帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

sss_key_store_set_key() fails with KEK operation

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

sss_key_store_set_key() fails with KEK operation

跳至解决方案
‎12-28-2022 05:20 PM
1,802 次查看
psvz
Contributor IV

Hi Kan,

I have AES-256 key in the store (KEK), and I am trying to set 40 bytes wrap of a HMAC key (wrapped per rfc3394). sss_key_store_set_key() fails, and I have traced it down to...

in simw-top/hostlib/hostLib/se05x/src/se05x_tlv.c return value is calculated in a weird way:

smStatus_t se05x_DeCrypt(
    struct Se05xSession *pSessionCtx, size_t cmd_cmacLen, uint8_t *rsp, size_t *rspLength, uint8_t hasle)
{
    AX_UNUSED_ARG(cmd_cmacLen);
    AX_UNUSED_ARG(hasle);
    U16 rv = SM_NOT_OK;

    if (*rspLength >= 2) {
        rv = rsp[(*rspLength) - 2] << 8 | rsp[(*rspLength) - 1];

This function is called many times and usually rv = 0x9000 (SM_OK), but the failure happens with rv:

SM_ERR_COMMAND_NOT_ALLOWED = 0x6986,        // Command not allowed - access denied based on object policy

I did not explicitly set any policy objects with AES-256 key (existing KEK) - nor do I have any policy object with the HMAC key I am trying to set. Could you please help me resolve this - the documents you provided yesterday do not ask for any policy with KEK...

标签 (1)
标签
0 项奖励
回复
1 解答

跳至解决方案
‎01-02-2023 11:36 PM
1,745 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @psvz ,

 

Good to know, but I don't think this secure object can not be deleted by DeleteAll command, unless you can set its Origin to ORIGIN_PROVISIONED.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

在原帖中查看解决方案

0 项奖励
回复
3 回复数

跳至解决方案
‎12-28-2022 07:56 PM
1,795 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @psvz ,

 

Did you inject KEK already inside the SE? Did you use  sss_se05x_key_store_open_key() before set up the HMAC key? Maybe you can share your code for a review then?

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 项奖励
回复

跳至解决方案
‎12-29-2022 02:16 PM
1,788 次查看
psvz
Contributor IV

Hi Kan,

It is all working now - my suspicion was correct: I have now attached "can_Wrap" policy while provisioning KEK and my wrapped key is getting set now.

One thing to discuss though. It looks like without sss_policy_common_u in addition to sss_policy_sym_key_u (where can_Wrap = 1), all common operations are forbidden and the key gets burnt into SE050 forever. Readidlist-wise this is my working key:

sss   :WARN :Error in Se05x_API_ReadType. Further use of object may fail
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
Key-Id: 0X3e3                                         Size(Bits): No Info available

And this is some key coming from NXP:

sss   :WARN :Error in Se05x_API_ReadType. Further use of object may fail
sss   :WARN :nxEnsure:'ret == SM_OK' failed. At Line:6971 Function:sss_se05x_TXn
Key-Id: 0X7fff020b   AES                              Size(Bits): No Info available

Can you please confirm:

1/ my key cannot be deleted from SE050 even with hard reset?

2/ error messages middleware spits out are all bull**bleep** and everything works properly?

0 项奖励
回复

跳至解决方案
‎01-02-2023 11:36 PM
1,746 次查看
Kan_Li
NXP TechSupport
NXP TechSupport

Hi @psvz ,

 

Good to know, but I don't think this secure object can not be deleted by DeleteAll command, unless you can set its Origin to ORIGIN_PROVISIONED.

 

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 项奖励
回复