Revert "nrf_security: Refactor Cracen IKG keys"

This reverts commit 45a897f.

This causes issues with the platform keys and needs to be
reworked.

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_key_ids.h

@@ -13,6 +13,10 @@
 
 #define CRACEN_PROTECTED_RAM_AES_KEY0_ID ((uint32_t)0x7fffc004)
 
+#define CRACEN_IDENTITY_KEY_SLOT_NUMBER 0
+#define CRACEN_MKEK_SLOT_NUMBER		1
+#define CRACEN_MEXT_SLOT_NUMBER		2
+
 #define PSA_KEY_LOCATION_CRACEN ((psa_key_location_t)(0x800000 | ('N' << 8)))
 
 /*

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c

@@ -782,15 +782,18 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui
 		default:
 			if (key_buffer_size == 0) {
 				return PSA_ERROR_CORRUPTION_DETECTED;
-			} else if (key_buffer_size == sizeof(ikg_opaque_key)) {
-				return PSA_ERROR_INVALID_ARGUMENT;
 			}
 
-			/* Normal transparent key. */
-			k->prepare_key = NULL;
-			k->clean_key = NULL;
-			k->key = key_buffer;
-			k->sz = key_buffer_size;
+			if (key_buffer_size == sizeof(ikg_opaque_key)) {
+				k->cfg = ((ikg_opaque_key *)key_buffer)->slot_number;
+				k->owner_id = ((ikg_opaque_key *)key_buffer)->owner_id;
+			} else {
+				/* Normal transparent key. */
+				k->prepare_key = NULL;
+				k->clean_key = NULL;
+				k->key = key_buffer;
+				k->sz = key_buffer_size;
+			}
 		}
 	} else {
 		k->key = key_buffer;

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -26,7 +26,6 @@
 #include <stddef.h>
 #include <string.h>
 #include <sxsymcrypt/trng.h>
-#include <sxsymcrypt/keyref.h>
 #include <zephyr/sys/__assert.h>
 #include <zephyr/sys/byteorder.h>
 
@@ -1214,7 +1213,7 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 	 * attributes, and update the `lifetime` field to be more specific.
 	 */
 	switch (slot_number) {
-	case CRACEN_BUILTIN_IDENTITY_KEY_ID:
+	case CRACEN_IDENTITY_KEY_SLOT_NUMBER:
 		psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
 							 PSA_KEY_PERSISTENCE_READ_ONLY,
 							 PSA_KEY_LOCATION_CRACEN));
@@ -1232,18 +1231,18 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 		 */
 		if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
 			*key_buffer_length = cracen_get_opaque_size(attributes);
-			*((ikg_opaque_key *)key_buffer) = (ikg_opaque_key){
-				/* The slot number is not used for the identity key */
-				.owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
-					psa_get_key_id(attributes))};
+			*((ikg_opaque_key *)key_buffer) =
+				(ikg_opaque_key){.slot_number = slot_number,
+						 .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
+							 psa_get_key_id(attributes))};
 			return PSA_SUCCESS;
 		} else {
 			return PSA_ERROR_BUFFER_TOO_SMALL;
 		}
 		break;
 
-	case CRACEN_BUILTIN_MKEK_ID:
-	case CRACEN_BUILTIN_MEXT_ID:
+	case CRACEN_MKEK_SLOT_NUMBER:
+	case CRACEN_MEXT_SLOT_NUMBER:
 		psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
 							 PSA_KEY_PERSISTENCE_READ_ONLY,
 							 PSA_KEY_LOCATION_CRACEN));
@@ -1258,11 +1257,8 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 		 */
 		if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
 			*key_buffer_length = cracen_get_opaque_size(attributes);
-			uint8_t cracen_internal_ikg_index = (slot_number == CRACEN_BUILTIN_MKEK_ID)
-								    ? CRACEN_INTERNAL_HW_KEY1_ID
-								    : CRACEN_INTERNAL_HW_KEY2_ID;
 			*((ikg_opaque_key *)key_buffer) =
-				(ikg_opaque_key){.slot_number = cracen_internal_ikg_index,
+				(ikg_opaque_key){.slot_number = slot_number,
 						 .owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
 							 psa_get_key_id(attributes))};
 			return PSA_SUCCESS;
@@ -1289,13 +1285,13 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(mbedtls_svc_key_id_t key_id,
 {
 	switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id)) {
 	case CRACEN_BUILTIN_IDENTITY_KEY_ID:
-		*slot_number = CRACEN_BUILTIN_IDENTITY_KEY_ID;
+		*slot_number = CRACEN_IDENTITY_KEY_SLOT_NUMBER;
 		break;
 	case CRACEN_BUILTIN_MKEK_ID:
-		*slot_number = CRACEN_BUILTIN_MKEK_ID;
+		*slot_number = CRACEN_MKEK_SLOT_NUMBER;
 		break;
 	case CRACEN_BUILTIN_MEXT_ID:
-		*slot_number = CRACEN_BUILTIN_MEXT_ID;
+		*slot_number = CRACEN_MEXT_SLOT_NUMBER;
 		break;
 	default:
 #if CONFIG_PSA_NEED_CRACEN_KMU_DRIVER

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c

@@ -126,10 +126,16 @@ typedef struct derived_key {
 	char label[DERIVED_KEY_MAX_LABEL_SIZE];
 } derived_key;
 
+typedef struct ikg_key {
+	uint32_t slot_number;
+	uint32_t domain;
+} ikg_key;
+
 typedef union {
 	sicr_key sicr;
 	embedded_key embedded;
 	derived_key derived;
+	ikg_key ikg;
 } platform_key;
 
 typedef enum {
@@ -247,9 +253,18 @@ static key_type find_key(uint32_t id, platform_key *key)
 	}
 
 	if (usage == USAGE_IAK || usage == USAGE_MKEK || usage == USAGE_MEXT) {
-		/* IKG keys are populated in cracen_load_keyref and cracen_get_builtin_key
-		 * so we don't need to populate them here.
-		 */
+		key->ikg.domain = domain;
+		switch (usage) {
+		case USAGE_IAK:
+			key->ikg.slot_number = CRACEN_IDENTITY_KEY_SLOT_NUMBER;
+			break;
+		case USAGE_MKEK:
+			key->ikg.slot_number = CRACEN_MKEK_SLOT_NUMBER;
+			break;
+		case USAGE_MEXT:
+			key->ikg.slot_number = CRACEN_MEXT_SLOT_NUMBER;
+			break;
+		}
 		return IKG;
 	}
 
@@ -547,7 +562,7 @@ psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_l
 	}
 
 	if (type == IKG) {
-		*slot_number = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id);
+		*slot_number = key.ikg.slot_number;
 		*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
 			PSA_KEY_PERSISTENCE_READ_ONLY, PSA_KEY_LOCATION_CRACEN);