psa_generate_key failed! with Error: -134

Hello,

-134 means PSA_ERROR_NOT_SUPPORTED.

Unfortunately, your issue is likely related to known issue:
Zephyr bus fault when using PSA crypto with CC310 and Openthread L2 layer 
PSA crypto features not enabled when CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled 

You may try the patch mentioned in the thread, but I can check internally if there is any news on this.

Best regards,
Kenneth

Hi Kenneth, 

I looked into the threads mentioned but I don't think that the suggestions mentioned there helps to solve my issues as I don't have open thread feature in my application. I am working on integrating nrf security sub system module(crypto cell ) application and transport application(wifi, tcp/tls) to develop a new usecase application which securely communicate with remote network.

NCS Version: nrf-connect-sdk-v2.2.99-dev3

Zephyr SDK Version: 0.15.2

Please let me know if you get any clue on this issue. My prj.conf is added here. 

#
#   Application project specific configuration
#
CONFIG_SOC_SERIES_NRF53X=y
CONFIG_SOC_NRF5340_CPUAPP_QKAA=y

# Target memory specific options
CONFIG_HW_UNIQUE_KEY=y
CONFIG_HW_UNIQUE_KEY_RANDOM=y
CONFIG_PM_SINGLE_IMAGE=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y
CONFIG_RESET_ON_FATAL_ERROR=y
CONFIG_REBOOT=y
CONFIG_FPU=y
CONFIG_FP_HARDABI=y
CONFIG_KERNEL_MEM_POOL=y
CONFIG_INIT_STACKS=y

# System settings
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Device security specific configs
CONFIG_NRF_SECURITY=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_TRUSTED_EXECUTION_SECURE=y
CONFIG_BUILD_WITH_TFM=n
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

# For hardware crypto accelerator
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

# Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS_PSA_CRYPTO_C=y


# General
CONFIG_POSIX_CLOCK=y
CONFIG_POSIX_MAX_FDS=8
CONFIG_HW_STACK_PROTECTION=y
CONFIG_HW_ID_LIBRARY_SOURCE_NET_MAC=y
CONFIG_DK_LIBRARY=y
CONFIG_PM=y
CONFIG_FPU=y

# System settings
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Kernel options
CONFIG_ENTROPY_GENERATOR=y

# Memories
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_NET_TX_STACK_SIZE=4096
CONFIG_NET_RX_STACK_SIZE=4096
CONFIG_NET_TCP_WORKQ_STACK_SIZE=4096
CONFIG_NET_MGMT_EVENT_STACK_SIZE=4096
CONFIG_LOG_BUFFER_SIZE=4096
# Below section is the primary contributor to SRAM and is currently
# tuned for performance, but this will be revisited in the future.
CONFIG_HEAP_MEM_POOL_SIZE=153600
CONFIG_NET_BUF_RX_COUNT=16
CONFIG_NET_BUF_TX_COUNT=16
CONFIG_NET_BUF_DATA_SIZE=128
CONFIG_NET_TC_TX_COUNT=0
CONFIG_NET_PKT_RX_COUNT=8
CONFIG_NET_PKT_TX_COUNT=8

#Socket settings
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# Native network stack
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=120000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y

# PSA
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

# NET sockets
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_POLL_MAX=8
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_IPV4=y
CONFIG_NET_TCP=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_NATIVE=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONTEXT_SNDTIMEO=y

CONFIG_NET_TCP_ISN_RFC6528=y
CONFIG_NET_MGMT_EVENT_INFO=y
CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_MAX_CONTEXTS=5
CONFIG_NET_CONTEXT_SYNC_RECV=y
CONFIG_INIT_STACKS=y

# DNS
CONFIG_DNS_RESOLVER=y

# Debugging
CONFIG_STACK_SENTINEL=y
CONFIG_DEBUG_COREDUMP=y
CONFIG_DEBUG_COREDUMP_BACKEND_LOGGING=y
CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN=y
CONFIG_SHELL_CMDS_RESIZE=n

# Logging
CONFIG_LOG=y
CONFIG_NET_LOG=y
CONFIG_NET_TCP_LOG_LEVEL_DBG=n
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=n
CONFIG_NET_CONN_LOG_LEVEL_DBG=n
CONFIG_NET_CONTEXT_LOG_LEVEL_DBG=n
CONFIG_NET_HTTP_LOG_LEVEL_DBG=n
CONFIG_WIFI_LOG_LEVEL_ERR=n
CONFIG_WPA_SUPP_LOG_LEVEL_ERR=n

# Network address config
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_NEED_IPV4=y
CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.168.1.99"
CONFIG_NET_CONFIG_MY_IPV4_NETMASK="255.255.255.0"
CONFIG_NET_CONFIG_MY_IPV4_GW="192.168.1.1"

# Server IPV4/IPV6 address config
#Mainnet.Incubed
CONFIG_NET_CONFIG_PEER_IPV4_ADDR="167.86.94.248"

# HTTP
CONFIG_HTTP_CLIENT=y

# WiFi driver 
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y

# WPA supplicant
CONFIG_WPA_SUPP=y

 Regards

Vipin Das

I got help from a collegue:

The configuration that it is proposed there uses the MBEDTLS_BUILTIN which is using the MbedTLS library from Zephyr. We would propose to disable both the CONFIG_MBEDLTS and the CONFIG_MBEDTLS_BUILTIN. TLS configurations can be changed through the Kconfig in nrf_security: https://github.com/nrfconnect/sdk-nrfxlib/blob/main/nrf_security/Kconfig

Also from the case there we are not sure what environment you are trying to run. We see that you have these three options:

CONFIG_TRUSTED_EXECUTION_SECURE=y
CONFIG_BUILD_WITH_TFM=n
CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

Which are confusing. It will be nice if you can clarify if you are trying to use Trustzone with the legacy Nordic solution called SPM and not the current solution which is TF-M.

Hope it helps,
Kenneth

Hi Kenneth, 

Thanks for the reply and providing me with a glimpse of useful information. 

first and foremost let me clarify your confusion on the environment, for my current usecase we really need key management and derivation feature. But I am not sure which one we should use for that, Trustzone with the legacy Nordic solution(SPM) or TF-M. But I feel TF-M could be a good option. So. stick with TF-M.

After your reply, I played around with the configurations to break down which config causes the issue. Finally I could figure it out and it is "CONFIG_WPA_SUPP". 

My prj.conf after clean-up:

#
#   Application project specific configuration
#
CONFIG_SOC_SERIES_NRF53X=y
CONFIG_SOC_NRF5340_CPUAPP_QKAA=y

# General
CONFIG_POSIX_CLOCK=y
CONFIG_POSIX_MAX_FDS=8
CONFIG_HW_STACK_PROTECTION=y
CONFIG_PM=y

# Target memory specific options
CONFIG_HW_UNIQUE_KEY=y
CONFIG_HW_UNIQUE_KEY_RANDOM=y
CONFIG_PM_SINGLE_IMAGE=y
CONFIG_MPU_ALLOW_FLASH_WRITE=y
CONFIG_RESET_ON_FATAL_ERROR=y
CONFIG_REBOOT=y
CONFIG_FPU=y
CONFIG_FP_HARDABI=y
CONFIG_KERNEL_MEM_POOL=y
CONFIG_INIT_STACKS=y
CONFIG_FLASH=y
CONFIG_FLASH_PAGE_LAYOUT=y
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_SETTINGS_NVS=y

# System settings
CONFIG_NEWLIB_LIBC=y
CONFIG_NEWLIB_LIBC_NANO=n

# Device security specific configs
CONFIG_NRF_SECURITY=y
CONFIG_BUILD_WITH_TFM=y

# For hardware crypto accelerator
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

# Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

# Memories
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_LOG_BUFFER_SIZE=4096
# Below section is the primary contributor to SRAM and is currently
# tuned for performance, but this will be revisited in the future.
CONFIG_HEAP_MEM_POOL_SIZE=153600
CONFIG_MBEDTLS_HEAP_SIZE=120000

# Logging
CONFIG_LOG=y
CONFIG_CONSOLE=y
CONFIG_LOG_BACKEND_UART=y
CONFIG_NET_TCP_LOG_LEVEL_DBG=n
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=n
CONFIG_NET_CONN_LOG_LEVEL_DBG=n
CONFIG_NET_CONTEXT_LOG_LEVEL_DBG=n
CONFIG_NET_HTTP_LOG_LEVEL_DBG=n
CONFIG_WIFI_LOG_LEVEL_ERR=n
CONFIG_WPA_SUPP_LOG_LEVEL_ERR=n

# NET sockets
CONFIG_NETWORKING=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_POLL_MAX=8
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_IPV4=y
CONFIG_NET_TCP=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_NATIVE=y
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONTEXT_SNDTIMEO=y
CONFIG_NET_TCP_ISN_RFC6528=n
CONFIG_NET_MGMT_EVENT_INFO=y
CONFIG_NET_IF_UNICAST_IPV4_ADDR_COUNT=1
CONFIG_NET_MAX_CONTEXTS=5
CONFIG_NET_CONTEXT_SYNC_RECV=y

# Network address config
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_NEED_IPV4=y
CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.168.1.99"
CONFIG_NET_CONFIG_MY_IPV4_NETMASK="255.255.255.0"
CONFIG_NET_CONFIG_MY_IPV4_GW="192.168.1.1"

# Server IPV4/IPV6 address config
#Mainnet.Incubed
CONFIG_NET_CONFIG_PEER_IPV4_ADDR="167.86.94.248"

# HTTP
CONFIG_HTTP_CLIENT=y

# WiFi driver 
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y

# Enable Secure socket option
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=8192
CONFIG_MBEDTLS_TLS_LIBRARY=y

# WPA supplicant
CONFIG_WPA_SUPP=y

My application output with above config. Here psa_generate_key failed but message send success. 

*** Booting Zephyr OS build v3.2.99-ncs1-1547-ge2bec540218d ***
[00:00:01.251,159] <inf> cryptocell: Writing random keys to KMU
[00:00:01.313,690] <inf> cryptocell: Success!
[00:00:01.313,964] <dbg> in3_https: in3_register_https_client: in3 register https
[00:00:01.375,976] <inf> cryptocell: psa_generate_key failed! Error: -134
[00:00:01.376,129] <inf> wpa_supp: start_wpa_supplicant: 192 Starting wpa_supplicant thread with debug level: 3

[00:00:01.376,342] <inf> wpa_supp: Successfully initialized wpa_supplicant
[00:00:01.376,434] <inf> wpa_supp: iface_cb: iface wlan0 ifindex 1 f4:ce:36:00:1a:ee
[00:00:01.376,495] <inf> wpa_supp: Using interface wlan0

[00:00:01.376,525] <inf> wpa_supp: Initializing interface 0: wlan0

[00:00:02.379,760] <inf> wpa_supp: l2_packet_init: iface wlan0 ifindex 1
[00:00:03.311,889] <inf> wifi_handler: Connection requested
[00:00:03.611,999] <inf> wifi_handler: State: SCANNING
[00:00:03.912,139] <inf> wifi_handler: State: SCANNING
[00:00:04.212,280] <inf> wifi_handler: State: SCANNING
[00:00:04.512,390] <inf> wifi_handler: State: SCANNING
[00:00:04.812,500] <inf> wifi_handler: State: SCANNING
[00:00:05.112,640] <inf> wifi_handler: State: SCANNING
[00:00:05.412,750] <inf> wifi_handler: State: SCANNING
[00:00:05.712,890] <inf> wifi_handler: State: SCANNING
[00:00:06.013,000] <inf> wifi_handler: State: SCANNING
[00:00:06.313,140] <inf> wifi_handler: State: SCANNING
[00:00:06.613,250] <inf> wifi_handler: State: SCANNING
[00:00:06.913,360] <inf> wifi_handler: State: SCANNING
[00:00:07.213,470] <inf> wifi_handler: State: SCANNING
[00:00:07.513,610] <inf> wifi_handler: State: SCANNING
[00:00:07.813,751] <inf> wifi_handler: State: SCANNING
[00:00:08.113,891] <inf> wifi_handler: State: SCANNING
[00:00:08.414,001] <inf> wifi_handler: State: SCANNING
[00:00:08.651,611] <inf> wpa_supp: wlan0: SME: Trying to authenticate with ec:a8:1f:c9:bc:98 (SSID='Das' freq=2437 MHz)
[00:00:08.670,074] <inf> wifi_nrf: wifi_nrf_wpa_supp_authenticate:Authentication request sent successfully

[00:00:08.714,172] <inf> wifi_handler: State: AUTHENTICATING
[00:00:08.925,445] <inf> wpa_supp: wlan0: Trying to associate with ec:a8:1f:c9:bc:98 (SSID='Das' freq=2437 MHz)
[00:00:08.934,295] <inf> wifi_nrf: wifi_nrf_wpa_supp_associate: Association request sent successfully

[00:00:08.963,409] <inf> wpa_supp: wpa_drv_zep_get_ssid: SSID size: 3

[00:00:08.963,562] <inf> wpa_supp: wlan0: Associated with ec:a8:1f:c9:bc:98
[00:00:08.963,714] <inf> wpa_supp: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
[00:00:08.970,062] <inf> wpa_supp: wpa_drv_zep_get_ssid: SSID size: 3

[00:00:08.992,126] <inf> wpa_supp: wlan0: WPA: Key negotiation completed with ec:a8:1f:c9:bc:98 [PTK=CCMP GTK=CCMP]
[00:00:08.992,370] <inf> wpa_supp: wlan0: CTRL-EVENT-CONNECTED - Connection to ec:a8:1f:c9:bc:98 completed [id=0 id_str=]
[00:00:08.992,431] <inf> wifi_handler: Connected
[00:00:09.020,263] <inf> wifi_handler: State: COMPLETED
9120 DEBUG request.c:210:req_new(): ::: exec eth_getBalance ["0x03cb0021808442ad5efb61197966aef72a1def96","latest"] 
9121 TRACE execute.c:763:in3_handle_rpc(): ... request to https://mainnet.incubed.net
... [{"id":"2","jsonrpc":"2.0","method":"eth_getBalance","params":["0x03cb0021808442ad5efb61197966aef72a1def96","latest"]}]
[00:00:10.281,555] <dbg> in3_https: server_response_cb: All the data received (618 bytes)
[00:00:10.281,585] <dbg> in3_https: server_response_cb: http status:OK http status code:200
[00:00:10.286,499] <dbg> in3_https: run_https_post: https POST success
10286 TRACE execute.c:777:in3_handle_rpc(): ... response(https://mainnet.incubed.net): 
... [{"jsonrpc":"2.0","id":"2","result":"0x2fe1d73e5a1d8c2d33","in3":{"lastValidatorChange":0,"lastNodeList":16168758,"execTime":153,"rpcTime":153,"rpcCount":1,"currentBlock":17136458,"version":"2.1.0"}}]
10287 DEBUG execute.c:494:find_valid_result(): accepted response for eth_getBalance from https://mainnet.incubed.net
[00:00:10.287,872] <dbg> main: main: Result: "0x2fe1d73e5a1d8c2d33"

Application output after I make CONFIG_WPA_SUPP=n, here psa_generate_key is success but wifi connectivity failed.

*** Booting Zephyr OS build v3.2.99-ncs1-1547-ge2bec540218d ***
[00:00:01.248,535] <inf> cryptocell: Writing random keys to KMU
[00:00:01.311,065] <inf> cryptocell: Success!
[00:00:01.311,340] <dbg> in3_https: in3_register_https_client: in3 register https
[00:00:01.389,038] <inf> cryptocell: Identity key stored from local memory to kmu slot 6
[00:00:01.389,221] <inf> cryptocell: Private Key loaded to local memory from kmu slot 6 
[00:00:01.389,221] <inf> cryptocell: Importing the identity key into PSA crypto.
[00:00:01.404,113] <inf> cryptocell: Exporting the public key corresponding to the identity key.
[00:00:01.419,006] <inf> cryptocell: Exported Public Key
                                     04 64 6c 38 a0 5c 5f f5  76 eb ab d0 2f d7 e7 c9 |.dl8.\_. v.../...
                                     7c 0a 41 a6 c6 46 bd f0  22 99 86 49 62 66 59 9b ||.A..F.. "..IbfY.
                                     2e 97 6b 2a 19 c9 b3 5c  ab 64 91 31 d1 ee 32 0b |..k*...\ .d.1..2.
                                     84 5f 36 ad 1a 41 ea e5  62 49 cc 89 e9 30 4f ba |._6..A.. bI...0O.
                                     23                                               |#                
[00:00:02.419,097] <err> wifi_handler: Connection request failed
[00:00:02.719,207] <inf> wifi_handler: Status request failed
[00:00:03.019,317] <inf> wifi_handler: Status request failed
[00:00:03.319,396] <inf> wifi_handler: Status request failed
[00:00:03.619,506] <inf> wifi_handler: Status request failed
[00:00:03.919,616] <inf> wifi_handler: Status request failed
[00:00:04.219,726] <inf> wifi_handler: Status request failed

Could you please take a look or ask any of your colleague about this problem. Is there any way I can connect to wifi network without wpa supplicant?

My Environment:

Hi Vipin,

You need to use wpa_supplicant to use encrypted Wi-Fi networks, and currently that is not compatible with using TF-M. These are both critical features though and we are actively working on this now, so while I do not have any solution at the moment, this will come soon.