Merge "fix(nxp-crypto): restricts generating nxp_mkvb via ns-world" into integration

commit: 0f39b7e668631a5d0c849033b45d7d953ca2254b [log] [tgz]
author: Govindraj Raja <govindraj.raja@arm.com> Mon Jun 23 16:16:05 2025 +0000
committer: TrustedFirmware Code Review <review@review.trustedfirmware.org> Mon Jun 23 16:16:05 2025 +0000
tree: fdf7997d22a33a393038ba98482dccb62fa4393c
parent: 51dbe464ec5b176eed0b4ffc664df6277344931e [diff]
parent: 76a95609a05674635e867949f84a3fd499c01313 [diff]
diff --git a/drivers/nxp/crypto/caam/src/hw_key_blob.c b/drivers/nxp/crypto/caam/src/hw_key_blob.c
index 6bcb6ba..0ac750d 100644
--- a/drivers/nxp/crypto/caam/src/hw_key_blob.c
+++ b/drivers/nxp/crypto/caam/src/hw_key_blob.c

@@ -43,6 +43,10 @@
 	struct job_descriptor *jobdesc = &desc;
 	uint32_t in_sz = 16U;
 
+	if (size <= 0 ||  size > 16) {
+		ERROR("Error: Requested invalid length of HUK.\n");
+		return -1;
+	}
 	/* Output blob will have 32 bytes key blob in beginning and
 	 * 16 byte HMAC identifier at end of data blob
 	 */

diff --git a/plat/nxp/common/sip_svc/sip_svc.c b/plat/nxp/common/sip_svc/sip_svc.c
index 1c8668e..4eec0ac 100644
--- a/plat/nxp/common/sip_svc/sip_svc.c
+++ b/plat/nxp/common/sip_svc/sip_svc.c

@@ -100,7 +100,7 @@
 		}
 		/* break is not required as SMC_RETx return */
 	case SIP_SVC_HUK:
-		if (is_sec_enabled() == false) {
+		if (ns != 0 || is_sec_enabled() == false) {
 			NOTICE("SEC is disabled.\n");
 			SMC_RET1(handle, SMC_UNK);
 		}
commit	0f39b7e668631a5d0c849033b45d7d953ca2254b	[log] [tgz]
author	Govindraj Raja <govindraj.raja@arm.com>	Mon Jun 23 16:16:05 2025 +0000
committer	TrustedFirmware Code Review <review@review.trustedfirmware.org>	Mon Jun 23 16:16:05 2025 +0000
tree	fdf7997d22a33a393038ba98482dccb62fa4393c
parent	51dbe464ec5b176eed0b4ffc664df6277344931e [diff]
parent	76a95609a05674635e867949f84a3fd499c01313 [diff]