Hi,

I need to derive a new key from the HUK using HKDF, but are we able to request key derivation with the HUK from the NS side, or would we need to create a custom ARoT partition for that?

The requirements are identical to what PS does here with HKDF -- no salt and a fixed 'info' value, resulting in a key that is device-bound and can be regenerated at startup with no storage requirements: https://tf-m-user-guide.trustedfirmware.org/docs/technical_references/design_docs/ps_key_management.html#key-derivation (that API usage looks to be out of date, BTW, since "psa_open_key" now takes two params).

I tried to do something similar from the NS side, modifying this code https://github.com/zephyrproject-rtos/zephyr/blob/main/samples/tfm_integration/psa_crypto/src/psa_crypto.c#L94 ..., but get an error when trying to open the HUK with "TFM_CRYPTO_KEY_ID_HUK".

That isn't surprising, but is there any alternative to generate keys from the HUK without a custom ARoT service? The fact that no storage is required when deriving from the HUK is significant.

Best regards,
Kevin
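Added example, not part of the original message and not TF-M or Zephyr code: a reference model of the derivation described above (HKDF per RFC 5869, empty salt, fixed `info`) so the security properties can be checked offline. The HUK value is constructed; a real HUK never leaves the secure side, and on a PSA target the same operation is expressed through `psa_key_derivation_setup` with `PSA_ALG_HKDF(PSA_ALG_SHA_256)`, the HUK as `PSA_KEY_DERIVATION_INPUT_SECRET` and the label as `PSA_KEY_DERIVATION_INPUT_INFO`. The function name `derive_device_key` is an assumption for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM).

    An empty salt is defined to be HashLen zero bytes, so 'no salt'
    is still a well-defined, deterministic input."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: OKM = T(1) | T(2) | ... truncated to `length`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long for this hash")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Constructed stand-in for the device's HUK (32 bytes of sample data).
CONSTRUCTED_HUK = bytes(range(32))


def derive_device_key(huk: bytes, label: bytes, length: int = 32) -> bytes:
    """The PS-style derivation from the message: no salt, fixed 'info'.

    Because every input is either the device's HUK or a compile-time
    constant, the result is device-bound and can be recomputed at every
    boot, so nothing has to be stored. Distinct labels give independent
    keys from the same HUK."""
    return hkdf(huk, b"", label, length)


if __name__ == "__main__":
    k1 = derive_device_key(CONSTRUCTED_HUK, b"TFM_PS_KEY")
    k2 = derive_device_key(CONSTRUCTED_HUK, b"TFM_PS_KEY")
    k3 = derive_device_key(CONSTRUCTED_HUK, b"APP_STORAGE_KEY")
    print("regenerable:", k1 == k2)
    print("label-separated:", k1 != k3)
    print("key:", k1.hex())
```

The check a practitioner wants here is that the empty-salt path matches the RFC definition, so the test below verifies the implementation against the published RFC 5869 test vector before relying on the derivation properties.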