cracen: Fix for SICR platform keys

Fixes issues caused by wrong size being required, and missing case crypto driver wrappers. Signed-off-by: Vidar Lillebø <[email protected]>
jayteemo · Aug 16, 2024 · 47e5835 · 47e5835
1 parent 6dd74e4
commit 47e5835
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -235,6 +235,7 @@ kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KMU_DRIVER)
+kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_PLATFORM_KEYS)
 
 # MAC driver configurations
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_HMAC)

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/platform_keys/platform_keys.c
@@ -454,17 +454,15 @@ size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes)
 {
 	platform_key key;
 	key_type type = find_key(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)), &key);
+	psa_key_type_t key_type = psa_get_key_type(attributes);
 
-	if (type == SICR) {
-		return PSA_BITS_TO_BYTES(key.sicr.bits);
+	if (type == INVALID) {
+		return 0;
 	}
 
-	if (type == EMBEDDED) {
-		return key.embedded.key_buffer_size;
-	}
-
-	if (type == DERIVED) {
-		return 32;
+	if (key_type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) ||
+	    key_type == PSA_KEY_TYPE_AES) {
+		return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
 	}
 
 	return 0;
@@ -487,6 +485,10 @@ psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_l
 		*slot_number = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id);
 		*lifetime = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
 			PSA_KEY_PERSISTENCE_READ_ONLY, PSA_KEY_LOCATION_CRACEN);
+
+		if (type == SICR && key.sicr.bits == UINT16_MAX) {
+			return PSA_ERROR_DOES_NOT_EXIST;
+		}
 		return PSA_SUCCESS;
 	}
 

diff --git a/subsys/nrf_security/src/psa_crypto_driver_wrappers.c b/subsys/nrf_security/src/psa_crypto_driver_wrappers.c
@@ -625,7 +625,8 @@ psa_status_t psa_driver_wrapper_import_key(const psa_key_attributes_t *attribute
 		return psa_import_key_into_slot(attributes, data, data_length, key_buffer,
 						key_buffer_size, key_buffer_length, bits);
 
-#if defined(PSA_NEED_CRACEN_KMU_DRIVER)
+#if defined(PSA_NEED_CRACEN_PLATFORM_KEYS) || defined(PSA_NEED_CRACEN_KMU_DRIVER)
+	case PSA_KEY_LOCATION_CRACEN:
 	case PSA_KEY_LOCATION_CRACEN_KMU:
 		status = cracen_import_key(attributes, data, data_length, key_buffer,
 					   key_buffer_size, key_buffer_length, bits);