• State Not Answered
  • Replies 7 replies
  • Subscribers 73 subscribers
  • Views 177 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 340507
Options

persistent EdDSA key generate ,detroy and generate

kelk

Hi! I’m trying to generate an EdDSA key pair and store it in persistent storage. I then delete the keys and regenerate them. However, after a few successful iterations, my program freezes.

I also noticed that when I enable the hardware accelerator (CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y), the program freezes immediately during key generation.

Additionally, I’m having trouble debugging my program, likely due to the large number of files in my project.

I’m using the CPN003 board with SDK v2.7.0. What could be c

##Crypto
# Enable nordic security backend and PSA APIs
# The Zephyr CMSIS emulation assumes that ticks are ms, currently
CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_HEAP_MEM_POOL_SIZE=8192
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192


CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
CONFIG_PSA_WANT_ALG_SHA_512=y
CONFIG_PSA_WANT_ALG_PURE_EDDSA=y

# Using hardware crypto accelerator
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
# For key generation
CONFIG_PSA_WANT_GENERATE_RANDOM=y

#ECDH
CONFIG_PSA_WANT_ALG_ECDH=y
CONFIG_PSA_WANT_ECC_MONTGOMERY_255=y

#HKDF
CONFIG_PSA_WANT_ALG_HKDF=y
CONFIG_PSA_WANT_ALG_HMAC=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_KEY_TYPE_HMAC=y
#AES GCM
CONFIG_PSA_WANT_KEY_TYPE_AES=y
CONFIG_PSA_WANT_ALG_GCM=y

# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_WANT_ALG_CTR=y
CONFIG_TFM_ITS_ENCRYPTED=y
CONFIG_REBOOT=y

# Enable secure storage APIs
# Using hardware crypto accelerator


CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y
CONFIG_TRUSTED_STORAGE=y

#CMAC
CONFIG_PSA_WANT_ALG_CMAC=y
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
ausing these issues, and how can I resolve them?

  • 0 in reply to Amanda Hsieh

    Hi Amanda ,

    Thank you for your response. My code is based on this sample, but the difference is that my key lifetime is persistent rather than volatile. I've noticed that key generation takes increasingly more time, ranging from 5 ms to 10 ms, possibly because the application needs to access the ITS where the persistent keys are stored. After that, the application freezes. I have also reviewed the sample with persistent keys. Is it possible to generate keys asynchronously?

  • 0 in reply to kelk

    Hi, 

    I am confused now. In the first post, you said

    when I enable the hardware accelerator (CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y), the program freezes immediately during key generation.

    Later

    kelk said:
    I've noticed that key generation takes increasingly more time, ranging from 5 ms to 10 ms, possibly because the application needs to access the ITS where the persistent keys are stored. After that, the application freezes.

    Seems like two different issues.

    Could you test your key generation setting with persistent_key_usage? Do you get any errors? If so, please provide the log and snipped code. If not, You can check this course https://academy.nordicsemi.com/courses/nrf-connect-sdk-intermediate/lessons/lesson-2-debugging/ on how to debug your application.

    -Amanda H.

  • 0 in reply to Amanda Hsieh

    Hi Amanda, 

    i recapitulate

    • I can generate the key successfully, but after a few iterations (5–6), the program freezes. I've also noticed that key generation time gradually increases from 5 ms to 10 ms before the freeze occurs.
    • When I enable CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y, as shown in the persistent storage sample, the program freezes immediately during key generation.
    • When the program freezes, there is no error code or any indication of failure.
    • I destrotroy the key before generating a new one 
    • #define KEY_PAIR    ((psa_key_id_t) 0x00000110)
static psa_key_id_t key_pair_id;
int SecCom_generate_eddsa_keypair(void)
{
    psa_status_t status;

    LOG_INF("Generating random EDDSA keypair");

    /* Initialize key attributes */
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

    /* Configure key attributes for signing */
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
    psa_set_key_algorithm(&key_attributes, PSA_ALG_PURE_EDDSA);
    psa_set_key_type(&key_attributes, 
                     PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_TWISTED_EDWARDS));
    psa_set_key_bits(&key_attributes, 255);

    /* Configure key for persistent storage */
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_id(&key_attributes, KEY_PAIR);

    /* Generate a random keypair */
    status = psa_generate_key(&key_attributes, &key_pair_id);
    if (status == PSA_ERROR_ALREADY_EXISTS)
    {
        LOG_INF("Key already exists");
        return APP_SUCCESS;
    }
    else if (status != PSA_SUCCESS) 
    {
        LOG_INF("psa_generate_key failed! (Error: %d)", lu32_status);
        return APP_ERROR;
    }

    /* Purge the generated key  from the RAM */
    status = psa_purge_key(key_pair_id);
    if (status != PSA_SUCCESS) 
    {
        LOG_INF("psa_purge_key failed! (Error: %d)", status);
        return APP_ERROR;
    }

    /* Reset key attributes and free allocated resources */
    psa_reset_key_attributes(&key_attributes);

    return APP_SUCCESS;
}
int SecCom_destroy_persistent_key()
{
    psa_status_t status;

    status = psa_destroy_key(KEY_PAIR);
    if (status != PSA_SUCCESS) {
        LOG_INF("Failed to destroy key (Error: %d)", status);
        return APP_ERROR;
    }


    LOG_INF("Persistent key destroyed successfully");
    return APP_SUCCESS;
}
  • 0 in reply to kelk

    Hi, 

    We tried to generate 20 keys using v2.7.0 with the code you provided with the 5340dk, and it worked for me.  Can you provide some more information about your configuration? Maybe the Zephyr autoconf.h header under build/zephyr/include/generated?

     

    Also, can you enable TFM logging?

    If this is the case you can try to enable:

    CONFIG_TFM_EXCEPTION_INFO_DUMP=y

    CONFIG_SPM_LOG_LEVEL_DEBUG=y

    And see if TFM is faulting maybe.

    -Amanda H.

Related
Terms of service