Secure connection to AWS IoT over WiFi

We are using nRF5340 and nRF7002 to build a WiFi connected device that integrates into our backend via AWS IoT Core. We are evaluating what the best way is to secure the private key for the TLS client authentication, and whether we need an external Hardware Security Module for that or whether we can support everything with the nRF5340 itself.

In general I see two possibilities to do the handshake:

1. Store the private key in a secure storage and have the TLS handshake executed in a secure environment

2. Generate a symmetric key in a secure environment and store it in a secure storage. Encrypt the private key with the symmetric key in the secure environment and store the encrypted private key on flash. Get the private key decrypted before connection and keep it only in memory, but never on flash in plain text.

The first one would obviously be desirable, because the key would never leave the secure environment after provisioning.

According to the docs, the nRF5340 is equipped with a KMU, which could be used for securely storing keys, and CryptoCell, which could be used to perform the secure operations of signing, decrypting and encrypting; with TFM it should be possible to set up a secure environment.

So my questions are mainly:

* How secure is the usage of the functionality provided in the nRF5340 compared to an external dedicated Hardware Security Module?

* Is there a way (or even a sample) for the nRF5340+nRF7002 to transparently set up a client-authenticated TLS tunnel using a private key stored in the KMU?

* How does the Nordic Security Module relate to TFM?

Thanks already for the support!