• State Verified Answer
  • Replies 7 replies
  • Subscribers 87 subscribers
  • Views 2643 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 312394
Options

Cannot store a key in the psa key storage (err -134)

luc_eac

I am attempting to store a pre-generated key in the psa key store using the psa API. I have taken the nrf->samples->crypto->hmac and nrf->samples->crypto->persistent_key_usage samples as a base for my implementation.

In my prj.conf file I declare:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

And I try to store the key using the following code:

    psa_status_t status;
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_key_id_t  key_id;

    status = psa_crypto_init();
    if(status)
    {
        LOG_ERR("psa_crypto_init failed - status %d", status);
    }

    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_id(&key_attributes, HMAC_KEY_TAG);
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
    psa_set_key_algorithm(&key_attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256));
    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC);
    psa_set_key_bits(&key_attributes, (strlen(key) * 8));
    
    status = psa_import_key(&key_attributes, key, strlen(key), &key_id);
    if(status)
    {
        LOG_ERR("psa_import_key failed - status %d", status);
    }

Unfortunately the call to psa_import_key fails with the return status -134 - suggesting that the operation or some parameter is not supported.

I use the same configuration as in the samples, BUT the CONFIG_PSA_NATIVE_ITS configuration shows a warning that a dependency is missing: !BUILD_WITH_TFM. Which is because I am building for the _ns target of my custom board definition (based on an nrf9160 board sample from the SDK), which has TFM enabled by default.

How would I go about making this work in combination with TFM?

Target: nrf9160 (ns)

SDK version: 2.4.0


Bonus question:

I want this key to have the same lifetime as the device. With the PSA_KEY_PERSISTENCE_READ_ONLY option, will the key be preserved on firmware updates? If not, how do I get the key to be more persistent?

Edit:

I didn’t notice this before, as there is no warning issued for this. Although I have configured CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y (seems to also be a dependency for key storage) in my prj.conf file, it is somehow set to n in the build.

For the Mbed TLS implementation I use the Nordic provided security backend library, and have the “Generate mbed TLS config files option enabled” (no custom Mbed TLS config file)

  • 0

    Hi, 

    How would I go about making this work in combination with TFM?

    I am checking with the team and will update it later. 

    I want this key to have the same lifetime as the device. With the PSA_KEY_PERSISTENCE_READ_ONLY option, will the key be preserved on firmware updates? If not, how do I get the key to be more persistent?

    See the note in persistent_key_usage sample: 

    The read-only type of persistent keys cannot be destroyed with the psa_destroy_key function. The PSA_KEY_PERSISTENCE_READ_ONLY macro is used for read-only keys. The key ID of a read-only key is writable again after a full erase of the device memory. Use the west -v flash --erase command for the full erase.

    Regards,
    Amanda H.

  • +1

    Hi, 

    Persistent key storage using PSA ITS from TF-M (available through PSA Crypto) in anything other than the configuyration than TF-M minimal build. CONFIG_PSA_NATIVE_ITS is only usable for non TF-M builds.

    Likely the only thing strictly required is to set this in prj.conf and build the sample for _ns:
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

    nrf_security is a given for TF-M usage (ns-targets). PSA ITS support is dependent on not using TF-M minimal build. You should be able to configure and test this fairly easily on your desk to confirm.

    I don't know what the size of key_bits is set to here, so I can't state anything about if this is the cause of some issue of not being supported. 

    -Amanda H.

  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thank you for the answers. I ran out of flash and had to do a bit of fighting with the partition manager and MCUBoot to get things to compile and run again.

    After that I was able to verity that storing and using keys through the psa API works.

    One last question: I see that the build system has created 3 new partitions; tfm_otp_nv_counters, tfm_ps and tfm_its. Presumably these are the partitions that TFM uses to store encrypted data. However, these partitions are created inside my mcuboot_primary partition by default.

    Is it advised to manually move these partitions to outside the application image partition? Does it even matter? (the key seems to remain untouched when I re-flash my system to start a new debugging session)

  • 0 in reply to luc_eac

    Hi, 

    You can relocate tfm_otp_nv_counters, tfm_ps, and tfm_its. You can build TF-M: PSA template and refer to its partitions. 

    -Amanda H.

  • 0 in reply to luc_eac

    Hi luc_eac,

     how did you manage to get psa API to work?

    When I disable the CONFIG_TFM_PROFILE_TYPE_MINIMAL in order to be able to configure anything the tfm_secure partition explodes (from 32 kB in CONFIG_TFM_PROFILE_TYPE_MINIMAL to 256 kB)

    Thanks

    Stefan

Related
Terms of service