@@ -76,7 +76,7 @@ enum kmu_metadata_algorithm {
7676 METADATA_ALG_ECDSA = 11 ,
7777 METADATA_ALG_ED25519PH = 12 ,
7878 METADATA_ALG_HMAC = 13 ,
79- METADATA_ALG_RESERVED4 = 14 ,
79+ METADATA_ALG_ECDH = 14 ,
8080 METADATA_ALG_RESERVED5 = 15 ,
8181};
8282
@@ -372,6 +372,13 @@ static bool can_sign(const psa_key_attributes_t *key_attr)
372372}
373373#endif /* defined(CONFIG_PSA_WANT_ALG_PURE_EDDSA) || define(CONFIG_PSA_WANT_ALG_ED25519PH) */
374374
375+ #if defined(CONFIG_PSA_WANT_ALG_ECDH )
376+ static bool can_derive (const psa_key_attributes_t * key_attr )
377+ {
378+ return psa_get_key_usage_flags (key_attr ) & PSA_KEY_USAGE_DERIVE ;
379+ }
380+ #endif
381+
375382/**
376383 * @brief Check provisioning state, and delete slots that were not completely provisioned.
377384 *
@@ -680,6 +687,12 @@ static psa_status_t convert_to_psa_attributes(kmu_metadata *metadata,
680687 psa_set_key_type (key_attr , PSA_KEY_TYPE_HMAC );
681688 psa_set_key_algorithm (key_attr , PSA_ALG_HMAC (PSA_ALG_SHA_256 ));
682689 break ;
690+ #endif
691+ #ifdef CONFIG_PSA_WANT_ALG_ECDH
692+ case METADATA_ALG_ECDH :
693+ psa_set_key_type (key_attr , PSA_KEY_TYPE_ECC_KEY_PAIR (PSA_ECC_FAMILY_SECP_R1 ));
694+ psa_set_key_algorithm (key_attr , PSA_ALG_ECDH );
695+ break ;
683696#endif
684697 default :
685698 return PSA_ERROR_HARDWARE_FAILURE ;
@@ -880,6 +893,15 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
880893 }
881894 metadata -> algorithm = METADATA_ALG_HMAC ;
882895 break ;
896+ #endif
897+ #ifdef CONFIG_PSA_WANT_ALG_ECDH
898+ case PSA_ALG_ECDH :
899+ if (!can_derive (key_attr ) || PSA_KEY_TYPE_ECC_GET_FAMILY (psa_get_key_type (
900+ key_attr )) != PSA_ECC_FAMILY_SECP_R1 ) {
901+ return PSA_ERROR_NOT_SUPPORTED ;
902+ }
903+ metadata -> algorithm = METADATA_ALG_ECDH ;
904+ break ;
883905#endif
884906 default :
885907 /* Ignore the algorithm for the protected ram invalidation kmu slot because
0 commit comments