Cryptocell secure ram

Hi,

The CC310 has secure RAM that can be used for some specific use cases (using a configured root key), but the normal AES API does not use secure RAM. This is often not that relevant though since the nRF52840 does not have secure flash, so the key would anyway have to be stored in a normal flash if it should be persistent.

Specifically, the nrf_crypto_aes_key_set() function calls backend_cc310_key_set(), which calls SaSi_AesSetKey(). This writes the key information to the context object, which is in the (normal) RAM provided by the user.

I am not worried about the not secured flash in NRF52840 because I am using Optiga trust X to securely store my AES key.

The only part I am worry about is the footage of the key on RAM, so I need to use Cryptocell's secured RAM.

Can you explain more about how can I use this feature?

I am not worried about the not secured flash in NRF52840 because I am using Optiga trust X to securely store my AES key.

The only part I am worry about is the footage of the key on RAM, so I need to use Cryptocell's secured RAM.

Can you explain more about how can I use this feature?

You can provision the CC310 with a 128-bit device root key (KDR), as explained here. This can then be used for crypto operations, but never read back. But how will this help if you are storing the key in the trust X? If you want to transfer a key from the trust X to the nRF, then you need to send it over I2C, which can be easily tapped. Can you elaborate more on the whole system?

Honestly I'm working on different solutions to find the best for my application right now. What you said is a serious problem with trustX which I am working on solving it or increase its safety if possible.

Thanks for your answer.