persistent keys on psa/crypto.h with TFM

Question

Hi all,

I wonder how to use persistent keys with TFM. Or why persistence works only with ECC

Following code works on secure side and keys are persisted just fine.

When compiling as "_ns" and using TFM, only ECC persistent keys function returns 0.Persistent RSA key generation returns error PSA_ERROR_DATA_INVALID ((psa_status_t)-153).

Any clues or pointing to right direction how to use TFM with psa crypto. Or should I use SPM instead?

/*
Minimal example how on

nrf5340dk_nrf5340_cpuapp_ns:
	- built with TFM
	- RSA persistent psa_generate_key fails
	- ECC persistent psa_generate_key success
nrf5340dk_nrf5340_cpuapp:
	- works ok, why

*/
#include <zephyr.h>
#include <sys/printk.h>
#include <logging/log.h>
#include <stdio.h>

#include <psa/crypto.h>

#ifdef CONFIG_BUILD_WITH_TFM
#include <tfm_ns_interface.h>
#endif


#define SAMPLE_PERS_KEY_ID PSA_KEY_ID_USER_MIN
int testRSAvsECCstored(int isRSA){
	psa_status_t status;
	printk("Destroy old key stored key on %d before test isRSA=%d\n",SAMPLE_PERS_KEY_ID,isRSA);
	status = psa_destroy_key(SAMPLE_PERS_KEY_ID);
	printk("psa_destroy_key returns %d\n",status);

	psa_key_handle_t key_handle;
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_id(&key_attributes, SAMPLE_PERS_KEY_ID);

	if (isRSA){
    	psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
    	psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
    	psa_set_key_bits(&key_attributes, 2048);
	}else{
		psa_set_key_algorithm(&key_attributes,  PSA_ALG_ECDSA_ANY);  // or PSA_ALG_ECDH
        psa_set_key_type(&key_attributes,  PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
        psa_set_key_bits(&key_attributes, 256);
	}

    status = psa_generate_key(&key_attributes, &key_handle);
    if (status != PSA_SUCCESS) {
    	printk("psa_generate_key failed! isRSA=%d (Error: %d)", isRSA,status);
		return status;
    }
	printk("SUCCESS key handle is %d\n",key_handle);
	psa_reset_key_attributes(&key_attributes);

	return 0;
}



void main(void) {

#ifdef CONFIG_BUILD_WITH_TFM
	printk("Built with TFM\n");
#else
	printk("NOT with TFM\n");
#endif

	int status = psa_crypto_init();
	printk("crypto_init returns: %d\n",status);
	printk("\n---------------  RSA TEST ---------------\n");
	testRSAvsECCstored(1);
	printk("\n---------------  ECC TEST ---------------\n");
	testRSAvsECCstored(0);

}

And prj.conf is

CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=16384
CONFIG_HEAP_MEM_POOL_SIZE=16384

# Enable loging using RTT and UART
CONFIG_CONSOLE=y
CONFIG_LOG=y
CONFIG_USE_SEGGER_RTT=y
CONFIG_LOG_BACKEND_RTT=y
CONFIG_LOG_BACKEND_UART=y
CONFIG_LOG_BUFFER_SIZE=15360
CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360

## Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS_LIBRARY_NRF_SECURITY=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y


# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

# Mbedtls configuration
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_PKCS1_V15=y

Thanks in advance!!