CMAC using KMU on nRF54L15

Hi Team,

I'm trying to calculate CMAC using the KMU on the nRF54L15, but the `psa_mac_compute()` function fails with the error code `PSA_ERROR_NOT_PERMITTED (-133)`.
I need help resolving this issue. Below is the environment I used for testing.

My environment is as follows:

Board: nRF54L15-DK
SDK: nRF Connect SDK v3.1.0
Board target: nrf54l15dk/nrf54l15/cpuapp (non TF-M)

I performed KMU provisioning using the following command:

python.exe generate_psa_key_attributes.py ^
 --usage SIGN_VERIFY_EXPORT ^
 --id 5 ^
 --type AES ^
 --size 128 ^
 --algorithm CBC ^
 --location LOCATION_CRACEN_KMU ^
 --lifetime PERSISTENCE_DEFAULT ^
 --cracen_usage RAW ^
 --key 0x22222222222222222222222222222222 ^
 --file keys.json
nrfutil device recover
nrfutil device x-provision-keys --serial-number 1057737100 --key-file keys.json

I calculated the CMAC using the following code with PSA:

psa_status_t			sts;
psa_key_handle_t		key_handle;
psa_key_attributes_t	attr = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t			key_id;
size_t					out_len;
uint8_t					data[] = { 0x12, 0x34, 0x56, 0x78 };
uint8_t					cmac[16] = { 0 };

sts = psa_crypto_init();
if (PSA_SUCCESS != sts) {
	LOG_ERR("psa_crypto_init sts = %d", sts);
	return;
}
key_id = PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, 5);
psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_SIGN_MESSAGE);
psa_set_key_lifetime(&attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_DEFAULT, PSA_KEY_LOCATION_CRACEN_KMU));
psa_set_key_id(&attr, key_id);
psa_set_key_algorithm(&attr, PSA_ALG_CMAC);
psa_set_key_type(&attr, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attr, 128);
sts = psa_open_key(key_id, &key_handle);
if (PSA_SUCCESS != sts) {
	LOG_ERR("psa_open_key sts = %d", sts);
	return;
}
sts = psa_mac_compute(key_handle, PSA_ALG_CMAC, data, 4, cmac, 16, &out_len);
if (PSA_SUCCESS != sts) {
	LOG_ERR("psa_mac_compute sts = %d", sts);
	return;
}
psa_destroy_key(key_handle);
LOG_HEXDUMP_INF(cmac, 16, "CMAC");

I used the following Kconfig settings:

CONFIG_LOG=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_RTT_CONSOLE=y

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_WANT_GENERATE_RANDOM=y
CONFIG_PSA_WANT_KEY_TYPE_AES=y
CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CMAC=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192

What could be causing this `PSA_ERROR_NOT_PERMITTED` error?
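
Added example, not part of the original post: per the PSA Crypto API specification, `psa_mac_compute()` returns `PSA_ERROR_NOT_PERMITTED` when the key lacks `PSA_KEY_USAGE_SIGN_MESSAGE` or its policy does not permit the requested algorithm, and the policy that applies is the one stored with the key at provisioning, not the local `attr`, which is never passed to `psa_open_key()`. The model below redefines the specification's constants locally and assumes that `--algorithm CBC` maps to `PSA_ALG_CBC_NO_PADDING` and that `--usage SIGN_VERIFY_EXPORT` includes the sign-message flag; `struct key_policy`, `model_mac_compute_policy()` and `policy_as_posted()` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from the PSA Crypto API specification, redefined locally (M_ prefix)
 * so this model builds without the SDK headers. */
#define M_SUCCESS              0
#define M_ERROR_NOT_PERMITTED  (-133)
#define M_USAGE_EXPORT         0x00000001u
#define M_USAGE_SIGN_MESSAGE   0x00000400u
#define M_USAGE_VERIFY_MESSAGE 0x00000800u
#define M_ALG_CMAC             0x03c00200u
#define M_ALG_CBC_NO_PADDING   0x04404000u

/* Hypothetical type: the policy stored with a key when it is provisioned. */
struct key_policy {
	uint32_t usage; /* permitted operations */
	uint32_t alg;   /* the one permitted algorithm */
};

/* Simplified model of the policy check for a MAC computation: exact algorithm
 * match only (wildcard and truncated-MAC policies are not modelled). */
int model_mac_compute_policy(const struct key_policy *p, uint32_t requested_alg)
{
	if ((p->usage & M_USAGE_SIGN_MESSAGE) == 0)
		return M_ERROR_NOT_PERMITTED; /* usage flag missing */
	if (p->alg != requested_alg)
		return M_ERROR_NOT_PERMITTED; /* algorithm not permitted */
	return M_SUCCESS;
}

/* Assumed mapping of the posted provisioning options (constructed values). */
struct key_policy policy_as_posted(void)
{
	struct key_policy p = {
		M_USAGE_SIGN_MESSAGE | M_USAGE_VERIFY_MESSAGE | M_USAGE_EXPORT,
		M_ALG_CBC_NO_PADDING };
	return p;
}

int main(void)
{
	struct key_policy p = policy_as_posted();
	printf("policy CBC,  request CMAC: %d\n", model_mac_compute_policy(&p, M_ALG_CMAC));
	p.alg = M_ALG_CMAC; /* same key material, policy naming CMAC */
	printf("policy CMAC, request CMAC: %d\n", model_mac_compute_policy(&p, M_ALG_CMAC));
	return 0;
}
```

On the device, the stored policy can be read back with `psa_get_key_attributes()` and `psa_get_key_algorithm()` and compared against `PSA_ALG_CMAC`.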
