imx.8 hsm import external public key

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

imx.8 hsm import external public key

452 Views
sunnnn
Contributor I

Hello community guys:

     I use "imx-seco-libs-imx_5.4.70_2.3.11" apis to import public keys into hsm storage.

     But according to the api "hsm_manage_key", i need to use the root kek to encrypt the public key with the algorithm AES GCM. and the api support this algorithm is "hsm_auth_enc", and finally i can not find how to get the root kek identifier.

      So how to get the ROOT_KEK  key identifier?

------------------------------------------------------------------------------------------------------------------------------------------

Here is the description of hsm_manage_key:

/**
 * This command is designed to perform the following operations:
 *  - import a key creating a new key identifier (import and create)
 *  - import a key using an existing key identifier (import and update)
 *  - delete an existing key
 *
 * The key encryption key (KEK) can be previously pre-shared or stored in the key store.
 *
 * The key to be imported must be encrypted by using the KEK as following:
 *  - Algorithm: AES GCM
 *  - Key: root KEK
 *  - AAD = 0
 *  - IV = 12 bytes. When encrypting with a given key, the same IV MUST NOT be repeated. Refer to SP 800-38D for recommendations.
 *  - Tag = 16 bytes
 *  - Plaintext: key to be imported
 *
 * The hsm_manage_key_ext function (described separately) allows additional settings when importing keys.  When using the hsm_manage_key function to import a key, all additional settings are set to their default values
 *
 * User can call this function only after having opened a key management service flow
 *
 * \param key_management_hdl handle identifying the key management service flow.
 * \param args pointer to the structure containing the function arguments.
 *
 * \return error code
 */
hsm_err_t hsm_manage_key(hsm_hdl_t key_management_hdl, op_manage_key_args_t *args);
#define HSM_OP_MANAGE_KEY_FLAGS_IMPORT_UPDATE                           ((hsm_op_manage_key_flags_t)(1u << 0))   //!< User can replace an existing key only by importing a key with the same type of the original one.
#define HSM_OP_MANAGE_KEY_FLAGS_IMPORT_CREATE                           ((hsm_op_manage_key_flags_t)(1u << 1))   //!< Import a key and create a new identifier.
#define HSM_OP_MANAGE_KEY_FLAGS_DELETE                                  ((hsm_op_manage_key_flags_t)(1u << 2))   //!< Delete an existing key.
#define HSM_OP_MANAGE_KEY_FLAGS_PART_UNIQUE_ROOT_KEK                    ((hsm_op_manage_key_flags_t)(1u << 3))   //!< The key to be imported is encrypted using the part-unique root kek.
#define HSM_OP_MANAGE_KEY_FLAGS_COMMON_ROOT_KEK                         ((hsm_op_manage_key_flags_t)(1u << 4))   //!< The key to be imported is encrypted using the common root kek.
#define HSM_OP_MANAGE_KEY_FLAGS_STRICT_OPERATION                        ((hsm_op_manage_key_flags_t)(1u << 7))   //!< The request is completed only when the new key has been written in the NVM. This is only applicable for persistent key.

------------------------------------------------------------------------------------------------------------------------------------------

 

------------------------------------------------------------------------------------------------------------------------------------------

Here is the description of hsm_auth_enc:

/**
 * Perform authenticated encryption operation\n
 * User can call this function only after having opened a cipher service flow\n
 *
 *
 * For decryption operations, the full IV is supplied by the caller via the iv and iv_size parameters. HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV and HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV flags are ignored.\n
 *
 * For encryption operations, either HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV or HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV must be set when calling this function:
 * - When HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV is set, the full IV is internally generated, iv and iv_size must be set to 0
 * - When HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV is set, the user supplies a 4 byte fixed part of the IV.  The other IV bytes are internally generated
 *
 * \param cipher_hdl handle identifying the cipher service flow.
 * \param args pointer to the structure containing the function arguments.
 *
 * \return error code
 */
hsm_err_t hsm_auth_enc(hsm_hdl_t cipher_hdl, op_auth_enc_args_t* args);
#define HSM_AUTH_ENC_ALGO_AES_GCM              ((hsm_op_auth_enc_algo_t)(0x00u))       //!< Perform AES GCM with following constraints: AES GCM where AAD supported, Tag len = 16 bytes, IV len = 12 bytes
#define HSM_AUTH_ENC_ALGO_SM4_CCM              ((hsm_op_auth_enc_algo_t)(0x10u))       //!< Perform SM4 CCM with following constraints: SM4 CCM where AAD supported, Tag len = 16 bytes, IV len = 12 bytes
#define HSM_AUTH_ENC_FLAGS_DECRYPT             ((hsm_op_auth_enc_flags_t)(0u << 0))
#define HSM_AUTH_ENC_FLAGS_ENCRYPT             ((hsm_op_auth_enc_flags_t)(1u << 0))
#define HSM_AUTH_ENC_FLAGS_GENERATE_FULL_IV    ((hsm_op_auth_enc_flags_t)(1u << 1))    //!< Full IV is internally generated (only relevant for encryption)
#define HSM_AUTH_ENC_FLAGS_GENERATE_COUNTER_IV ((hsm_op_auth_enc_flags_t)(1u << 2))    //!< User supplies 4 bytes of the IV (fixed part), the other bytes are internally generated (only relevant for encryption)

------------------------------------------------------------------------------------------------------------------------------------------

Thanks!

Tags (1)
0 Kudos
Reply
0 Replies