to%20match%20a%20specific%20value%20provisioned%20during%20Device%20Owner%20installation%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ2%5D%20Does%20hseDebugCardCmd_t%20need%20to%20be%20sent%20after%20APP_CHALLENGE%2C%20or%20instead%20of%20hseDebugAuthorizeProofProvCmd_t%3F%3C%2FP%3E%3CP%3EPer%20RM%3A%20%22For%20APP%20based%20options%2C%20debug%20signals%20are%20enabled%20and%20authorized%20only%20through%20the%20debug%20cards%20authentication%20(see%20hseDebugCardCmd_t)(field%20is%20ignored).%22%3C%2FP%3E%3CP%3EOur%20current%20flow%3A%3CBR%20%2F%3E1.%20AUTH_MODE_REQ%20(DEBUG_TARGET%3D0x1B)%3CBR%20%2F%3E2.%20rx_authmode%20%E2%86%92%20HSE_DEBUG_WAITING_RESPONSE_TO_CHG%20received%3CBR%20%2F%3E3.%20APP_CHALLENGE%20%E2%86%92%20rx_challenge%20(32%20bytes%20received)%3CBR%20%2F%3E4.%20hseDebugCardCmd_t%20sent%20directly%20(skipping%20hseDebugAuthorizeProofProvCmd_t)%3CBR%20%2F%3E5.%20HSE2%20stops%20responding%20(T32%20hangs%20at%20FLAG_END%20of%20CARD_REQUEST)%3C%2FP%3E%3CP%3EShould%20hseDebugAuthorizeProofProvCmd_t%20(appChallengeAuth%20%3D%20AES256-CMAC)%20be%20sent%20BEFORE%20hseDebugCardCmd_t%3F%3CBR%20%2F%3EOr%20should%20hseDebugCardCmd_t%20be%20sent%20directly%20after%20rx_challenge%20without%20ProofProv%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ3%5D%20What%20is%20the%20correct%20Authentication%20Tag%20(authTag)%20computation%20for%20hseDebugCardTag_t%20when%20using%20MAC%20scheme%3F%3C%2FP%3E%3CP%3EWe%20are%20using%3A%3CBR%20%2F%3EauthScheme.macScheme.macAlgo%20%3D%20HSE_MAC_ALGO_CMAC%20(0x11)%3CBR%20%2F%3EauthTag%20%3D%20AES256-CMAC(key%3DADKP%2C%20data%3DChallenge%5B32%20bytes%5D)%3CBR%20%2F%3EauthLen%20%3D%2016%3C%2FP%3E%3CP%3EIs%20this%20the%20correct%20computation%3F%20Or%20should%20the%20CMAC%20input%20include%20additional%20fields%20(OID%2C%20domain%20map%2C%20etc.)%3F%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3E%5BQ4%5D%20What%20is%20the%20correct%20packet%20structure%20for%20hseDebugCardCmd_t%3F%3C%2FP%3E%3CP%3EBased%20on%20the%20RM%20byte%20map%2C%20our%20current%20implementation%3A%3CBR%20%2F%3EPacket%201%20(32%20bytes)%3A%20KRI(4B)%20%2B%20CMD(4B%3D0x5DCDEB77)%20%2B%20OID(16B%3D0xFF*16)%20%2B%20AuthScheme(8B%3DCMAC)%3CBR%20%2F%3EPacket%202%20(32%20bytes)%3A%20enabledDebugDomainMap(bit27%3D0x08000000)%20%2B%20padding(28B)%3CBR%20%2F%3EPacket%203%3A%20debugDomainMapping(4B)%20%2B%20numOfAllowedUids(2B)%20%2B%20reserved(2B)%20%2B%20authLen(2B)%20%2B%20reserved(2B)%20%2B%20authTag(256B)%3C%2FP%3E%3CP%3EIs%20this%20structure%20correct%3F%20HSE2%20stops%20responding%20after%20receiving%20the%20OID%20field%20(0xFF%20bytes).%3C%2FP%3E%3CP%3E---%3C%2FP%3E%3CP%3ECould%20you%20please%20let%20me%20know%20your%20email%3F%26nbsp%3B%20I%20will%20send%20you%20cmm%20file%20for%20crs%20auth.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EBRs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2387464%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2387464%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243574%22%20target%3D%22_blank%22%3E%40EddiePark%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20post.%3C%2FP%3E%0A%3CP%3EPleased%20to%20hear%20that%20the%26nbsp%3B%3CSPAN%3ESecure%20Debug%20authentication%20for%20the%20S32N55%20platform%20have%20successfully%20implemented%20FSS%20domain%20debug%20authorization%20using%20ADKP%20(HSE_OTP_FOEM_ADKP_ATTR_ID)%20via%20SDC-600.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI%20will%20continue%20to%20help%20check%20with%20the%20details%20for%20your%20new%20issues%2C%20sorry%20that%20I%20did%20not%20see%20the%26nbsp%3Battached%20CMM%20script%20and%20log%20for%20reference%2C%20would%20you%20mind%20uploading%20them%20again%20to%20share%20with%20us%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%3CSPAN%3EBR%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EChenyin%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2387519%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2387519%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243574%22%20target%3D%22_blank%22%3E%40EddiePark%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20reply.%3C%2FP%3E%0A%3CP%3EThere%20are%20already%206%20questions%20existed%20in%20this%20post%2C%20and%20may%20take%20a%20relative%20long%20time%20to%20investigate%2C%20in%20order%20for%20improving%20the%20efficiency%2C%26nbsp%3B%20for%20additional%20questions%2C%20I%20suggest%20creating%20a%20new%20post%20to%20track.%3C%2FP%3E%0A%3CP%3EAnd%20as%20you%20mentioned%2C%20there%20would%20be%20scripts%2Flogs%20attached%20for%20checking%2C%20but%20I%20do%20not%20see%20in%20your%20post%2C%20may%20I%20know%20if%20they%20would%20be%20uploaded%20again%3F%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EBR%3C%2FP%3E%0A%3CP%3EChenyin%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2388017%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2388017%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243574%22%20target%3D%22_blank%22%3E%40EddiePark%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20reply.%3C%2FP%3E%0A%3CP%3E1.%20As%20always%2C%20we%20will%20try%20our%20best%20to%20support%20your%20queries.%3C%2FP%3E%0A%3CP%3E2.%20I%20understand%20it%20is%20a%20urgence%20issue%2C%20but%20as%20what%20I%20had%20mentioned%20in%20previous%20support%2C%20S32N55%20is%20still%20in%20pre-production%20phase%2C%20it%20is%20not%20yet%20supported%20via%20the%20community%20channel%2C%20(during%20this%20period%2C%20we%20suggest%20directly%20contacting%20your%20FAE%2FDistributor%20to%20accelerate%20the%20efficiency)so%20it%20would%20take%20relative%20long%20time%20to%20reply%2C%20furthermore%2C%20the%20secure%20debug%20with%20LC%20advanced%20is%20usually%20at%20a%20relatively%20late%20stage%20of%20development%2C%20the%20document%2Fsamples%20are%20still%20limited%20in%20recent%20term.%3C%2FP%3E%0A%3CP%3ESorry%20for%20your%20inconvenience.%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EBR%3C%2FP%3E%0A%3CP%3EChenyin%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2390310%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20S32N55%20HSE2%20%E2%80%94%20CRS(APP)%20Domain%20Secure%20Debug%20Authentication%20using%20ADKP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2390310%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F243574%22%20target%3D%22_blank%22%3E%40EddiePark%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20patience%2C%20below%20are%20some%20initial%3CSPAN%3E%26nbsp%3Bcomments%20for%20your%20reference%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%5BQ1%5D%20Is%20ADKP%20usable%20for%20CRS%20domain%20Secure%20Debug%20authentication%3F%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%5BComments%5D%3C%2FSTRONG%3E%3A%26nbsp%3B%3CSPAN%3EYes%2C%20the%20used%20key%20for%20App%20domain%20secure%20debug%20authentication%20is%20selected%20from%20the%26nbsp%3BhseOwnerDebugKeyMapConfig_t-%26gt%3BpOwnerCardAuthenticationRef%2C%20it%20could%20includes%20the%20ADKP%20's%20keyhandle.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%5BQ2%5D%20Does%20SetOwnerDebugKeyMap()%20need%20to%20be%20called%20separately%20per%20MU%20(FSS%20MU%20vs%20CRS%20MU)%3F%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%5BComments%5D%3C%2FSTRONG%3E%3A%20SetOwnerDebugKeyMap()%20should%20bound%20to%20the%20Device%20owner%20%2C%20not%20MU.%20The%20Device%20owner%20could%20includes%20multiple%20cohorts%20which%20has%20multiple%20MU%20instances.%26nbsp%3BIf%20FSS%20and%20CRS%20are%20included%20in%20the%20same%20device%20owner%2C%20it%20could%20be%20called%20by%20the%20CRS%20MU%20or%20FSS%20MU.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%5BQ3%5D%20Does%20SetOwnerDebugKeyMap()%20need%20to%20be%20called%20on%20every%20boot%3F%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%5BComments%5D%3C%2FSTRONG%3E%3A%26nbsp%3B%26nbsp%3BIt%20should%20not%20be%20called%20on%20every%20boot%2C%20the%20configuration%20should%20be%20saved%20in%20the%20SYS-IMG%20or%20fuse%2C%20otherwise%20the%20secure%20debug%20will%20fail%20after%20repowering%20the%20device%2C%20it%20does%20not%20meet%20the%20design%20expectation%20of%20secure%20debug.%20However%20not%20sure%20where%20to%20store%20this%20configuration%20from%20the%20current%20available%20resource.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%5BQ4%5D%20Correct%20keyRef%20value%20for%20APP_CHALLENGE%3C%2FP%3E%0A%3CP%3EIn%20hseDebugAuthorizeStartCmd_t%2C%20the%20keyRef%20field%20references%20the%20index%20mapped%20via%20hseOwnerDebugKeyMapConfig_t.%20Since%20we%20map%20aOwnerAuthRef%5B0%5D%20%3D%20HSE_OTP_KEY_FOEM_ADKP%2C%20we%20send%20keyRef%20%3D%200x00%20for%20CRS%20domain%20authentication.%20Is%20this%20correct%3F%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%5BComments%5D%3C%2FSTRONG%3E%3A%20Yes%2C%20if%26nbsp%3B%20ADKP%20handle%20is%20the%20first%20entry%20of%26nbsp%3BOwnerCardAuthenticationRef%20and%20the%20user%20wants%20to%20use%20ADKP%20to%20authenticate%20CRD%20debug%2C%20the%26nbsp%3BauthKeyRef%26nbsp%3B%20should%20be%200(The%20index%20of%20ADKP%20handle%20entry)%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%5BQ5%5D%20Response%20size%20and%20packet%20structure%20for%20APP_CHALLENGE%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3E%3CSTRONG%3E%5BComments%5D%3C%2FSTRONG%3E%3A%20For%20App%20debug%2C%20besides%20the%20debug%20signal%20map%20and%20challenge%20response%20data%20fileds%2C%20the%20other%20unused%20data%26nbsp%3B%20in%20packet%201%20can%20be%20filled%20with%200.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%3CSPAN%3ESince%20the%20corresponding%20documents%20are%20not%20yet%20updated%20fully%20for%20this%20topic(the%20S32N55%20is%20still%20at%20early%20stage)%2C%20there%20is%20limited%20information%20we%20would%20provide.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3ESorry%20for%20your%20inconvenience.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3E%3CSPAN%3EBR%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EChenyin%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E