nRF54L15 - Fail to provision ED25519 keys in to the KMU (nrfutil)

DanN 9 hours ago

Hi Team,

While we are testing provisioning private keys (secp256r1) into the KMU via nrfutil we came across few issues which are recorded in the other ticket we opened, after some more testing we ran in to some additional issues with the provisioning parameters when we were testing with the ED25519 algorithm based keys:

1. the --size parameter must be 255, the ED25519 key pairs length are actually 256 bit, when we give 256 the provisioning fails, I guess somewhere the microcode checks for this, not sure if this is a issue or not just mentioning it here as information.

2. the --cracen_usage parameter supposed to support both the "ENCRYPTED" and "RAW" based on the info provided by Nordic, however, the provisioning only works with the "RAW" option (--size 255). We kept other parameters same as above.

Kind regards,
Daniyal

Parents

0 Priyanka 5 hours ago

Hi Daniyal,

Checking this internally and will keep you updated.

Please expect a slight delay as it's the summer vacation here in Norway .

Thank you for understanding.

-Priyanka
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Priyanka 5 hours ago in reply to Priyanka

1. the --size parameter must be 255, the ED25519 key pairs length are actually 256 bit, when we give 256 the provisioning fails, I guess somewhere the microcode checks for this, not sure if this is a issue or not just mentioning it here as information.

ed25519 keys in PSA are 255-bit: https://arm-software.github.io/psa-api/crypto/1.2/api/keys/types.html

2. the --cracen_usage parameter supposed to support both the "ENCRYPTED" and "RAW" based on the info provided by Nordic, however, the provisioning only works with the "RAW" option (--size 255). We kept other parameters same as above.

What error do you get when trying to provision with the ENCRYPTED option? Could be an issue with the script, but it is supported in the KMU.

-Priyanka
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Priyanka 5 hours ago in reply to Priyanka

1. the --size parameter must be 255, the ED25519 key pairs length are actually 256 bit, when we give 256 the provisioning fails, I guess somewhere the microcode checks for this, not sure if this is a issue or not just mentioning it here as information.

ed25519 keys in PSA are 255-bit: https://arm-software.github.io/psa-api/crypto/1.2/api/keys/types.html

2. the --cracen_usage parameter supposed to support both the "ENCRYPTED" and "RAW" based on the info provided by Nordic, however, the provisioning only works with the "RAW" option (--size 255). We kept other parameters same as above.

What error do you get when trying to provision with the ENCRYPTED option? Could be an issue with the script, but it is supported in the KMU.

-Priyanka
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 DanN 5 hours ago in reply to Priyanka

Hi Priyanka,

Thanks for the quick follow up and the information regarding the key bit size.

As for the error message, it's not very informative, we get the generic message same as the issue reported in the other ticket I mentioned:

"Failed to provision keys on "1050XXXXXX", Device error: Keys [123] failed provisioning."

Kind regards,

Daniyal
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel