Hello
I am working on integrating https client functionality to product based on nrf9160. My current setup consist of nrf9160DK and nrfConnect SDK v2.5.0. Build is performed on Mac OS intel machine.
Client have to be verified so TLS handshake must consist of Client-Certificate Verify step. Therefore client has to store private key and certificate.
The security requirement is that the private key can't be accessible from non-secure domain.
My understanding is that this might be easily done with offloaded nrf91 socket, since modem supports keygen command and returns certificate signing request. However the project should support multiple network interfaces with one key so using offloaded stack doesn't seem to be an option.
In many responses on devzonze you recommend using:
https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/crypto/psa_tls/README.html,
which states that "During the sample initialization, the certificates and keys are fetched from TF-M Protected Storage and kept in non-secure RAM for use during every subsequent TLS handshake.", which is does not fulfill my requirements.
There is also sample available directly in zephyr repo, which seems like exactly what I need:
https://docs.zephyrproject.org/latest/samples/tfm_integration/psa_crypto/README.html,
but it won't build for nrf9160_nrf9160dk_ns and seems very outdated since some symbols like:
Is there currently any supported way of using tls with zephyr network stack and private keeping key in secure domain?
Regards,
Piotr
