nRF54L15 - Fail to provision keys into the KMU (nrfutil)

Hi Team,

We are developing on a custom board with an nRF54L15 (Raytac Module with NRF54L15_xxAA_ENGB) and are unable to provision a pre-generated secp256r1 private key into a non-reserved KMU slot.

The nrfutil tool fails with the error: Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.

We have followed the KMU Provisioning documentation and have reviewed similar DevZone tickets, but have not been able to resolve the issue.

Hardware & Software Environment

  • SoC: nRF54L15_xxAA_ENGB module (on a custom board)
  • Debugger: nRF52840 DK (PCA10056)
  • J-Link Version: V8.18
  • nrfutil Version: 8.0.0
  • nrfutil device Versions Tested: 2.7.2 through 2.12.1
  • NCS SDK Versions Tested: v3.0.1, v2.8

Steps to Reproduce

1. Generate Key Attributes JSON

We use the generate_psa_key_attributes.py script to create the provisioning file (we have also tried an older version of the script, same issue). Our intent is to provision a 256-bit secp256r1 private key; we are currently using the following parameters:

python3 generate_psa_key_attributes.py \
  --usage ENCRYPT_DECRYPT_EXPORT_COPY \
  --id 123 \
  --type RAW_DATA \
  --size 256 \
  --algorithm NONE \
  --location LOCATION_CRACEN_KMU \
  --lifetime PERSISTENCE_READ_ONLY \
  --cracen_usage ENCRYPTED \
  --key {key_data_hex} \
  --file kmu_provisioning_data.json

2. Sample Generated JSON

This creates the following kmu_provisioning_data.json file:

{
    "version": 0,
    "keyslots": [
        {
            "metadata": "0x01100001034B4E800303000000000000000000007B20FF7F00000000",
            "value": "0xfed92de4023d69b9b9d58badebda646889bfb48784408464093a0fdd69b491b1"
        }
    ]
}

3. Run Provisioning Command

We then execute the provisioning command:

nrfutil device x-provision-keys --serial-number 1050XXXXXX --key-file kmu_provisioning_data.json

Expected vs. Actual Results

  • Expected: The key is successfully provisioned into KMU slot 123.
  • Actual: The command fails with the error message:
    Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.

Troubleshooting Steps Taken

  1. Device State: We perform nrfutil device erase --all and nrfutil device --recover between attempts to ensure the MCU is in a clean state for provisioning.
  2. Hardware Connectivity: Our custom board programs successfully with standard applications, and we can observe UART output, confirming the debugger connection and basic board functionality are correct.
  3. Tool Versions: We have tested a wide range of nrfutil device versions.
    • Versions up to 2.10.2 failed with ERROR: Could not read from flash.
    • Versions from 2.10.3 to 2.12.1 consistently produce the failed provisioning error.
  4. DevZone Research: We reviewed the ticket "RE: nRF54L15 - unable to provision key", but it focuses on provisioning via west, whereas our issue is with nrfutil.
  5. We managed to capture a log from the nrfutil device command; it is attached: log.json
  • Hi Hieu,

    There are two files in the logs folder, I redacted some file path names and left only the logs regarding the most recent command execution.

    [2025-06-25T13:33:49.186Z] [30898] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device --version 
    [2025-06-25T13:34:27.901Z] [31007] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device recover --serial-number 1050253845 
    [2025-06-25T13:34:32.596Z] [31057] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device recover --serial-number 1050250936 
    [2025-06-25T13:35:12.602Z] [31248] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with --version 
    [2025-06-25T13:35:12.825Z] [31260] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device list --log-level=off --json 
    [2025-06-25T13:35:27.029Z] [31380] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device read --address 131072 --bytes 4 --serial-number 001050250936 
    [2025-06-25T13:35:27.438Z] [31415] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device read --address 16761612 --bytes 4 --serial-number 001050250936 
    [2025-06-25T13:35:27.846Z] [31450] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device read --address 16761616 --bytes 4 --serial-number 001050250936 
    [2025-06-25T13:35:28.254Z] [31499] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device read --address 16761620 --bytes 4 --serial-number 001050250936 
    [2025-06-25T13:35:28.663Z] [31534] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device read --address 16761624 --bytes 4 --serial-number 001050250936 
    [2025-06-25T13:36:01.438Z] [31646] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device erase --all --serial-number 001050250936 
    [2025-06-25T13:36:01.947Z] [31684] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device erase --all --serial-number 001050253845 
    [2025-06-25T13:36:02.456Z] [31731] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device program --firmware /home/internal_boot_partition_cs.hex --serial-number 001050250936 
    [2025-06-25T13:36:02.964Z] [31783] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device program --firmware /home/internal_boot_partition_cs.hex --serial-number 001050253845 
    [2025-06-25T13:36:03.473Z] [31828] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device x-provision-keys --serial-number 001050250936 --key-file /home/kmu_provisioning_data.json 
    [2025-06-25T13:36:16.568Z] [31915] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device recover --serial-number 1050253845 
    [2025-06-25T13:36:19.961Z] [31956] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device recover --serial-number 1050250936 
    [2025-06-25T13:37:02.586Z] [32102] INFO - nrfutil (version = 8.0.0, platform = x86_64-unknown-linux-gnu) invoked with device x-provision-keys --serial-number 1050250936 --key-file /home/kmu_provisioning_data.json --log-level trace 
    
    8015.nrfutil-device.log

    Thanks!

    Daniyal

  • Hi Daniyal,

    My apologies for the late follow-up. I have been out of office.

    The issue is that keys cannot be provisioned to KMU without an algorithm specified. If you specify an algorithm, things will work.

    Hieu

  • Hi Hieu,

    Thanks for the update. I assume you are talking about the "--algorithm" parameter passed to the generate_psa_key_attributes.py script.

    I have just tried both of the other two available options for the --algorithm input parameter, "CBC" and "EDDSA_PURE", and I'm getting the same error.

    Daniyal

     
  • Hi Daniyal,

    Sorry again for the incompleteness of my last answer. You need to specify both a non-raw key type and algorithm. The reason is that keys provisioned this way will be used with the PSA Crypto API, which requires known key type and algorithm for each key. The list of supported key types is here: nRF54L Series cryptography.

    Hieu
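
The condition described in the last reply (a non-raw key type and an algorithm on every key) can be checked against the key file before it is sent to the device. This is an added example, not code from the thread or from Nordic's tooling; it assumes the "metadata" field is a little-endian psa_key_attributes_s, a layout under which the blob posted in the question decodes consistently, and `decode_metadata` and `preflight` are hypothetical names.

```python
import json
import struct

# Assumed layout: type, bits, lifetime, usage, alg, alg2, id, reserved
# (little-endian). The blob posted in this thread decodes cleanly under it.
ATTR = struct.Struct("<HHIIIIII")

PSA_KEY_TYPE_RAW_DATA = 0x1001  # PSA Crypto API constant
PSA_ALG_NONE = 0x00000000       # PSA Crypto API constant


def decode_metadata(hex_blob):
    """Unpack one keyslot 'metadata' string into named fields."""
    raw = bytes.fromhex(hex_blob.removeprefix("0x"))
    if len(raw) != ATTR.size:
        raise ValueError(f"expected {ATTR.size} bytes, got {len(raw)}")
    ktype, bits, lifetime, usage, alg, alg2, key_id, _ = ATTR.unpack(raw)
    return {
        "type": ktype, "bits": bits,
        "location": lifetime >> 8, "persistence": lifetime & 0xFF,
        "usage": usage, "alg": alg, "alg2": alg2,
        # Assumption: slot in the low byte, usage scheme in bits 12..15,
        # which matches --id 123 and ENCRYPTED in the question's blob.
        "slot": key_id & 0xFF, "scheme": (key_id >> 12) & 0xF,
    }


def preflight(key_file_text):
    """Return (slot, problem) pairs for keys PSA Crypto cannot use."""
    problems = []
    for entry in json.loads(key_file_text)["keyslots"]:
        fields = decode_metadata(entry["metadata"])
        if fields["type"] == PSA_KEY_TYPE_RAW_DATA:
            problems.append((fields["slot"], "raw key type"))
        if fields["alg"] == PSA_ALG_NONE:
            problems.append((fields["slot"], "no algorithm"))
    return problems


# Metadata copied from the question; the value is a constructed placeholder.
SAMPLE = json.dumps({"version": 0, "keyslots": [{
    "metadata": "0x01100001034B4E800303000000000000000000007B20FF7F00000000",
    "value": "0x" + "00" * 32,
}]})

if __name__ == "__main__":
    for slot, problem in preflight(SAMPLE):
        print(f"slot {slot}: {problem}")
```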
