You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The STM32H5 series provides a DHUK (Derived Hardware Unique Key) mechanism via SAES.
The DHUK is derived internally from the Root HUK (RHUK) and is never exposed to software.
This enables device-unique, non-exportable key usage suitable for secure storage, firmware signing, metering, etc.
Currently, Zephyr’s STM32 crypto driver (CRYP/SAES) exposes CAP_RAW_KEY and in some cases CAP_OPAQUE_KEY_HNDL, but there is no integration that allows using the STM32H5 DHUK as an opaque AES key through:
Zephyr Crypto API
or PSA Crypto API
As a result, applications must provide raw AES key material from RAM, which defeats the purpose of using hardware-unique secure keys.
Proposed enhancement
Add support for DHUK-backed opaque AES keys on STM32H5, ideally through:
PSA Crypto driver integration
Implement a key type or driver mapping where a PSA key identifier can internally map to:
SAES DHUK
or DHUK-derived wrapped key
Ensure key material is never exposed to application space
Zephyr Crypto API extension
Allow CAP_OPAQUE_KEY_HNDL to reference:
SAES hardware key slot
DHUK-based key derivation
Add a mechanism to select hardware-derived keys instead of RAM-provided raw keys
Expected behavior
Applications should be able to:
Perform AES encryption/decryption
Without providing raw key bytes
Using a hardware-unique, non-exportable key (DHUK)
Fully compatible with TrustZone-enabled and non-secure firmware setups
Why this is important
Enables secure metering and anti-cloning applications
Prevents key extraction from firmware
Aligns Zephyr STM32H5 support with the hardware security capabilities of the device
Required for IEC/industrial security scenarios
Target hardware
STM32H533 / STM32H5 series
SAES peripheral with DHUK support
Additional context
STM32H5 reference manual describes:
Root HUK (RHUK)
Derived HUK (DHUK)
SAES hardware key derivation capability
Currently this functionality is not accessible via Zephyr’s crypto stack.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
The STM32H5 series provides a DHUK (Derived Hardware Unique Key) mechanism via SAES.
The DHUK is derived internally from the Root HUK (RHUK) and is never exposed to software.
This enables device-unique, non-exportable key usage suitable for secure storage, firmware signing, metering, etc.
Currently, Zephyr’s STM32 crypto driver (CRYP/SAES) exposes CAP_RAW_KEY and in some cases CAP_OPAQUE_KEY_HNDL, but there is no integration that allows using the STM32H5 DHUK as an opaque AES key through:
Zephyr Crypto API
or PSA Crypto API
As a result, applications must provide raw AES key material from RAM, which defeats the purpose of using hardware-unique secure keys.
Proposed enhancement
Add support for DHUK-backed opaque AES keys on STM32H5, ideally through:
PSA Crypto driver integration
Implement a key type or driver mapping where a PSA key identifier can internally map to:
SAES DHUK
or DHUK-derived wrapped key
Ensure key material is never exposed to application space
Zephyr Crypto API extension
Allow CAP_OPAQUE_KEY_HNDL to reference:
SAES hardware key slot
DHUK-based key derivation
Add a mechanism to select hardware-derived keys instead of RAM-provided raw keys
Expected behavior
Applications should be able to:
Perform AES encryption/decryption
Without providing raw key bytes
Using a hardware-unique, non-exportable key (DHUK)
Fully compatible with TrustZone-enabled and non-secure firmware setups
Why this is important
Enables secure metering and anti-cloning applications
Prevents key extraction from firmware
Aligns Zephyr STM32H5 support with the hardware security capabilities of the device
Required for IEC/industrial security scenarios
Target hardware
STM32H533 / STM32H5 series
SAES peripheral with DHUK support
Additional context
STM32H5 reference manual describes:
Root HUK (RHUK)
Derived HUK (DHUK)
SAES hardware key derivation capability
Currently this functionality is not accessible via Zephyr’s crypto stack.
Beta Was this translation helpful? Give feedback.
All reactions