Built-in keys#

Built-in key mechanism provides access to the keys stored in hardware.

It can be accessed using key ID that is in the range [MBEDTLS_PSA_KEY_ID_BUILTIN_MIN, MBEDLTS_PSA_KEY_ID_BUILTIN_MAX].

Note

Available builtin key IDs vary for different family of devices. For devices vith VSE see Builtin keys on devices with a VSE , and for devices with Secure Engine see Builtin keys on devices with Secure Engine .

Typedefs#

typedef uint64_t

psa_drv_slot_number_t

A slot number identifying a key in a driver.

Functions#

int

psa_key_id_is_builtin(psa_key_id_t key_id)

Test whether a key identifier belongs to the builtin key range.

psa_status_t

mbedtls_psa_platform_get_builtin_key(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime, psa_drv_slot_number_t *slot_number)

Platform function to obtain the location and slot number of a built-in key.

Macros#

#define

MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t) 0x7fff0000)

The minimum value for a key identifier that is built into the implementation.

#define

MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t) 0x7fffefff)

The maximum value for a key identifier that is built into the implementation.

#define

MBEDTLS_PSA_KEY_ID_BUILTIN_MIN ((psa_key_id_t)0x7fff0000)

The minimum value for a key identifier that is built into the implementation.

#define

MBEDTLS_PSA_KEY_ID_BUILTIN_MAX ((psa_key_id_t)0x7fffefff)

The maximum value for a key identifier that is built into the implementation.

Typedef Documentation#

psa_drv_slot_number_t#

typedef uint64_t psa_drv_slot_number_t

A slot number identifying a key in a driver.

Values of this type are used to identify built-in keys.

Function Documentation#

psa_key_id_is_builtin#

static int psa_key_id_is_builtin (psa_key_id_t key_id)

Test whether a key identifier belongs to the builtin key range.

Parameters

Type	Direction	Argument Name	Description
psa_key_id_t	N/A	key_id	Key identifier to test.

mbedtls_psa_platform_get_builtin_key#

psa_status_t mbedtls_psa_platform_get_builtin_key (mbedtls_svc_key_id_t key_id, psa_key_lifetime_t * lifetime, psa_drv_slot_number_t * slot_number)

Platform function to obtain the location and slot number of a built-in key.

Parameters

Type	Direction	Argument Name	Description
mbedtls_svc_key_id_t	N/A	key_id	The key ID for which to retrieve the location and slot attributes.
psa_key_lifetime_t *	[out]	lifetime	On success, the lifetime associated with the key corresponding to `key_id`. Lifetime is a combination of which driver contains the key, and with what persistence level the key is intended to be used. If the platform implementation does not contain specific information about the intended key persistence level, the persistence level may be reported as PSA_KEY_PERSISTENCE_DEFAULT.
psa_drv_slot_number_t *	[out]	slot_number	On success, the slot number known to the driver registered at the lifetime location reported through `lifetime` which corresponds to the requested built-in key.

An application-specific implementation of this function must be provided if #MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS is enabled. This would typically be provided as part of a platform's system image.

#MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id) needs to be in the range from MBEDTLS_PSA_KEY_ID_BUILTIN_MIN to MBEDTLS_PSA_KEY_ID_BUILTIN_MAX.

In a multi-application configuration (MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined), this function should check that #MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key_id) is allowed to use the given key.

Returns

(any other error) Any other error is propagated to the function that requested the key. Common errors include:
- PSA_ERROR_NOT_PERMITTED: the key exists but the requested owner is not allowed to access it.

Return values

PSA_SUCCESS: The requested key identifier designates a built-in key. In a multi-application configuration, the requested owner is allowed to access it.
PSA_ERROR_DOES_NOT_EXIST: The requested key identifier is not a built-in key which is known to this function. If a key exists in the key storage with this identifier, the data from the storage will be used.