PSA Peristent Storage not Working

Hi,

Have you had a look at the Crypto: Persistent key storage sample?

Yes I have. It is what I based my code on. It doesn't compile either.

Hi Anton,

This example Crypto: Persistent key storage sample works with my setup: with the following command:

nrf/samples/crypto/persistent_key_usage$ west build -b nrf5340dk_nrf5340_cpuapp_ns -p

nrf/samples/crypto/persistent_key_usage$ west build -b nrf5340dk_nrf5340_cpuapp -p

could you share the host and toolchain version?

Is the host with Linux, windows?

toolchain version, zephyr 0.14.1?

I removed the existing version and tried fresh ... and it just worked the second time. Not going to look to far into this I guess.

I do have a follow up question though. What function[s] need to be called to check if a key already exists in persistent storage? I want to store AES keys in persistent storage but there doesn't appear to be any accessible methods to check, and the example destroys keys each cycle.

Hi,

There is currently no API for checking if a key is present. For now, you will have to use something like psa_import_key() or psa_generate_key() and check the return value for PSA_ERROR_ALREADY_EXISTS.

Hi,

There is currently no API for checking if a key is present. For now, you will have to use something like psa_import_key() or psa_generate_key() and check the return value for PSA_ERROR_ALREADY_EXISTS.

I am using ECDH to HKDF to generate an AES key that I want to store using psa_key_derivation_* so I am not actually using psa_import_key or psa_generate_key at all and won't necessarily have the key derivation material after the initial ECDH, which is the whole point of persistent storage. Are you suggesting that I do a psa_import_key/psa_generate_key and then destroy it if it doesn't return PSA_ERROR_ALREADY_EXISTS? This feels like a real shortage of the system ...

The last question was about how to see if you have AES keys in persistent storage? And unfortunately there is no dedicated API for that, so in order to check if a key exist you need to operate on/with it somehow, and look at the return value. I agree that it is not elegant and it has been forwarded to the team. But note that the PSA API is made by Arm, so we cannot do much other than suggest that they add a function for checking if a key exist or not exist in the internal trusted storage.