key injection


991 Views
yahyatarek
Contributor I

I have two questions regarding key injection in the S32K388:

1. When I create an NVM Key Catalog of type AES and then call Crypto_43_HSE_Ipw_FormatKeyCatalogs to format it, I receive the error HSE_SRV_RSP_NOT_ALLOWED. The crypto driver documentation indicates that non-SHE types can be added after SHE types. Is it permissible, therefore, to configure an AES key catalog within the NVM Key Catalog?

2. When attempting to set a plaintext key inside a RAM catalog of type SHE, I receive the error HSE_SRV_RSP_INVALID_PARAM. However, the operation passes when setting a plaintext key in a RAM catalog of type AES. The documentation suggests the main difference between AES and SHE RAM catalogs is their size, and I configured both with a 128-key size. Why is the operation successful for AES but not for SHE?

0 Kudos
Reply
4 Replies

965 Views
lukaszadrapa
NXP TechSupport

Hi @yahyatarek 

1. Yes, you can have an AES key in the NVM catalog.
There’s a set of rules for how the catalog should be configured. This can be found in section “6.1.5 Key catalog” in HSE Firmware Reference Manual rev. 2.7.
There’s an example of an NVM catalog on page 105 and there’s a list of reasons why the service can fail (page 106).

2. There are specific rules for SHE keys. This is described in section “6.3 Key management: SHE keys”. In short, SHE keys must be mapped to key group 0 and the group owner must be HSE_KEY_OWNER_ANY. Extended SHE keys must be mapped to key groups 1 – 4. If SHE keys are not used, you can map any keys to these groups.
You can have only one SHE RAM key, which must be mapped to group 0 in the RAM catalog. There’s an example in “6.3.4 Declaration example”:

hseKeyGroupCfgEntry_t my_RAM_key_catalog[] = {
/* SHE keys */ {HSE_MU0_MASK, HSE_KEY_OWNER_ANY, HSE_KEY_TYPE_SHE, 1, 128}, /* RAM_KEY */
{0, 0, 0, 0, 0}
};

If this doesn’t help, please share your configuration of the catalogs.

Regards,
Lukas

0 Kudos
Reply

826 Views
yahyatarek
Contributor I

Hello @lukaszadrapa , thanks for your help. I just reviewed the section describing the NVM catalog, and it seems there are no major changes between us. I have attached my configuration; the only change is the key owner. I tried configuring it as 'ANY' or 'Custom,' but both failed during key formatting.

[Attached screenshots: yahyatarek_0-1775995913692.png, yahyatarek_1-1775995936702.png, yahyatarek_2-1775995987752.png, yahyatarek_3-1775996001575.png]

0 Kudos
Reply

745 Views
yahyatarek
Contributor I

Hello @lukaszadrapa, this is just a reminder that the configuration I shared is currently a blocker for me. If there are any incorrect configurations, could you please tell me which ones need fixing?

0 Kudos
Reply

738 Views
lukaszadrapa
NXP TechSupport

Hi @yahyatarek 

I'm sorry, for some reason, I didn't get a notification about your previous message from the system.

An NVM AES key cannot use HSE_KEY_OWNER_ANY. This is reserved for RAM keys and for SHE keys. Just change it to HSE_KEY_OWNER_CUST or to HSE_KEY_OWNER_OEM depending on your needs and it will work as expected.

Regards,

Lukas

0 Kudos
Reply
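
The catalog rules stated in the two answers above can be checked on the host before the catalogs are sent for formatting. The following is an added example, not code from the posts or from NXP's driver. The struct and enum names and their numeric values are stand-ins that mirror the five positional fields of the declaration example, not the HSE header definitions, and extended SHE keys are only range-checked to groups 0 to 4.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in types for this example: names and numeric values are placeholders,
 * not the definitions from the HSE firmware headers. */
typedef enum { OWNER_ANY = 1, OWNER_CUST, OWNER_OEM } owner_t;
typedef enum { TYPE_SHE = 1, TYPE_AES } ktype_t;
typedef enum { CAT_NVM, CAT_RAM } catalog_t;
/* Same five positional fields as the entry in the declaration example. */
typedef struct { uint8_t mu_mask; owner_t owner; ktype_t type;
                 uint8_t slots; uint16_t max_bits; } group_cfg_t;
typedef enum {
    CFG_OK = 0,
    ERR_NVM_OWNER_ANY,      /* NVM non-SHE group owned by ANY */
    ERR_SHE_OWNER_NOT_ANY,  /* SHE keys in group 0 need owner ANY */
    ERR_SHE_BAD_GROUP,      /* SHE type outside groups 0-4 */
    ERR_RAM_SHE_NOT_SINGLE  /* RAM catalog: one SHE key, group 0 only */
} cfg_err_t;

/* Returns the first rule violation found before the all-zero terminator. */
cfg_err_t check_catalog(catalog_t cat, const group_cfg_t *g)
{
    for (unsigned i = 0; g[i].mu_mask != 0; i++) {
        if (g[i].type == TYPE_SHE) {
            if (cat == CAT_RAM && (i != 0 || g[i].slots != 1))
                return ERR_RAM_SHE_NOT_SINGLE;
            if (i > 4)
                return ERR_SHE_BAD_GROUP;
            if (i == 0 && g[i].owner != OWNER_ANY)
                return ERR_SHE_OWNER_NOT_ANY;
        } else if (cat == CAT_NVM && g[i].owner == OWNER_ANY) {
            return ERR_NVM_OWNER_ANY;
        }
    }
    return CFG_OK;
}

/* Constructed sample catalogs (not the poster's configuration). */
static const group_cfg_t nvm_bad[]  = { {1, OWNER_ANY,  TYPE_AES, 4, 128}, {0, 0, 0, 0, 0} };
static const group_cfg_t nvm_good[] = { {1, OWNER_CUST, TYPE_AES, 4, 128}, {0, 0, 0, 0, 0} };
static const group_cfg_t ram_good[] = { {1, OWNER_ANY,  TYPE_SHE, 1, 128}, {0, 0, 0, 0, 0} };
static const group_cfg_t ram_bad[]  = { {1, OWNER_ANY,  TYPE_AES, 4, 128},
                                        {1, OWNER_ANY,  TYPE_SHE, 1, 128}, {0, 0, 0, 0, 0} };

int main(void)
{
    printf("%d %d ", (int)check_catalog(CAT_NVM, nvm_bad), (int)check_catalog(CAT_NVM, nvm_good));
    printf("%d %d\n", (int)check_catalog(CAT_RAM, ram_good), (int)check_catalog(CAT_RAM, ram_bad));
    return 0;
}
```
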