• State Verified Answer
  • Replies 4 replies
  • Subscribers 72 subscribers
  • Views 1242 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 309302
Options

Using PSA function to persist key in kmu AND later restore it for AES encryption

Anthony Ambuehl

NCS v2.3.0

NRF5340DK nrf5340 cpuapp

I'm trying to understand how I would configure and use the PSA functions to store a key in the KMU and then perform an encryption operation using the key directly from the kmu without loading into memory.

I saw this sample developer.nordicsemi.com/.../README.html which shows generating a random key and persisting it some place. Its unclear to me if this is actually stored in the kmu or if its stored in a secure partition. This example also does not demonstrate how to use a key that was previously created and persisted.

If I have multiple persistent keys that were previously created, how do I get the key_handle to them?

I noticed in crypto_extra.h there is an api to specify a slot number: psa_set_key_slot_number

and also an API for registering an already loaded key: mbedtls_psa_register_se_key

However I cannot figure out how to get these APIs enabled in my build.. it requires MBEDTLS_PSA_CRYPTO_SE_C which does not seem to have an existing KCONFIG flag.

Is the PSA a supported way to perform crypto operations with persistent keys? Do I need to use nrf3x and mbedtls functions directly as in this sample github.com/.../main.c ?

It would be great if the persistent key usage sample actually showed retrieving key and using it.

Parents
  • +1

    Hi,

    When you store persistent keys with PSA crypto those are stored in the Internal Trusted Storage and not the KMU. However, the internal trusted storage is encrypted by a key that is stored in the KMU.

    As you wound, they key is identified with an ID/handle (that you get when generating or importing it), and it is the handle you use to refer to that key whenever it is needed, never the key itself. You can se several examples of this in the examples under nrf\samples\crypto\.

    There is no explicit API for checking if a key exists. So you would have to try to use it or generate it, and handle the error code if it did / did not exist.

    I would recommend using the PSA APIs, but if you need to use the KMU directly to store your data there, you can use CC3XX Platform - KMU APIs.

Reply
  • +1

    Hi,

    When you store persistent keys with PSA crypto those are stored in the Internal Trusted Storage and not the KMU. However, the internal trusted storage is encrypted by a key that is stored in the KMU.

    As you wound, they key is identified with an ID/handle (that you get when generating or importing it), and it is the handle you use to refer to that key whenever it is needed, never the key itself. You can se several examples of this in the examples under nrf\samples\crypto\.

    There is no explicit API for checking if a key exists. So you would have to try to use it or generate it, and handle the error code if it did / did not exist.

    I would recommend using the PSA APIs, but if you need to use the KMU directly to store your data there, you can use CC3XX Platform - KMU APIs.

Children
Related
Terms of service