psa_generate_key failed! with Error: -134

Hi nordic team, 

I am working on an application which uses the CryptoCell feature, the Wi-Fi capability of the nRF7002DK, mbedTLS, etc. I proceeded with my development after individually verifying each feature on the nRF7002DK (CryptoCell, Wi-Fi, mbedTLS, etc.).

My current problem is that psa_generate_key() fails to generate a key and returns error code -134. This happens only when I integrate my complete application (CryptoCell, Wi-Fi, mbedTLS, etc.). If I run the CryptoCell-specific changes alone it works, but if I run them along with the Wi-Fi + mbedTLS changes it fails. I am not sure what causes this problem.

Just sharing my prj.conf below. 

With the configuration below, the CryptoCell feature for private key generation works as expected.

But when I add the configuration below for enabling Wi-Fi & networking, psa_generate_key fails with -134.

Can someone please tell me what the problem could be with key generation and the Wi-Fi network configuration?

Thanks 

Vipin Das

  • Hello,

    -134 means PSA_ERROR_NOT_SUPPORTED.

    Unfortunately, your issue is likely related to a known issue:
    Zephyr bus fault when using PSA crypto with CC310 and Openthread L2 layer 
    PSA crypto features not enabled when CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled 

    You may try the patch mentioned in the thread, but I can check internally if there is any news on this.

    Best regards,
    Kenneth

  • Hi Kenneth, 

    I looked into the threads mentioned, but I don't think the suggestions there help to solve my issue, as I don't have the OpenThread feature in my application. I am working on integrating the nRF Security subsystem module (CryptoCell) application and the transport application (Wi-Fi, TCP/TLS) to develop a new use-case application which communicates securely with a remote network.

    NCS Version: nrf-connect-sdk-v2.2.99-dev3

    Zephyr SDK Version: 0.15.2

    Please let me know if you get any clue on this issue. My prj.conf is added here. 

    Regards

    Vipin Das

  • I got help from a colleague:

    The configuration proposed there uses MBEDTLS_BUILTIN, which uses the Mbed TLS library from Zephyr. We would propose disabling both CONFIG_MBEDTLS and CONFIG_MBEDTLS_BUILTIN. TLS configurations can be changed through the Kconfig in nrf_security: https://github.com/nrfconnect/sdk-nrfxlib/blob/main/nrf_security/Kconfig

    Also, from the case we are not sure what environment you are trying to run. We see that you have these three options:

    CONFIG_TRUSTED_EXECUTION_SECURE=y
    CONFIG_BUILD_WITH_TFM=n
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

    which are confusing. It would be nice if you could clarify whether you are trying to use TrustZone with the legacy Nordic solution called SPM rather than the current solution, which is TF-M.

    Hope it helps,
    Kenneth

  • Hi Kenneth, 

    Thanks for the reply and providing me with a glimpse of useful information. 

    First and foremost, let me clarify your confusion on the environment: for my current use case we really need the key management and derivation feature. But I am not sure which one we should use for that, TrustZone with the legacy Nordic solution (SPM) or TF-M. I feel TF-M could be a good option, so let's stick with TF-M.

    After your reply, I played around with the configurations to narrow down which config causes the issue. Finally I could figure it out: it is "CONFIG_WPA_SUPP".

    My prj.conf after clean-up:

    My application output with the above config. Here psa_generate_key failed but the message send succeeded.

    Application output after I set CONFIG_WPA_SUPP=n; here psa_generate_key succeeds but Wi-Fi connectivity failed.

    Could you please take a look or ask any of your colleagues about this problem? Is there any way I can connect to a Wi-Fi network without wpa_supplicant?

    My Environment:

    ZEPHYR_SDK_VERSION : 0.15.2
    NCS: v2.2.99-dev3

    Regards
    Vipin Das
  • Hi Vipin,

    You need to use wpa_supplicant to use encrypted Wi-Fi networks, and currently that is not compatible with using TF-M. These are both critical features, though, and we are actively working on this now, so while I do not have any solution at the moment, this will come soon.

  • Hi Einar, 

    Is there any other option I can try to proceed with my current development? I have an nRF5340DK and an nRF7002DK with me. My final goal is key derivation and management for message signing/verification operations, and transmitting the signed message to a remote network.

    Is it possible to proceed without TF-M? Without TF-M, is there any other option to derive a key and store the generated key in CryptoCell?

    What about using the legacy Nordic solution SPM? Can I use it in my current integration?

    Regards

    Vipin Das 

  • Hi Vipin,

    You don't need TF-M for using CryptoCell if your whole application runs in secure mode. That means you are not utilizing security by separation, though. So if you are making a product where security is important, I would try to avoid skipping that. Regarding SPM, that is legacy as you write, and no longer present in nRF Connect SDK 2.3.0. It also supported a very limited feature set.

    However, the real issue with combining wpa_supplicant with the PSA crypto libraries is incompatible APIs, and this remains the same regardless of whether you use TF-M or not.

    As one of the main problems is combining the use of PSA Crypto and wpa_supplicant, and you will need both (unless you want to put together your own custom thing based partially on legacy APIs), I would try to keep the crypto work and the Wi-Fi work in separate projects for now and combine them later. If not, I suspect you will essentially be doing similar work to what we are currently doing in parallel, which doesn't seem efficient.

    I will try to update you whenever we have something usable in a PR.

    (Here is another thread with a similar issue where we gave essentially the same advice.)

  • Thanks for the detailed information. I completely got your point and agree with you. 

    We are focusing on developing a secure product. But right now, we want to utilise the key derivation and management feature and try to communicate securely with a remote server/devices.

    As I mentioned, we already have our crypto portion working and our Wi-Fi portion working. Only the wpa_supplicant one is making the PSA key derivation fail.

    Let me ask you one thing: is there any way I can connect to Wi-Fi with wpa_supplicant disabled? I mean Wi-Fi connect using a terminal, etc. That is also fine for the time being to progress my further development.

    Thanks 

    Vipin Das

  • Hi Vipin,

    The Wi-Fi stack depends on wpa_supplicant for other tasks as well (see Supplicant), so I think it will be difficult to do much that is useful, even with open networks, without wpa_supplicant. (You can do some things without it, though, like scanning.)