Hi Brian,

The struct you have mentioned is part of the implementation defined `psa_key_attributes_t` data structure. The key algorithm and policy are accessed via appropriate get/set API’s (like psa_set_key_algorithm/ psa_get_key_algorithm). Hence these fields are not meant to be directly accessed by the clients but are an implementation detail of crypto Service.

The only reason the 2 algorithm fields exists now is because the mbedcrypto defined the structure that way. I have a patch in flight which cleans up the client view of the psa_key_attributes_t such that only fields required by client are defined. The patch is available for review here :

https://review.trustedfirmware.org/c/trusted-firmware-m/+/4217

Regarding psa_open_key() and psa_close_key(), TF-M tries to implement PSA Crypto 1.0 Beta 3 version of the spec whereas the APIs are removed in 1.0 version. Currently mbedcrypto does not support 1.0 version fully yet. Once 1.0 is supported mbedcrypto, then TF-M will also make the migrate the APIs to 1.0. This is expected to happen during Q3 timeframe.

Best Regards

Soby Mathew

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Quach, Brian via TF-M
Sent: 02 June 2020 23:44
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] TF-M PSA key management

Hi All,

I see that the PSA crypto API v1.0 spec says “This specification only defines policies that restrict keys to a single algorithm, which is consistent with both common practice and security good practice. “, but the TF-M code defines two algs in the policy struct. Which will be the path going forward?

struct psa_key_policy_s

{

psa_key_usage_t usage;

psa_algorithm_t alg;

psa_algorithm_t alg2;

};

I also see psa_open_key() and psa_close_key() were removed from the spec. Any plans to remove from TF-M code in the future?

Regards,

Brian Quach

SimpleLink MCU

Texas Instruments Inc.

12500 TI Blvd, MS F-4000

Dallas, TX 75243

214-479-4076