nrf_security: Refactor writing of SICR keys

Vge0rge · rlubos · commit fe5f6822038d · 2025-01-30T13:33:27.000+01:00
This refactors how SICR keys are writen into MRAM. This refactors the
code but it should not change any funcionality. The purpose of this
is to make the MRAM writing part reusable so it can be used by the
revocation functionality later.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c
@@ -286,6 +286,39 @@ static key_type find_key(uint32_t id, platform_key *key)
 	return INVALID;
 }
 
+static void write_sicr_key_to_mram(platform_key *key, uint32_t sicr_attr, const uint8_t *key_buffer,
+				   size_t key_buffer_size)
+{
+	NRF_MRAMC_Type *mramc = (NRF_MRAMC_Type *)DT_REG_ADDR(DT_NODELABEL(mramc));
+	nrf_mramc_config_t mramc_config, mramc_config_write_enabled;
+	nrf_mramc_readynext_timeout_t readynext_timeout, short_readynext_timeout;
+
+	nrf_mramc_config_get(mramc, &mramc_config);
+	mramc_config_write_enabled = mramc_config;
+
+	/* Ensure MRAMC is configured for SICR writing */
+	mramc_config_write_enabled.mode_write = NRF_MRAMC_MODE_WRITE_DIRECT;
+
+	nrf_mramc_config_set(mramc, &mramc_config_write_enabled);
+
+	memcpy(key->sicr.attr_addr, &sicr_attr, sizeof(sicr_attr));
+	memcpy(key->sicr.key_buffer, key_buffer, key_buffer_size);
+
+	nrf_mramc_readynext_timeout_get(mramc, &readynext_timeout);
+
+	/* Ensure that nonce is committed to MRAM by setting MRAMC READYNEXT timeout to 0 */
+	short_readynext_timeout.value = 0;
+	short_readynext_timeout.direct_write = true;
+	nrf_mramc_readynext_timeout_set(mramc, &short_readynext_timeout);
+
+	/* Only store the 4 first bytes of the nonce, the rest are padded with zeros */
+	memcpy(key->sicr.nonce_addr, &key->sicr.nonce, sizeof(key->sicr.nonce[0]));
+
+	/* Restore MRAMC config */
+	nrf_mramc_config_set(mramc, &mramc_config);
+	nrf_mramc_readynext_timeout_set(mramc, &readynext_timeout);
+}
+
 /**
  * @brief Checks whether key usage from a certain domain can access key.
  *
@@ -669,40 +702,13 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
 		return status;
 	}
 
-	uint32_t attr = (key.sicr.bits << 16) | key.sicr.type;
-
-	NRF_MRAMC_Type *mramc = (NRF_MRAMC_Type *)DT_REG_ADDR(DT_NODELABEL(mramc));
-	nrf_mramc_config_t mramc_config, mramc_config_write_enabled;
-	nrf_mramc_readynext_timeout_t readynext_timeout, short_readynext_timeout;
-
-	nrf_mramc_config_get(mramc, &mramc_config);
-	mramc_config_write_enabled = mramc_config;
-
-	/* Ensure MRAMC is configured for SICR writing */
-	mramc_config_write_enabled.mode_write = NRF_MRAMC_MODE_WRITE_DIRECT;
-
-	nrf_mramc_config_set(mramc, &mramc_config_write_enabled);
+	uint32_t sicr_attr = (key.sicr.bits << 16) | key.sicr.type;
 
-	memcpy(key.sicr.attr_addr, &attr, sizeof(attr));
 	if (key.sicr.type == PSA_KEY_TYPE_AES) {
-		memcpy(key.sicr.key_buffer, encrypted_key, key_buffer_size);
+		write_sicr_key_to_mram(&key, sicr_attr, encrypted_key, key_buffer_size);
 	} else {
-		memcpy(key.sicr.key_buffer, key_buffer, key_buffer_size);
+		write_sicr_key_to_mram(&key, sicr_attr, key_buffer, key_buffer_size);
 	}
 
-	nrf_mramc_readynext_timeout_get(mramc, &readynext_timeout);
-
-	/* Ensure that nonce is committed to MRAM by setting MRAMC READYNEXT timeout to 0 */
-	short_readynext_timeout.value = 0;
-	short_readynext_timeout.direct_write = true;
-	nrf_mramc_readynext_timeout_set(mramc, &short_readynext_timeout);
-
-	/* Only store the 4 first bytes of the nonce, the rest are padded with zeros */
-	memcpy(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce[0]));
-
-	/* Restore MRAMC config */
-	nrf_mramc_config_set(mramc, &mramc_config);
-	nrf_mramc_readynext_timeout_set(mramc, &readynext_timeout);
-
 	return status;
 }
