• State Not Answered
  • Replies 6 replies
  • Subscribers 91 subscribers
  • Views 2290 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 286205
Options

Making the RSA keypair persist.

imtiz_ahmed

Hi,

I am using the RSA sample code and I need to make the key persist. When I try to change the lifetime attribute to PSA_KEY_LIFETIME_PERSISTENT, the key generation fails.

I am using nRF52840 dev kit.

int generate_rsa_keypair(void)
{
psa_status_t status;
size_t olen;

LOG_INF("Generating random RSA keypair...");

/* Configure the key attributes */
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

/* Configure the key attributes */
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
psa_set_key_algorithm(&key_attributes, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256));
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
psa_set_key_bits(&key_attributes, KEY_SIZE);

/* Generate a random keypair. The keypair is not exposed to the application,
* we can use it to signing/verification the key handle.
*/
status = psa_generate_key(&key_attributes, &keypair_handle);
if (status != PSA_SUCCESS) {
LOG_INF("psa_generate_key failed! (Error: %d)", status);
return APP_ERROR;
}

rsa: psa_generate_key failed! (Error: -134)


Any idea what else needs to be done so the key pair could persist during reboots?

Thanks!
Parents
  • 0

    Hi, 

    There are two reasons that this fails if you just change the lifetime flag from volatile to persistent. The persistent keys requires to set a key id for the key, with the psa_set_key_id function. The second reason is that you have to enable for the persistent key storage support in Kconfig. In the case of nRF52840 these options need to be added:

    CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

 

# Note that NVS is only one of the options to enable persistent storage of keys
# using the settings subsystem.
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y

    Note that these configurations are documented in our persistent_key_storage sample.

    Now to avoid misunderstandings, please be clear that in the case of nRF52840 the keys will anyway be stored in flash and they will not be protected. The comments in the sample which describe that "the key will not be exposed to the application" are relevant only for TF-M enabled devices (namely nRF5340, nRF9160). The nRF52840 has only the ability to store one symmetric key which will be hidden from the application after being flashed. This is the device root key and is documented here:

    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html?highlight=kdr#functionality

Reply
  • 0

    Hi, 

    There are two reasons that this fails if you just change the lifetime flag from volatile to persistent. The persistent keys requires to set a key id for the key, with the psa_set_key_id function. The second reason is that you have to enable for the persistent key storage support in Kconfig. In the case of nRF52840 these options need to be added:

    CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

 

# Note that NVS is only one of the options to enable persistent storage of keys
# using the settings subsystem.
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y

    Note that these configurations are documented in our persistent_key_storage sample.

    Now to avoid misunderstandings, please be clear that in the case of nRF52840 the keys will anyway be stored in flash and they will not be protected. The comments in the sample which describe that "the key will not be exposed to the application" are relevant only for TF-M enabled devices (namely nRF5340, nRF9160). The nRF52840 has only the ability to store one symmetric key which will be hidden from the application after being flashed. This is the device root key and is documented here:

    https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/others/hw_unique_key.html?highlight=kdr#functionality

Children
Related
Terms of service