Cannot store a key in the psa key storage (err -134)

I am attempting to store a pre-generated key in the psa key store using the psa API. I have taken the nrf->samples->crypto->hmac and nrf->samples->crypto->persistent_key_usage samples as a base for my implementation.

In my prj.conf file I declare:

    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
    CONFIG_PSA_NATIVE_ITS=y

And I try to store the key using the following code:

    psa_status_t status;
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_key_id_t key_id;

    /* The PSA Crypto subsystem must be initialised before any key operation. */
    status = psa_crypto_init();
    if (status != PSA_SUCCESS)
    {
        LOG_ERR("psa_crypto_init failed - status %d", status);
    }

    /* Persistent HMAC-SHA-256 key stored under the fixed ID HMAC_KEY_TAG. */
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_id(&key_attributes, HMAC_KEY_TAG);
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
    psa_set_key_algorithm(&key_attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256));
    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC);
    /* strlen() treats key as a NUL-terminated string when computing its size. */
    psa_set_key_bits(&key_attributes, (strlen(key) * 8));

    /* Import the pre-generated key material into the key store. */
    status = psa_import_key(&key_attributes, key, strlen(key), &key_id);
    if (status != PSA_SUCCESS)
    {
        LOG_ERR("psa_import_key failed - status %d", status);
    }

Unfortunately the call to psa_import_key fails with the return status -134 - suggesting that the operation or some parameter is not supported.

I use the same configuration as in the samples, but the CONFIG_PSA_NATIVE_ITS configuration shows a warning that a dependency is missing: !BUILD_WITH_TFM. This is because I am building for the _ns target of my custom board definition (based on an nrf9160 board sample from the SDK), which has TFM enabled by default.

How would I go about making this work in combination with TFM?

Target: nrf9160 (ns)

SDK version: 2.4.0


Bonus question:

I want this key to have the same lifetime as the device. With the PSA_KEY_PERSISTENCE_READ_ONLY option, will the key be preserved on firmware updates? If not, how do I get the key to be more persistent?

Edit:

I didn’t notice this before, as there is no warning issued for this. Although I have configured CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y (seems to also be a dependency for key storage) in my prj.conf file, it is somehow set to n in the build.

For the Mbed TLS implementation I use the Nordic provided security backend library, and have the “Generate mbed TLS config files” option enabled (no custom Mbed TLS config file).
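The mismatch described in the edit above, where a symbol requested in prj.conf ends up as n in the build without a warning, can be caught by comparing prj.conf against the merged configuration the build writes (build/zephyr/.config in a Zephyr build). This is an added example, not part of the original post or of the nRF Connect SDK; the function names are hypothetical and the sample .config contents are constructed for illustration.

```python
import re

ASSIGN = re.compile(r"^(CONFIG_\w+)=(.*)$")
NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map symbol -> value for 'CONFIG_X=val' and '# CONFIG_X is not set' lines."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ASSIGN.match(line)):
            symbols[m.group(1)] = m.group(2).strip()
        elif (m := NOT_SET.match(line)):
            symbols[m.group(1)] = "n"
    return symbols


def kconfig_drift(requested_text, effective_text):
    """Return (symbol, requested, effective) for each request the build did not honour."""
    effective = parse_kconfig(effective_text)
    drift = []
    for sym, want in parse_kconfig(requested_text).items():
        # A symbol missing from .config was never assigned by the build.
        got = effective.get(sym, "absent")
        if got != want and not (want == "n" and got == "absent"):
            drift.append((sym, want, got))
    return drift


# Requested symbols, as listed in the post's prj.conf.
PRJ_CONF = """\
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y
"""

# Constructed sample of a merged .config for a TF-M (_ns) build; not real build output.
DOT_CONFIG = """\
CONFIG_NRF_SECURITY=y
CONFIG_BUILD_WITH_TFM=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C is not set
"""

if __name__ == "__main__":
    for sym, want, got in kconfig_drift(PRJ_CONF, DOT_CONFIG):
        print(f"{sym}: prj.conf asks for {want}, build has {got}")
```

To run it against a real build, pass the contents of prj.conf and of the build directory's .config to `kconfig_drift` in place of the two sample strings.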

  • Hi, 

    Persistent key storage using PSA ITS from TF-M (available through PSA Crypto) is supported in any configuration other than the TF-M minimal build. CONFIG_PSA_NATIVE_ITS is only usable for non TF-M builds.

    Likely the only thing strictly required is to set this in prj.conf and build the sample for _ns:
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

    nrf_security is a given for TF-M usage (ns-targets). PSA ITS support is dependent on not using TF-M minimal build. You should be able to configure and test this fairly easily on your desk to confirm.

    I don't know what the size of key_bits is set to here, so I can't state anything about if this is the cause of some issue of not being supported. 

    -Amanda H.

  • Hi Amanda,

    Thank you for the answers. I ran out of flash and had to do a bit of fighting with the partition manager and MCUBoot to get things to compile and run again.

    After that I was able to verify that storing and using keys through the psa API works.

    One last question: I see that the build system has created 3 new partitions; tfm_otp_nv_counters, tfm_ps and tfm_its. Presumably these are the partitions that TFM uses to store encrypted data. However, these partitions are created inside my mcuboot_primary partition by default.

    Is it advised to manually move these partitions to outside the application image partition? Does it even matter? (the key seems to remain untouched when I re-flash my system to start a new debugging session)

  • Hi, 

    You can relocate tfm_otp_nv_counters, tfm_ps, and tfm_its. You can build TF-M: PSA template and refer to its partitions. 

    -Amanda H.

  • Hi luc_eac,

    How did you manage to get the psa API to work?

    When I disable the CONFIG_TFM_PROFILE_TYPE_MINIMAL in order to be able to configure anything, the tfm_secure partition explodes (from 32 kB in CONFIG_TFM_PROFILE_TYPE_MINIMAL to 256 kB).

    Thanks

    Stefan

  • Hi Stefan,

    It seems I set the configuration to:

    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
    CONFIG_NRF_SECURITY=y

    In combination with the code snippet in my original post.

    For us the tfm_secure partition is also >200kB. I have not looked into decreasing the size for this partition because "It works! Don't touch it!".

  • Hi luc_eac,

    thank you for your reply.

    Mmmh, if you want to build a real world application (which means you have to support FOTA) and you need more features than included in CONFIG_TFM_PROFILE_TYPE_MINIMAL, then the space left for the actual application gets pretty tiny... If you don't have an external Flash available (as it is expected in the Nordic provided applications).
