Restriction from secure element to store specific type of key

I am using the nrf5340dk board and trying to import a key using the PSA API. The API used is psa_import_key(), with the following key attributes:

key_id = 0x010001A0, key_type = PSA_KEY_TYPE_AES, key_bits = 128, key_usage = PSA_KEY_USAGE_DERIVE, key_alg = PSA_ALG_CMAC

key_lifetime = 0x00000101 (Persistence level -> PSA_KEY_PERSISTENCE_DEFAULT, Location indicator -> Primary secure element)

PSA spec says, Implementations should support Primary secure element (location indicator) value if there is a secure element attached to the operating environment. As a guideline, secure elements may provide higher resistance against side channel and physical attacks than the primary local storage, but may have restrictions on supported key types, sizes, policies and operations and may have different performance characteristics.

If I use Primary local element (which means, as per the PSA spec, that primary local storage is typically the same storage area that contains the key metadata) instead of Primary secure element, key import works.

I would like to know if there is any restriction from the hardware, i.e. the Primary secure element, on storing the above-specified type of key.

  • Hi,

    So that we are on the same page: Can you provide a link to where the following documentation comes from?

    key_lifetime = 0x00000101 (Persistence level -> PSA_KEY_PERSISTENCE_DEFAULT, Location indicator -> Primary secure element)

    PSA spec says, Implementations should support Primary secure element (location indicator) value if there is a secure element attached to the operating environment. As a guideline, secure elements may provide higher resistance against side channel and physical attacks than the primary local storage, but may have restrictions on supported key types, sizes, policies and operations and may have different performance characteristics.

    Regards,
    Sigurd Hellesvik

  • armmbed.github.io/.../lifetimes.html

    Please check the Primary secure element section in the table in the screenshot. The same can be accessed using the above link.

  • Hi,

    Our nRF microcontrollers do not have secure elements built-in.

    If you store persistent PSA keys, it will store the keys using the Internal Trusted Storage from Trusted Firmware-M.
    This is internal flash which belongs to the secure partition.

    If you need your keys to be a bit more secure than this, you can enable CONFIG_TFM_ITS_ENCRYPTED to make the ITS data encrypted.
    The encryption key for the ITS data is derived from a Hardware Unique Key.
    Keep in mind that Encrypted ITS is not in the PSA Spec as far as I know.

    For some general Trusted Firmware-M concepts, see An Introduction to Trusted Firmware-M (TF-M)

    Regards,
    Sigurd Hellesvik
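
How the lifetime value from the question splits into persistence and location, and a check that can run before psa_import_key() on a target without a secure element. This is an added example, not code from the thread or from Nordic; the constants are local stand-ins assumed to mirror the PSA spec encoding, and `lifetime_supported` and `lifetime_local_equivalent` are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins (assumption: same values as PSA_KEY_PERSISTENCE_DEFAULT,
 * PSA_KEY_LOCATION_LOCAL_STORAGE and PSA_KEY_LOCATION_PRIMARY_SECURE_ELEMENT). */
#define PERSISTENCE_DEFAULT    0x01u
#define LOCATION_LOCAL_STORAGE 0x000000u
#define LOCATION_PRIMARY_SE    0x000001u

/* Low 8 bits of a lifetime: persistence level. */
static uint8_t lifetime_persistence(uint32_t lifetime)
{
    return (uint8_t)(lifetime & 0xffu);
}

/* Upper 24 bits of a lifetime: location indicator. */
static uint32_t lifetime_location(uint32_t lifetime)
{
    return lifetime >> 8;
}

/* Hypothetical policy check: a non-local location is only usable when the
 * target really has a secure element behind it. Returns 1 if usable. */
static int lifetime_supported(uint32_t lifetime, int has_secure_element)
{
    return lifetime_location(lifetime) == LOCATION_LOCAL_STORAGE
           || has_secure_element;
}

/* Same persistence level, but stored in primary local storage. */
static uint32_t lifetime_local_equivalent(uint32_t lifetime)
{
    return (LOCATION_LOCAL_STORAGE << 8) | lifetime_persistence(lifetime);
}

int main(void)
{
    uint32_t requested = 0x00000101u; /* lifetime from the question */

    printf("persistence=0x%02x location=0x%06x\n",
           (unsigned)lifetime_persistence(requested),
           (unsigned)lifetime_location(requested));
    /* has_secure_element = 0: no secure element on the target. */
    if (!lifetime_supported(requested, 0))
        printf("no secure element; local-storage lifetime is 0x%08x\n",
               (unsigned)lifetime_local_equivalent(requested));
    return 0;
}
```

Failing the check explicitly, rather than silently rewriting the lifetime, keeps the change of storage location a visible decision in the application.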
