Using HSE APIs from OP-TEE Trusted Application on S32G3 (BSP 43)

yashasdu
Contributor I

Hi,

I'm working on a custom S32G3 board running BSP 43 with OP-TEE initialized and HSE support available. I would like to offload cryptographic operations (e.g., AES, RSA, SHA) to the HSE, but execute them securely through an OP-TEE Trusted Application (TA).

My intended flow:

  • A Linux user-space application invokes a crypto operation via the OP-TEE Client API.

  • The call is handled by a Trusted Application in OP-TEE.

  • The TA performs the cryptographic operation using HSE and returns the result to the normal world.

My questions:

  1. Are there any reference examples or existing OP-TEE TAs that use HSE APIs from within the secure world?

  2. What is the recommended way to invoke HSE API calls inside an OP-TEE TA?

  3. Does OP-TEE need special integration to access HSE drivers, or is this already handled by BSP 43?

  4. Is the pkcs11-hse repo a good starting point, or is there a simpler example for direct HSE usage in a TA?

Any advice or references on how to structure this setup would be greatly appreciated.

Thanks!

yashasdu
Contributor I

Thank you for the response.

I’ve reviewed Chapter 26 of the BSP43 UM, and I understand that OP-TEE TAs can communicate with HSE directly using supported APIs.

To clarify my current use case:

  • I need to generate and store keys inside the HSE key catalog.

  • From within an OP-TEE Trusted Application, I need to reference those keys using HSE key handles.

  • Then, I need to perform encryption/decryption operations using those key handles via the HSE Crypto Engine.

Given that, I’d like to clarify the following:

  1. Do the standard OP-TEE crypto APIs (e.g., TEE_AEEncryptFinal, TEE_AllocateTransientObject, etc.) automatically route cryptographic operations to the HSE engine?

  2. If not, is it required to manually construct HSE service descriptors (e.g., HSE_SRV_ID_IMPORT_KEY, HSE_SRV_ID_SYM_CIPHER) and invoke the corresponding APIs from inside the TA?

  3. Is there a reference or documented method in BSP43 that shows how a TA can build and submit HSE service descriptors?

  4. Specifically, how can a TA access and use key handles for encryption/decryption via HSE? Are there APIs or interface layers exposed for this purpose?

  5. Are there particular headers or secure-side libraries I should include in the TA to enable direct use of HSE service APIs?

Any guidance or examples related to this HSE + OP-TEE integration, especially involving key handle usage inside the TEE, would be greatly appreciated.

Best regards,
Yashas

chenyin_h
NXP Employee

Hello, @yashasdu 

Thanks for your post.

All the features/examples that are supported in BSP43 for OP-TEE are described in detail in Chapter 26 of the BSP43 UM for S32G3.

Currently, the user-space application would make use of the OP-TEE driver in Linux to communicate with the TEE, and the APIs in the TEE support communicating with HSE directly.

 BR

Chenyin
