Hi,
I have been using the PSA crypto APIs successfully with volatile keys till now.
We want to move on to using persistent keys but I am not able to import a persistent key. I receive an error -135.
Here's my configuration. The build target is a _ns application.
# Basic BT Configs
CONFIG_BT=y
CONFIG_BT_PERIPHERAL=y
CONFIG_BT_CENTRAL=y
CONFIG_BT_SMP=y
CONFIG_BT_PHY_UPDATE=n
CONFIG_BT_HCI_VS=y
CONFIG_BT_HCI_VS_EXT=y
CONFIG_BT_HCI_VS_FATAL_ERROR=y
CONFIG_BT_MAX_CONN=5
CONFIG_BT_BUF_ACL_RX_SIZE=251
CONFIG_BT_BUF_ACL_TX_SIZE=251
CONFIG_BT_L2CAP_TX_MTU=247
# GATT Configs
CONFIG_BT_GATT_CLIENT=y
CONFIG_BT_GATT_DM=y
CONFIG_BT_GATT_DM_MAX_ATTRS=50
CONFIG_BT_GATT_DM_DATA_PRINT=n
CONFIG_BT_GATT_AUTO_UPDATE_MTU=y
CONFIG_BT_SMP_APP_PAIRING_ACCEPT=y
# Enable Persistent Storage for Bonds
CONFIG_SETTINGS=y
CONFIG_BT_SETTINGS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_BT_MAX_PAIRED=5
CONFIG_BT_KEYS_OVERWRITE_OLDEST=y
CONFIG_BT_ID_UNPAIR_MATCHING_BONDS=y
# Using hardware crypto accelerator on _ns build
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_WANT_KEY_TYPE_HMAC=y
CONFIG_ENTROPY_GENERATOR=y
CONFIG_ENTROPY_DEVICE_RANDOM_GENERATOR=y
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
# CONFIG_TFM_SECURE_UART0=y
# Dependencies for APP_EVENT_MANAGER and CAF & Security
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
# Enable CAF_BUTTONS
CONFIG_APP_EVENT_MANAGER=y
CONFIG_CAF=y
CONFIG_CAF_BUTTONS=y
CONFIG_CAF_CLICK_DETECTOR=y
CONFIG_CAF_CLICK_DETECTOR_LOG_LEVEL_INF=y
CONFIG_CAF_BUTTONS_POLARITY_INVERSED=y
# Enable Power Management
CONFIG_PM=y
CONFIG_PM_DEVICE=y
CONFIG_HW_ID_LIBRARY=y
CONFIG_HW_ID_LIBRARY_SOURCE_DEVICE_ID=y
# Enable LOGGING modules
CONFIG_LOG=y
CONFIG_LOG_BUFFER_SIZE=10240
CONFIG_SERIAL=y
CONFIG_LOG_MAX_LEVEL=4
CONFIG_APP_EVENT_MANAGER_LOG_LEVEL_WRN=y
CONFIG_BT_LOG_LEVEL_INF=y
CONFIG_BT_GATT_DM_LOG_LEVEL_INF=y
CONFIG_BT_HCI_CORE_LOG_LEVEL_INF=y
CONFIG_FATAL_ERROR_LOG_LEVEL_DBG=y
CONFIG_EXTRA_EXCEPTION_INFO=y
# Bootloader and DFU
CONFIG_BOOTLOADER_MCUBOOT=y

The code I am using to import a persistent key:
// Import a raw HMAC-SHA-256 key through the PSA Crypto API.
//
// key_lifetime  - PSA lifetime value applied to the key attributes.
// hmac_key      - raw key bytes handed to psa_import_key().
// hmac_key_size - length of hmac_key in bytes; must equal HMAC_SIG_SIZE_BYTES.
//
// On success the identifier written by psa_import_key() lands in
// g_hmac_key_info.key_id. A size mismatch is reported as
// PSA_ERROR_GENERIC_ERROR without touching the key store.
psa_status_t hmac_import_key(
psa_key_lifetime_t key_lifetime,
const uint8_t* hmac_key,
uint8_t hmac_key_size)
{
psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
// NOTE(review): the length is checked against the *signature* size constant
// while the key-bits attribute below uses HMAC_KEY_LENGTH_BITS. Presumably
// both describe 32 bytes / 256 bits - confirm, because psa_import_key()
// rejects data whose length disagrees with a non-zero bits attribute.
if (hmac_key_size != HMAC_SIG_SIZE_BYTES)
{
LOG_ERR("Invalid HMAC key size");
status = PSA_ERROR_GENERIC_ERROR;
}
if (status == PSA_SUCCESS)
{
// set import key parameters
// NOTE(review): HMAC goes through the psa_mac_* functions, whose policy
// checks are specified in terms of PSA_KEY_USAGE_SIGN_MESSAGE /
// PSA_KEY_USAGE_VERIFY_MESSAGE. Verify that the *_HASH flags used here are
// accepted by the crypto service in this build.
psa_set_key_usage_flags(
&key_attributes,
PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(
&key_attributes,
PSA_ALG_HMAC(PSA_ALG_SHA_256));
psa_set_key_lifetime(
&key_attributes,
key_lifetime);
psa_set_key_type(
&key_attributes,
PSA_KEY_TYPE_HMAC);
psa_set_key_bits(
&key_attributes,
HMAC_KEY_LENGTH_BITS);
// NOTE(review): key_lifetime is a psa_key_lifetime_t, but it is compared with
// PSA_KEY_PERSISTENCE_READ_ONLY, which is a psa_key_persistence_t level and
// not a lifetime. A caller passing PSA_KEY_LIFETIME_PERSISTENT never enters
// this branch, so the attributes keep key id 0. A persistent import without a
// valid id is rejected with PSA_ERROR_INVALID_ARGUMENT (-135), which is
// likely the error being reported. Test persistence instead, e.g.
// !PSA_KEY_LIFETIME_IS_VOLATILE(key_lifetime).
// NOTE(review): the id 121 is hard-coded. A persistent key outlives a reboot,
// so importing again under the same id is expected to fail with
// PSA_ERROR_ALREADY_EXISTS unless the old key is destroyed or opened first.
if (key_lifetime == PSA_KEY_PERSISTENCE_READ_ONLY)
{
psa_set_key_id(
&key_attributes,
121);
}
// NOTE(review): this dumps the raw HMAC key to the log at INFO level. Log
// output is not a confidential channel, so anyone who can read it can forge
// MACs with the key. Keep this limited to throw-away debug keys and compile
// it out of production images. The dump length is the literal 32 rather than
// hmac_key_size.
if (key_lifetime == PSA_KEY_LIFETIME_VOLATILE)
{
LOG_HEXDUMP_INF(
hmac_key,
32,
"Importing volatile debug HMAC key");
}
// Import key
// The returned status is the only failure signal; g_hmac_key_info.key_id
// should be treated as valid only when it is PSA_SUCCESS.
status = psa_import_key(
&key_attributes,
hmac_key,
hmac_key_size,
&g_hmac_key_info.key_id);
}

While importing a debug key I see this at the application log:

And I see this on the secure thread log:
