nrf_security: cracen: kmu: add slot blocking function

[tomi-font]

Plus some minor improvements.

[NordicBuilder]

CI Information

^{To view the history of this post, clich the 'edited' button above}
Build number: 10

Inputs:

Sources:

sdk-nrf: PR head: 922d0b8988f3fb2a7f670a65143bc1bf3bf46de4

more details

sdk-nrf:

PR head: 922d0b8988f3fb2a7f670a65143bc1bf3bf46de4
merge base: 6e9bfd5e72de622427ad11ff54a5f1f2f11f4932
target head (main): 6e9bfd5e72de622427ad11ff54a5f1f2f11f4932
Diff

Github labels

Enabled	Name	Description
	ci-disabled	Disable the ci execution
	ci-all-test	Run all of ci, no test spec filtering will be done
	ci-force-downstream	Force execution of downstream even if twister fails
	ci-run-twister	Force run twister
	ci-run-zephyr-twister	Force run zephyr twister

List of changed files detected by CI (5)

subsys
│  ├── nrf_security
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  ├── cracen
│  │  │  │  │  ├── common
│  │  │  │  │  │  ├── include
│  │  │  │  │  │  │  ├── cracen
│  │  │  │  │  │  │  │  │ lib_kmu.h
│  │  │  │  │  ├── cracenpsa
│  │  │  │  │  │  ├── include
│  │  │  │  │  │  │  │ cracen_psa_kmu.h
│  │  │  │  │  │  ├── src
│  │  │  │  │  │  │  ├── kmu.c
│  │  │  │  │  │  │  ├── kmu.h
│  │  │  │  │  │  │  │ lib_kmu.c

Outputs:

Toolchain

Version: 342151af73
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:342151af73_bbe5b33786

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

• ◻️ Toolchain - Skipped: existing toolchain is used
• ✅ Build twister
  • sdk-nrf test count: 1607
• ✅ Integration tests
  • ✅ test-fw-nrfconnect-chip
  • ✅ test-fw-nrfconnect-nrf_crypto
  • ✅ test-fw-nrfconnect-tfm
  • ✅ test-sdk-find-my
  • ✅ test-sdk-sidewalk
  • ✅ test-sdk-dfu
  • ⚠️ test-fw-nrfconnect-nrf-iot_cloud

Disabled integration tests

• • desktop52_verification
  • doc-internal
  • test_ble_nrf_config
  • test-fw-nrfconnect-apps
  • test-fw-nrfconnect-ble_mesh
  • test-fw-nrfconnect-ble_samples
  • test-fw-nrfconnect-boot
  • test-fw-nrfconnect-fem
  • test-fw-nrfconnect-nfc
  • test-fw-nrfconnect-nrf-iot_lwm2m
  • test-fw-nrfconnect-nrf-iot_mosh
  • test-fw-nrfconnect-nrf-iot_positioning
  • test-fw-nrfconnect-nrf-iot_samples
  • test-fw-nrfconnect-nrf-iot_serial_lte_modem
  • test-fw-nrfconnect-nrf-iot_thingy91
  • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
  • test-fw-nrfconnect-proprietary_esb
  • test-fw-nrfconnect-ps
  • test-fw-nrfconnect-rpc
  • test-fw-nrfconnect-rs
  • test-fw-nrfconnect-thread
  • test-fw-nrfconnect-zigbee
  • test-low-level
  • test-sdk-audio
  • test-sdk-mcuboot
  • test-sdk-pmic-samples
  • test-sdk-wifi
  • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

[nvlsianpu]

I wonder wheter we can have (paralel) API psa_status_t cracen_kmu_block_raw(const size_t slot_id, const size_t slot_count)
rationale: nowadays we are using key-ids as key-slot-number. We can avoid of construction key_attr then.

[tomi-font]

Sure thing: https://github.com/nrfconnect/sdk-nrf/compare/d34db6c7f4aa80e516f19245190fd1a55e9a37fe..a26c5537b1373d70b030dfb9a3d2a7b41ef4872c

[Vge0rge]

I have concerns regarding this, the PSA core uses the term slot as well which can make this confusing.

Since there is a function in the lib_kmu which can block the slots, lib_kmu_block_slot, I don't see why we need this function. And even if we need it, its better for this to be in the lib_kmu and not in the PSA driver. I am saying that because the slot_id that this function takes is a low level hardware id, the kmu slot number, not a PSA concept, so it will be better to exist there instead of the PSA driver.

[tomi-font]

Addressed as part of https://github.com/nrfconnect/sdk-nrf/compare/ff74bdbc3a4fa2127c56c763383f05cd6e55bd32..925f3477c235a5a695b5e96763bc247c6dd126b8. You have a good point.
@nvlsianpu, you will be able to directly use lib_kmu_block_slot_range() at your own risk if you really want to.

[Vge0rge]

Funcionaly this change should work so I approve it.
I have a couple of minor comments regarding comments in the code.

I want to say a couple of things here which are not necessary to handle here, we can take it in a next PR.

1. We have mutiple ways of calculating the number of KMU slots. We have the one that you added here as a function and we have the one used in cracen_kmu_get_builtin_key which reads the metadata and gets the slots based on this. It is probably a good idea to have only one way of doing this since it makes the code less error prone.
2. It is not clear from this PR whch error code will be returned if one tries to call cracen_kmu_get_builtin_key after the key is blocked. I think that it will return PSA_ERROR_INVALID_ARGUMENT, which maybe is not ideal.

[Vge0rge]

Was it intentional to remove the @ brief ?

[tomi-font]

Yeah. The result in Doxygen is the same with or without @brief. Though no strong stance on that.

[Vge0rge]

No need to remove that I think, the function still returns psa_status_t

[tomi-font]

Yes but what information does that add? It's very clear from the function prototype what type it returns. It would be useful information if it listed the actual error codes, but the way it was it's not.

[tomi-font]

1. We have mutiple ways of calculating the number of KMU slots. We have the one that you added here as a function and we have the one used in cracen_kmu_get_builtin_key which reads the metadata and gets the slots based on this. It is probably a good idea to have only one way of doing this since it makes the code less error prone.

Agreed. Do you have any suggestion?

2. It is not clear from this PR whch error code will be returned if one tries to call cracen_kmu_get_builtin_key after the key is blocked. I think that it will return PSA_ERROR_INVALID_ARGUMENT, which maybe is not ideal.

I just had a look at this. I think the exact error code might vary depending on the caller and what it's trying to do. Indeed it's not clear for me either. But maybe also not that important to spend time on right now?

[Vge0rge]

1. We have mutiple ways of calculating the number of KMU slots. We have the one that you added here as a function and we have the one used in cracen_kmu_get_builtin_key which reads the metadata and gets the slots based on this. It is probably a good idea to have only one way of doing this since it makes the code less error prone.

Agreed. Do you have any suggestion?

My suggestion is to create a single function which reads the metadata and returns the slots. But this doesn't need to be done here necessarily. It needs to be tracked though, so I can create a ticket of this if you want.

2. It is not clear from this PR whch error code will be returned if one tries to call cracen_kmu_get_builtin_key after the key is blocked. I think that it will return PSA_ERROR_INVALID_ARGUMENT, which maybe is not ideal.

I just had a look at this. I think the exact error code might vary depending on the caller and what it's trying to do. Indeed it's not clear for me either. But maybe also not that important to spend time on right now?

We either need to define the error code here or again, open a ticket to handle it later. I am OK with both as long as it is tracked.

[tomi-font]

My suggestion is to create a single function which reads the metadata and returns the slots. But this doesn't need to be done here necessarily. It needs to be tracked though, so I can create a ticket of this if you want.

Done as part of https://github.com/nrfconnect/sdk-nrf/compare/3a9b075f4c7e775a21178fce2207cb979c7c52dc..ff74bdbc3a4fa2127c56c763383f05cd6e55bd32.

We either need to define the error code here or again, open a ticket to handle it later. I am OK with both as long as it is tracked.

NCSDK-31298

[tomi-font]

@nvlsianpu Will you review?

[tomi-font]

@nvlsianpu Will you review?

ping @nvlsianpu