Clarification Needed: secp192r1 Support for NRF54L15

Question

Hello,

We’re starting to implement our solution in an nRF SDK project (version 3.2.2) targeting the nRF54L15 component.
From a cryptography standpoint, we will need to use MbedTLS to verify X.509 certificates signed with ECDSA (secp192r1 curves).

secp256r1 works with the ECDSA sample ( https://github.com/nrfconnect/sdk-nrf/blob/main//samples/crypto/ecdsa/README.rst ), but we’re running into issues with the secp192r1 curve. 
 In the nRF Connect SDK documentation, it’s stated that secp192r1 is supported by the Cracen driver but not by the Oberon driver: https://docs.nordicsemi.com/bundle/ncs-3.0.2/page/nrf/libraries/security/nrf_security/doc/driver_config.html#ecc_curve_support 
 If I modify the ECDSA sample code to enable CONFIG_PSA_WANT_ECC_SECP_R1_192 , I get the following build error:

In file included from C:/my_project/ncs/nrf/samples/crypto/ecdsa/build/ecdsa/generated/library_nrf_security_psa/nrf-psa-crypto-user-config.h:508, 
 from C:/my_project/ncs/modules/crypto/oberon-psa-crypto/include/mbedtls/build_info.h:141, 
 from C:/my_project/ncs/modules/crypto/mbedtls/include/library/common.h:14, 
 from C:/my_project/ncs/modules/crypto/mbedtls/library/oid.c:10: 
 C:/my_project/ncs/modules/crypto/oberon-psa-crypto/oberon/drivers/oberon_check_unsupported.h:130:10: error: #error "No crypto implementation for secp-r1-192 public key" 
 130 | #error "No crypto implementation for secp-r1-192 public key" 
 | ^~~~~ 
 C:/my_project/ncs/modules/crypto/oberon-psa-crypto/oberon/drivers/oberon_check_unsupported.h:133:10: error: #error "No crypto implementation for secp-r1-192 key pair import" 
 133 | #error "No crypto implementation for secp-r1-192 key pair import" 
 | ^~~~~ 
 C:/my_project/ncs/modules/crypto/oberon-psa-crypto/oberon/drivers/oberon_check_unsupported.h:136:10: error: #error "No crypto implementation for secp-r1-192 key pair export" 
 136 | #error "No crypto implementation for secp-r1-192 key pair export" 
 | ^~~~~ 
 C:/my_project/ncs/modules/crypto/oberon-psa-crypto/oberon/drivers/oberon_check_unsupported.h:140:10: error: #error "No crypto implementation for secp-r1-192 key pair generate" 
 140 | #error "No crypto implementation for secp-r1-192 key pair generate" 
 | ^~~~~ 
 ninja: build stopped: subcommand failed. 
 FATAL ERROR: command exited with status 1: 'C:
cs	oolchains\c717907b94\opt\bin\cmake.EXE' --build C:/my_project/ncs/nrf/samples/crypto/ecdsa/build/ecdsa

If I remove the option and, in the sample code, replace:

psa_set_key_bits ( & key_attributes , 256 );

with:

psa_set_key_bits ( & key_attributes , 192 );

the build succeeds, but I then get a runtime error in the Cracen driver at this point: https://github.com/nrfconnect/sdk-nrf/blob/main/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/internal/ecc/cracen_ecc_helpers.c#L88 
 Is the secp192r1 curve actually supported by the Cracen driver and by the nRF54L15 component? Which options need to be enabled to use it?

Thanks

Sigurd Hellesvik · Accepted Answer

Hi, 
 From ECC curve types , we can see that secp192k1 and secp192r1 are not supported for the nRF54L series: 
 
 Regards, Sigurd Hellesvik