https://devzone.nordicsemi.com/f/nordic-q-a/55620/using-the-cryptocell-device-root-key-on-nrf5240-with-zephyrHow do I use the device root key to encrypt and decrypt? I can set the device root key in the cryptocell register, but not sure how to use it. I am using Zephyr by the way. I saw a function mbedtls_internal_aes_decrypt, that I was hoping used theen-USTelligent Community 13Fri, 20 Dec 2019 14:05:54 GMThttps://devzone.nordicsemi.com/thread/226594?ContentTypeID=1Fri, 20 Dec 2019 14:05:54 GMT137ad170-7792-4731-bb38-c0d22fbe4515:4fde3559-1697-48a9-8848-27bb01f1f3abEinar Thorsrud<p>Hi,</p> <p>I see your point. I will forward it internally.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/226414?ContentTypeID=1Thu, 19 Dec 2019 14:48:38 GMT137ad170-7792-4731-bb38-c0d22fbe4515:c32251cf-2d62-4b21-a1a8-59ff811c8bb7Barry<p>Ok. This is disappointing. We would like to use the Device Root Key. But if there is no way to now, then I guess that&#39;s the way it is. It seems odd to me that you would mention the device root key at all, and how to set it when there is no way to use it. It seems a little misleading. If it were me I would have at least put a statement saying that &quot;While the Device root key can be set, use of the key is not yet implemented and is a future capability that Nordic hopes to implement at some point.&quot;</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/226394?ContentTypeID=1Thu, 19 Dec 2019 13:54:39 GMT137ad170-7792-4731-bb38-c0d22fbe4515:341b5cb1-ea49-4f07-8f4f-e65563e3ec86Einar Thorsrud<p>Hi,</p> <p>I have discussed this with R&amp;D, and the current state is simply that the API is not available. We are looking into it, but unfortunately, I do not have a timeline.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/225919?ContentTypeID=1Tue, 17 Dec 2019 14:19:37 GMT137ad170-7792-4731-bb38-c0d22fbe4515:18f9195a-7ec1-4c84-be07-eeafeef82447Einar Thorsrud<p>Hi,</p> <p>I have to admit I have not looked at this using nrf_cc310_mbedcrypto for this before, so I need to check. I will get back to you with some information as soon as possible.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/225466?ContentTypeID=1Fri, 13 Dec 2019 18:30:50 GMT137ad170-7792-4731-bb38-c0d22fbe4515:fa39bfda-b501-4be0-8a05-0de0a2499ca6Barry<p>I see that the word at the 0x38 offset that was not equal to 1 is the word that states if the key has been added to the aes context. Ti only gets set if you do a function like&nbsp;mbedtls_aes_setkey_dec() which sets the word I mentioned and adds the key to the second 16 bytes of the aes context.</p> <p>So it seems like&nbsp;you need to have a function that can add the device root key (Kdr) to a aes context. Although maybe that isn&#39;t possible if the key cannot be read from the cryptocell.</p> <p>In that case I guess you would need to implement an aes function that does not go through mbedtls. Because mbed tls does not have any functions that don&#39;t require there to be a key in the context.</p> <p>Or you have to create an aes function that does not require there to be a key in the context, and then somehow amends the context with the key in the cryptocell.</p> <p>in cc_aes_defs.h you have and enum&nbsp;CCAesKeyType_t that seems like its sole purpose would be to pass the key type to some aes function that would be able to handle this scenario. But it is not used anywhere that I can see.</p><div style="clear:both;"></div>