https://devzone.nordicsemi.com/f/nordic-q-a/98637/hashing-key-is-tf-mHi, I am looking into using TF-m/PSA in Nordic nRF9160 for our product. One of the requirements is to store a symmetric key as the SHA256 hashing key. I started with the sample in tfm_hello_world, where there is a call to psa_hash_compute() to calculateen-USTelligent Community 13Fri, 14 Apr 2023 15:01:15 GMThttps://devzone.nordicsemi.com/thread/420556?ContentTypeID=1Fri, 14 Apr 2023 15:01:15 GMT137ad170-7792-4731-bb38-c0d22fbe4515:355f65a4-e507-4c91-ac42-ea7152af60e1Amanda Hsieh<p>Hi,&nbsp;</p> <p>SHA-256 is a deterministic hashing algorithm but the result of calling SHA-256 is a &quot;digest&quot; and I don&#39;t think it is common to refer to that as a key.</p> <p>There are multiple options of keeping a hash-digest following the nRF9160. I will list out the options. You don&#39;t need to use the PSA Crypto APIs (psa_import_key) for this.</p> <ol> <li>Use some data in the OTP region to keep the hash digest and implement an ARoT to give access to this in the S-world, or alternatively use the ARoT to do the whole operation they want to do (like a custom security service). <strong>Note that this may limit the number of upgrades you can do if downgrade protection is used in the DFU</strong></li> <li>Use a CPU-accessible slot in KMU (Don&#39;t lock it only for CryptoCell usage) and make the same type of ARoT to either give direct access to the digest or make a custom ARoT functionality to do the operation using this digest</li> <li>Use PSA PS (Protected Storage) API provided by TF-M to store the hash-digest without permissions to make it erasable. Data in PSA PS will be accessible from the NS world</li> <li>Use psa_import_key but give usage permissions to export the digest key (so NS world can get access to it)</li> </ol> <p>Final notes: Only option 1 and 2 can be done in a production line without having any application running on the device. This is a huge benefit. But as you see, the OTP and the KMU is a secure-only peripheral so there needs to be a secure service when TrustZone is enabled (with TF-M)</p> <p>Option 3 and 4 work without any specialized ARoT service and the business-logic of handling this SHA-256 digest will be in the NS image. This means that this hash for sure is readable in the NS image. So the concept of &quot;key&quot; is further diminished as everyone will have access to it.&nbsp;</p> <p>-Amanda H.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/420185?ContentTypeID=1Thu, 13 Apr 2023 10:50:14 GMT137ad170-7792-4731-bb38-c0d22fbe4515:a30ef20d-6172-403b-9c0e-b7edb1194acfWhiteCloud2<p>Thanks for the note.</p> <p>The provisioning_image example demonstrates writing the identity key and the implementation id. However, I am looking for the key used for hashing. I did change the identity key and implementation id and get the same hashing value for a given string. That I think confirms that they are not the hashing key.</p><div style="clear:both;"></div>https://devzone.nordicsemi.com/thread/420058?ContentTypeID=1Wed, 12 Apr 2023 21:00:34 GMT137ad170-7792-4731-bb38-c0d22fbe4515:3d0aa05d-e7b7-454a-bc91-91afe7414be3Amanda Hsieh<p>Hi,&nbsp;</p> [quote user=""]Could someone shed some light into it? Where is the key stored?[/quote] <p>The key is managed and stored in the&nbsp;<a href="https://infocenter.nordicsemi.com/topic/ps_nrf5340/kmu.html?cp=4_0_0_6_16">key management unit</a>&nbsp;(KMU). See more<span>&nbsp;information in</span><a href="https://infocenter.nordicsemi.com/topic/ps_nrf5340/kmu.html?cp=3_0_0_6_16"><span>&nbsp;</span>KMU documentation</a><span>.</span></p> [quote user=""]how do I provision it?[/quote] <p><a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/tfm/provisioning_image/README.html">Provisioning image sample</a> and <a href="https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/tfm/tfm_psa_template/README.html">PSA template</a>&nbsp;are good samples to start as you did.&nbsp;</p> <p>Regards,<br />Amanda H.</p><div style="clear:both;"></div>