tkey: Correct handling of the USS

The position of the USS in the load-app header is incorrect. Fix it in
the driver and the emulator, so it matches the tkey-sign program.

Co-developed-by: Claude <claude@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>

drivers/misc/tkey-uclass.c

@@ -470,12 +470,12 @@ static int tkey_load_app_header(struct udevice *dev, int app_size,
 			return ret;
 		}
 
-		/* USS present flag */
-		cmd_frame.data[5] = 1;
-		/* Copy USS hash (32 bytes) */
-		memcpy(&cmd_frame.data[6], uss_hash, 32);
+		log_debug("USS hash: %*ph\n", 32, uss_hash);
+
+		/* Copy USS hash (32 bytes) starting at data[5] */
+		memcpy(&cmd_frame.data[5], uss_hash, 32);
 		/* Pad remaining bytes with zeros */
-		memset(&cmd_frame.data[38], '\0', 128 - 38);
+		memset(&cmd_frame.data[37], '\0', 128 - 37);
 
 		log_debug("USS hash included in app header\n");
 	} else {
@@ -657,9 +657,9 @@ int tkey_get_pubkey(struct udevice *dev, void *pubkey)
 		return -EIO;
 	}
 
-	/* Extract public key (32 bytes) from response */
-	if (ret >= TKEY_FRAME_HEADER_SIZE + TKEY_PUBKEY_SIZE) {
-		memcpy(pubkey, rsp_frame.data, TKEY_PUBKEY_SIZE);
+	/* Extract public key (32 bytes) from response, skip response code byte */
+	if (ret >= TKEY_FRAME_HEADER_SIZE + 1 + TKEY_PUBKEY_SIZE) {
+		memcpy(pubkey, rsp_frame.data + 1, TKEY_PUBKEY_SIZE);
 		log_debug("Public key retrieved successfully\n");
 		return 0;
 	}

drivers/misc/tkey_emul.c

@@ -182,8 +182,13 @@ static int handle_firmware_cmd(struct udevice *dev, u8 cmd, const u8 *data)
 
 static int handle_app_get_pubkey(struct tkey_emul_priv *priv)
 {
-	memcpy(priv->resp, priv->pubkey, 32);
-	priv->resp_len = 32;
+	/*
+	 * Response format: 1-byte response code (0x02) + 32-byte pubkey
+	 * tkey_get_pubkey() expects this format and skips the response code
+	 */
+	priv->resp[0] = 0x02;  /* Response code for GET_PUBKEY */
+	memcpy(priv->resp + 1, priv->pubkey, 32);
+	priv->resp_len = 33;
 	log_debug("GET_PUBKEY\n");
 
 	return 0;