Cannot store a key in the psa key storage (err -134)

Question

I am attempting to store a pre-generated key in the psa key store using the psa API. I have taken the nrf->samples->crypto->hmac and nrf->samples->crypto->persistent_key_usage samples as a base for my implementation. 
 In my prj.conf file I declare: 
 CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y 
 And I try to store the key using the following code: 
 psa_status_t status;
 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_key_id_t key_id;

 status = psa_crypto_init();
 if(status)
 {
 LOG_ERR("psa_crypto_init failed - status %d", status);
 }

 psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
 psa_set_key_id(&key_attributes, HMAC_KEY_TAG);
 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
 psa_set_key_algorithm(&key_attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256));
 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC);
 psa_set_key_bits(&key_attributes, (strlen(key) * 8));
 
 status = psa_import_key(&key_attributes, key, strlen(key), &key_id);
 if(status)
 {
 LOG_ERR("psa_import_key failed - status %d", status);
 } 
 Unfortunately the call to psa_import_key fails with the return status -134 - suggesting that the operation or some parameter is not supported. 
 I use the same configuration as in the samples, BUT the CONFIG_PSA_NATIVE_ITS configuration shows a warning that a dependency is missing: !BUILD_WITH_TFM. Which is because I am building for the _ns target of my custom board definition (based on an nrf9160 board sample from the SDK), which has TFM enabled by default. 
 How would I go about making this work in combination with TFM? 
 Target: nrf9160 (ns) 
 SDK version: 2.4.0 
 
 Bonus question: 
 I want this key to have the same lifetime as the device. With the PSA_KEY_PERSISTENCE_READ_ONLY option, will the key be preserved on firmware updates? If not, how do I get the key to be more persistent? 
 
 Edit: 
 I didn’t notice this before, as there is no warning issued for this. Although I have configured CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y (seems to also be a dependency for key storage) in my prj.conf file, it is somehow set to n in the build. 
 For the Mbed TLS implementation I use the Nordic provided security backend library, and have the “Generate mbed TLS config files option enabled” (no custom Mbed TLS config file)

Amanda Hsieh · Accepted Answer

Hi, 
 Persistent key storage using PSA ITS from TF-M (available through PSA Crypto) in anything other than the configuyration than TF-M minimal build. CONFIG_PSA_NATIVE_ITS is only usable for non TF-M builds. 
 Likely the only thing strictly required is to set this in prj.conf and build the sample for _ns: CONFIG_TFM_PROFILE_TYPE_NOT_SET =y 
 nrf_security is a given for TF-M usage (ns-targets). PSA ITS support is dependent on not using TF-M minimal build. You should be able to configure and test this fairly easily on your desk to confirm. 
 I don't know what the size of key_bits is set to here, so I can't state anything about if this is the cause of some issue of not being supported. 
 -Amanda H.

Cannot store a key in the psa key storage (err -134)

Top Replies