nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN 6 days ago

Hi Team,

We are developing on a custom board with an nRF54L15 (Raytac Module with NRF54L15_xxAA_ENGB) and are unable to provision a pre-generated secp256r1 private key into a non-reserved KMU slot.

The nrfutil tool fails with the error: Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.

We have followed the KMU Provisioning documentation and have reviewed similar DevZone tickets, but have not been able to resolve the issue.

Hardware & Software Environment

SoC: nRF54L15_xxAA_ENGB module (on a custom board)
Debugger: nRF52840 DK (PCA10056)
J-Link Version: V8.18
nrfutil Version: 8.0.0
nrfutil device Versions Tested: 2.7.2 through 2.12.1
NCS SDK Versions Tested: v3.0.1, v2.8

Steps to Reproduce

1. Generate Key Attributes JSON

We use the generate_psa_key_attributes.py script to create the provisioning file (we have also tried an older version of the script, same issue). Our intent is to provision a 256-bit secp256r1 private key, we are currently using the following parameters:

python3 generate_psa_key_attributes.py \
  --usage ENCRYPT_DECRYPT_EXPORT_COPY \
  --id 123 \
  --type RAW_DATA \
  --size 256 \
  --algorithm NONE \
  --location LOCATION_CRACEN_KMU \
  --lifetime PERSISTENCE_READ_ONLY \
  --cracen_usage ENCRYPTED \
  --key {key_data_hex} \
  --file kmu_provisioning_data.json

2. Sample Generated JSON

This creates the following kmu_provisioning_data.json file:

{
    "version": 0,
    "keyslots": [
        {
            "metadata": "0x01100001034B4E800303000000000000000000007B20FF7F00000000",
            "value": "0xfed92de4023d69b9b9d58badebda646889bfb48784408464093a0fdd69b491b1"
        }
    ]
}

3. Run Provisioning Command

We then execute the provisioning command:

nrfutil device x-provision-keys --serial-number 1050XXXXXX --key-file kmu_provisioning_data.json

Expected vs. Actual Results

Expected: The key is successfully provisioned into KMU slot 123.

Actual: The command fails with the error message:

Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning.

Troubleshooting Steps Taken

Device State: We perform nrfutil device erase --all and nrfutil device --recover between attempts to ensure the MCU is in a clean state for provisioning.
Hardware Connectivity: Our custom board programs successfully with standard applications, and we can observe UART output, confirming the debugger connection and basic board functionality are correct.
Tool Versions: We have tested a wide range of nrfutil device versions.
- Versions up to 2.10.2 failed with ERROR: Could not read from flash.
- Versions from 2.10.3 to 2.12.1 consistently produce the failed provisioning error.
DevZone Research: We reviewed the ticket "RE: nRF54L15 - unable to provision key", but it focuses on provisioning via west, whereas our issue is with nrfutil.
We managed to capture a log from the nrfutil device command, it is attached.log.json

Parents

0 Hieu 5 days ago

Hi DanN,

Could you please try again with the argument --log-level trace?

It will produce a log file in the .nrfutils/log folder, which is located in the home directory on Linux, or the user root directory on Windows. Please share that file with us.

Hieu
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanN 10 hours ago in reply to Hieu

Hi Hieu any update on this issue?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hieu 8 hours ago in reply to DanN

Hi Daniyal,

My apology for the late follow up. I have been out of office.

The issue is that keys cannot be provisioned to KMU without an algorithm specified. If you specify an algorithm, things will work.

Hieu
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DanN 5 hours ago in reply to Hieu

Hi Hieu,

Thanks for the update, I assume you are talking about the "--algorithm" parameter passed onto the generate_psa_key_attributes.py script.

I have just tried with both other two available options for the --algorithm input parameter, "CBC" and "EDDSA_PURE" I'm getting the same error.

Daniyal
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Hieu 4 hours ago in reply to DanN

Hi Daniyal,

Sorry again for the incompleteness of my last answer. You need to specify both a non-raw key type and algorithm. The reason is that keys provisioned this way will be used with the PSA Crypto API, which requires known key type and algorithm for each key. The list of supported key types is here: nRF54L Series cryptography.

Hieu
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Hieu 4 hours ago in reply to DanN

Hi Daniyal,

Sorry again for the incompleteness of my last answer. You need to specify both a non-raw key type and algorithm. The reason is that keys provisioned this way will be used with the PSA Crypto API, which requires known key type and algorithm for each key. The list of supported key types is here: nRF54L Series cryptography.

Hieu
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 DanN 2 hours ago in reply to Hieu
Hi Hieu,

Thanks for the quick reply and the additional information.

The key type we have is "ECC secp256r1 key pair", this is also shown as supported as per the information on the link you have sent.

However, when I look at the latest generate_psa_key_attributes.py file you see only the following few options that are allowed for the provisioning:

class PsaKeyType(IntEnum): """The type of the key""" AES = 0x2400 ECC_TWISTED_EDWARDS = 0x4142 RAW_DATA = 0x1001 class PsaAlgorithm(IntEnum): """Algorithm that can be associated with a key. Not used for AES""" NONE = 0 CBC = 0x04404000 EDDSA_PURE = 0x06000800

As our inital intent we thought it would be both NONE, that didn't work of course, so based on this script is our key type and algorithm (ECC secp256r1) not support even though the official document says it supports it?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel