Hi Team,
We are developing on a custom board with an nRF54L15 (Raytac Module with NRF54L15_xxAA_ENGB) and are unable to provision a pre-generated secp256r1 private key into a non-reserved KMU slot.
The nrfutil tool fails with the error: Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.
We have followed the KMU Provisioning documentation and have reviewed similar DevZone tickets, but have not been able to resolve the issue.
Hardware & Software Environment
- SoC: nRF54L15_xxAA_ENGB module (on a custom board)
- Debugger: nRF52840 DK (PCA10056)
- J-Link Version: V8.18
- nrfutil Version: 8.0.0
- nrfutil device Versions Tested: 2.7.2 through 2.12.1
- NCS SDK Versions Tested: v3.0.1, v2.8
Steps to Reproduce
1. Generate Key Attributes JSON
We use the generate_psa_key_attributes.py script to create the provisioning file (we have also tried an older version of the script, same issue). Our intent is to provision a 256-bit secp256r1 private key; we are currently using the following parameters:
python3 generate_psa_key_attributes.py \
    --usage ENCRYPT_DECRYPT_EXPORT_COPY \
    --id 123 \
    --type RAW_DATA \
    --size 256 \
    --algorithm NONE \
    --location LOCATION_CRACEN_KMU \
    --lifetime PERSISTENCE_READ_ONLY \
    --cracen_usage ENCRYPTED \
    --key {key_data_hex} \
    --file kmu_provisioning_data.json
2. Sample Generated JSON
This creates the following kmu_provisioning_data.json file:
{
  "version": 0,
  "keyslots": [
    {
      "metadata": "0x01100001034B4E800303000000000000000000007B20FF7F00000000",
      "value": "0xfed92de4023d69b9b9d58badebda646889bfb48784408464093a0fdd69b491b1"
    }
  ]
}
3. Run Provisioning Command
We then execute the provisioning command:
nrfutil device x-provision-keys --serial-number 1050XXXXXX --key-file kmu_provisioning_data.json
Expected vs. Actual Results
- Expected: The key is successfully provisioned into KMU slot 123.
- Actual: The command fails with the error message:
Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.
Troubleshooting Steps Taken
- Device State: We perform nrfutil device erase --all and nrfutil device --recover between attempts to ensure the MCU is in a clean state for provisioning.
- Hardware Connectivity: Our custom board programs successfully with standard applications, and we can observe UART output, confirming the debugger connection and basic board functionality are correct.
- Tool Versions: We have tested a wide range of nrfutil device versions.
  - Versions up to 2.10.2 failed with ERROR: Could not read from flash.
  - Versions from 2.10.3 to 2.12.1 consistently produce the failed provisioning error.
- DevZone Research: We reviewed the ticket "RE: nRF54L15 - unable to provision key", but it focuses on provisioning via west, whereas our issue is with nrfutil.
- We managed to capture a log from the nrfutil device command, it is attached: log.json
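A pre-flight check for the key file from step 2, added here as an example and not part of the original post or of Nordic's tooling: it confirms that each keyslot value is well-formed hex of the --size given in step 1 and a valid secp256r1 private scalar, which rules out malformed key material before nrfutil is run. The name check_key_file is hypothetical, the metadata field is treated as opaque, and the value is assumed to be a big-endian scalar.

```python
import json

# Order n of the secp256r1 (NIST P-256) group; private scalars must lie in 1..n-1.
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

# Key file from step 2 of the post.
SAMPLE = """{"version": 0, "keyslots": [{
  "metadata": "0x01100001034B4E800303000000000000000000007B20FF7F00000000",
  "value": "0xfed92de4023d69b9b9d58badebda646889bfb48784408464093a0fdd69b491b1"}]}"""

def _hex_field(slot, name):
    """Decode a 0x-prefixed hex string field; raise ValueError if malformed."""
    text = slot.get(name) if isinstance(slot, dict) else None
    if not isinstance(text, str) or not text.lower().startswith("0x"):
        raise ValueError(f"{name}: expected a 0x-prefixed hex string")
    try:
        return bytes.fromhex(text[2:])
    except ValueError:
        raise ValueError(f"{name}: not an even-length hex string") from None

def check_key_file(text, size_bits=256):
    """Return a list of problems; an empty list means every check passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    slots = doc.get("keyslots") if isinstance(doc, dict) else None
    if not isinstance(slots, list) or not slots:
        return ["no 'keyslots' array"]
    problems = []
    for i, slot in enumerate(slots):
        try:
            _hex_field(slot, "metadata")  # treated as opaque; only decoded
            value = _hex_field(slot, "value")
        except ValueError as exc:
            problems.append(f"keyslot {i}: {exc}")
            continue
        if len(value) * 8 != size_bits:
            problems.append(f"keyslot {i}: value is {len(value) * 8} bits, expected {size_bits}")
        # Assumption: the value is a big-endian private scalar.
        elif not 1 <= int.from_bytes(value, "big") < P256_N:
            problems.append(f"keyslot {i}: value is not a valid secp256r1 scalar")
    return problems

if __name__ == "__main__":
    print(check_key_file(SAMPLE) or "key file passes pre-flight checks")
```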