nrf_security: cracen: Fix identity key personalization

57300 · rlubos · commit ae5d3bb00c4e · 2025-11-24T14:57:48.000+01:00
This fixes an old regression introduced by this commit: (1) 166d9eb which managed to undo some changes from here: (2) a013ce7 This seems to be unintentional, likely a result of a rebasing mistake, because the PR containing (1) was opened before the PR containing (2), but the second one was merged first. The fix entails changing the `identity_key_index` argument to existing function calls from `ikg_signature.c`. Note: this argument only has an effect when CONFIG_CRACEN_IKG_PERSONALIZED_KEYS=y. The argument value will now be `owner_id`, from the second byte of the opaque key buffer, rather than the first byte, which is `slot_number`. It doesn't make sense to use `slot_number` anymore, because this field is not populated for CRACEN_BUILTIN_IDENTITY_KEY_ID in the first place (see `cracen_set_ikg_key_buffer()`), which means that its value is a constant zero. It used to be an explicit zero prior to this refactor: (3) a8918df Ref: NRFX-8427 Signed-off-by: Grzegorz Swiderski <grzegorz.swiderski@nordicsemi.no>
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -671,7 +671,8 @@ static psa_status_t handle_identity_key(const uint8_t *key_buffer, size_t key_bu
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {
 		data[0] = CRACEN_ECC_PUBKEY_UNCOMPRESSED;
-		return silex_statuscodes_to_psa(cracen_ikg_create_pub_key(key_buffer[0], data + 1));
+		return silex_statuscodes_to_psa(cracen_ikg_create_pub_key(
+			((const ikg_opaque_key *)key_buffer)->owner_id, data + 1));
 	}
 	return PSA_ERROR_NOT_SUPPORTED;
 }
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c
@@ -105,7 +105,8 @@ cracen_signature_prepare_ec_pubkey(const uint8_t *key_buffer, size_t key_buffer_
 			if (key_buffer_size != sizeof(ikg_opaque_key)) {
 				return PSA_ERROR_INVALID_ARGUMENT;
 			}
-			sx_status = cracen_ikg_create_pub_key(key_buffer[0], pubkey_buffer);
+			sx_status = cracen_ikg_create_pub_key(
+				((const ikg_opaque_key *)key_buffer)->owner_id, pubkey_buffer);
 		}
 		return silex_statuscodes_to_psa(sx_status);
 	}
@@ -226,11 +227,13 @@ static psa_status_t handle_ikg_sign(bool is_message, const uint8_t *key_buffer,
 	status = hash_get_algo(alg, &hashalgpointer);
 	*signature_length = 2 * ecurve->sz;
 	if (is_message) {
-		status = cracen_ikg_sign_message(key_buffer[0], hashalgpointer, ecurve, input,
-						 input_length, signature);
+		status = cracen_ikg_sign_message(((const ikg_opaque_key *)key_buffer)->owner_id,
+						 hashalgpointer, ecurve, input, input_length,
+						 signature);
 	} else {
-		status = cracen_ikg_sign_digest(key_buffer[0], hashalgpointer, ecurve, input,
-						input_length, signature);
+		status = cracen_ikg_sign_digest(((const ikg_opaque_key *)key_buffer)->owner_id,
+						hashalgpointer, ecurve, input, input_length,
+						signature);
 	}
 	return silex_statuscodes_to_psa(status);
 }

Original file line number	Diff line number	Diff line change
`@@ -671,7 +671,8 @@ static psa_status_t handle_identity_key(const uint8_t *key_buffer, size_t key_bu`
`671`	`671`
`672`	`672`	`if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {`
`673`	`673`	`data[0] = CRACEN_ECC_PUBKEY_UNCOMPRESSED;`
`674`		`- return silex_statuscodes_to_psa(cracen_ikg_create_pub_key(key_buffer[0], data + 1));`
	`674`	`+ return silex_statuscodes_to_psa(cracen_ikg_create_pub_key(`
	`675`	`+ ((const ikg_opaque_key *)key_buffer)->owner_id, data + 1));`
`675`	`676`	`}`
`676`	`677`	`return PSA_ERROR_NOT_SUPPORTED;`
`677`	`678`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,8 @@ cracen_signature_prepare_ec_pubkey(const uint8_t *key_buffer, size_t key_buffer_`
`105`	`105`	`if (key_buffer_size != sizeof(ikg_opaque_key)) {`
`106`	`106`	`return PSA_ERROR_INVALID_ARGUMENT;`
`107`	`107`	`}`
`108`		`- sx_status = cracen_ikg_create_pub_key(key_buffer[0], pubkey_buffer);`
	`108`	`+ sx_status = cracen_ikg_create_pub_key(`
	`109`	`+ ((const ikg_opaque_key *)key_buffer)->owner_id, pubkey_buffer);`
`109`	`110`	`}`
`110`	`111`	`return silex_statuscodes_to_psa(sx_status);`
`111`	`112`	`}`
`@@ -226,11 +227,13 @@ static psa_status_t handle_ikg_sign(bool is_message, const uint8_t *key_buffer,`
`226`	`227`	`status = hash_get_algo(alg, &hashalgpointer);`
`227`	`228`	`signature_length = 2 ecurve->sz;`
`228`	`229`	`if (is_message) {`
`229`		`- status = cracen_ikg_sign_message(key_buffer[0], hashalgpointer, ecurve, input,`
`230`		`- input_length, signature);`
	`230`	`+ status = cracen_ikg_sign_message(((const ikg_opaque_key *)key_buffer)->owner_id,`
	`231`	`+ hashalgpointer, ecurve, input, input_length,`
	`232`	`+ signature);`
`231`	`233`	`} else {`
`232`		`- status = cracen_ikg_sign_digest(key_buffer[0], hashalgpointer, ecurve, input,`
`233`		`- input_length, signature);`
	`234`	`+ status = cracen_ikg_sign_digest(((const ikg_opaque_key *)key_buffer)->owner_id,`
	`235`	`+ hashalgpointer, ecurve, input, input_length,`
	`236`	`+ signature);`
`234`	`237`	`}`
`235`	`238`	`return silex_statuscodes_to_psa(status);`
`236`	`239`	`}`