Difference between Hardware Root Key and Hardware Unique Key in RA

Hello,

I've read the documentation on Injecting and Updating Secure User Keys (R11AN0496EU0200 Rev.2.00 Jan.03.24), and also the documentation for the Security Key Management Tool (R20UT5349EJ0107 Rev.1.07 Aug.30.24). I'd like to make sure I understand the difference between the "Hardware Root Key" and the "Hardware Unique Key".

  • The graphics show the HRK is used by the Renesas Key Wrap server to wrap the UFPK. So the HRK can't be MCU-specific; it has to be hardware-specific, but broader than the individual MCU level. Say I want to wrap a key for an RA6M3 MCU. Would the HRK in this case be specific to all RAs, or would it be specific to just the RA6M3?
  • When the User Key injection operation is performed, the graphic shows the HRK embedded inside the SCE. The HUK is also shown as embedded in the MCU. Would this be a correct description of what happens inside the SCE?
    - The SCE uses the HRK to decrypt the wrapped UFPK, and then uses the UFPK to decrypt the User Key.
    - The SCE then uses the HUK to wrap the User Key and saves it to the specified location.

The desired end result is a User Key that's been wrapped with the Hardware Unique Key.

Thank you,

tom