Skip to content

Commit 9418b89

Browse files
magnevrlubos
magnev
authored and
rlubos
committed
cracen: ensure platform keys are commited to SICR
This fixes an issue where keys would not be written correctly as the write to SICR is not triggered. Ref: NCSDK-29337 Signed-off-by: Magne Værnes <[email protected]>
1 parent ec0b02a commit 9418b89

File tree

1 file changed

+13
-1
lines changed
  • subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys

1 file changed

+13
-1
lines changed

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -607,6 +607,7 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
607607
key.sicr.type = psa_get_key_type(attributes);
608608
key.sicr.bits = psa_get_key_bits(attributes);
609609

610+
/* Generate the 4 first bytes of the nonce, the rest are padded with zeros */
610611
status = psa_generate_random((uint8_t *)key.sicr.nonce, sizeof(key.sicr.nonce[0]));
611612
if (status != PSA_SUCCESS) {
612613
return status;
@@ -662,6 +663,7 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
662663

663664
NRF_MRAMC_Type *mramc = (NRF_MRAMC_Type *)DT_REG_ADDR(DT_NODELABEL(mramc));
664665
nrf_mramc_config_t mramc_config, mramc_config_write_enabled;
666+
nrf_mramc_readynext_timeout_t readynext_timeout, short_readynext_timeout;
665667

666668
nrf_mramc_config_get(mramc, &mramc_config);
667669
mramc_config_write_enabled = mramc_config;
@@ -671,16 +673,26 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
671673

672674
nrf_mramc_config_set(mramc, &mramc_config_write_enabled);
673675

674-
memcpy(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce));
675676
memcpy(key.sicr.attr_addr, &attr, sizeof(attr));
676677
if (key.sicr.type == PSA_KEY_TYPE_AES) {
677678
memcpy(key.sicr.key_buffer, encrypted_key, key_buffer_size);
678679
} else {
679680
memcpy(key.sicr.key_buffer, key_buffer, key_buffer_size);
680681
}
681682

683+
nrf_mramc_readynext_timeout_get(mramc, &readynext_timeout);
684+
685+
/* Ensure that nonce is committed to MRAM by setting MRAMC READYNEXT timeout to 0 */
686+
short_readynext_timeout.value = 0;
687+
short_readynext_timeout.direct_write = true;
688+
nrf_mramc_readynext_timeout_set(mramc, &short_readynext_timeout);
689+
690+
/* Only store the 4 first bytes of the nonce, the rest are padded with zeros */
691+
memcpy(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce[0]));
692+
682693
/* Restore MRAMC config */
683694
nrf_mramc_config_set(mramc, &mramc_config);
695+
nrf_mramc_readynext_timeout_set(mramc, &readynext_timeout);
684696

685697
return status;
686698
}

0 commit comments

Comments
 (0)