TLS communication

ashwini2024 · ‎04-28-2025

Dear NXP Support, @chenyin_h

I have a question regarding the use of the HSE service APIs. Specifically, I would like to know if it's possible to derive the ECDH shared secret handle using these APIs, store it securely in the HSE, and then utilize this shared secret in a TLS handshake through OpenSSL.

Could you please confirm if this is feasible?

Thank you for your assistance.

Best regards,
Ashwini

chenyin_h · ‎05-15-2025

Hello, @ashwini2024

OK, got it.

Thanks

BR

Chenyin

chenyin_h · ‎05-14-2025

Hello, @ashwini2024

Thanks for the reply.

The two configurations could be done via "make menuconfig", then choose Cryptographic API -> Hardware crypto devices ->Support for NXP HSE cryptographic engine ->Messaging Unit Interface ->MU2

Device Driver->Userspace I/O drivers ->NXP HSE UIO driver ->Messaging Unit Interface ->MU3

From the latest log you shared, seems it is correct.

With these settings, the BSP could boot correct from my test.

From my opinion, doing it with bootloader(MU0/1 on M core side), it could be a very different topic, and is beyond the original discussion of this post, I suggest raising new post for your specific settings, if additional code/private settings needed to be shared, additional support case via support portal could be raised.

Sorry for your inconvenience.

BR

Chenyin

ashwini2024 · ‎05-14-2025

Hello @chenyin_h ,
I have created a support ticket https://support.nxp.com/s/case/500Tg00000KbNi6/messaging-units-of-hse please update there.

Thank you.

chenyin_h · ‎05-13-2025

Hello, @ashwini2024

You are welcome.

The two configurations I mentioned are from the kernel configurations, I suggest directly modify it according to your own needs from menuconfig before rebuilding the kernel.

BR

Chenyin

ashwini2024 · ‎05-14-2025

I updated the custom_kernel.cfg file with CONFIG_CRYPTO_DEV_NXP_HSE_MU3=y and CONFIG_UIO_NXP_HSE_MU2=y
And when i execute following i get output as in image.png.

But when i use the HSE enabled bootloader and configure in the RM for m7 core mu0 and mu1 and for a53 core [linux] mu2 and mu3 , the control is stuck and does not transition to u-boot.
Could you please help me with that?

Thanks in advance for the information.

ashwini2024 · ‎05-13-2025

Hello @chenyin_h ,
Thank you so much.
I would like to know the detailed steps as i am unable to enable the CONFIG_UIO_NXP_HSE_MU2 and CONFIG_CRYPTO_DEV_NXP_HSE_MU3.
Please help in this.
Thank you.
The below is the output when i search for CONFIG_CRYPTO_DEV_NXP_HSE_MU and CONFIG_UIO_NXP_HSE_MU respectively.

Symbol: CRYPTO_DEV_NXP_HSE_MU2 [=n]

Type: bool
Defined at: drivers/crypto/hse/Kconfig:21
Prompt: MU2
Depends on: <choice>
Location:
- Cryptographic API (CRYPTO [=y])
  - Hardware crypto devices (CRYPTO_HW [=y])
    - Support for NXP HSE cryptographic engine (CRYPTO_DEV_NXP_HSE [=n])
      - Messaging Unit Interface (<choice> [=n])
        MU2 (CRYPTO_DEV_NXP_HSE_MU2 [=n])

Symbol: CRYPTO_DEV_NXP_HSE_MU3 [=n]

Type: bool
Defined at: drivers/crypto/hse/Kconfig:23
Prompt: MU3
Depends on: <choice>
Location:
- Cryptographic API (CRYPTO [=y])
  - Hardware crypto devices (CRYPTO_HW [=y])
    - Support for NXP HSE cryptographic engine (CRYPTO_DEV_NXP_HSE [=n])
      - Messaging Unit Interface (<choice> [=n])
        MU3 (CRYPTO_DEV_NXP_HSE_MU3 [=n])

Symbol: UIO_NXP_HSE_MU2 [=n]

Type: bool
Defined at: drivers/uio/Kconfig:207
Prompt: MU2
Depends on: <choice> && !CRYPTO_DEV_NXP_HSE_MU2 [=n]
Location:
- Device Drivers
  - Userspace I/O drivers (UIO [=m])
    - NXP HSE UIO driver (UIO_NXP_HSE [=n])
      - Messaging Unit Interface (<choice> [=n])
        MU2 (UIO_NXP_HSE_MU2 [=n])

Symbol: UIO_NXP_HSE_MU3 [=n]

Type: bool
Defined at: drivers/uio/Kconfig:210
Prompt: MU3
Depends on: <choice> && !CRYPTO_DEV_NXP_HSE_MU3 [=n]
Location:
- Device Drivers
  - Userspace I/O drivers (UIO [=m])
    - NXP HSE UIO driver (UIO_NXP_HSE [=n])
      - Messaging Unit Interface (<choice> [=n])
        MU3 (UIO_NXP_HSE_MU3 [=n])

chenyin_h · ‎05-07-2025

Hello, @ashwini2024

Thanks for your reply.

It is possible using the MU2/3 in your linux, the linux kernel may have to be recompiled since they are not by default set.

From kernel configuration, you may change the CONFIG_CRYPTO_DEV_NXP_HSE_MU to MU3, while change the CONFIG_UIO_NXP_HSE_MU to MU2 to select MU2/3 used in Linux side, at the same time, only use MU0/1 in M7 side.

BR

Chenyin

ashwini2024 · ‎05-13-2025

Hello @chenyin_h ,
Thank you so much for the reply.
Could you please tell me which files needs to be updated with that configuration.
Thank you so much in advance for the information.

chenyin_h · ‎05-06-2025

Hello, @ashwini2024

Sorry for the delay due out of office.

It is fine for using MU0/1 from M7 side and MU2/MU3 in A53 side, but according to your working setup, from the BSP user manual, there seems limitation existed for using user space APIs when using other MUs.

BR

Chenyin

ashwini2024 · ‎05-06-2025

Hello @chenyin_h ,

Thank you for the reply.

I would like to know if the MU are by default enabled MU2 and MU3. If not, what configurations should i do to enable just MU2 and MU3 in A53 Core and to enable MU0 and MU1 on the M7 core In the NXP bootloader , in the RM i have configured the allocations of MU0 and MU1 to the M7 Core and MU2 and MU3 to the A53 core but the control is stuck and does not transition to the u-boot. Could you please support here.

chenyin_h · ‎04-29-2025

Hello, @ashwini2024

Thanks for the reply.

From the description before, I assume that you may want to implement your own application to support the TLS connections, maybe https server/client or so, and take use of HSE to do something during handshake and/or even data encryption/decryption during the TLS communication, is it right?

Theoretically, it could be done on S32G board, since Linux could be correctly running on it, with various applications/libs supported.(openssl, libcrypto, libssl, etc.)

From NXP's perspective, in formal released BSP, the TLS operation could be done via software, HSE is not involved, since lacking of enough APIs to let the openssl to call the HSE related lower APIs, as you may know, in formal BSPs, only libhse and libpkcs are provided, the users have to learn the details of the lib to implement their own applications on them, but there is not openssl interface, so that the openssl cannot directly access the HSE services in formal BSP release.

In AN14072, the author implemented some code to let the openssl to call the libpkcs, so that some operation could be done via openssl->libpkcs->HSE, the main TLS connection logic is based on the openssl, a few selected algorithm(like ECDH-ECDSA-AES128-SHA) related operation in TLS connection could be done via HSE, while all others are still done via the openssl libs.

For you questions:

1. TLS Cipher Suite Configuration

[Chenyin]: Check the script, there are available cipher suite supported.

2. Location of TLS Scripts

[Chenyin]: The scripts you mentioned are part of the demo, and could not be directly used in BSP.

3. AES Key Storage in HSE

[Chenyin]: Yes, there is not any other documents related, reading the code is suggested.

4. Overview of Required Steps and other related questions

[Chenyin]: Follow the guides in AN14072, firstly apply all patches to the corresponding packages, then rebuild them and put the generating libxxx to the board running with the formal BSP(in the example, BSP38 is used, for recent BSPs, porting may be needed.), then running the script to demo the TLS connections with selected cipher suite.

In summary:

1. With default BSPs, the TLS connection could be done only via openssl and related libs(software based), HSE could not be involved with default configuration.

2. With the patches from AN14072 applied, some selected cipher suite could be offloaded to HSE while doing the TLS test.

3. There seems no other formal documents/demos related with this topic.

I suggest firstly reproducing the TLS demo shown in AN14072 on your board(maybe based on recent BSPs according to the requirements), to check if it could fulfill your requirement, and then to implement your own code based on it(or only reference) to add new features that needed from your own applications.

BR

Chenyin

chenyin_h · ‎04-28-2025

Hello, @ashwini2024

Thanks for your reply.

There is no such examples included in the formal BSP, but there is demo code for implementing simple TLS connections based on openssl/pkcs, which is introduced by AN14072, may I know if you have referenced it?

After checking the demo code attached to the AN, the ECDH-ECDSA-AES128-SHA is supported, thus the ECDH could be used for key-exchange phase for establishing the connection. Which may fit your requirements.

I hope it will help.

BR

Chenyin

ashwini2024 · ‎04-29-2025

Hello @chenyin_h ,
I need to enable all messaging units i mean mu2 and mu3 i have to allocate on A53 core and mu0 and mu1 i need to allocate on M7 core on the bootloader. But when i do that the control doesnt transition to u-boot does that mean i need to change some configuration on A core side ?

ashwini2024 · ‎05-01-2025

Hello @chenyin_h ,
I would need support in enabling only mu2 and mu3 on A53 core .

ashwini2024 · ‎04-29-2025

Hello @chenyin_h ,

I would like to request clarification on the following points:

TLS Cipher Suite Configuration
Could you please advise how to configure or set the specific cipher suite to be used during TLS communication within the provided framework or example applications?
Location of TLS Scripts
I came across references to the following scripts:
- tlsCreateCredentialsRunOnce.sh
- tlsServer.sh
- tlsClient.sh
Could you please let me know where these scripts are located within the SDK or if they are part of a specific demo or example project?
AES Key Storage in HSE
Is it possible to securely store and use the AES key involved in TLS communication within the HSE? If so, could you provide guidance or documentation on how to import, generate, and reference these keys using the HSE APIs during the TLS session?
Overview of Required Steps
A brief overview or recommended procedure for integrating TLS communication with HSE-managed keys in the an14072 would be greatly appreciated to ensure we are following best practices.

Thank you in advance for your support and guidance.

ashwini2024 · ‎04-28-2025

Thank you @chenyin_h .
How do i move further on this ? I just wanted to know if accessing the key from openssl is feasible [ecdh shared secret]
As from the demo app there is a document on queries regarding the TLS .
I would want support on that.

chenyin_h · ‎04-28-2025

Hello, @ashwini2024

Thanks for you reply.

So you want to use the openssl to access the HSE via PKCS engine with BSP43 to achieve the operations mentioned in your original post?

I feel sorry that there is not formal document regarding to the openssl/libpkcs support in BSP, you may have to implement needed functions based on libpkcs/libhse, and integrate them to the openssl engine layer, currently there are not similar examples from the recent release for your reference.

BR

Chenyin

chenyin_h · ‎04-28-2025

Hello, @ashwini2024

Thanks for your post.

May I know if S32G2 or G3 is used? Which version HSE FW is used?

BR

Chenyin

ashwini2024 · ‎04-28-2025

Hello @chenyin_h
We are using s32g3 board with bsp 43, HSE firmware version : 0_2_64_0.

ashwini2024 · ‎04-28-2025

If I access the HSE through the PKCS#11 engine and load the PKCS#11 engine into OpenSSL, will I be able to perform an ECDH key agreement operation, retrieve the shared secret, and securely import and store it in the HSE?