HSE_b: Not allowed to import RSA key to RAM

Emma_G-gbg
Contributor I

I'm trying to understand how to use the key import service by importing a single 1024-bit RSA public key into the RAM catalog, but the server responds HSE_SRV_RSP_NOT_ALLOWED.

 

My test application formats the RAM key catalog as follows:

{
	{
		muMask = HSE_MU0_MASK | HSE_MU1_MASK,
		groupOwner = HSE_KEY_OWNER_ANY,
		keyType = HSE_KEY_TYPE_RSA_PUB,
		numOfKeySlots = 2,
		maxKeyBitLen = HSE_KEY1024_BITS,
	},
	{
		muMask = HSE_MU0_MASK | HSE_MU1_MASK,
		groupOwner = HSE_KEY_OWNER_ANY,
		keyType = HSE_KEY_TYPE_ECC_PUB_EXT,
		numOfKeySlots = 2, 
		maxKeyBitLen = HSE_KEY256_BITS,
	},
	{
		muMask = 0,
		groupOwner = 0,
		keyType = 0,
		numOfKeySlots = 0, 
		maxKeyBitLen = 0
	},
}

and I get server reply HSE_SRV_RSP_OK.

I then try to import an RSA key with the following key info:

{
	keyFlags = HSE_KF_USAGE_VERIFY,
	keyBitLen = HSE_KEY1024_BITS,
	keyCounter = 0x0,
	smrFlags = 0x0, 
	keyType = HSE_KEY_TYPE_RSA_PUB,
	specific = {
		pubExponentSize = 4,
	}
}

and my request is as follows:

{
	targetKeyHandle = 0x20000,
	pKeyInfo = 0x20401f74,
	pKey = {
		0x210034b4, 
		0x21003534,
		0x0},
	keyLen = {
		0x80,
		0x4,
		0x0},
}


I have set HSE_RAM_PUB_KEY_IMPORT_POLICY_ATTR_ID to HSE_KM_POLICY_ALLOW_RAM_PUB_KEY_IMPORT, and read it back as the same.

LC attribute is 0x04, HSE error flags are 0x0000, HSE status flags are 0x0B60. Firmware version reads as 0x0F SoC ID 0x0000 FW type 0x02 major 0x32 minor 0x00 patch.

lukaszadrapa
NXP TechSupport

Hi @Emma_G-gbg 

 

Your parameters are correct, I can see nothing wrong there. If you have super user rights, it’s not even necessary to set that attribute.

I was testing something very similar yesterday, so I just slightly updated my code to import a 1024-bit RSA public key with a 4-byte public exponent. It looks like this:

[Two images: lukaszadrapa_0-1779214365290.png, lukaszadrapa_1-1779214375658.png]

Notice that it’s not necessary to set pubExponentSize when importing an RSA public key. HSE ignores this parameter. It uses keyLen[1] instead.

Parameter pubExponentSize is used when reading the keyInfo by service HSE_SRV_ID_GET_KEY_INFO. This is what I got when I read the keyInfo of that key:

[Image: lukaszadrapa_2-1779214411712.png]

 

Isn’t that just a data cache issue? Could you try to disable the data cache to see if it makes a difference?

 

Regards,

Lukas

Emma_G-gbg
Contributor I

Thank you. I had missed filling in the cipher and auth key handle information; I hadn't checked, so I thought HSE_INVALID_KEY_HANDLE would be zero.

 

It's currently working with at least some of the values in cached memories, with cache maintenance operations before and after service calls. Since we are adding HSE services to an existing project we are precluded from changing the cache structure, but so far everything has worked as long as we make sure it's actually written to the shared memory, although I did also try disabling the cache for the relevant memories, which made no difference.

Reply
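The last reply traces the failure to cipher and auth key handles that were left at zero. The sketch below is an added example, not code from the thread or from NXP: it initialises a plain import request with both optional handles marked unused and checks the request before it is sent. The struct is a simplified, hypothetical stand-in for the HSE import request, and the 0xFFFFFFFF value for HSE_INVALID_KEY_HANDLE and the modulus length check are assumptions to confirm against your HSE interface headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins, NOT the NXP definitions: take the real types and
 * values from the HSE firmware interface headers. */
typedef uint32_t hseKeyHandle_t;
#define HSE_INVALID_KEY_HANDLE ((hseKeyHandle_t)0xFFFFFFFFUL) /* assumed value */

typedef struct {                    /* hypothetical subset of the import request */
    hseKeyHandle_t targetKeyHandle;
    hseKeyHandle_t cipherKeyHandle; /* key used to decrypt the imported key */
    hseKeyHandle_t authKeyHandle;   /* key used to authenticate the key container */
    uint16_t       keyLen[3];       /* RSA public key: [0] modulus, [1] exponent */
} import_req_t;

enum { REQ_OK = 0, REQ_CIPHER_HANDLE_SET = 1, REQ_AUTH_HANDLE_SET = 2,
       REQ_BAD_RSA_LENGTHS = 4 };

/* Start from "plain, unauthenticated import": both optional handles are
 * explicitly marked unused instead of being left at whatever memset wrote. */
void import_req_init_plain(import_req_t *r, hseKeyHandle_t target)
{
    memset(r, 0, sizeof *r);
    r->targetKeyHandle = target;
    r->cipherKeyHandle = HSE_INVALID_KEY_HANDLE;
    r->authKeyHandle   = HSE_INVALID_KEY_HANDLE;
}

/* Pre-flight check for a plain RSA public key import; returns a bitmask. */
unsigned import_req_check_rsa_pub(const import_req_t *r, unsigned keyBitLen)
{
    unsigned issues = REQ_OK;
    if (r->cipherKeyHandle != HSE_INVALID_KEY_HANDLE) issues |= REQ_CIPHER_HANDLE_SET;
    if (r->authKeyHandle   != HSE_INVALID_KEY_HANDLE) issues |= REQ_AUTH_HANDLE_SET;
    /* The exponent length is taken from keyLen[1], so it must be non-zero. */
    if ((unsigned)r->keyLen[0] != keyBitLen / 8u || r->keyLen[1] == 0u)
        issues |= REQ_BAD_RSA_LENGTHS;
    return issues;
}

int main(void)
{
    import_req_t req = {0};               /* constructed: zero-filled request */
    req.targetKeyHandle = 0x20000;        /* handle and lengths from the thread */
    req.keyLen[0] = 0x80; req.keyLen[1] = 0x4;
    printf("zero-filled: 0x%x\n", import_req_check_rsa_pub(&req, 1024));
    import_req_init_plain(&req, 0x20000);
    req.keyLen[0] = 0x80; req.keyLen[1] = 0x4;
    printf("initialised: 0x%x\n", import_req_check_rsa_pub(&req, 1024));
    return 0;
}
```

Running such a check in debug builds catches a zero-filled descriptor on the host side, before the server answers with a generic response code.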