Public and Private key generation for TLS communication using PSA Crypto calls.

Hello, 

Overview:

Currently we are using the nRF9160 with the mbedtls library for generating EC key based certificates (self-signed and CSR). Our code is built with TFM and the application is non-secure. I need to understand the following.
1. What is the role of TFM if the application itself is in non-secure mode?

2. I want to remove the mbedtls library and use the PSA-crypto engine for certificate generation, parsing and signing. How can that be done?

Attaching the .config file after build for your reference. The aim is to reduce the heap consumption of mbedtls and optimize the code.

version used: nrf sdk version 2.7.0

3823.configFile.txt

Thanks,
Akshay

  • Hi,

    Thanks for the detailed information and sorry this has been a pain, especially after our first reply pointed you the wrong way on the sample. We mentioned the EdDSA sample before, but the ECDSA sample is what you want.

    Your build is fine, and the runtime failure PSA_ERROR_NOT_SUPPORTED means the key type or flags requested aren't supported in your current setup. The main issue is that the code is creating an ECDH key, but certs and CSRs need ECDSA (signing), not ECDH (key agreement). Secondly, with TF-M, PSA_KEY_USAGE_EXPORT on a private key is often rejected because private keys are meant to stay in the secure partition, so use psa_export_public_key() for the public key instead. Also make sure to call psa_crypto_init() once at startup before psa_generate_key().

    The recommended path is to flash the unmodified ECDSA sample on your DK first. If that works, switch your code to ECDSA + PSA_KEY_USAGE_SIGN_HASH. For CSR/cert formatting you still need a small mbed TLS X.509 layer.

    Regarding removing TF-M:

    • Modem should not be affected, as the modem core is a separate processor with its own firmware and TLS stack.
    • Private keys would sit in normal application RAM instead of being hardware isolated in a secure partition.
    • PSA Certified security levels may require TFM as mentioned here.

    Let us know how the ECDSA sample goes on your board and we can help from there.

    Best Regards,
    Syed Maysum
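
Added example, not part of the original thread or of Nordic's samples: psa_sign_hash() on a P-256 key returns the ECDSA signature as raw r||s (64 bytes), while a CSR or certificate carries it as a DER SEQUENCE of two INTEGERs, so this is one of the conversions the X.509 formatting layer mentioned above has to perform. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define P256_LEN 32 /* bytes per scalar on secp256r1 */

/* Encode one big-endian unsigned scalar as a DER INTEGER; returns bytes written. */
static size_t der_put_uint(const uint8_t *v, size_t len, uint8_t *out)
{
    while (len > 1 && v[0] == 0) { v++; len--; }  /* DER requires minimal length */
    size_t pad = (v[0] & 0x80) ? 1 : 0;           /* 0x00 prefix keeps it positive */
    out[0] = 0x02;                                /* INTEGER tag */
    out[1] = (uint8_t)(len + pad);
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, len);
    return 2 + pad + len;
}

/* Convert raw r||s (64 bytes) into SEQUENCE { INTEGER r, INTEGER s }.
 * Returns the DER length, or 0 if the input length or output buffer is wrong. */
size_t ecdsa_p256_raw_to_der(const uint8_t *raw, size_t raw_len,
                             uint8_t *der, size_t der_size)
{
    uint8_t body[2 * (P256_LEN + 3)];             /* worst case: 2 x (tag+len+pad+32) */
    if (raw == NULL || der == NULL || raw_len != 2 * P256_LEN) return 0;
    size_t n = der_put_uint(raw, P256_LEN, body);
    n += der_put_uint(raw + P256_LEN, P256_LEN, body + n);
    if (der_size < n + 2) return 0;               /* n <= 70, short-form length fits */
    der[0] = 0x30;                                /* SEQUENCE tag */
    der[1] = (uint8_t)n;
    memcpy(der + 2, body, n);
    return n + 2;
}

/* Constructed sample (not a real signature): r has its top bit set,
 * s starts with a zero byte, so both DER edge cases are exercised. */
size_t demo_der_len(uint8_t *der, size_t der_size)
{
    uint8_t raw[2 * P256_LEN];
    memset(raw, 0x11, sizeof raw);
    raw[0] = 0x80;            /* r needs a 0x00 pad byte */
    raw[P256_LEN] = 0x00;     /* s has one leading zero to strip */
    return ecdsa_p256_raw_to_der(raw, sizeof raw, der, der_size);
}
```

The DER length varies between signatures (up to 72 bytes for P-256), so the output buffer should be sized for the worst case rather than for one observed signature.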

  • Thanks, Syed, for the explanation. I will try and go through the example you mentioned and report back. 

    I still have some confusion about TFM, a few more questions, and need some insights related to nRF9160_ns and nRF9160 builds.
    From Nordic's documentation I got to know that when we build the code with the _ns configuration, TFM comes by default, and we are using the same config for our project.
    I just wanted to see if I can get rid of TFM by building my code without the _ns configuration, and the build failed because I am using the below configs

  • Hi  

    As I am looking into the document, I have a few more queries. I have a build configuration with nrf9160_ns and I am using the modem for IP based communication with TLS enabled. Now if I build my code in nRF9160 mode, my code fails, saying that TFM is needed, and the following dependency is shown

    Some additional info about using TFM: we are using nrf_modem_lib, which cannot be used if we disable TFM completely.

    menuconfig NRF_MODEM_LIB
        bool "Modem library"
        depends on SOC_SERIES_NRF91X
        depends on TRUSTED_EXECUTION_NONSECURE
        select NRF_MODEM
        imply NET_SOCKETS_OFFLOAD
        imply NET_SOCKETS_POSIX_NAMES if !POSIX_API
        # The modem must be turned on to achieve low power consumption.
        # But disable it for ZTEST's as some tests have HW
        # resource-conflicts with NRF_MODEM_LIB.
        default y if !ZTEST
        help
          Use Nordic Modem library.

    This is the Kconfig at path lib/nrf_modem_lib/Kconfig, which has the dependency check.

    - The following question: currently I am assigning 32 KB of RAM to TFM, out of which 44% is the runtime/static RAM consumption. Can you tell me how much peak consumption it can reach?

    Regarding the example you provided, I was able to build the code with the secure build and the non-secure build. I think I have used this PSA_CRYPTO samples for 


    Thanks,
    Akshay
