Hi @strofald
This is described in section "6.2.3 Key import" in the HSE firmware reference manual v2.6. See Table 47 and Table 48. These tables show the difference when importing/updating an empty slot and a "non-empty" slot. If a slot is non-empty, authentication is mandatory and encryption is optional.
Authentication means that a container needs to be authenticated by Ka. In other words, you need to know another key (Ka) to be able to update your key. It is not a simple operation and it is not supported by the Crypto driver. The easiest option is to erase the key (you need to have super user rights) and then import the key again as usual.
Attached is a SW example which shows how to erase the key. It's an updated SW example from RTD; just this functionality was added.
Demo environment:
RTD: SW32K3_S32M27x_RTD_4.4_4.0.0_P20,
EB Tresos: 29.0.0
If you have a SHE key, you need to follow the memory update protocol described by the SHE specification. That means you need to calculate new M1-M5 values with an increased key counter and with knowledge of the previous key or MASTER_ECU_KEY.
Regards,
Lukas
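
The M1-M5 calculation mentioned in the reply above, as an added example that is not part of the original post or of the RTD/NXP code. It assumes the Python `cryptography` package and the original SHE message layout with a 5-bit flag field (check your device manual); the function names and sample values are constructed for illustration.

```python
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Padded KDF constants from the SHE specification
ENC_C = bytes.fromhex("010153484500800000000000000000b0")  # KEY_UPDATE_ENC_C
MAC_C = bytes.fromhex("010253484500800000000000000000b0")  # KEY_UPDATE_MAC_C
IV0 = bytes(16)

def aes(key, mode, data, decrypt=False):
    c = Cipher(algorithms.AES(key), mode)
    op = c.decryptor() if decrypt else c.encryptor()
    return op.update(data) + op.finalize()

def kdf(key, const):
    """Miyaguchi-Preneel compression over key || padded constant."""
    out = bytes(16)
    for block in (key, const):
        enc = aes(out, modes.ECB(), block)
        out = bytes(e ^ b ^ o for e, b, o in zip(enc, block, out))
    return out

def aes_cmac(key, data):
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(data)
    return mac.finalize()

def she_update(uid, key_id, auth_id, auth_key, new_key, counter, flags=0):
    """Return (M1..M5) for loading new_key into slot key_id, authorised by auth_key."""
    if len(uid) != 15 or not 0 < counter < 1 << 28 or not 0 <= flags < 32:
        raise ValueError("uid is 15 bytes, counter 28 bits, flags 5 bits")
    k1, k2 = kdf(auth_key, ENC_C), kdf(auth_key, MAC_C)
    k3, k4 = kdf(new_key, ENC_C), kdf(new_key, MAC_C)
    m1 = uid + bytes([key_id << 4 | auth_id])
    # counter (28 bits) | flags (5 bits, assumed layout) | zero padding
    head = (counter << 100 | flags << 95).to_bytes(16, "big")
    m2 = aes(k1, modes.CBC(IV0), head + new_key)
    m3 = aes_cmac(k2, m1 + m2)
    # M4/M5 are the device's answer; the host recomputes them to verify the update
    proof = (counter << 100 | 1 << 99).to_bytes(16, "big")
    m4 = m1 + aes(k3, modes.ECB(), proof)
    m5 = aes_cmac(k4, m4)
    return m1, m2, m3, m4, m5

def open_m2(auth_key, m2):
    """Device-side view: decrypt M2 and return (counter, flags, new_key)."""
    plain = aes(kdf(auth_key, ENC_C), modes.CBC(IV0), m2, decrypt=True)
    head = int.from_bytes(plain[:16], "big")
    return head >> 100, head >> 95 & 0x1F, plain[16:]

# Constructed sample values: slot 4 (KEY_1) authorised by slot 1 (MASTER_ECU_KEY)
UID = bytes(14) + b"\x01"
MSGS = she_update(UID, 4, 1, bytes(range(16)), bytes(range(15, -1, -1)), counter=1)
```

The counter passed in must be higher than the one currently stored for the slot, otherwise the device rejects the update.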