nrf_security: Allow importing the nRF54L PROT_RAM invalidation slots

Add a Kconfig option to allow performing a psa_import_key in order
to provision the KMU slots used for invalidating the protected RAM
content.

With this change a psa_import_key with KMU slot 248 will populate
the KMU invilidation slots with random data so that it can be used
later.

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

subsys/nrf_security/src/drivers/cracen/Kconfig

@@ -75,6 +75,18 @@ config CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT
 	  When disabled the application is expected to provision the reserved KMU slots 248 and 249
 	  manually, otherwise the protected RAM keys will not be usable.
 
+config CRACEN_PROVISION_PROT_RAM_INV_SLOTS_WITH_IMPORT
+	bool "Provision protected RAM invalidation slots using psa_import_key"
+	depends on CRACEN_LIB_KMU
+	depends on !CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT
+	help
+	  Provision the protected RAM invalidation KMU slots (248,249) in the KMU using a
+	  psa_import_key call. The application is required to call psa_import_key with the
+	  KMU slot 248. The key material provided is ignored and random data is generated to
+	  populate the slots.
+	  This is meant to be used by a provisioning image that runs once before the application
+	  image is flashed. This is not meant to be used by user applications.
+
 config CRACEN_IKG
 	bool "CRACEN IKG"
 	help

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -954,6 +954,14 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin
 			MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)));
 		psa_key_attributes_t stored_attributes;
 
+#ifdef CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_WITH_IMPORT
+		if (slot_id == PROTECTED_RAM_INVALIDATION_DATA_SLOT1) {
+			/* The key bits are required for the psa_import_key to succeed */
+			*key_bits = 256;
+			return cracen_provision_prot_ram_inv_slots();
+		}
+#endif
+
 		size_t opaque_key_size;
 		psa_status_t status = cracen_get_opaque_size(attributes, &opaque_key_size);
 

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c

@@ -206,7 +206,8 @@ static psa_status_t cracen_kmu_decrypt(kmu_metadata *metadata, size_t number_of_
 
 #endif /* PSA_NEED_CRACEN_KMU_ENCRYPTED_KEYS */
 
-#ifdef CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT
+#if defined(CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT) ||                                 \
+	defined(CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_WITH_IMPORT)
 psa_status_t cracen_provision_prot_ram_inv_slots(void)
 {
 	uint8_t rng_buffer[2 * CRACEN_KMU_SLOT_KEY_SIZE];
@@ -254,9 +255,9 @@ psa_status_t cracen_provision_prot_ram_inv_slots(void)
 	safe_memzero(rng_buffer, sizeof(rng_buffer));
 	return psa_status;
 }
-#endif /* CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT */
-
-
+#endif /* CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_ON_INIT ||
+	* CONFIG_CRACEN_PROVISION_PROT_RAM_INV_SLOTS_WITH_IMPORT
+	*/
 /* Used internally in sxsymcrypt so we use sx return codes here. */
 int cracen_kmu_prepare_key(const uint8_t *user_data)
 {