i try to use SHE secureboot.

I have loaded the MASTER_ECU_KEY and BOOT_MAC_KEY into the HSE’s NVM according to the reference manual.
As documented, when BOOT_MAC is empty, it is automatically computed and populated.
My concern arises when the firmware is updated and I need to update the BOOT_MAC for the new firmware.
The update procedure itself is clear and follows the same method used to load the MASTER_ECU_KEY and BOOT_MAC_KEY, so that part is not an issue.
The issue occurs during the BOOT_MAC calculation.
Specifically, when I set pFastCMacSrv->keyHandle to the BOOT_MAC_KEY handle,
I receive the error shown below. I assume this is due to restrictions related to the special nature of SHE keys.
0xA5AA52B4UL
/**< @brief The key usage flags (provided using the key handle) don't allow to perform the requested crypto operation (the key flags don't match the crypto operation;
e.g. the key is configured to be used for decryption, and the host requested an encryption).
In SHE, the key ID provided is either invalid or non-usable due to some flag restrictions. */
Question: In the CMAC update flow, how should I obtain and use the appropriate CMAC key for the calculation if I cannot directly use the BOOT_MAC_KEY handle? Could you advise on the correct approach for computing the CMAC that will be used to update BOOT_MAC?