hello all
we met a question when we implement the secure boot. We tried to install the defined SMR table into the HSE using the HSELIB API. But it always return the 0x55A5A399 which means HSE_SRV_RSP_INVALID_PARAM. But we checked several times for the parameters we input the HSELIB Install API. but we didn't find any uncorrect parameters.
Detailed information:
MCU: S32K312 publickey has been provioned into HSE.
for smrenty is shown as below:
smrEntry_Test[4].configFlags = HSE_SMR_CFG_FLAG_INSTALL_AUTH; /* Indicate that verification should be done on provided signature*/
smrEntry_Test[4].pSmrDest = 0U; /* Destination address shall be NULL for flashed based devices*/
smrEntry_Test[4].checkPeriod = 0U; /* If not 0, SMR will be automatically and periodically verified at run-time regardless of verifMethod*/
smrEntry_Test[4].pSmrSrc = 0x00520000ul; /* Start of APP code*/
smrEntry_Test[4].smrSize = 0x124; /* Length of APP code (test use value like 0x00010000U)*/
smrEntry_Test[4].authKeyHandle = NVM_CUST_RSA2048_BOOT_PUB_KEY; /* HANDLE0 -> HANDLE1(The actual import key slot of RSA keys)*/
smrEntry_Test[4].authScheme.sigScheme.signSch = HSE_SIGN_RSASSA_PSS;
smrEntry_Test[4].authScheme.sigScheme.sch.rsaPss.hashAlgo = HSE_HASH_ALGO_SHA2_256;
smrEntry_Test[4].authScheme.sigScheme.sch.rsaPss.saltLength = 32UL;
#if 1
smrEntry_Test[4].pInstAuthTag[0] = 0x00510000UL; /* Signature tag address*/
#else
smrEntry_Test[4].pInstAuthTag[0] = (uint32_t)NULL; ; /* Signature tag address*/
#endif
smrEntry_Test[4].pInstAuthTag[1] = (uint32_t)NULL;
below is the install the smr API details:
hseSrvResponse_t HSE_InstallSmrEntry
(
const uint8_t entryIndex,
const hseSmrEntry_t *pSmrEntry,
const uint8_t *pData,
const uint32_t dataLen,
const uint8_t *pSign0,
const uint8_t *pSign1,
const uint32_t SignLen0,
const uint32_t SignLen1
)
{
uint8_t u8MuChannel = 1U;
/*hseSrvDescriptor_t *pHseSrvDesc;*/
/*hseSmrEntryInstallSrv_t *pSmrEntryInstall;*/
hseSrvResponse_t srvResponse = HSE_SRV_RSP_GENERAL_ERROR;
/* Clear the service descriptor placed in shared memory */
pHseSrvDesc = &gHseSrvDesc[MU0][u8MuChannel];
pSmrEntryInstall = &(pHseSrvDesc->hseSrv.smrEntryInstallReq);
memset(pHseSrvDesc, 0, sizeof(hseSrvDescriptor_t));
pSmrEntryInstallTemp = pSmrEntryInstall;
pSign0_Temp = PTR_TO_HOST_ADDR(pSign0);;
pSign1_Temp = PTR_TO_HOST_ADDR(pSign1);
SignLen0Temp = SignLen0;
SignLen1Temp = SignLen1;
srvId_Temp = HSE_SRV_ID_SMR_ENTRY_INSTALL;
/* Fill the service descriptor */
pHseSrvDesc->srvId = HSE_SRV_ID_SMR_ENTRY_INSTALL;
pSmrEntryInstall->accessMode = HSE_ACCESS_MODE_ONE_PASS;
pSmrEntryInstall->entryIndex = entryIndex;
pSmrEntryInstall->pSmrEntry = PTR_TO_HOST_ADDR(pSmrEntry);
pSmrEntryInstall->pSmrData = PTR_TO_HOST_ADDR(pData);
pSmrEntryInstall->smrDataLength = dataLen;
pSmrEntryInstall->pAuthTag[0] = PTR_TO_HOST_ADDR(pSign0);
pSmrEntryInstall->pAuthTag[1] = PTR_TO_HOST_ADDR(pSign1);
pSmrEntryInstall->authTagLength[0] = SignLen0;
#if 1
pSmrEntryInstall->authTagLength[1] = 0;
#else
pSmrEntryInstall->authTagLength[1] = SignLen1;
#endif
pHseSrvDescTemp = pHseSrvDesc;
/* Send the request synchronously */
srvResponse = HSE_Send(MU0, u8MuChannel, gSyncTxOption, pHseSrvDesc);
return srvResponse;
}
below is the key information:
/****************************** NVM RSA-PUB *****************************/
/* Import RSA keys for secure boot. */
srvResponse = ImportPlainRsaKeyReq(
NVM_CUST_RSA2048_BOOT_PUB_KEY,
HSE_KEY_TYPE_RSA_PUB,
(HSE_KF_USAGE_VERIFY),
(HOST_ADDR)rsa2048CustAuthKeyModulus,
rsa2048CustAuthKeyModulusLength,
(HOST_ADDR)rsa2048CustAuthKeyPubExp,
rsa2048CustAuthKeyPubExpLength,
(HOST_ADDR) NULL,
0UL
);
ASSERT(HSE_SRV_RSP_OK == srvResponse);