- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- Home
- :
- i.MX Forums
- :
- i.MX Processors
- :
- imx.8 hsm import external public key
imx.8 hsm import external public key
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
imx.8 hsm import external public key
11-21-2023
02:10 AM
324 Views
sunnnn
Contributor I
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello community guys:
I use "imx-seco-libs-imx_5.4.70_2.3.11" apis to import public keys into hsm storage.
But according to the api "hsm_manage_key", i need to use the root kek to encrypt the public key with the algorithm AES GCM. and the api support this algorithm is "hsm_auth_enc", and finally i can not find how to get the root kek identifier.
So how to get the ROOT_KEK key identifier?
------------------------------------------------------------------------------------------------------------------------------------------
Here is the description of hsm_manage_key:
/**
* This command is designed to perform the following operations:
* - import a key creating a new key identifier (import and create)
* - import a key using an existing key identifier (import and update)
* - delete an existing key
*
* The key encryption key (KEK) can be previously pre-shared or stored in the key store.
*
* The key to be imported must be encrypted by using the KEK as following:
* - Algorithm: AES GCM
* - Key: root KEK
* - AAD = 0
* - IV = 12 bytes. When encrypting with a given key, the same IV MUST NOT be repeated. Refer to SP 800-38D for recommendations.
* - Tag = 16 bytes
* - Plaintext: key to be imported
*
* The hsm_manage_key_ext function (described separately) allows additional settings when importing keys. When using the hsm_manage_key function to import a key, all additional settings are set to their default values
*
* User can call this function only after having opened a key management service flow
*
* \param key_management_hdl handle identifying the key management service flow.
* \param args pointer to the structure containing the function arguments.
*
* \return error code
*/
hsm_err_t hsm_manage_key(hsm_hdl_t key_management_hdl, op_manage_key_args_t *args);
#define HSM_OP_MANAGE_KEY_FLAGS_IMPORT_UPDATE ((hsm_op_manage_key_flags_t)(1u << 0)) //!< User can replace an existing key only by importing a key with the same type of the original one.
#define HSM_OP_MANAGE_KEY_FLAGS_IMPORT_CREATE ((hsm_op_manage_key_flags_t)(1u << 1)) //!< Import a key and create a new identifier.
#define HSM_OP_MANAGE_KEY_FLAGS_DELETE ((hsm_op_manage_key_flags_t)(1u << 2)) //!< Delete an existing key.
#define HSM_OP_MANAGE_KEY_FLAGS_PART_UNIQUE_ROOT_KEK ((hsm_op_manage_key_flags_t)(1u << 3)) //!< The key to be imported is encrypted using the part-unique root kek.
#define HSM_OP_MANAGE_KEY_FLAGS_COMMON_ROOT_KEK ((hsm_op_manage_key_flags_t)(1u << 4)) //!< The key to be imported is encrypted using the common root kek.
#define HSM_OP_MANAGE_KEY_FLAGS_STRICT_OPERATION ((hsm_op_manage_key_flags_t)(1u << 7)) //!< The request is completed only when the new key has been written in the NVM. This is only applicable for persistent key.
------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------
Here is the description of hsm_auth_enc:
/**
* Perform authenticated encryption operation\n
* User can call this function only after having opened a cipher service flow\n
*
*
* For decryption operations, the full IV is supplied by the caller via the iv and iv_size parameters. HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV and HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV flags are ignored.\n
*
* For encryption operations, either HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV or HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV must be set when calling this function:
* - When HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV is set, the full IV is internally generated, iv and iv_size must be set to 0
* - When HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV is set, the user supplies a 4 byte fixed part of the IV. The other IV bytes are internally generated
*
* \param cipher_hdl handle identifying the cipher service flow.
* \param args pointer to the structure containing the function arguments.
*
* \return error code
*/
hsm_err_t hsm_auth_enc(hsm_hdl_t cipher_hdl, op_auth_enc_args_t* args);
#define HSM_AUTH_ENC_ALGO_AES_GCM ((hsm_op_auth_enc_algo_t)(0x00u)) //!< Perform AES GCM with following constraints: AES GCM where AAD supported, Tag len = 16 bytes, IV len = 12 bytes
#define HSM_AUTH_ENC_ALGO_SM4_CCM ((hsm_op_auth_enc_algo_t)(0x10u)) //!< Perform SM4 CCM with following constraints: SM4 CCM where AAD supported, Tag len = 16 bytes, IV len = 12 bytes
#define HSM_AUTH_ENC_FLAGS_DECRYPT ((hsm_op_auth_enc_flags_t)(0u << 0))
#define HSM_AUTH_ENC_FLAGS_ENCRYPT ((hsm_op_auth_enc_flags_t)(1u << 0))
#define HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV ((hsm_op_auth_enc_flags_t)(1u << 1)) //!< Full IV is internally generated (only relevant for encryption)
#define HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV ((hsm_op_auth_enc_flags_t)(1u << 2)) //!< User supplies 4 bytes of the IV (fixed part), the other bytes are internally generated (only relevant for encryption)
------------------------------------------------------------------------------------------------------------------------------------------
Thanks!
0 Replies
