Persistent Key Import PSA failing with -135 (PSA_ERROR_INVALID_ARGUMENT)

Hi, 

I have been using the PSA crypto APIs successfully with volatile keys till now. 

We want to move on to using persistent keys but I am not able to import a persistent key. I receive an error -135. 


Here's my configuration. The build target is a _ns application.

# Basic BT Configs
CONFIG_BT=y
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y  
CONFIG_BT_PHY_UPDATE=n
                       
CONFIG_BT_HCI_VS=y
CONFIG_BT_HCI_VS_EXT=y
CONFIG_BT_HCI_VS_FATAL_ERROR=y
CONFIG_BT_MAX_CONN=5            
CONFIG_BT_BUF_ACL_RX_SIZE=251
CONFIG_BT_BUF_ACL_TX_SIZE=251
CONFIG_BT_L2CAP_TX_MTU=247

# GATT Configs
CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DM=y
CONFIG_BT_GATT_DM_MAX_ATTRS=50
CONFIG_BT_GATT_DM_DATA_PRINT=n
CONFIG_BT_GATT_AUTO_UPDATE_MTU=y 
CONFIG_BT_SMP_APP_PAIRING_ACCEPT=y

# Enable Persistent Storage for Bonds
CONFIG_SETTINGS=y
CONFIG_BT_SETTINGS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_BT_MAX_PAIRED=5
CONFIG_BT_KEYS_OVERWRITE_OLDEST=y
CONFIG_BT_ID_UNPAIR_MATCHING_BONDS=y

# Using hardware crypto accelerator on _ns build
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y        
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_KEY_TYPE_HMAC=y
CONFIG_ENTROPY_GENERATOR=y
CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
# CONFIG_TFM_SECURE_UART0=y

# Dependencies for APP_EVENT_MANAGER and CAF & Security
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096

# Enable CAF_BUTTONS
CONFIG_APP_EVENT_MANAGER=y    
CONFIG_CAF=y
CONFIG_CAF_BUTTONS=y
CONFIG_CAF_CLICK_DETECTOR=y
CONFIG_CAF_CLICK_DETECTOR_LOG_LEVEL_INF=y
CONFIG_CAF_BUTTONS_POLARITY_INVERSED=y             

# Enable Power Management 
CONFIG_PM=y
CONFIG_PM_DEVICE=y
CONFIG_HW_ID_LIBRARY=y
CONFIG_HW_ID_LIBRARY_SOURCE_DEVICE_ID=y

# Enable LOGGING modules
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=10240
CONFIG_SERIAL=y
CONFIG_LOG_MAX_LEVEL=4
CONFIG_APP_EVENT_MANAGER_LOG_LEVEL_WRN=y
CONFIG_BT_LOG_LEVEL_INF=y
CONFIG_BT_GATT_DM_LOG_LEVEL_INF=y
CONFIG_BT_HCI_CORE_LOG_LEVEL_INF=y
CONFIG_FATAL_ERROR_LOG_LEVEL_DBG=y
CONFIG_EXTRA_EXCEPTION_INFO=y


# Bootloader and DFU
CONFIG_BOOTLOADER_MCUBOOT=y



The code I am using to import a persistent key. 

psa_status_t hmac_import_key(
    psa_key_lifetime_t key_lifetime,
    const uint8_t* hmac_key,
    uint8_t hmac_key_size)
{
    psa_status_t status = PSA_SUCCESS;

    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

    if (hmac_key_size != HMAC_SIG_SIZE_BYTES)
    {
        LOG_ERR("Invalid HMAC key size");
        status = PSA_ERROR_GENERIC_ERROR;
    }

    if (status == PSA_SUCCESS)
    {
        // set import key parameters
        psa_set_key_usage_flags(
            &key_attributes,
            PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_HASH);

        psa_set_key_algorithm(
            &key_attributes,
            PSA_ALG_HMAC(PSA_ALG_SHA_256));

        psa_set_key_lifetime(
            &key_attributes,
            key_lifetime);

        psa_set_key_type(
            &key_attributes,
            PSA_KEY_TYPE_HMAC);

        psa_set_key_bits(
            &key_attributes,
            HMAC_KEY_LENGTH_BITS);

        if (key_lifetime == PSA_KEY_PERSISTENCE_READ_ONLY)
        {
            psa_set_key_id(
                &key_attributes,
                121);
        }

        if (key_lifetime == PSA_KEY_LIFETIME_VOLATILE)
        {
            LOG_HEXDUMP_INF(
                hmac_key,
                32,
                "Importing volatile debug HMAC key");
        }
        // Import key
        status = psa_import_key(
            &key_attributes,
            hmac_key,
            hmac_key_size,
            &g_hmac_key_info.key_id);
    }



While importing a debug key I see this at the application log



And I see this on the secure thread log



  • Hi,

    I don't see all of your hmac_import_key() function. Is it from psa_import_key() you get PSA_ERROR_INVALID_ARGUMENT or somewhere else? What exactly are the input arguments?

    From the API doc:

    PSA_ERROR_INVALID_ARGUMENT - The following conditions can result in this error:

    • The key type is invalid.
    • The key size is nonzero, and is incompatible with the key data in data.
    • The key lifetime is invalid.
    • The key identifier is not valid for the key lifetime.
    • The key usage flags include invalid values.
    • The key’s permitted-usage algorithm is invalid.
    • The key attributes, as a whole, are invalid.
    • The key data is not correctly formatted for the key type.
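The listed condition "The key identifier is not valid for the key lifetime" can be checked before calling psa_import_key(). The following is an added example, not code from the thread or from the nRF Connect SDK: it assumes the function is called with PSA_KEY_LIFETIME_PERSISTENT and a 32-byte key with 256 key bits, mirrors the constant values from the PSA Crypto API specification locally, and uses two hypothetical helpers, preflight_import() and id_after_guard(). It shows that a guard comparing the lifetime against PSA_KEY_PERSISTENCE_READ_ONLY never matches that lifetime, so the key id stays at 0.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values mirrored from the PSA Crypto API specification so this builds
 * without psa/crypto.h; in firmware, include the real header instead. */
typedef int32_t  psa_status_t;
typedef uint32_t psa_key_lifetime_t;
typedef uint32_t psa_key_id_t;
#define PSA_SUCCESS                   ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT    ((psa_status_t)-135)
#define PSA_KEY_LIFETIME_VOLATILE     ((psa_key_lifetime_t)0x00000000)
#define PSA_KEY_LIFETIME_PERSISTENT   ((psa_key_lifetime_t)0x00000001)
#define PSA_KEY_PERSISTENCE_VOLATILE  0x00u
#define PSA_KEY_PERSISTENCE_READ_ONLY 0xffu
#define PSA_KEY_ID_USER_MIN           ((psa_key_id_t)0x00000001)
#define PSA_KEY_ID_USER_MAX           ((psa_key_id_t)0x3fffffff)
#define PSA_KEY_LIFETIME_GET_PERSISTENCE(l) ((uint8_t)((l) & 0xffu))

/* Hypothetical pre-flight check for raw-byte key types such as HMAC. */
psa_status_t preflight_import(psa_key_lifetime_t lifetime, psa_key_id_t id,
                              size_t bits, size_t data_len)
{
    int is_volatile = PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime)
                      == PSA_KEY_PERSISTENCE_VOLATILE;
    /* "The key identifier is not valid for the key lifetime." */
    if (!is_volatile && (id < PSA_KEY_ID_USER_MIN || id > PSA_KEY_ID_USER_MAX))
        return PSA_ERROR_INVALID_ARGUMENT;
    /* "The key size is nonzero, and is incompatible with the key data." */
    if (bits != 0 && bits != data_len * 8)
        return PSA_ERROR_INVALID_ARGUMENT;
    return PSA_SUCCESS;
}

/* Key id left in the attributes by `if (lifetime == guard) set_id(wanted)`;
 * attributes set up with PSA_KEY_ATTRIBUTES_INIT start with id 0. */
psa_key_id_t id_after_guard(psa_key_lifetime_t lifetime,
                            psa_key_lifetime_t guard, psa_key_id_t wanted)
{
    return (lifetime == guard) ? wanted : 0;
}

int main(void)
{
    psa_key_lifetime_t lt = PSA_KEY_LIFETIME_PERSISTENT; /* assumed input */
    psa_key_id_t a = id_after_guard(lt, PSA_KEY_PERSISTENCE_READ_ONLY, 121);
    psa_key_id_t b = id_after_guard(lt, PSA_KEY_LIFETIME_PERSISTENT, 121);
    printf("guard READ_ONLY:  id=%u status=%d\n", (unsigned)a, (int)preflight_import(lt, a, 256, 32));
    printf("guard PERSISTENT: id=%u status=%d\n", (unsigned)b, (int)preflight_import(lt, b, 256, 32));
    return 0;
}
```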