CMAC calculation failed with SDK 1.9.1

SoC: nRF5340
SDK: nRF Connect SDK 1.9.1

CMAC calculation works fine with SDK 1.7 and SDK 1.8.
But it failed with SDK 1.9.1.

psa_mac_sign_setup returns error = PSA_ERROR_NOT_PERMITTED (-133).
psa_mac_compute returns PSA_ERROR_NOT_PERMITTED (-133) too.

Simplified code:

size_t key_bits = 128;
size_t key_len  = 16;
uint8_t key[16] = { 0x00 };

psa_algorithm_t algo = PSA_ALG_CMAC;

psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
psa_set_key_algorithm(&key_attributes, algo);

psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&key_attributes, key_bits);

psa_status_t status;
psa_key_handle_t key_handle;
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;

status = psa_import_key(&key_attributes, key, key_len, &key_handle);
if (status != PSA_SUCCESS) {
    LOG_ERR("psa_import_key failed! (Error: %d)\n", status);
    return false;
}

status = psa_mac_sign_setup(&operation, key_handle, algo);
if (status != PSA_SUCCESS) {
    LOG_ERR("psa_mac_sign_setup failed! (Error: %d)\n", status);
    return false;
}

/*
status = psa_mac_update(&operation, plain, plain_len);
if (status != PSA_SUCCESS) {
    LOG_ERR("psa_mac_update failed! (Error: %d)\n", status);
    return false;
}

status = psa_mac_sign_finish(&operation, out_mac, output_max, &output_len);
if (status != PSA_SUCCESS) {
    LOG_ERR("psa_mac_sign_finish failed! (Error: %d)\n", status);
    return false;
}
*/

Related