s32k312 format keycatalogs condition?

victory

my key catalogs are all HSE_KEY_OWNER_OEM, and mcu lifecycle is in OEM, start with adkpm = 1, start_from_user = 0.

i tried to run FormatKeyCatalogs() but return aa55a21c, what should i do ?

1. is it will fail in LC = cust_del?

2. is it ok if first run format keys in LC = OEM?

3. if 2 is yes, how to re-format key catalogs? , currently, i got aa55a21c,

victory

my key catalogs are all HSE_KEY_OWNER_OEM, and mcu lifecycle is in OEM, start with adkpm = 1, start_from_user = 0.

i tried to run FormatKeyCatalogs() but return aa55a21c, what should i do ?

1. is it will fail in LC = cust_del?
> format catalogs can ONLY do in LC=cust_del, so all group should ok.

2. is it ok if first run format keys in LC = OEM?
> may not, i think LC cant advance to OEM if catalog isn't formated.

3. if 2 is yes, how to re-format key catalogs? , currently, i got aa55a21c,
> not possible in OEM, erase key and import is allowed with permission.

4. format catalogs cant direct format if catalog already exist, we should call hse to remove all keys first?
> LC=CUST_DEL can directly format with no erase. OEM CANT format.

5. is it possible to format keys in LC=CUST_DEL, and key catalog owner are HSE_KEY_OWNER_OEM ?
> ref 1.

View solution in original post

victory

my key catalogs are all HSE_KEY_OWNER_OEM, and mcu lifecycle is in OEM, start with adkpm = 1, start_from_user = 0.

i tried to run FormatKeyCatalogs() but return aa55a21c, what should i do ?

1. is it will fail in LC = cust_del?
> format catalogs can ONLY do in LC=cust_del, so all group should ok.

2. is it ok if first run format keys in LC = OEM?
> may not, i think LC cant advance to OEM if catalog isn't formated.

3. if 2 is yes, how to re-format key catalogs? , currently, i got aa55a21c,
> not possible in OEM, erase key and import is allowed with permission.

4. format catalogs cant direct format if catalog already exist, we should call hse to remove all keys first?
> LC=CUST_DEL can directly format with no erase. OEM CANT format.

5. is it possible to format keys in LC=CUST_DEL, and key catalog owner are HSE_KEY_OWNER_OEM ?
> ref 1.

VaneB

Hi @victory

Are you looking to delete an specific key? if so, Crypto driver does not support this. I recommend calling the HSE service HSE_SRV_ID_ERASE_KEY directly. Refer to section 6.2.8 (Key erase) of the HSE_B Firmware Reference Manual, Rev. 2.3 and the description of hseEraseKeySrv_t structure in the HSE Service API Reference Manual.

IMPORTANT: SuperUser rights are required:

- CUST SuperUser rights are granted using an authorization key owned by CUST.
– OEM SuperUser rights are granted using an authorization key owned by OEM.

BR, VaneB

victory

Hi VaneB，
thanks for your advice, some question in details,
1. format catalogs cant direct format if catalog already exist, we should call hse to remove all keys first?
2. is it possible to format keys in LC=CUST_DEL, and key catalog owner are HSE_KEY_OWNER_OEM ?

brs

VaneB

Hi @victory

1. format catalogs cant direct format if catalog already exist, we should call hse to remove all keys first? The NVM and RAM key catalogs must be formatted before any keys can be provisioned. Refer to section 6.1.5.3 (Key catalog formatting) of the HSE RM and and the description of hseFormatKeyCatalogsSrv_t structure in the HSE Service API RM.

2. is it possible to format keys in LC=CUST_DEL, and key catalog owner are HSE_KEY_OWNER_OEM? No, as stated in the HSE RM "In LC state OEM_PROD (and OEM_START_AS_USER is 0), the host (identified as OEM) which has SU rights can only erase all NVM keys having their key group owner set to HSE_KEY_OWNER_OEM and HSE_KEY_OWNER_ANY.

In LC state IN_FIELD, when the host gets granted with SU rights using a key owned by CUST, it can only erase all NVM keys having their key group owner set to HSE_KEY_OWNER_CUST and HSE_KEY_OWNER_ANY"