nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Wed, 30 Jul 2025 20:28:42 GMT

Hi Daniyal,

Our developer points out that ECDSA key has to be for signing and not for encryption. Therefore, the problem is with --usage ENCRYPT_DECRYPT_EXPORT. Please use a usage for signing, such as SIGN_VERIFY.

Best regards,

Hieu

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Tue, 29 Jul 2025 12:06:06 GMT

Hi Hieu,

we wanted to move forward on some of our firmware development, so we couldn't wait till this patch is merged, we have tested out with the new patch, we are having the same issue:

 1050250936: Device error: Tried to provision 1 keys, 1 keyslot(s) failed to be provisioned (Generic)

The command we used is the following (we have also changed some parameters to try out different combinations, but non of it worked with the SECP_R1 type key):

/home/redacted/generate_psa_key_attributes_v3.0.3.py 
--usage ENCRYPT_DECRYPT_EXPORT --id 170 
--type ECC_KEY_PAIR_SECP_R1 --key-bits 256 
--algorithm ECDSA_SHA256 --location LOCATION_CRACEN_KMU 
--persistence PERSISTENCE_READ_ONLY --cracen-usage RAW 
--key fbd8003d571e1823f5b351b1f6bc4b083b269fff2bdee596014fc9b1dfb97a68 
--file /home/redacted/kmu_provisioning_data.json

and the content of the json file is the following:

{
    "version": 0,
    "keyslots": [
        {
            "metadata": "0x12710001034B4E80010300000906000600000000AA30FF7F00000000",
            "value": "0xa76a466b3feb77eb4ed5534d1c9847957b9397e396e408c95a14dd68638ff77a"
        }
    ]
}

We have also attached the log file, devzone.nordicsemi.com/.../5265.nrfutil_2D00_device.logcan we please get some support on this.

Kind regards,

Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Fri, 11 Jul 2025 09:14:10 GMT

Hi Abhijith,

Just opened a new ticket.

Kind regards,

Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Menon — Fri, 11 Jul 2025 08:53:47 GMT

Hello,

Sorry you need to open a new ticket for this issue.

Kind Regards,

Abhijith

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Fri, 11 Jul 2025 08:43:01 GMT

Hi Abhijith,

Thanks for the follow up, should I open a new issue in devzone or will you do it?

Kind regards,
Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Menon — Fri, 11 Jul 2025 08:11:02 GMT

Hello,

Hieu is on vacation for a while, so I’ll be following this thread and keeping you updated.

From what I see, the issues you reported with ED25519 provisioning, like needing --size to be 255 and --cracen_usage only working with RAW, seem to fall outside the scope of this thread/PR. I would suggest we track them separately by opening a new ticket. That’ll help keep DevZone organized and make it easier to reference later.

Kind regards,
Abhijith

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Fri, 04 Jul 2025 16:02:11 GMT

Hi Hieu,

While we are still on this topic, we found some additional issues with the provisioning parameters when we were testing with the ED25519 algorithm:

1. the --size parameter must be 255, the ED25519 key pairs length are actually 256 bit, when we give 256 the provisioning fails, I guess somewhere the microcode checks for this, not sure if this is a issue or not just mentioning it here as information.

2. the --cracen_usage parameter supposed to support both the "ENCRYPTED" and "RAW" based on the link you sent, however, the provisioning only works with the "RAW" option (--size 255). We kept other parameters same as above.

Kind regards,
Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Thu, 03 Jul 2025 12:20:13 GMT

Hi Hieu,

Thank you very much for your effort, we will try out the script once its ready to be patched.

Kind regards,

Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Thu, 03 Jul 2025 12:07:22 GMT

Hi Daniyal,

Our developer has created a PR. It is pending further reviews and tests, but if you need something to work with urgently, you can give it a try: scripts: Added features in generate_psa_key_attributes.py by magnev · Pull Request #23113 · nrfconnect/sdk-nrf.

If you can wait, it's best to just follow/watch the PR and patch it in once it is merged.

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Wed, 02 Jul 2025 11:18:39 GMT

Hi Daniyal,

I have confirmed the issue with the maintainer of the script, and an update will be worked on. I will update you when it is available.

Our apologies for the inconvenience.

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Mon, 30 Jun 2025 15:48:52 GMT

Hi Hieu,

Thanks for the quick reply and the additional information.

The key type we have is "ECC secp256r1 key pair", this is also shown as supported as per the information on the link you have sent.

However, when I look at the latest generate_psa_key_attributes.py file you see only the following few options that are allowed for the provisioning:

class PsaKeyType(IntEnum):
    """The type of the key"""

    AES = 0x2400
    ECC_TWISTED_EDWARDS = 0x4142
    RAW_DATA = 0x1001
    
    
class PsaAlgorithm(IntEnum):
    """Algorithm that can be associated with a key. Not used for AES"""

    NONE = 0
    CBC = 0x04404000
    EDDSA_PURE = 0x06000800

As our inital intent we thought it would be both NONE, that didn't work of course, so based on this script is our key type and algorithm (ECC secp256r1) not support even though the official document says it supports it?

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Mon, 30 Jun 2025 14:22:36 GMT

Hi Daniyal,

Sorry again for the incompleteness of my last answer. You need to specify both a non-raw key type and algorithm. The reason is that keys provisioned this way will be used with the PSA Crypto API, which requires known key type and algorithm for each key. The list of supported key types is here: nRF54L Series cryptography.

Hieu

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Mon, 30 Jun 2025 12:41:38 GMT

Hi Hieu,

Thanks for the update, I assume you are talking about the "--algorithm" parameter passed onto the generate_psa_key_attributes.py script.

I have just tried with both other two available options for the --algorithm input parameter, "CBC" and "EDDSA_PURE" I'm getting the same error.

Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Mon, 30 Jun 2025 09:29:14 GMT

Hi Daniyal,

My apology for the late follow up. I have been out of office.

The issue is that keys cannot be provisioned to KMU without an algorithm specified. If you specify an algorithm, things will work.

Hieu

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Mon, 30 Jun 2025 08:00:08 GMT

Hi Hieu any update on this issue?

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

DanN — Wed, 25 Jun 2025 14:04:09 GMT

Hi Hieu,

There are two files in the logs folder, I redacted some file path names and left only the logs regarding the most recent command execution.devzone.nordicsemi.com/.../3225.nrfutil.log devzone.nordicsemi.com/.../8015.nrfutil_2D00_device.log

Thanks!

Daniyal

RE: nRF54L15 - Fail to provision keys in to the KMU (nrfutil)

Hieu — Wed, 25 Jun 2025 13:31:08 GMT

Hi DanN,

Could you please try again with the argument --log-level trace?

It will produce a log file in the .nrfutils/log folder, which is located in the home directory on Linux, or the user root directory on Windows. Please share that file with us.

Hieu