Facing the HSE_SRV_RSP_INVALID_ADDR issue while importing authenticated key in NVM catalog

KaleRushikesh

Hi NXP Team,

I am currently working with the HSE on S32K3xx and attempting to import an authorized key into an NVM Key Catalog Slot.

To achieve this, I created a container and performed CMAC to obtain the TAG. However, when I used the Import service to import the key, I received the response HSE_SRV_RSP_INVALID_ADDR from the HSE.

Could you please review the provided code snippet and guide me on how to correctly carry out this operation?

uint8_t keyContainer[496] __attribute__((section(".mcal_bss_no_cacheable")));

static hseKeyInfo_t AuthkeyInfo __attribute__((section(".mcal_data_no_cacheable")));

uint8_t containerTag[16]__attribute__((section(".mcal_bss_no_cacheable")));

uint32_t containerTagLen __attribute__((section(".mcal_data_no_cacheable"))) = sizeof(containerTag);

//void fillContainer(uint8_t* pContainer, hseKeyInfo_t* pkeyInfo, uint8_t keyInfoLen, uint8_t* pkey, uint8_t keyLen)

void fillContainer(void)

{

AuthkeyInfo.keyBitLen = 128;

AuthkeyInfo.keyType = HSE_KEY_TYPE_AES;

AuthkeyInfo.keyFlags = HSE_KF_USAGE_ENCRYPT | HSE_KF_USAGE_DECRYPT; //| HSE_KF_USAGE_KEY_PROVISION;

AuthkeyInfo.keyCounter = 0; // first time while NVM key importing it should be greater than or equal to 0.

AuthkeyInfo.smrFlags = 0;

AuthkeyInfo.specific.aesBlockModeMask = HSE_KU_AES_BLOCK_MODE_ANY;

unsigned int i = 0;

i= i + 10;

memcpy(&keyContainer[i],&AuthkeyInfo,sizeof(hseKeyInfo_t));

i= i+sizeof(hseKeyInfo_t);

i= i+5;

memcpy(&keyContainer[i], App_au8EncAesNvmKey,sizeof(App_au8EncAesNvmKey));

}

hseSrvResponse_t AppGenCmac(void)

{

uint8_t u8MuInstance = 0U;

hseSrvDescriptor_t* pCmacGenSrvDescriptor;

hseSrvResponse_t RetVal = HSE_SRV_RSP_GENERAL_ERROR;

uint8_t muChannel = Hse_Ip_GetFreeChannel(u8MuInstance);

pCmacGenSrvDescriptor = &Hse_aSrvDescriptor[muChannel];

hseMacSrv_t* pMacSrv = &pCmacGenSrvDescriptor->hseSrv.macReq;

pCmacGenSrvDescriptor->srvId = HSE_SRV_ID_MAC;

pMacSrv->accessMode = HSE_ACCESS_MODE_ONE_PASS;

pMacSrv->sgtOption = HSE_SGT_OPTION_NONE;

pMacSrv->streamId = 0;

pMacSrv->authDir = HSE_AUTH_DIR_GENERATE;

pMacSrv->macScheme.macAlgo = HSE_MAC_ALGO_CMAC;

pMacSrv->macScheme.sch.cmac.cipherAlgo= HSE_CIPHER_ALGO_AES;

pMacSrv->keyHandle = GET_KEY_HANDLE(1,1,0); //Normal AES key

pMacSrv->inputLength = sizeof(keyContainer);

pMacSrv->pInput = (HOST_ADDR)keyContainer;

pMacSrv->pTagLength = (HOST_ADDR) &containerTagLen;

pMacSrv->pTag = (HOST_ADDR) containerTag;

HseIp_aRequest[muChannel].eReqType = HSE_IP_REQTYPE_SYNC;

HseIp_aRequest[muChannel].u32Timeout = TIMEOUT_TICKS_U32;

/* Send the request to Hse Ip layer */

RetVal = Hse_Ip_ServiceRequest(u8MuInstance, muChannel, &HseIp_aRequest[muChannel], pCmacGenSrvDescriptor);

return RetVal;

}

/*

Can we import an encrypted key into the RAM/NVM catalog without using authentication if I have superuser rights?

- No. The HSE Service API reference manual explicitly says:

“An encrypted key can be imported only authenticated.”

This is valid for both User rights and SuperUser rights.

*/

static hseSrvResponse_t App_AesLoadAuthNvmKey(void)

{

hseSrvResponse_t RetVal = HSE_SRV_RSP_GENERAL_ERROR;

hseSrvDescriptor_t *pHseSrvDescriptor;

uint8 u8MuChannel = Hse_Ip_GetFreeChannel(MU0_INSTANCE_U8);

if(HSE_IP_INVALID_MU_CHANNEL_U8 != u8MuChannel)

{

pHseSrvDescriptor = &Hse_aSrvDescriptor[u8MuChannel];

memset(pHseSrvDescriptor, 0, sizeof(hseSrvDescriptor_t));

pHseSrvDescriptor->srvId = HSE_SRV_ID_IMPORT_KEY;

pHseSrvDescriptor->hseSrv.importKeyReq.keyLen[2] = 16;

pHseSrvDescriptor->hseSrv.importKeyReq.pKey[2] = HSE_PTR_TO_HOST_ADDR(App_au8EncAesNvmKey);

pHseSrvDescriptor->hseSrv.importKeyReq.pKeyInfo= HSE_PTR_TO_HOST_ADDR(&AuthkeyInfo);

pHseSrvDescriptor->hseSrv.importKeyReq.targetKeyHandle = GET_KEY_HANDLE(1,1,2);

// Both the fields given below must be configured.

pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherKeyHandle = HSE_INVALID_KEY_HANDLE;

// pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherScheme.symCipher.cipherAlgo = HSE_CIPHER_ALGO_AES ;

// pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherScheme.symCipher.cipherBlockMode = HSE_CIPHER_BLOCK_MODE_ECB ;

// pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherScheme.symCipher.ivLength = ;

// pHseSrvDescriptor->hseSrv.importKeyReq.cipher.cipherScheme.symCipher.pIV = ;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.authKeyHandle = GET_KEY_HANDLE(1,1,0);

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.authLen[0] = containerTagLen;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.authScheme.macScheme.macAlgo = HSE_MAC_ALGO_CMAC ;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.authScheme.macScheme.sch.cmac.cipherAlgo= HSE_CIPHER_ALGO_AES;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.keyContainerLen = sizeof(keyContainer);

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.pAuth[0] = (HOST_ADDR)containerTag;

pHseSrvDescriptor->hseSrv.importKeyReq.keyContainer.pKeyContainer = (HOST_ADDR)keyContainer;

/* Build the request to be sent to Hse Ip layer */

HseIp_aRequest[u8MuChannel].eReqType = HSE_IP_REQTYPE_SYNC;

HseIp_aRequest[u8MuChannel].u32Timeout = TIMEOUT_TICKS_U32;

/* Send the request to Hse Ip layer */

RetVal = Hse_Ip_ServiceRequest(MU0_INSTANCE_U8, u8MuChannel, &HseIp_aRequest[u8MuChannel], pHseSrvDescriptor);

}

return RetVal;

}

Thank you for your support.

Best regards, Rushikesh

lukaszadrapa

Hi @KaleRushikesh

It looks like you are passing addresses of original key and KeyInfo:

pHseSrvDescriptor->hseSrv.importKeyReq.pKey[2] = HSE_PTR_TO_HOST_ADDR(App_au8EncAesNvmKey);

pHseSrvDescriptor->hseSrv.importKeyReq.pKeyInfo= HSE_PTR_TO_HOST_ADDR(&AuthkeyInfo);

But you need to use addresses of key and KeyInfo inside the container. If HSE finds out that you are trying to provide key and KeyInfo from addresses which do not fall within the container, it will return invalid address error.

Regards,

Lukas