STMicroelectronics · Grolleau-Benjamin · Feb 25, 2026 · Mar 3, 2026
diff --git a/core/stse_device.h b/core/stse_device.h
@@ -161,8 +161,8 @@ struct stse_session_t {
     union {
         struct {
             stse_Handler_t *pSTSE;
-            PLAT_UI8 *pHost_MAC_key;
-            PLAT_UI8 *pHost_cypher_key;
+            PLAT_UI32 Host_MAC_key_idx;
+            PLAT_UI32 Host_cypher_key_idx;
             stse_aes_key_type_t key_type;
             PLAT_UI32 MAC_counter;
         } host;

diff --git a/core/stse_platform.h b/core/stse_platform.h
@@ -209,15 +209,34 @@ stse_ReturnCode_t stse_platform_nist_kw_encrypt(PLAT_UI8 *pPayload, PLAT_UI32 pa
 
 #if defined(STSE_CONF_USE_HOST_KEY_ESTABLISHMENT) || defined(STSE_CONF_USE_SYMMETRIC_KEY_ESTABLISHMENT) || defined(STSE_CONF_USE_HOST_SESSION)
 
+/*!
+ * \brief      Store session key in platform secure storage
+ * \param[in]  pCypherKey Pointer to the cypher key
+ * \param[out] pCypherKeyIdx Pointer to receive the index of the stored cypher key
+ * \param[in]  pMACKey Pointer to the MAC key
+ * \param[out] pMACKeyIdx Pointer to receive the index of the stored MAC key
+ * \param[in]  key_length Length of the keys in bytes
+ * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
+ */
+stse_ReturnCode_t stse_platform_store_session_key(PLAT_UI8 *pCypherKey, PLAT_UI32 *pCypherKeyIdx,
+                                                  PLAT_UI8 *pMACKey, PLAT_UI32 *pMACKeyIdx,
+                                                  PLAT_UI16 key_length);
+
+/*!
+ * \brief      Delete session key from platform secure storage
+ * \param[in]  CypherKeyIdx Index of the cypher key to delete
+ * \param[in]  MACKeyIdx Index of the MAC key to delete
+ * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
+ */
+stse_ReturnCode_t stse_platform_delete_key(PLAT_UI32 CypherKeyIdx, PLAT_UI32 MACKeyIdx);
+
 /*!
  * \brief      Initialize AES CMAC computation
- * \param[in]  pKey Pointer to the key
- * \param[in]  key_length Length of the key
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[in]  exp_tag_size Expected tag size
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
-stse_ReturnCode_t stse_platform_aes_cmac_init(const PLAT_UI8 *pKey,
-                                              PLAT_UI16 key_length,
+stse_ReturnCode_t stse_platform_aes_cmac_init(const PLAT_UI32 key_idx,
                                               PLAT_UI16 exp_tag_size);
 
 /*!
@@ -247,76 +266,71 @@ stse_ReturnCode_t stse_platform_aes_cmac_verify_finish(PLAT_UI8 *pTag);
  * \brief      Perform an AES CMAC encryption
  * \param[in]  pPayload Pointer to Payload
  * \param[in]  payload_length Length of the payload in bytes
- * \param[in]  pKey Pointer to key
- * \param[in]  key_length Length of the key in bytes
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[in]  exp_tag_size Expected tag size in bytes
  * \param[out] pTag Pointer to Tag
  * \param[out] pTag_length Pointer to Tag length value output
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
 stse_ReturnCode_t stse_platform_aes_cmac_compute(const PLAT_UI8 *pPayload, PLAT_UI16 payload_length,
-                                                 const PLAT_UI8 *pKey, PLAT_UI16 key_length,
+                                                 const PLAT_UI32 key_idx,
                                                  PLAT_UI16 exp_tag_size,
                                                  PLAT_UI8 *pTag, PLAT_UI16 *pTag_length);
 
 /*!
  * \brief      Perform an AES CMAC decryption
  * \param[in]  pPayload Pointer to Payload
  * \param[in]  payload_length Length of the payload in bytes
- * \param[in]  pKey Pointer to key
- * \param[in]  key_length Length of the key in bytes
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[in]  pTag Pointer to Tag
  * \param[in]  tag_length Pointer to Tag length value output
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
 stse_ReturnCode_t stse_platform_aes_cmac_verify(const PLAT_UI8 *pPayload, PLAT_UI16 payload_length,
-                                                const PLAT_UI8 *pKey, PLAT_UI16 key_length,
+                                                const PLAT_UI32 key_idx,
                                                 const PLAT_UI8 *pTag, PLAT_UI16 tag_length);
 
 /*!
  * \brief      Perform an AES CBC encryption
  * \param[in]  pPlaintext Pointer to the plaintext data
  * \param[in]  plaintext_length Length of the plaintext data
  * \param[in]  pInitial_value Pointer to encryption IV
- * \param[in]  pKey Pointer to the key
- * \param[in]  key_length Length of the key
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[out] pEncryptedtext Pointer to the encrypted payload
  * \param[out] pEncryptedtext_length Length of encrypted payload
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
 stse_ReturnCode_t stse_platform_aes_cbc_enc(const PLAT_UI8 *pPlaintext, PLAT_UI16 plaintext_length,
-                                            PLAT_UI8 *pInitial_value, const PLAT_UI8 *pKey,
-                                            PLAT_UI16 key_length, PLAT_UI8 *pEncryptedtext,
+                                            PLAT_UI8 *pInitial_value, const PLAT_UI32 key_idx,
+                                            PLAT_UI8 *pEncryptedtext,
                                             PLAT_UI16 *pEncryptedtext_length);
 
 /*!
  * \brief      Perform an AES CBC decryption
  * \param[in]  pEncryptedtext Pointer to the encrypted payload
  * \param[in]  encryptedtext_length Length of encrypted payload
  * \param[in]  pInitial_value Pointer to decryption IV
- * \param[in]  pKey Pointer to the key
- * \param[in]  key_length Length of the key
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[out] pPlaintext Pointer to PlainText payload
  * \param[out] pPlaintext_length Length of the PlainText payload
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
 stse_ReturnCode_t stse_platform_aes_cbc_dec(const PLAT_UI8 *pEncryptedtext, PLAT_UI16 encryptedtext_length,
-                                            PLAT_UI8 *pInitial_value, const PLAT_UI8 *pKey,
-                                            PLAT_UI16 key_length, PLAT_UI8 *pPlaintext,
+                                            PLAT_UI8 *pInitial_value, const PLAT_UI32 key_idx,
+                                            PLAT_UI8 *pPlaintext,
                                             PLAT_UI16 *pPlaintext_length);
 
 /*!
  * \brief      Perform an AES ECB encryption
  * \param[in]  pPlaintext Pointer to the plaintext data
  * \param[in]  plaintext_length Length of the plaintext data
- * \param[in]  pKey Pointer to the key
- * \param[in]  key_length Length of the key
+ * \param[in]  key_idx Index of the key in secure storage
  * \param[out] pEncryptedtext Pointer to the encrypted payload
  * \param[out] pEncryptedtext_length Length of encrypted payload
  * \return     \ref STSE_OK on success; \ref stse_ReturnCode_t error code otherwise
  */
 stse_ReturnCode_t stse_platform_aes_ecb_enc(const PLAT_UI8 *pPlaintext, PLAT_UI16 plaintext_length,
-                                            const PLAT_UI8 *pKey, PLAT_UI16 key_length,
+                                            const PLAT_UI32 key_idx,
                                             PLAT_UI8 *pEncryptedtext, PLAT_UI16 *pEncryptedtext_length);
 
 #endif /* defined(STSE_CONF_USE_HOST_KEY_ESTABLISHMENT) || defined(STSE_CONF_USE_SYMMETRIC_KEY_ESTABLISHMENT) || defined(STSE_CONF_USE_HOST_SESSION) */

diff --git a/services/stsafea/stsafea_sessions.c b/services/stsafea/stsafea_sessions.c
@@ -75,9 +75,69 @@ stse_ReturnCode_t stsafea_open_host_session(stse_Handler_t *pSTSE, stse_session_
         pSession->context.host.MAC_counter = ARRAY_3B_SWAP_TO_UI32(host_key_slot.cmac_sequence_counter);
     }
 
+    PLAT_UI32 HostMacKeyIdx;
+    PLAT_UI32 HostCypherKeyIdx;
+    PLAT_UI16 key_length = (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE;
+
+    ret = stse_platform_store_session_key(pHost_cypher_key, &HostCypherKeyIdx, pHost_MAC_key, &HostMacKeyIdx, key_length);
+    if (ret != STSE_OK) {
+        return ret;
+    }
+
+    memset(pHost_MAC_key, 0x00, key_length);
+    memset(pHost_cypher_key, 0x00, key_length);
+
     pSession->type = STSE_HOST_SESSION;
-    pSession->context.host.pHost_MAC_key = pHost_MAC_key;
-    pSession->context.host.pHost_cypher_key = pHost_cypher_key;
+    pSession->context.host.Host_MAC_key_idx = HostMacKeyIdx;
+    pSession->context.host.Host_cypher_key_idx = HostCypherKeyIdx;
+    pSession->context.host.pSTSE = pSTSE;
+    pSTSE->pActive_host_session = pSession;
+
+    return (STSE_OK);
+}
+
+stse_ReturnCode_t stsafea_open_host_session_from_idx(stse_Handler_t *pSTSE, stse_session_t *pSession, PLAT_UI32 Host_MAC_key_idx, PLAT_UI32 Host_cypher_key_idx) {
+    stse_ReturnCode_t ret;
+
+    if (pSTSE == NULL) {
+        return STSE_CORE_HANDLER_NOT_INITIALISED;
+    }
+
+    if (pSession == NULL) {
+        return STSE_CORE_SESSION_ERROR;
+    }
+
+    if (pSTSE->device_type == STSAFE_A120) {
+        stsafea_host_key_slot_v2_t host_key_slot;
+
+        ret = stsafea_query_host_key_v2(pSTSE, &host_key_slot);
+        if (ret != STSE_OK) {
+            return ret;
+        }
+
+        if (host_key_slot.key_presence_flag == 0) {
+            return STSE_SERVICE_SESSION_ERROR;
+        }
+        pSession->context.host.key_type = (stse_aes_key_type_t)host_key_slot.key_type;
+        pSession->context.host.MAC_counter = ARRAY_4B_SWAP_TO_UI32(host_key_slot.cmac_sequence_counter);
+    } else {
+        stsafea_host_key_slot_t host_key_slot;
+
+        ret = stsafea_query_host_key(pSTSE, &host_key_slot);
+        if (ret != STSE_OK) {
+            return ret;
+        }
+
+        if (host_key_slot.key_presence_flag == 0) {
+            return STSE_SERVICE_SESSION_ERROR;
+        }
+        pSession->context.host.key_type = STSE_AES_128_KT;
+        pSession->context.host.MAC_counter = ARRAY_3B_SWAP_TO_UI32(host_key_slot.cmac_sequence_counter);
+    }
+
+    pSession->type = STSE_HOST_SESSION;
+    pSession->context.host.Host_MAC_key_idx = Host_MAC_key_idx;
+    pSession->context.host.Host_cypher_key_idx = Host_cypher_key_idx;
     pSession->context.host.pSTSE = pSTSE;
     pSTSE->pActive_host_session = pSession;
 
@@ -107,6 +167,12 @@ void stsafea_session_clear_context(stse_session_t *pSession) {
         return;
     }
 
+    if (pSession->context.host.Host_MAC_key_idx && pSession->context.host.Host_cypher_key_idx) {
+        stse_platform_delete_key(pSession->context.host.Host_cypher_key_idx, pSession->context.host.Host_MAC_key_idx);
+        pSession->context.host.Host_MAC_key_idx = 0x00;
+        pSession->context.host.Host_cypher_key_idx = 0x00;
+    }
+
     /* - Clear session context */
     memset(pSession, 0x00, sizeof(stse_session_t));
 }
@@ -164,8 +230,7 @@ stse_ReturnCode_t stsafea_session_frame_encrypt(stse_session_t *pSession,
     /* - Perform first AES ECB round on IV */
     ret = stse_platform_aes_ecb_enc(initial_value,
                                     STSAFEA_HOST_AES_BLOCK_SIZE,
-                                    pSession->context.host.pHost_cypher_key,
-                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+                                    pSession->context.host.Host_cypher_key_idx,
                                     initial_value,
                                     &encrypted_iv_len);
     if (ret != STSE_OK) {
@@ -196,8 +261,7 @@ stse_ReturnCode_t stsafea_session_frame_encrypt(stse_session_t *pSession,
         pEnc_payload_element->pData,
         pEnc_payload_element->length,
         initial_value,
-        pSession->context.host.pHost_cypher_key,
-        (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+        pSession->context.host.Host_cypher_key_idx,
         pEnc_payload_element->pData,
         &encrypted_payload_len);
     if (ret != 0) {
@@ -256,8 +320,7 @@ static stse_ReturnCode_t stsafea_session_frame_decrypt(stse_session_t *pSession,
     /* - Transform IV using AES ECB */
     ret = stse_platform_aes_ecb_enc(initial_value,
                                     STSAFEA_HOST_AES_BLOCK_SIZE,
-                                    pSession->context.host.pHost_cypher_key,
-                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+                                    pSession->context.host.Host_cypher_key_idx,
                                     initial_value,
                                     &out_len);
 
@@ -271,8 +334,7 @@ static stse_ReturnCode_t stsafea_session_frame_decrypt(stse_session_t *pSession,
     ret = stse_platform_aes_cbc_dec(decrypt_buffer,
                                     encrypted_payload_len,
                                     initial_value,
-                                    pSession->context.host.pHost_cypher_key,
-                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+                                    pSession->context.host.Host_cypher_key_idx,
                                     decrypt_buffer,
                                     &decrypted_payload_len);
 
@@ -328,8 +390,7 @@ static stse_ReturnCode_t stsafea_session_frame_c_mac_compute(stse_session_t *pSe
 
     /*- Initialize AES C-MAC computation */
 
-    ret = stse_platform_aes_cmac_init(pSession->context.host.pHost_MAC_key,
-                                      (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+    ret = stse_platform_aes_cmac_init(pSession->context.host.Host_MAC_key_idx,
                                       STSAFEA_MAC_SIZE);
     if (ret != STSE_OK) {
         return ret;
@@ -420,8 +481,7 @@ static stse_ReturnCode_t stsafea_session_frame_r_mac_verify(stse_session_t *pSes
 
         /*- Initialize AES CMAC computation */
         stse_platform_aes_cmac_init(
-            pSession->context.host.pHost_MAC_key,
-            (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
+            pSession->context.host.Host_MAC_key_idx,
             STSAFEA_MAC_SIZE);
 
         /*- Perform First AES-CMAC round */

diff --git a/services/stsafea/stsafea_sessions.h b/services/stsafea/stsafea_sessions.h
@@ -38,6 +38,21 @@ stse_ReturnCode_t stsafea_open_host_session(stse_Handler_t *pSTSE,
                                             PLAT_UI8 *pHost_MAC_key,
                                             PLAT_UI8 *pHost_cypher_key);
 
+/*!
+ * \brief 		This Core function Create a session context and associate it to STSAFE handler based on provided key index
+ * \details 	In some configuration, the session keys are already stored in the platform secure storage. This function
+ * allows to open a session based on the key index in the platform secure storage without providing the key value in input.
+ * \param[in] 	*pSession 			\ref stse_session_t Pointer to session
+ * \param[in] 	Host_MAC_key_idx 	Index of the MAC key in the platform secure storage
+ * \param[in] 	Host_cypher_key_idx Index of the cypher key in the platform secure storage
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise
+ * \details 	\include{doc} stsafe_erase_context.dox
+ */
+stse_ReturnCode_t stsafea_open_host_session_from_idx(stse_Handler_t *pSTSE,
+                                                     stse_session_t *pSession,
+                                                     PLAT_UI32 Host_MAC_key_idx,
+                                                     PLAT_UI32 Host_cypher_key_idx);
+
 /*!
  * \brief 		This Core function Close an existing host session context
  * \param[in] 	*pSession 			\ref stse_session_t Pointer to session