AES Encryption/Decryption using imx-secure-enclave library

JohnKlug · ‎04-14-2025

I am trying to use something like hsm_do_cipher or hsm_cipher_one_go to encrypt with AES 256 a small amount of data (32 bytes).

When I tried hsm_do_cipher I get an error that the handle is bad. If I use hsm_cipher_one_go I get a bad parameter error.

I tried to use this code to create my test:

https://github.com/nxp-imx/imx-secure-enclave/blob/1130c8bb820881ad037ba3f060e7fa70635fae3c/test/hsm...

I get this error from hsm_cipher_one_go:

SAB Error: SAB CMD [0x62] Resp [0x429] - MU sanity check failed / Invalid parameters.

aesencrypt: aesencrypt.c:164: hsm_do_cipher failed, err=0x4

Is there a way to determine what is wrong with my parameters? I see no errors when I create my key in a separate program. Files are created under /etc/ele.
Here is my code setting up the cipher_args:

    memset(&cipher_args,0,sizeof cipher_args);
    cipher_args.key_identifier = KEYID;
    cipher_args.iv = SM2_IDENTIFIER;
    cipher_args.iv_size = sizeof(SM2_IDENTIFIER);
    cipher_args.flags = HSM_CIPHER_ONE_GO_FLAGS_ENCRYPT;
    cipher_args.cipher_algo = HSM_CIPHER_ONE_GO_ALGO_ECB;
    cipher_args.input = sp;
    cipher_args.input_size = slength;
    cipher_args.output = od;
    cipher_args.output_size = slength;

JohnKlug · ‎04-15-2025

I found code that I could use:

https://github.com/nxp-imx/imx-secure-enclave/blob/1130c8bb820881ad037ba3f060e7fa70635fae3c/test/com...

I found that 8 bytes of input data will cause the function hsm_do_hash() to fail with an invalid argument message. 16 bytes does work.

It would be nice if key_identifier requirements were spelled out, iv_size does not have limits, neither does input_size.

元の投稿で解決策を見る

JohnKlug · ‎04-15-2025

I see that the test I copied has this at the start:

f (se_get_soc_id() == SOC_IMX95)
do_cipher_stream_opaquekey_test(key_store_hdl, key_mgmt_hdl);

So this probably prevents this test from running on the i.MX91. So why is the filter on imx95 present? Can you use the keystore with AES encryption on an i.MX91? Is there an example anywhere?

JohnKlug · ‎04-15-2025

It should be:
if (se_get_soc_id() == SOC_IMX95)

Here is the code that skips what I want to do on an i.MX91:
https://github.com/nxp-imx/imx-secure-enclave/blob/1130c8bb820881ad037ba3f060e7fa70635fae3c/test/com...

JohnKlug · ‎04-15-2025

I found code that I could use:

https://github.com/nxp-imx/imx-secure-enclave/blob/1130c8bb820881ad037ba3f060e7fa70635fae3c/test/com...

I found that 8 bytes of input data will cause the function hsm_do_hash() to fail with an invalid argument message. 16 bytes does work.

It would be nice if key_identifier requirements were spelled out, iv_size does not have limits, neither does input_size.

AES Encryption/Decryption using imx-secure-enclave library

AES Encryption/Decryption using imx-secure-enclave library

FRDM-Training