PSA Persistent Storage not Working

I am using the PSA library for the nRF340 and trying to use persistent keys.

It all works without persistent keys enabled, but if I add the following two lines to the prj.conf it no longer compiles:

CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

I have added those as they are part of the persistent_key_usage example. When I add them I get the following compilation error:

c:\Users\anton\ncs\v2.1.0\mbedtls\library\psa_crypto_storage.c:36:10: fatal error: psa/internal_trusted_storage.h: No such file or directory
   36 | #include "psa/internal_trusted_storage.h"
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

I can find that header in v2.1.0/nrfxlib/nrf_security/include/native_its/psa/internal_trusted_storage.h, which is clearly not getting added to the include path.

How do I add it to the include path?

I have attached my prj.conf file

  • I removed the existing version and tried fresh ... and it just worked the second time. Not going to look too far into this I guess.

    I do have a follow-up question though. What function[s] need to be called to check if a key already exists in persistent storage? I want to store AES keys in persistent storage but there doesn't appear to be any accessible methods to check, and the example destroys keys each cycle.

  • Hi,

    There is currently no API for checking if a key is present. For now, you will have to use something like psa_import_key() or psa_generate_key() and check the return value for PSA_ERROR_ALREADY_EXISTS.

  • I am using ECDH to HKDF to generate an AES key that I want to store using psa_key_derivation_* so I am not actually using psa_import_key or psa_generate_key at all and won't necessarily have the key derivation material after the initial ECDH, which is the whole point of persistent storage. Are you suggesting that I do a psa_import_key/psa_generate_key and then destroy it if it doesn't return PSA_ERROR_ALREADY_EXISTS? This feels like a real shortage of the system ...

  • The last question was about how to see if you have AES keys in persistent storage? And unfortunately there is no dedicated API for that, so in order to check if a key exists you need to operate on/with it somehow, and look at the return value. I agree that it is not elegant and it has been forwarded to the team. But note that the PSA API is made by Arm, so we cannot do much other than suggest that they add a function for checking if a key exists or not in the internal trusted storage.
