crypto: CRACEN: KMU: Adding CRACEN_KEY_PERSISTENCE_READ_ONLY

frkv · bjarki-andreasen · commit f41c3a2d1142 · 2025-04-04T13:17:02.000+02:00
-Adding CRACEN_KEY_PERSISTENCE_READ_ONLY to support importing keys
 that are read-only in KMU. These can never be erased without
 running ERASEALL (if ERASEPROTECT is not set)
-Changing CRACEN identity key and MKEK/MEXT to use this type
 for consistency
-Changed conversion of LIB_KMU_REV_POLICY_LOCKED
 from PSA_KEY_PERSISTENCE_READ_ONLY to CRACEN_KEY_PERSISTENCE_READ_ONLY
-Updated cracen_kmu_get_key_slot to support all rpolicies

ref: NCSDK-32134

Signed-off-by: Frank Audun Kvamtrø &lt;frank.kvamtro@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_key_ids.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_key_ids.h
@@ -25,4 +25,10 @@
  */
 #define CRACEN_KEY_PERSISTENCE_REVOKABLE 0x02
 
+/*
+ * Defines a persistence state where the key can't be erased
+ * In this state the key will only be erased if ERASEALL is available and run
+ */
+ #define CRACEN_KEY_PERSISTENCE_READ_ONLY 0x03
+
 #endif
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -1202,7 +1202,7 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 	switch (slot_number) {
 	case CRACEN_IDENTITY_KEY_SLOT_NUMBER:
 		psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							 PSA_KEY_PERSISTENCE_READ_ONLY,
+							 CRACEN_KEY_PERSISTENCE_READ_ONLY,
 							 PSA_KEY_LOCATION_CRACEN));
 		psa_set_key_type(attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
 		psa_set_key_bits(attributes, 256);
@@ -1236,7 +1236,7 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 	case CRACEN_MKEK_SLOT_NUMBER:
 	case CRACEN_MEXT_SLOT_NUMBER:
 		psa_set_key_lifetime(attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-							 PSA_KEY_PERSISTENCE_READ_ONLY,
+							 CRACEN_KEY_PERSISTENCE_READ_ONLY,
 							 PSA_KEY_LOCATION_CRACEN));
 		psa_set_key_type(attributes, PSA_KEY_TYPE_AES);
 		psa_set_key_bits(attributes, 256);
@@ -1299,7 +1299,7 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(mbedtls_svc_key_id_t key_id,
 #endif
 	};
 
-	*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_READ_ONLY,
+	*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(CRACEN_KEY_PERSISTENCE_READ_ONLY,
 								   PSA_KEY_LOCATION_CRACEN);
 
 	return PSA_SUCCESS;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -117,7 +117,7 @@ static psa_status_t get_encryption_key(const uint8_t *context, uint8_t *key)
 	psa_set_key_id(&mkek_attr, mbedtls_svc_key_id_make(0, CRACEN_BUILTIN_MKEK_ID));
 	psa_set_key_lifetime(&mkek_attr,
 			     PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
-				     PSA_KEY_PERSISTENCE_READ_ONLY, PSA_KEY_LOCATION_CRACEN));
+				     CRACEN_KEY_PERSISTENCE_READ_ONLY, PSA_KEY_LOCATION_CRACEN));
 
 	cracen_key_derivation_operation_t op = {};
 
@@ -418,13 +418,19 @@ static psa_status_t get_kmu_slot_id_and_count(const psa_key_attributes_t *key_at
 
 psa_status_t cracen_kmu_destroy_key(const psa_key_attributes_t *attributes)
 {
-	psa_key_location_t location =
-		PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
+	psa_key_lifetime_t lifetime = psa_get_key_lifetime(attributes);
+
+	psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
+	psa_key_persistence_t persistence = PSA_KEY_LIFETIME_GET_PERSISTENCE(lifetime);
 
 	if (location == PSA_KEY_LOCATION_CRACEN_KMU) {
 		psa_status_t status;
 		unsigned int slot_id, slot_count;
 
+		if (persistence == CRACEN_KEY_PERSISTENCE_READ_ONLY) {
+			return PSA_ERROR_NOT_PERMITTED;
+		}
+
 		status = get_kmu_slot_id_and_count(attributes, &slot_id, &slot_count);
 		if (status != PSA_SUCCESS) {
 			return status;
@@ -458,7 +464,7 @@ static psa_status_t convert_to_psa_attributes(kmu_metadata *metadata,
 		key_persistence = CRACEN_KEY_PERSISTENCE_REVOKABLE;
 		break;
 	case LIB_KMU_REV_POLICY_LOCKED:
-		key_persistence = PSA_KEY_PERSISTENCE_READ_ONLY;
+		key_persistence = CRACEN_KEY_PERSISTENCE_READ_ONLY;
 		break;
 	default:
 		return PSA_ERROR_STORAGE_FAILURE;
@@ -783,6 +789,7 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
 
 	switch (PSA_KEY_LIFETIME_GET_PERSISTENCE(psa_get_key_lifetime(key_attr))) {
 	case PSA_KEY_PERSISTENCE_READ_ONLY:
+	case CRACEN_KEY_PERSISTENCE_READ_ONLY:
 		metadata->rpolicy = LIB_KMU_REV_POLICY_LOCKED;
 		break;
 	case PSA_KEY_PERSISTENCE_DEFAULT:
@@ -936,17 +943,28 @@ psa_status_t cracen_kmu_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifeti
 	psa_status_t status;
 	unsigned int slot_id;
 	kmu_metadata metadata;
+	psa_key_persistence_t persistence;
 
 	status = get_kmu_slot_id_and_metadata(key_id, &slot_id, &metadata);
 	if (status != PSA_SUCCESS) {
 		return status;
 	}
 
-	psa_key_persistence_t read_only = metadata.rpolicy == LIB_KMU_REV_POLICY_ROTATING
-						  ? PSA_KEY_PERSISTENCE_DEFAULT
-						  : PSA_KEY_PERSISTENCE_READ_ONLY;
+	switch (metadata.rpolicy) {
+	case LIB_KMU_REV_POLICY_ROTATING:
+		persistence = PSA_KEY_PERSISTENCE_DEFAULT;
+		break;
+	case LIB_KMU_REV_POLICY_REVOKED:
+		persistence = CRACEN_KEY_PERSISTENCE_REVOKABLE;
+		break;
+	case LIB_KMU_REV_POLICY_LOCKED:
+		persistence = CRACEN_KEY_PERSISTENCE_READ_ONLY;
+		break;
+	default:
+		return PSA_ERROR_INVALID_ARGUMENT;
+	}
 
-	*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(read_only,
+	*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(persistence,
 								   PSA_KEY_LOCATION_CRACEN_KMU);
 	*slot_number = slot_id;
 
