I am attempting to store a pre-generated key in the psa key store using the psa API. I have taken the nrf->samples->crypto->hmac and nrf->samples->crypto->persistent_key_usage samples as a base for my implementation.
In my prj.conf file I declare:
CONFIG_NRF_SECURITY=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y CONFIG_PSA_NATIVE_ITS=y
And I try to store the key using the following code:
psa_status_t status; psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_id_t key_id; status = psa_crypto_init(); if(status) { LOG_ERR("psa_crypto_init failed - status %d", status); } psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT); psa_set_key_id(&key_attributes, HMAC_KEY_TAG); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH); psa_set_key_algorithm(&key_attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256)); psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC); psa_set_key_bits(&key_attributes, (strlen(key) * 8)); status = psa_import_key(&key_attributes, key, strlen(key), &key_id); if(status) { LOG_ERR("psa_import_key failed - status %d", status); }
Unfortunately the call to psa_import_key fails with the return status -134 - suggesting that the operation or some parameter is not supported.
I use the same configuration as in the samples, BUT the CONFIG_PSA_NATIVE_ITS configuration shows a warning that a dependency is missing: !BUILD_WITH_TFM. Which is because I am building for the _ns target of my custom board definition (based on an nrf9160 board sample from the SDK), which has TFM enabled by default.
How would I go about making this work in combination with TFM?
Target: nrf9160 (ns)
SDK version: 2.4.0
Bonus question:
I want this key to have the same lifetime as the device. With the PSA_KEY_PERSISTENCE_READ_ONLY option, will the key be preserved on firmware updates? If not, how do I get the key to be more persistent?
Edit:
I didn’t notice this before, as there is no warning issued for this. Although I have configured CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y (seems to also be a dependency for key storage) in my prj.conf file, it is somehow set to n in the build.
For the Mbed TLS implementation I use the Nordic provided security backend library, and have the “Generate mbed TLS config files option enabled” (no custom Mbed TLS config file)