nrf5340 key mangement unit

Question

Hi, I am interested in using the KMU and I have seen some examples of it here (9160 but similar): https://github.com/einarthorsrud/kmu_sample 
 and also some docmentation here: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/include/hw_unique_key.html 
 
 I would like generate keys but not expose the secret key (ie store in flash etc), hence would only be queried from the keyslot if called from a secure app. From what i have read i can only write to the keyslot once and then cannot until a mass erase. So my question is how can i safely generate and write unlimited keys into the keyslot without a mass erase. I don't mind overwriting the existing keyslot. If not keyslot (given the limitations of being able to write only once after an erase), how would you recommend going about doing this.

Sigurd Hellesvik · Accepted Answer

Hi Rookie 
 It is only possible to write to a keyslot if it is empty. This is decided by hardware, se the nRF5340 Product Specification : 
 "The selected key slot must be empty in order to add a new entry to UICR" 
 In other words, you can not overwrite KMU keys from firmware. 
 
 There is another, a bit less secure way to save keys, as mentioned in Hardware unique key documentation : 
 "In devices without a KMU , like nRF52840, the bootloader writes the key to the Arm CryptoCell and locks the flash memory page where the key is stored. In this case, only one key is supported." 
 However, it is not possible to unlock hardware flash write protection before a reset, so you can not overwrite keys with this method either. 
 This answer describes some alternatives for securing when not using secure flash(KMU), which may be what you are looking for. 
 Did this answer your question? 
 Regards, Sigurd Hellesvik

nrf5340 key mangement unit

Top Replies