Hi Antonio,

Thank you for taking the time to help confirm the function. We've found out that this error resulted from
the incorrect initialization of 'operation' before calling PSA APIs. After fixing this bug, we also got the correct
OKM. Thanks again for your support.


Best Regards,
Poppy Wu

http://www.mxic.com.cn


Antonio De Angelis via TF-M <tf-m@lists.trustedfirmware.org>
2023/03/23 21:58
Please respond to: Antonio De Angelis <Antonio.DeAngelis@arm.com>
To: "tf-m@lists.trustedfirmware.org" <tf-m@lists.trustedfirmware.org>
cc: nd <nd@arm.com>
Subject: [TF-M] Re: Please help check the failure of PSA_ALG_HKDF_EXPAND operation test

Hi,
 
I have tried the example below on mbed TLS running on an x86 Linux based host machine, and on the AN521 platform, and in both cases I can get consistent results, i.e. the value of the okm buffer at the end is:
 
0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac,
0xd5, 0x7a, 0x90, 0x43, 0x4f, 0x64,
0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d,
0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4,
0xc5, 0xbf, 0x34, 0x00, 0x72, 0x08,
0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65
 
Which I believe matches the expected output below. Given that your issue seems to be specific to the stm32l562e_dk platform, which uses its own crypto accelerator I believe rather than pure software implementation, I would suggest to have a look at the intermediate steps and compare your results against the AN521 platform results. You might want to raise this behaviour to the platform maintainer, as at this stage this seems to me to be a platform specific issue.
 
I can only confirm that you are not misusing the PSA Crypto APIs here.
 
Let me know if I can be of any more help.
 
Thanks,
Antonio
 
From: Antonio De Angelis via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, March 23, 2023 12:51
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Re: Please help check the failure of PSA_ALG_HKDF_EXPAND operation test
 
I am going to have a look into this. Thanks for the instructions on how to reproduce. It might take a while to reply, please bear with me.
 
Thanks,
Antonio
 
From: Edward Yang via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Thursday, March 23, 2023 01:36
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Please help check the failure of PSA_ALG_HKDF_EXPAND operation test

 

Hi experts,

Recently we're testing the HKDF-EXPAND interface with TF-M v1.7.0 on stm32l562e_dk platform.

But the HKDF-EXPAND output didn't match the expected OKM.

The test vector is as below:

       ALG     : PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256),
       "info"  : decode_hex("f0f1f2f3f4f5f6f7f8f9"),
       "L"     : 42,
       "PRK"   : "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
       "OKM"   : "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"

The corresponding code is as follows:

   /* Output buffer for L = 42 bytes of OKM */
   uint8_t okm[42]={0};
   uint8_t info[] = {0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,0xf8,0xf9};
   /* PRK from the test vector, passed as the SECRET input */
   uint8_t ikm[]= {
                   0x7,0x77,0x9,0x36,0x2c,0x2e,0x32,0xdf,
                   0xd,0xdc,0x3f,0xd,0xc4,0x7b,0xba,0x63,
                   0x90,0xb6,0xc7,0x3b,0xb5,0xf,0x9c,0x31,
                   0x22,0xec,0x84,0x4a,0xd7,0xc2,0xb3,0xe5
   };

   status = psa_key_derivation_setup(&operation, PSA_ALG_HKDF_EXPAND(PSA_ALG_SHA_256));

   status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SECRET,
                                               ikm, sizeof(ikm));
   status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_INFO,
                                               info, sizeof(info));
   status = psa_key_derivation_output_bytes( &operation, okm, sizeof(okm) );


The actual output okm is : 5a 1c ea 2d 24 ee 79 c5 bf ce 27 7b ... be b 3b 2e 19 18 77 ae, which didn't match the OKM of above test vector.


Have we misused the HKDF-EXPAND operation?



Best Regards,
Poppy Wu



http://www.mxic.com.cn
--
TF-M mailing list -- tf-m@lists.trustedfirmware.org
To unsubscribe send an email to tf-m-leave@lists.trustedfirmware.org
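
A host-side reference for the comparison of intermediate steps suggested in the thread, as an added example that is not part of the original messages or of TF-M / Mbed TLS: it computes the HKDF-Expand blocks T(1), T(2), ... for the quoted test vector and reports which block of a device's OKM diverges first. The function names are hypothetical; the constants are the values quoted in the thread.

```python
import hashlib
import hmac

# Test vector exactly as quoted in the thread (PRK, info, expected OKM, L = 42).
PRK = bytes.fromhex("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5")
INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
OKM = bytes.fromhex("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                    "5db02d56ecc4c5bf34007208d5b887185865")


def hkdf_expand_blocks(prk, info, length, hash_name="sha256"):
    """Return the HKDF-Expand blocks T(1)..T(N) as a list (RFC 5869, section 2.3)."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("L must not exceed 255 * HashLen")
    n_blocks = -(-length // hash_len)  # ceil(L / HashLen)
    blocks, prev = [], b""
    for counter in range(1, n_blocks + 1):
        # T(i) = HMAC(PRK, T(i-1) || info || i), with T(0) empty
        prev = hmac.new(prk, prev + info + bytes([counter]), hash_name).digest()
        blocks.append(prev)
    return blocks


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """Return the first `length` bytes of T(1) || T(2) || ..."""
    return b"".join(hkdf_expand_blocks(prk, info, length, hash_name))[:length]


def first_bad_block(device_okm, prk, info, hash_name="sha256"):
    """Return the 1-based index of the first T(i) the device output disagrees
    with, or None when the whole output matches the reference."""
    blocks = hkdf_expand_blocks(prk, info, len(device_okm), hash_name)
    offset = 0
    for index, block in enumerate(blocks, 1):
        chunk = device_okm[offset:offset + len(block)]
        if not hmac.compare_digest(chunk, block[:len(chunk)]):
            return index
        offset += len(block)
    return None


if __name__ == "__main__":
    print("reference OKM:", hkdf_expand(PRK, INFO, 42).hex())
    print("first bad block for expected OKM:", first_bad_block(OKM, PRK, INFO))
```

A mismatch already in block 1 points at the HMAC/key setup or operation state rather than at the block chaining, which is consistent with the root cause reported at the top of the thread.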