Hi Poppy,

 

Question 2 and 3:

 

In the PSA crypto spec, the Key derivation function section describes the steps to perform a key derivation. Also I think you can take the implementation of the key generation based on HUK on NXP platform as a reference at https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/platform/ext/target/nxp/common/plat_huk_key.c#n79.

 

TFM_CRYPTO_KEY_ID_HUK  defined in tfm_crypto_defs.h is a temp work before persistent key APIs support in general. It should be removed now.

 

 

Regards,

Sherry Zhang

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Edward Yang via TF-M
Sent: Wednesday, June 2, 2021 1:30 PM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Questions about psa crypto persistent key

 


Hi Experts,

I have some questions about crypto persisten keys.

1. psa_open_key() is removed in psa crypto spec,so it is impossible to import a persistent key into key slot with key_id,which means encrypt/decrypt data directly with a persistent key is not allowed,these persistent keys can only be

used to derive volatile keys which will be used for encryption/decryption, I am not sure if I understand correctly.

2. Besides,HUK can be used to derive the other crypto keys,such as ps crypto key.HUK may be stored in OTP area of MCU(without crypto element such as cc312),then what's intended flow to derive crypto keys from HUK via calling PSA crypto service?There is no reference implementation in tf-m code.  


tfm_plat_get_huk_derived_key(){

 get HUK from OTP
     ||
     ||
     \/
how to derive crypto key from HUK with calling crypto service?
}


3. BTW,HUK has a persistent key id TFM_CRYPTO_KEY_ID_HUK  defined in tfm_crypto_defs.h,but I haven't seen any reference to this macro. What's the intended use of this key id?And what's the key owner of HUK?


Best Regards,
Poppy Wu


Macronix Microelectronics (Suzhou) Co.,Ltd
http://www.mxic.com.cn

CONFIDENTIALITY NOTE:

This e-mail and any attachments may contain confidential information and/or personal data, which is protected by applicable laws. Please be reminded that duplication, disclosure, distribution, or use of this e-mail (and/or its attachments) or any part thereof is prohibited. If you receive this e-mail in error, please notify us immediately and delete this mail as well as it attachments from your system. In addition, please be informed that collection, processing, and/or use of personal data is prohibited unless expressly permitted by personal data protection laws. Thank you for your attention and cooperation.

Macronix International Co., Ltd.

=====================================================================