nrf_security: cracen: Add generic IKG personalization

On Haltium devices, each CRACEN built-in key ID is expected to reference
a different IKG-generated key for each domain. This used to be a part of
SUIT SDFW's platform key implementation, which is now unused and will be
removed soon. When no personalization string is passed, all domains have
the same IAK, MKEK, and MEXT keys.

To solve this, introduce a more generic key personalization scheme that
leverages the owner ID already passed from `cracen_load_ikg_keyref()`.
It's hidden behind a new Kconfig option, which is disabled by default,
as it only makes sense when MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER.

Ref: NCSDK-35202
Signed-off-by: Grzegorz Swiderski <[email protected]>

Author: 57300

subsys/nrf_security/src/drivers/cracen/Kconfig

@@ -83,6 +83,13 @@ config CRACEN_IKG_SEED_KMU_SLOT
 	  This defines the KMU slot (along with the two following it) to which
 	  the IKG seed is provisioned and that is pushed when loading the IKG seed.
 
+config CRACEN_IKG_PERSONALIZED_KEYS
+	bool "CRACEN IKG personalized keys"
+	help
+	  Personalize each IKG-generated key for the associated key owner.
+	  If an owner ID is encoded into the mbedtls_svc_key_id_t type,
+	  it will be passed to the IKG as a personalization string.
+
 config CRACEN_USE_INTERRUPTS
 	bool "Use cracen with interrupts"
 	default y

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c

@@ -734,6 +734,10 @@ int cracen_prepare_ik_key(const uint8_t *user_data)
 	}
 #endif
 
+#ifdef CONFIG_CRACEN_IKG_PERSONALIZED_KEYS
+	cfg.key_bundle = (const uint32_t *)user_data;
+	cfg.key_bundle_sz = 1; /* size of the owner_id is one 32-bit word */
+#endif
 
 #if defined(CONFIG_CRACEN_IKG)
 	return sx_pk_ik_derive_keys(&cfg);