nRF54L15 + SRAM + Crypto questions

Hello,

Platform: nRF54L15, SDK 2.9, VS Code 

Our application is a Matter + BLE (like NUS) based door lock application. A custom BLE service (adapted from NUS) is used to exchange info in parallel with Matter. We are not encrypting the BLE transmissions and the BLE security level is set to BT_SECURITY_L1. The reason is a product requirement that our customers do not want to press the "pairing request" notification in the mobile iOS/Android apps. Setting bonding will eliminate this but the Matter standard does not allow bonding. Long story short, we have taken the approach of encrypting the BLE payload.

For encrypting the payload, we are using the standard ECDH + certificate based authentication to derive a key plus authentication:

  1. After BLE is connected (first time only), the lock and mobile use ECDH to derive an AES-128 symmetric key, which will be used for encryption and decryption of the payload.
  2. Certificates are exchanged to authenticate further and the connection is terminated if the certificates are not validated. We plan to use ECDSA, which will be the next step.
  3. The key is stored internally and key derivation is not repeated for subsequent connections.
  4. We used the PSA Crypto libraries.
  5. Since Matter uses PSA Crypto, we did not include any additional configurations in prj.conf.

Question #1: Is there a solution that will allow us to use the encryption that comes with the BLE stack rather than writing custom encryption (we would prefer BT_SECURITY_L4) but without the iPhone and Android pairing request notifications? I do not believe one exists but we want to ask Nordic to rule this option out.

Q2: When we look at the ram_report, the SRAM needed for our crypto application is very small - it is the space needed for variables. It looks like the Mbed TLS library did not take additional space. Does it look alright? From our reading, Mbed TLS should be a memory hog and should consume a large amount of memory, while we are not seeing an increase in SRAM usage. This is the reason for asking this question.

Q3. We tried TF-M (/ns builds), however, we are running out of SRAM. Without TF-M, the SRAM usage comes to 220KB. When we try to build with /ns, the build complains that region `RAM' overflowed by 4076 bytes. The TF-M configuration is as follows (adapted from the DK).

    tfm_sram:
      address: 0x20000000
      inside:
      - sram_secure
      placement:
        after:
        - start
      region: sram_primary
      size: 0xF000
    sram_primary:
      address: 0x2000F000
      region: sram_primary
      size: 0x31000

According to the above PM, the tfm takes up only about 8K RAM and we have 30K left. The documentation is sparse so please help to achieve TFM.

Q4. We would like to store the resulting AES-128 bit asymmetric key in the KMU. It is a little bit confusing from the readings whether it will be possible to store the key in the KMU without TF-M, as the documentation is sparse. Assuming that we won't be able to do TF-M, please provide an example, or provide the necessary guidelines for storing the keys and also the certificate in the KMU.

This post says that keys are stored in ITS, not in KMU: "Using PSA function to persist key in kmu AND later restore it for AES encryption"

This post (1 year old) says that KMU has limited functionality: "Usage of KMU and CC3XX drivers". It is not possible to change the keys in a slot. Since it is one year old and nRF54L15 is new, is it applicable?

Thanks.

Subu
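
The key agreement in step 1 of the post, modelled off-device as an added example (not code from the post or from Nordic): each side rejects a peer public key that is not on the curve, then derives the AES-128 key with both public keys bound into it, so the output can be compared against what the firmware and the app compute. The curve (P-256), HKDF-SHA-256, the `ble-lock-v1` label and all function names are assumptions; the arithmetic is a reference model and is not constant time.

```python
import hashlib, hmac

# NIST P-256 parameters (assumed curve; the 65-byte public key in the post fits it)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(pt):  # reject points off the curve before any scalar multiplication
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - A * x - B) % P == 0

def add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add; reference model only, not constant time
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hkdf_sha256(ikm, salt, info, length):  # RFC 5869 extract-then-expand
    prk = hmac.new(salt or b"\0" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + t, i + 1
    return okm[:length]

def sec1(pt):  # 65-byte uncompressed encoding: 0x04 || X || Y
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def session_key(priv, peer_pub, lock_pub, mobile_pub):
    """AES-128 key from ECDH, bound to both public keys through the HKDF info."""
    if not on_curve(peer_pub):
        raise ValueError("peer public key is not on P-256")
    shared_x = mul(priv, peer_pub)[0].to_bytes(32, "big")
    info = b"ble-lock-v1" + sec1(lock_pub) + sec1(mobile_pub)  # constructed label
    return hkdf_sha256(shared_x, b"", info, 16)
```

Because both public keys feed the HKDF info, a key substituted in transit makes the two sides derive different keys; the certificate check in step 2 is still what authenticates who owns each key.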

  • Hi Amanda, Thanks for the explanation.

    Regarding Q4:

    1. Do you have an example for storing a key in KMU, then retrieving it after reboot and using it?

    2. If not, can you please help me to correct the below code? It is not working. The key is not set and an error is generated.

    Primarily I have an AES key and I want to store it in KMU.

        psa_status_t ret;

        #define AES_KEY_KMU_SLOT_ID 50

        psa_key_id_t mDACPrivKeyId;
        psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

        // psa_reset_key_attributes(&key_attributes);
        psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
        psa_set_key_bits(&key_attributes, 128);
        psa_set_key_algorithm(&key_attributes, PSA_ALG_ECB_NO_PADDING);
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);

        mDACPrivKeyId = PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, AES_KEY_KMU_SLOT_ID);
        psa_set_key_id(&key_attributes, mDACPrivKeyId);

        psa_set_key_lifetime(
            &key_attributes,
            PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_DEFAULT, PSA_KEY_LOCATION_CRACEN_KMU));

        // ret = psa_import_key(&key_attributes, mobile_public_key, 65, &mDACPrivKeyId);
        // when tried importing, the Error = -135 or -133
        // ret = psa_copy_key(mobile_encryption_key_id, &key_attributes, &mDACPrivKeyId);
        // when tried copying, the error was -133

        ret = psa_generate_key(&key_attributes, &mDACPrivKeyId); // does not generate key, no error

    3. How do I use this key after power cycle or reboot? 

    4. I picked slot #50 (randomly) for testing purposes but would like to know which KMU slots are occupied or available. Is there an API?

    Thanks

    Subu
