cracen: ensure platform keys are commited to SICR
This fixes an issue where keys were not written correctly because the
write to SICR was not triggered.

Ref: NCSDK-29337
Signed-off-by: Magne Værnes <[email protected]>
magnev authored and rlubos committed Oct 14, 2024
1 parent ec0b02a commit 9418b89
Showing 1 changed file with 13 additions and 1 deletion.
Expand Up @@ -607,6 +607,7 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut
key.sicr.type = psa_get_key_type(attributes);
key.sicr.bits = psa_get_key_bits(attributes);

/* Generate the 4 first bytes of the nonce, the rest are padded with zeros */
status = psa_generate_random((uint8_t *)key.sicr.nonce, sizeof(key.sicr.nonce[0]));
if (status != PSA_SUCCESS) {
return status;
Expand Down Expand Up @@ -662,6 +663,7 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut

NRF_MRAMC_Type *mramc = (NRF_MRAMC_Type *)DT_REG_ADDR(DT_NODELABEL(mramc));
nrf_mramc_config_t mramc_config, mramc_config_write_enabled;
nrf_mramc_readynext_timeout_t readynext_timeout, short_readynext_timeout;

nrf_mramc_config_get(mramc, &mramc_config);
mramc_config_write_enabled = mramc_config;
Expand All @@ -671,16 +673,26 @@ psa_status_t cracen_platform_keys_provision(const psa_key_attributes_t *attribut

nrf_mramc_config_set(mramc, &mramc_config_write_enabled);

memcpy(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce));
memcpy(key.sicr.attr_addr, &attr, sizeof(attr));
if (key.sicr.type == PSA_KEY_TYPE_AES) {
memcpy(key.sicr.key_buffer, encrypted_key, key_buffer_size);
} else {
memcpy(key.sicr.key_buffer, key_buffer, key_buffer_size);
}

nrf_mramc_readynext_timeout_get(mramc, &readynext_timeout);

/* Ensure that nonce is committed to MRAM by setting MRAMC READYNEXT timeout to 0 */
short_readynext_timeout.value = 0;
short_readynext_timeout.direct_write = true;
nrf_mramc_readynext_timeout_set(mramc, &short_readynext_timeout);

/* Only store the 4 first bytes of the nonce, the rest are padded with zeros */
memcpy(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce[0]));

/* Restore MRAMC config */
nrf_mramc_config_set(mramc, &mramc_config);
nrf_mramc_readynext_timeout_set(mramc, &readynext_timeout);

return status;
}
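Review bot: Nothing after the final `memcpy` to `key.sicr.nonce_addr` checks that the SICR contents actually landed, so if the silent non-commit this change fixes ever recurred, the function would still return whatever `status` held before the writes. A readback before `return status;` would catch it, e.g. `if (memcmp(key.sicr.attr_addr, &attr, sizeof(attr)) != 0 || memcmp(key.sicr.nonce_addr, &key.sicr.nonce, sizeof(key.sicr.nonce[0])) != 0) { status = PSA_ERROR_STORAGE_FAILURE; }`, assuming a read at that point reflects MRAM rather than a pending write buffer. The attribute and key-material copies also run before the READYNEXT timeout is shortened, while the comment mentions only the nonce. If the last write is what flushes the earlier ones, the comment should say so, for instance `/* The nonce is the last SICR write; a READYNEXT timeout of 0 forces it and the writes pending before it to be committed */`, which is worth confirming against the MRAMC behaviour. The function begins outside this hunk, so its earlier error paths are not visible here.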
