• State Not Answered
  • Replies 8 replies
  • Subscribers 86 subscribers
  • Views 414 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 358436
Options

psa_open_key failed PSA_ERROR_DOES_NOT_EXIST (-134) on nRF9151 with NCS v3.2.2 and MCUboot

luqman

Board: nRF9151DK (nrf9151dk/nrf9151/ns)

NCS version: v3.2.2

Softsim branch: master (59bac8b)

MCUboot: enabled

Issue:

Keys are provisioned successfully (SoftSIM keys written to KMU, SoftSIM fully provisioned) but psa_open_key returns -134 (PSA_ERROR_DOES_NOT_EXIST) during MILENAGE authentication.

*** Booting My Application v1.0.0-a2550914679b ***
*** Using nRF Connect SDK v3.2.2-74845e169be2 ***
*** Using Zephyr OS v4.2.99-fe4f0106803e ***
[00:00:00.257,263] <inf> fs_nvs: 8 Sectors of 4096 bytes
[00:00:00.257,293] <inf> fs_nvs: alloc wra: 1, 6d0
[00:00:00.257,293] <inf> fs_nvs: data wra: 1, 6d8
[00:00:00.263,519] <err> softsim_crypto: Failed to open key 10, error: -134
[00:00:00.265,045] <inf> softsim: Provisioning static profile
[00:00:00.265,289] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.265,380] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.265,472] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.265,502] <inf> softsim: SoftSIM keys written to KMU
[00:00:00.265,533] <inf> softsim: Provisioning SoftSIM 1/4
[00:00:00.356,597] <inf> softsim: Provisioning SoftSIM 2/4
[00:00:00.358,398] <inf> softsim: Provisioning SoftSIM 3/4
[00:00:00.360,473] <inf> softsim: Provisioning SoftSIM 4/4
[00:00:00.363,464] <inf> softsim: SoftSIM provisioned
[00:00:00.363,494] <inf> softsim: SoftSIM fully provisioned
[00:00:00.364,990] <inf> softsim: SoftSIM initialized


[00:02:36.056,793] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.056,884] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.056,976] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.057,098] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.057,189] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.057,281] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.057,373] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:36.057,495] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:46.748,901] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:02:46.749,023] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)

Configs tried: -

CONFIG_TFM_PARTITION_PROTECTED_STORAGE=n

- CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n

- CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0xC000

- CONFIG_TFM_ITS_NUM_ASSETS=20

- Increased heap to 65536 - Doubled tfm_its partition size to 0x4000 - All combinations of above , None resolved the issue.

Question: Is nRF9151 + MCUboot + NCS v3.2.2 a supported combination? Is there a known working configuration for this setup?

Parents Reply Children
  • 0 in reply to Vidar Berg

    Update: I didn't anyone who immediately recognised the problem you are observing. However, when looking at the logs again now I see that the actual error is PSA_ERROR_NOT_SUPPORTED (-134), which indicates that there is a problem with the crypto configuration in your project. Have you tried the provided softsim_static_profile sample provided in this repo to see if it results in the same errors?

    Best regards,

    Vidar

  • 0 in reply to Vidar Berg

    Hi Vidar,

    Thank you for the suggestion. I tested the softsim_static_profile sample and it works correctly, the device connects to the network successfully.

    *** Booting nRF Connect SDK v3.2.2 ***
[00:00:00.333,038] <inf> softsim_sample: SoftSIM sample started.
[00:00:00.661,956] <inf> softsim_sample: Waiting for LTE connect event.
+CEREG: 2,"2F12","01F80701",7
[00:00:08.241,210] <inf> softsim_sample: LTE cell changed: Cell ID: 33031937, Tracking area: 12050
+CSCON: 1
[00:00:08.295,562] <inf> softsim_sample: RRC mode: Connected
+CEREG: 2,"B07D","00D69C03",7
[00:00:08.801,300] <inf> softsim_sample: LTE cell changed: Cell ID: 14064643, Tracking area: 45181
+CSCON: 1
[00:00:08.849,609] <inf> softsim_sample: RRC mode: Connected

    However, when integrating SoftSIM into my full application (TF-M + MCUboot + LwM2M on nRF9151), psa_open_key returns -134 during network authentication.

    Root cause found: After investigation I traced the issue to CRYPTO_STORAGE_DISABLED=ON in TF-M's CMake build, which is set when CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C is not enabled. This results in tfm_config.h having.

    CRYPTO_KEY_MODULE_ENABLED 0
CRYPTO_CIPHER_MODULE_ENABLED 0
CRYPTO_MAC_MODULE_ENABLED 0

    Key difference between working sample and my project:

    • Working sample: no MCUboot, CONFIG_PM_PARTITION_SIZE_TFM=0x10000
    • My project: MCUboot enabled + TF-M + LwM2M + SoftSIM

    hat I've tried:

    • CONFIG_TFM_PARTITION_PROTECTED_STORAGE=n
    • CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n 
    • CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y
    • CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
    • CONFIG_NRF_SECURITY=y
    • CONFIG_PSA_WANT_KEY_TYPE_AES=y
    • CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
    • CONFIG_PSA_WANT_ALG_CMAC=y

    But TF-M CMakeCache still shows TFM_PARTITION_INTERNAL_TRUSTED_STORAGE:BOOL=OFF.

    [00:00:00.262,939] <err> softsim_crypto: Failed to open key 10, error: -134
[00:00:00.264,373] <inf> softsim: Provisioning static profile
[00:00:00.264,617] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.264,709] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.264,801] <err> softsim_crypto: Failed to open a persistent key, ERR: -134
[00:00:00.264,801] <inf> softsim: SoftSIM keys written to KMU
[00:00:09.108,764] <err> softsim_crypto: ss_utils_aes_decrypt: psa_open_key failed! (Error: -134)
[00:00:09.539,489] <wrn> lte_lc: Registration rejected, EMM cause: 17

    Also, i remove the private SIM configuration due to public, so you may need your own

    Full reproduction code available here: https://github.com/luqman8230339900/nrf9151-softsim-tfm-mcuboot-issue

    Best regards:

    Luqman

  • 0 in reply to luqman

    Hi!

    Vidar is out of office this week and will follow up on this when he's back. 

    I will have a look tomorrow myself to see if I can provide any insight.

    Best regards,
    Carl Richard

  • 0 in reply to Carl Richard

    Hi, 

    Is there any update on my issue? 

    Thanks 

  • 0 in reply to luqman

    Hi,

    Sorry for the delay. I am back now and have just requested access from Onomondo to test the sample you shared. Have you made any progress on this in the meantime? 

    Best regards,

    Vidar

Related
Terms of service