nrf_security: Allow the IAK to be exported in Cracen

The Cracen builtin keys now have a list of allowed owners which
dictates which owner can use each key.

This has an issue with the IAK because this key should only be
usable by the TF-M attestation partition but at the same time it
should be possible for the application to export the public key
of it.

This updates the logic in the export_public_key function in the
Cracen PSA driver to skip checking for ownerhip for the IKG keys
of Cracen for this function.

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -895,7 +895,14 @@ psa_status_t cracen_export_public_key(const psa_key_attributes_t *attributes,
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 
-	if (!cracen_builtin_key_user_allowed(attributes)) {
+	/* The public key of the IAK needs to be allowed to get exported because there is no
+	 * way to provide the public key through the attestation service at the moment.
+	 * The check for IKG keys is skipped since the only IKG key that can use this operation
+	 * is the IAK.
+	 */
+	if (!cracen_builtin_key_user_allowed(attributes) &&
+	    PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) !=
+		    PSA_KEY_LOCATION_CRACEN) {
 		return PSA_ERROR_NOT_PERMITTED;
 	}