PSA Crypto vs Key Management Unit

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Mon, 29 Jan 2024 13:30:00 GMT

Happy to help. 🙂

RE: PSA Crypto vs Key Management Unit

Cla — Mon, 29 Jan 2024 11:37:11 GMT

Thanks

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Thu, 25 Jan 2024 14:09:23 GMT

Hi,

We only use HW keys in KMU for the HW unique keys (MKEK for EITS, MEXT for PSA PS, and encrypted private key for identity in Attestation tokens) TF-M uses hw_unique_key library for this.

Generic KMU support is not in place in the PSA driver scope.

-Amanda H.

RE: PSA Crypto vs Key Management Unit

Cla — Wed, 24 Jan 2024 09:24:41 GMT

[quote userid="77782" url="~/f/nordic-q-a/107522/psa-crypto-vs-key-management-unit/465617"]2 &6. as my previous reply. [/quote]

My understanding from reading the documentation is, that when using the psa_crypto APIs the keys are exactly not stored in the Key Management Unit. Instead the keys are stored in internal trusted storage, which in turn in encrypted using MKEK. MKEK is stored in the keymanagement unit (using nrf_cc3xx).

That is to say, if I read the documentation about persistent keys, when using the psa_crypto APIs correctly, then it is not a way to use the keymanagement unit to store keys. Instead it uses TFM ITS to store keys.

"The persistent key sample shows how to generate a persistent key using the Platform Security Architecture (PSA) APIs. Persistent keys are stored in the Internal Trusted Storage (ITS) " https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/crypto/persistent_key_usage/README.html#crypto-persistent-key-storage

If I would like to use the key management unit to store keys when using TFM do I have to implement my own custom service?

[quote userid="77782" url="~/f/nordic-q-a/107522/psa-crypto-vs-key-management-unit/465617"]4 & 5. psa_crypto APIs could be used without TFM. Here is the sample https://github.com/nrfconnect/sdk-nrf/tree/main/samples/crypto/persistent_key_usage [/quote]

Edit: Understood, thanks for the sample.

[quote userid="77782" url="~/f/nordic-q-a/107522/psa-crypto-vs-key-management-unit/465617"]TFM can support hardware unique key with psa_crypto APIs instead of using nrf_cc3xx.[/quote]

I am not refering to colloquial hardware keys that are unique. I am refering explicitly to the linked library https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html . This library is unavailable when using TFM?

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Tue, 23 Jan 2024 14:29:03 GMT

1. correct

2 &6. as my previous reply.

3. TFM can support hardware unique key with psa_crypto APIs instead of using nrf_cc3xx.

4 & 5. psa_crypto APIs could be used without TFM. Here is the sample https://github.com/nrfconnect/sdk-nrf/tree/main/samples/crypto/persistent_key_usage

RE: PSA Crypto vs Key Management Unit

Cla — Tue, 23 Jan 2024 09:04:12 GMT

Thank you for your reply.
Do I understand your reply correctly, that your are confirming all above statements 1-6 to be true?

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Mon, 22 Jan 2024 17:33:45 GMT

When TF-M is enabled, the hardware unique key is derived using the psa_crypto APIs. Otherwise, the native nrf_cc3xx_platform APIs are used, and the key is imported into psa_crypto. For more information, see the hardware unique key library and sample.

RE: PSA Crypto vs Key Management Unit

Cla — Mon, 22 Jan 2024 16:38:04 GMT

Thanks for replying. This does not at all help to clarify, I am afraid.

Maybe let me express myself differently:

If I want to access https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/crypto/doc/api.html#crypto-api-nrf-cc3xx-platform from my application, then I MUST not use COFIG_BUILD_WITH_TFM
If I want to access https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html from my application, then I MUST not use CONFIG_BUILD_WITH_TFM
If I want to use CONFIG_BUILD_WITH_TFM, then `cc3xx` and `hw_unique_keys` is not available to the application
If I want to use any of the PSA_...- libraries (https://arm-software.github.io/psa-api/ crypto, secure storage consisting of internal trusted storage and protected storage), then I MUST use CONFIG_BUILD_WITH_TFM
If I do not want to use CONFIG_BUILD_WITH_TFM, then the PSA_...-libraries are not available to me.
So I can either use CONFIG_BUILD_WITH_TFM and the PSA...-libraries or the `cc3xx`- and `hw_unique_keys`-libraries. But I can not mix. In that sense they are mutually exclusive.

Did I get that right?

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Mon, 22 Jan 2024 15:35:20 GMT

TF-M Internal Trusted Storage (ITS) service implements PSA Internal Trusted Storage APIs. See TF-M Internal Trusted Storage Service Integration Guide.

RE: PSA Crypto vs Key Management Unit

Cla — Mon, 22 Jan 2024 07:45:13 GMT

Thanks for your reply.

Do I understand correctly, that to access the CryptoCell there are different options?

- Build without tfm and use the `cc3xx` interface and/or the `hardware_unique_key`

- Build with tfm and use the `PSA X` (PSA CRYPTO, PSA ITS, PSA PS) -interfaces

The two options are mutually exclusive? No combination of the above is possible?

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Fri, 19 Jan 2024 21:19:41 GMT

The warning is expected. NRF_CC3XX library cannot work with TF-M. To encrypted ITS with TF-M, it requires CONFIG_TFM_ITS_ENCRYPTED. See the Encrypted ITS section.

RE: PSA Crypto vs Key Management Unit

Cla — Fri, 19 Jan 2024 17:04:32 GMT

The cc3xx library can work in the non-TF-M secure environment.

When I want to enable `NRF_CC3XX_PLATFORM` I get a warning, that TFM needs to be disabled!
Am I doing something wrong?

RE: PSA Crypto vs Key Management Unit

Amanda Hsieh — Thu, 18 Jan 2024 16:46:18 GMT

Hi,

[quote user=""]

If the ITS is encrypted it will use the MKEK key (part of HARDWARE UNIQUE KEYS (HUK), stored in the key management unit).

Is my assessment correct?

[/quote]

Yes, see this post.

[quote user=""]What is the connection between the PSA CRYPTO API, the KEY MANAGEMENT UNIT and the ...cc3x_...-library?[/quote]

See this blog Persistent storage of keys and data using the nRF Connect SDK

[quote user=""]Is the cc3xx...-api available from secure and non-secure processing environment (app and tfm?)?[/quote]

The cc3xx library can work in the non-TF-M secure environment. As for TFM, please see Encrypted ITS.

Regards,
Amanda H.

RE: PSA Crypto vs Key Management Unit

Cla — Thu, 18 Jan 2024 12:28:08 GMT

Compare also: devzone.nordicsemi.com/.../using-psa-function-to-persist-key-in-kmu-and-later-restore-it-for-aes-encryption