cancel
Showing results for 
Search instead for 
Did you mean: 

How do I unload a key that was previously loaded by SHCI_C2_FUS_LoadUsrKey?

KHend.1
Associate II

I have implemented AES encryption / decryption on a STM32WB55 using keys stored in FUS. However, I'm running into a problem when I try to encrypt or decrypt using a non-FUS key. I get a hardfault when the key is written to the registers. Which I assume is because the FUS user key is still loaded.

AN5185 defines the command FUS_UNLOAD_USR_KEY but there is no corresponding implementation in shci.h/shci.c. I implemented my own version of SHCI_C2_FUS_UnLoadUsrKey using SHCI_C2_FUS_LoadUsrKey as an example. But CPU2 is saying that is an unknown command.

What is the process to unload a key that is stored in FUS and / or use the CRYP peripheral with a non-FUS key after previously loading a key into it from FUS?

1 ACCEPTED SOLUTION

Accepted Solutions
Remi QUINTIN
ST Employee

You should use the Customer Key Storage (CKS) to load/unload your own key for any encryption/decryption processing. This is especially true for AES.

Please have a look at the CKS project here: STM32Cube_FW_WB_V1.9.0\Projects\P-NUCLEO-WB55.Nucleo\Applications\CKS

It shows how to use CKS feature to store AES crypto keys in secure area.

View solution in original post

3 REPLIES 3
KHend.1
Associate II

I've since discovered that I can unload the key if FUS is running. But if the wireless stack (BLE full) is running it reports the unload user key command is unknown. Is it really only possible to unload a user key when FUS is running?

Remi QUINTIN
ST Employee

You should use the Customer Key Storage (CKS) to load/unload your own key for any encryption/decryption processing. This is especially true for AES.

Please have a look at the CKS project here: STM32Cube_FW_WB_V1.9.0\Projects\P-NUCLEO-WB55.Nucleo\Applications\CKS

It shows how to use CKS feature to store AES crypto keys in secure area.

KHend.1
Associate II

Hi Remi, Thanks for the response. I took a look at the CKS example and it's very close to what I am doing. There are a couple unanswered questions though:

  1. How is a key unloaded? The AN5185 documents a command for unloading keys but the matching function is missing from shci.h/shci.c
  2. Is the unload command supported in the BLE full wireless stack or only when FUS is running?
  3. Is it possible to initialize the CRYP/AES peripheral with a non CKS key (pKey not NULL) after having loaded a key from CKS?