Facing issue while setting the RAM catalog key as key provision using key usages flag

KaleRushikesh · ‎03-16-2026

Hello NXP Team,

I want to use the RAM catalog key (which is in plain) to provision the next import keys in RAM catalog. For this purpose, we add the key usages flag as shown below for the key. But the hse service gives HSE_SRV_RSP_INVALID_PARAM as response after adding the usages flag HSE_KF_USAGE_KEY_PROVISION.

As per my understanding we can use RAM key if it is with usages flag HSE_SRV_RSP_INVALID_PARAM to provision the keys, then why this happened?

Here is my service descriptor: -

hseSrvResponse_t RetVal = HSE_SRV_RSP_GENERAL_ERROR;

hseSrvDescriptor_t *pHseSrvDescriptor;

uint8 u8MuChannel = Hse_Ip_GetFreeChannel(MU0_INSTANCE_U8);

keyInfo.keyBitLen = 128;

keyInfo.keyType = HSE_KEY_TYPE_AES;

keyInfo.keyFlags = (HSE_KF_USAGE_KEY_PROVISION | HSE_KF_USAGE_DECRYPT | HSE_KF_USAGE_ENCRYPT );

//keyInfo.specific.aesBlockModeMask = HSE_KU_AES_BLOCK_MODE_ANY;

if(HSE_IP_INVALID_MU_CHANNEL_U8 != u8MuChannel)

{

pHseSrvDescriptor = &Hse_aSrvDescriptor[u8MuChannel];

memset(pHseSrvDescriptor, 0, sizeof(hseSrvDescriptor_t));

pHseSrvDescriptor->srvId = HSE_SRV_ID_IMPORT_KEY;

pHseSrvDescriptor->hseSrv.importKeyReq.keyLen[2] = 16;

pHseSrvDescriptor->hseSrv.importKeyReq.pKey[2] = HSE_PTR_TO_HOST_ADDR(App_au8AesRamKey);

pHseSrvDescriptor->hseSrv.importKeyReq.pKeyInfo= HSE_PTR_TO_HOST_ADDR(&keyInfo);

pHseSrvDescriptor->hseSrv.importKeyReq.targetKeyHandle = GET_KEY_HANDLE(2,1,0);

// Both the fields given below must be configured.

pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherKeyHandle= HSE_INVALID_KEY_HANDLE;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.authKeyHandle= HSE_INVALID_KEY_HANDLE;

/* Build the request to be sent to Hse Ip layer */

HseIp_aRequest[u8MuChannel].eReqType = HSE_IP_REQTYPE_SYNC;

HseIp_aRequest[u8MuChannel].u32Timeout = TIMEOUT_TICKS_U32;

/* Send the request to Hse Ip layer */

RetVal = Hse_Ip_ServiceRequest(MU0_INSTANCE_U8, u8MuChannel, &HseIp_aRequest[u8MuChannel], pHseSrvDescriptor);

thanks...

KaleRushikesh · ‎03-17-2026

Also, I have the following questions:
1. We know that while importing RAM/NVM keys, the owner of the provisioning key and the target key must be the same. So, can we use a provisioning key of a different type than the importing key type? For example, can we use an AES-type provisioning key to import an RSA key pair?
2. Can we import an encrypted key into the RAM/NVM catalog without using authentication if I have superuser rights?
3. For importing an authenticated key, we need to configure keyConatiner. I understand the data fields other than pKeyContainer. Since there is no standard structure that describes this field, could you please explain it with an example?

KaleRushikesh · ‎03-20-2026

Any updates, Team

lukaszadrapa · ‎03-23-2026

Hi @KaleRushikesh

Description of hseImportKeySrv_t in HSE Service API reference manual explicitly states:

“The RAM provision keys can be imported only authenticated and can be used only to import RAM keys.”

It also says:

“The NVM provisioning keys can be installed/updated without authentication only having

SuperUser rights; they can also be updated having User rights using the pre-installed provision keys.”

So, SuperUser rights are not sufficient for RAM keys, the authentication is needed.

We know that while importing RAM/NVM keys, the owner of the provisioning key and the target key must be the same. So, can we use a provisioning key of a different type than the importing key type? For example, can we use an AES-type provisioning key to import an RSA key pair?

- That’s correct, you can use different key types – like mentioned AES provisioning key to import RSA key pair.

Can we import an encrypted key into the RAM/NVM catalog without using authentication if I have superuser rights?

- No. The HSE Service API reference manual explicitly says:
“An encrypted key can be imported only authenticated.”

This is valid for both User rights and SuperUser rights.

For importing an authenticated key, we need to configure keyConatiner. I understand the data fields other than pKeyContainer. Since there is no standard structure that describes this field, could you please explain it with an example?

- KeyContainer has no defined structure. But the idea is simple – it’s just an array somewhere in RAM. You are supposed to copy KeyInfo structure and the Key itself to the array. The size of array must be large enough for KeyInfo + Key. It can be bigger, it’s not limited.

Then you need to generate a signature of the container/array.

When importing authenticated key, fill structure hseImportKeySrv_t.keyContainer – there’s pointer to the container, length of the container, keyhandle for verification, pointer to signature…

Pointer to the key and to the KeyInfo is configured in hseImportKeySrv_t. That’s the reason why no specific structure is needed for the container. HSE itself will check if the key and KeyInfo fall within the container.

I have an example for update of ECC public key. This operation requires authentication. I used HSE framework from HSE DemoExamples SW package. If you are interested, please create a case here and I will share it:

https://support.nxp.com/s/?language=en_US

Write something like “Assign to Lukas Zadrapa” to the description.

Regards,

Lukas

KaleRushikesh · ‎03-24-2026

More quick questions-
1) As the authentication is mandatory for provision key to import in RAM catalog. So, when there is not any provision key present in catalog (means we are importing our first provision key), what are the fields for cipherKeyHandle, authKeyHandle.
2) I am struggling while calculating the M1, M2, M3, M4, M5 of SHE Key update protocol, do we have some standard tool to calculate these parameters?

lukaszadrapa · ‎03-23-2026

Hi @KaleRushikesh

Sorry for delay, I'm quite overloaded now. I will try to check this later today or tomorrow. Thanks for patience.

Regards,

Lukas