Hi Brian, The struct you have mentioned is part of the implementation defined `psa_key_attributes_t` data structure. The key algorithm and policy are accessed via appropriate get/set API's (like psa_set_key_algorithm/ psa_get_key_algorithm). Hence these fields are not meant to be directly accessed by the clients but are an implementation detail of crypto Service.

The only reason the 2 algorithm fields exists now is because the mbedcrypto defined the structure that way. I have a patch in flight which cleans up the client view of the psa_key_attributes_t such that only fields required by client are defined. The patch is available for review here :

https://review.trustedfirmware.org/c/trusted-firmware-m/+/4217

Regarding psa_open_key() and psa_close_key(), TF-M tries to implement PSA Crypto 1.0 Beta 3 version of the spec whereas the APIs are removed in 1.0 version. Currently mbedcrypto does not support 1.0 version fully yet. Once 1.0 is supported mbedcrypto, then TF-M will also make the migrate the APIs to 1.0. This is expected to happen during Q3 timeframe.

Best Regards Soby Mathew

From: TF-M tf-m-bounces@lists.trustedfirmware.org On Behalf Of Quach, Brian via TF-M Sent: 02 June 2020 23:44 To: tf-m@lists.trustedfirmware.org Subject: [TF-M] TF-M PSA key management

Hi All,

I see that the PSA crypto API v1.0 spec says "This specification only defines policies that restrict keys to a single algorithm, which is consistent with both common practice and security good practice. ", but the TF-M code defines two algs in the policy struct. Which will be the path going forward?

struct psa_key_policy_s { psa_key_usage_t usage; psa_algorithm_t alg; psa_algorithm_t alg2; };

I also see psa_open_key() and psa_close_key() were removed from the spec. Any plans to remove from TF-M code in the future?

Regards,

Brian Quach SimpleLink MCU Texas Instruments Inc. 12500 TI Blvd, MS F-4000 Dallas, TX 75243 214-479-4076