BLE provisioning example - errors when building with /nc

BLE provisioning sample fails with crypto errors when using TrustZone (/ns) board target on nRF7002 DK with nRF5340.

  • Hardware: nRF7002 DK (nRF5340 + nRF7002)
  • SDK: nRF Connect SDK v3.1.1-e2a97fe2578a
  • Zephyr: v4.1.99-ff8f0c579eeb
  • Board Target: nrf7002dk/nrf5340/cpuapp/ns (TrustZone enabled)
  • Sample: samples/wifi/provisioning/ble/

Working Configuration

  • Board Target: nrf7002dk/nrf5340/cpuapp (non-TrustZone): WORKS
  • Functionality: BLE provisioning and WiFi connectivity work perfectly
  • No crypto errors with standard (non-TrustZone) configuration

Problem with TrustZone

When switching to nrf7002dk/nrf5340/cpuapp/ns (TrustZone enabled):

Error Messages:

[00:00:01.520,935] <err> bt_ecc: Failed to generate ECC key -134
[00:00:01.520,935] <wrn> bt_smp: Public key not available
[00:00:01.530,548] <err> bt_gatt: Unable to import the key for AES CMAC -134

Impact:

  • BLE advertising starts successfully
  • WiFi provisioning service initializes
  • BLE crypto operations fail (ECC key generation, AES CMAC)
  • Likely affects BLE pairing and security

Attempted Solutions:

  1. PSA Crypto Driver Configuration:

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n

Result: No improvement

  2. Increased mbedTLS Heap Size:

CONFIG_MBEDTLS_HEAP_SIZE=32768 (increased from 8192)

Result: No improvement

  3. Explicit Crypto Module Enablement:

CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_CMAC_C=y

Result: No improvement

  4. Disabled PSA Crypto Drivers:

Commented out PSA driver configs

Result: Same crypto errors persist

Expected Behavior:

BLE provisioning sample should work with TrustZone (/ns) without crypto errors, similar to how it works without TrustZone.

Questions:

  1. Is additional TrustZone-specific crypto configuration required for BLE stack integration?
  2. Are there known issues with BLE crypto operations in TrustZone mode?
  3. What is the correct PSA crypto configuration for BLE + WiFi + TrustZone?
  4. Is error code -134 documented and what does it specifically indicate?

Project Context

Building commercial IoT gateway requiring:

  • BLE WiFi provisioning
  • AWS IoT connectivity with FOTA
  • TrustZone security for production deployment

Need TrustZone working for secure certificate storage and production security requirements (and integration with IoT Core example).

