Hi Andrew,
“built-in keys with a pre-defined key_id” ,I take this to mean that HUK is a built-in key with the pre-defined key_id TFM_CRYPTO_KEY_ID_HUK,which can be stored in OTP,EEPROM or embedded Flash of MCU.
There is no ownership of these built-in keys,however,application persisten keys are created by an application,so application persisten keys are owned by relevant applications.
Best Regards, Poppy Wu
Macronix Microelectronics (Suzhou) Co.,Ltd http://www.mxic.com.cn
Andrew Thoelke via TF-M tf-m@lists.trustedfirmware.org Sent by: "TF-M" tf-m-bounces@lists.trustedfirmware.org 2021/06/02 17:33 Please respond to Andrew Thoelke Andrew.Thoelke@arm.com
To "tf-m@lists.trustedfirmware.org" tf-m@lists.trustedfirmware.org, nd nd@arm.com cc
Subject Re: [TF-M] Questions about psa crypto persistent key
Hi Poppy Wu,
In the v1.0.0 PSA Crypto spec, key handles were removed, and keys are now always referred to by a key identifier.
After creating a persistent key with a key_id specified by the application (by import, generation or derivation), the key can be used in a cryptographic operation by passing the key_id to the operation function. No key handles are needed anymore. See https://armmbed.github.io/mbed-crypto/html/api/keys/lifetimes.html#persisten... .
An implementation can provide some built-in keys with a pre-defined key_id. Depending on the key attributes and policy, these can be used by an application in appropriate cryptographic operations. Built-in keys can behave differently to application persistent keys:
They cannot be destroyed by an application They might be accessible to multiple applications They might have different values in different applications
The implementation should provide documentation on the expected use of any built-in keys.
We’ll need one of the TF-M team to comment on the expected use for TFM_CRYPTO_KEY_ID_HUK.
Regards, Andrew Thoelke
Andrew Thoelke Software Systems Architect | Arm . . . . . . . . . . . . . . . . . . . . . . . . . . . Arm.com
From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Edward Yang via TF-M Sent: 02 June 2021 06:30 To: tf-m@lists.trustedfirmware.org Subject: [TF-M] Questions about psa crypto persistent key
Hi Experts,
I have some questions about crypto persisten keys.
1. psa_open_key() is removed in psa crypto spec,so it is impossible to import a persistent key into key slot with key_id,which means encrypt/decrypt data directly with a persistent key is not allowed,these persistent keys can only be
used to derive volatile keys which will be used for encryption/decryption, I am not sure if I understand correctly.
2. Besides,HUK can be used to derive the other crypto keys,such as ps crypto key.HUK may be stored in OTP area of MCU(without crypto element such as cc312),then what's intended flow to derive crypto keys from HUK via calling PSA crypto service?There is no reference implementation in tf-m code.
tfm_plat_get_huk_derived_key(){
get HUK from OTP || || / how to derive crypto key from HUK with calling crypto service? }
3. BTW,HUK has a persistent key id TFM_CRYPTO_KEY_ID_HUK defined in tfm_crypto_defs.h,but I haven't seen any reference to this macro. What's the intended use of this key id?And what's the key owner of HUK?
Best Regards, Poppy Wu
Macronix Microelectronics (Suzhou) Co.,Ltd http://www.mxic.com.cn CONFIDENTIALITY NOTE: This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation. Macronix International Co., Ltd. =====================================================================-- TF-M mailing list TF-M@lists.trustedfirmware.org https://lists.trustedfirmware.org/mailman/listinfo/tf-m
============================================================================
CONFIDENTIALITY NOTE:
This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as its attachment(s) from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation.
Macronix International Co., Ltd.
=====================================================================