Imx Secure Enclave library with HSM API's on iMX93

Hi nxp tech team,

I have successfully cross-compiled the Secure Enclave userspace library for the ELE-HSM platform targeting the i.MX93 processor-based board, following the build steps provided here

https://github.com/nxp-imx/imx-secure-enclave/blob/lf-6.6.23_2.0.0/README

I also compiled and ran the ELE-HSM test application (hsm_test.c):

https://github.com/nxp-imx/imx-secure-enclave/blob/lf-6.6.23_2.0.0/test/hsm/hsm_test.c

As per my understanding, the application opens a session, performs key store operations, generates/deletes keys, runs cipher tests, and closes the key store and session.

Please find the attached logs from the test run.

I have the following queries:

1. Where is the generated key physically stored?

• Question: After running the test app, where are the keys physically stored on the system?

  • Are they persisted in the root filesystem, or is it stored within secure hardware storage (e.g., in OTP/NVM/FUSE/eFUSE or internal HSM memory)?

  • If on filesystem, what is the exact location or mechanism for storing key blobs?

2. Is there an HSM API to retrieve actual key material (key data buffer)?

• The current APIs (e.g., hsm_get_key_attribute) seem to only allow retrieval of key metadata (ID, size, type).

• Is there a supported API to extract/export the raw key material from the HSM (e.g., for use in symmetric encryption)?

  • If not, is this restricted by design for security reasons (e.g., key never leaves HSM)?

3. How can we generate a key in user space and use it for encryption/decryption?

• If raw keys cannot be retrieved from HSM, what's the recommended flow to:

  • Generate a key (symmetric or asymmetric)

  • Use it for encryption/decryption operations (either directly in HSM or in user space)?

• Are there sample applications or API examples for encrypt/decrypt flow using HSM-managed keys?

Any guidance or sample code snippets would be highly appreciated.

Thanks & Regards,
Mallikarjuna Reddy Ambati