nrf_security: CRACEN: Fix KMU key BLOCK can end up in an invalid state

If a blocked key is attempted to be destroyed
the provisioning slot is not cleared.
To avoid this an attempt to push the key is
done before destroying the key.
This allows us to return an error while provisioning
can still happen for other slots.

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c

@@ -514,6 +514,27 @@ psa_status_t cracen_kmu_destroy_key(const psa_key_attributes_t *attributes)
 			return psa_status;
 		}
 
+		/* If the slot we attempt to destroy is blocked we will get a hardware failure, and
+		 * there is no way in hardware to distingush between an actual failure and the slot
+		 * being blocked. Therefore we attempt to push the key here to verify if the key is
+		 * blocked or not.
+		 */
+		for (size_t i = 0; i < slot_count; i++) {
+			if (lib_kmu_push_slot(slot_id + i) != 0) {
+				return PSA_ERROR_NOT_PERMITTED;
+			}
+		}
+
+		/* Clean the key data from the push area and protected ram to ensure it's not
+		 * exposed. We use the protected scheme since the key type is not known at
+		 * this point and that clears both.
+		 */
+		kmu_opaque_key_buffer temp_key_buffer = {
+			.key_usage_scheme = CRACEN_KMU_KEY_USAGE_SCHEME_PROTECTED,
+			.number_of_slots = slot_count,
+			.slot_id = slot_id};
+		cracen_kmu_clean_key((const uint8_t *)&temp_key_buffer);
+
 		psa_status = set_provisioning_in_progress(slot_id, slot_count);
 		if (psa_status != PSA_SUCCESS) {
 			return psa_status;