Key Management#

PSA Crypto key management on Silicon Labs devices.

Built-in Keys#

The PSA Crypto API provides a mechanism for accessing keys that are stored in the hardware. The available built-in key IDs vary between device families. For devices with a Virtual Secure Engine, see Built-in keys on devices with a VSE, and for devices with a Hardware Secure Engine, see Built-in keys on devices with a HSE.

Refer to AN1311 for more information on the usage of built-in keys through PSA Crypto.

Modules#

Built-in keys on devices with a HSE

Built-in keys on devices with a VSE

Functions#

void
sl_psa_set_key_lifetime_with_location_preference(psa_key_attributes_t *attributes, psa_key_persistence_t persistence, psa_key_location_t preferred_location)

Set the location attribute of a key in PSA Crypto according to a given persistence level, and a preferred location.

psa_key_location_t
sl_psa_get_most_secure_key_location(void)

Get the 'most secure' location attribute of a key usable in this implementation of PSA Crypto.

Macros#

#define
SL_PSA_KEY_LOCATION_WRAPPED ((psa_key_location_t)0x000001UL)

Location value for keys to be stored encrypted with the device-unique secret.

#define
SL_PSA_KEY_LOCATION_BUILTIN ((psa_key_location_t)0x000001UL)

Location value for usage of built-in keys.

#define
PSA_KEY_LOCATION_SL_SE_OPAQUE (SL_PSA_KEY_LOCATION_WRAPPED)

Location value for keys to be stored encrypted with the device-unique secret, or for accessing the built-in keys on Vault-High devices.

#define
PSA_KEY_LOCATION_SL_CRYPTOACC_OPAQUE (SL_PSA_KEY_LOCATION_BUILTIN)

Location value for built-in keys on VSE architectures. Users should use SL_PSA_KEY_LOCATION_BUILTIN instead.

Function Documentation#

sl_psa_set_key_lifetime_with_location_preference#

void sl_psa_set_key_lifetime_with_location_preference (psa_key_attributes_t * attributes, psa_key_persistence_t persistence, psa_key_location_t preferred_location)

Set the location attribute of a key in PSA Crypto according to a given persistence level, and a preferred location.

Parameters
[out] attributes

The attribute structure to write to.

[in] persistence

The persistence level of the key. If this is #PSA_KEY_PERSISTENCE_VOLATILE, the key will be volatile, and the key identifier attribute is reset to 0.

[in] preferred_location

The location of the key. Can be SL_PSA_KEY_LOCATION_WRAPPED, SL_PSA_KEY_LOCATION_BUILTIN, or PSA_KEY_LOCATION_LOCAL_STORAGE.

If the preferred location is not available, perhaps because the device does not support this location, the primary local storage (PSA_KEY_LOCATION_LOCAL_STORAGE) will be used.


Definition at line 70 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_crypto.h
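The fallback to PSA_KEY_LOCATION_LOCAL_STORAGE is not reported to the caller, since the function returns void, so code that requires wrapped storage has to read the lifetime back from the attributes and check it. The following is an added example, not Silicon Labs' code: `classify_key_location`, `generate_wrapped_key` and the `EXAMPLE_ON_TARGET` build switch are hypothetical names, and the host-side typedefs and macros are stand-ins that follow the PSA Crypto lifetime encoding.

```c
#include <stdint.h>

#ifdef EXAMPLE_ON_TARGET   /* hypothetical switch: defined when building in the SDK */
#include "psa/crypto.h"
#include "sl_psa_crypto.h"
#else
/* Host stand-ins (assumption) so the check compiles offline. Lifetime layout per
 * the PSA Crypto API: persistence in bits 0-7, location in bits 8-31. */
typedef uint32_t psa_key_lifetime_t;
typedef uint32_t psa_key_location_t;
typedef uint8_t  psa_key_persistence_t;
#define PSA_KEY_PERSISTENCE_DEFAULT    ((psa_key_persistence_t)0x01)
#define PSA_KEY_LOCATION_LOCAL_STORAGE ((psa_key_location_t)0x000000UL)
#define SL_PSA_KEY_LOCATION_WRAPPED    ((psa_key_location_t)0x000001UL)
#define PSA_KEY_LIFETIME_GET_LOCATION(lt) ((psa_key_location_t)((lt) >> 8))
#define PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(p, loc) \
  ((psa_key_lifetime_t)(((loc) << 8) | (p)))
#endif

typedef enum { LOC_AS_REQUESTED, LOC_FELL_BACK, LOC_UNEXPECTED } loc_result_t;
/* Classify the lifetime read back with psa_get_key_lifetime() after the setter ran. */
loc_result_t classify_key_location(psa_key_lifetime_t lifetime,
                                   psa_key_location_t preferred)
{
  psa_key_location_t actual = PSA_KEY_LIFETIME_GET_LOCATION(lifetime);
  if (actual == preferred) return LOC_AS_REQUESTED;
  if (actual == PSA_KEY_LOCATION_LOCAL_STORAGE) return LOC_FELL_BACK;
  return LOC_UNEXPECTED;
}

#ifdef EXAMPLE_ON_TARGET
/* Generate a persistent AES-256 key only if it will really be stored wrapped. */
psa_status_t generate_wrapped_key(psa_key_id_t id, psa_key_id_t *key_out)
{
  psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
  psa_set_key_type(&attr, PSA_KEY_TYPE_AES);
  psa_set_key_bits(&attr, 256);
  psa_set_key_algorithm(&attr, PSA_ALG_GCM);
  psa_set_key_usage_flags(&attr, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
  sl_psa_set_key_lifetime_with_location_preference(
    &attr, PSA_KEY_PERSISTENCE_DEFAULT, SL_PSA_KEY_LOCATION_WRAPPED);
  psa_set_key_id(&attr, id);
  if (classify_key_location(psa_get_key_lifetime(&attr),
                            SL_PSA_KEY_LOCATION_WRAPPED) != LOC_AS_REQUESTED) {
    return PSA_ERROR_NOT_SUPPORTED; /* refuse the silent fallback */
  }
  return psa_generate_key(&attr, key_out);
}
#endif
```
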

sl_psa_get_most_secure_key_location#

psa_key_location_t sl_psa_get_most_secure_key_location (void)

Get the 'most secure' location attribute of a key usable in this implementation of PSA Crypto.

Parameters
N/A

Returns

  • The 'most secure' usable location of a key. In order of preference, the following values can be returned: SL_PSA_KEY_LOCATION_WRAPPED, or PSA_KEY_LOCATION_LOCAL_STORAGE.


Definition at line 85 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_crypto.h

Macro Definition Documentation#

SL_PSA_KEY_LOCATION_WRAPPED#

#define SL_PSA_KEY_LOCATION_WRAPPED
Value:
((psa_key_location_t)0x000001UL)

Location value for keys to be stored encrypted with the device-unique secret.

Wrapped key locations are available on Secure Vault High devices.


Definition at line 70 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_values.h

SL_PSA_KEY_LOCATION_BUILTIN#

#define SL_PSA_KEY_LOCATION_BUILTIN
Value:
((psa_key_location_t)0x000001UL)

Location value for usage of built-in keys.

Built-in key locations are available on Secure Vault Mid (and higher) devices with PUF-key support.


Definition at line 76 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_values.h

PSA_KEY_LOCATION_SL_SE_OPAQUE#

#define PSA_KEY_LOCATION_SL_SE_OPAQUE
Value:
(SL_PSA_KEY_LOCATION_WRAPPED)

Location value for keys to be stored encrypted with the device-unique secret, or for accessing the built-in keys on Vault-High devices.

Users should use SL_PSA_KEY_LOCATION_WRAPPED or SL_PSA_KEY_LOCATION_BUILTIN instead.


Definition at line 89 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_values.h

PSA_KEY_LOCATION_SL_CRYPTOACC_OPAQUE#

#define PSA_KEY_LOCATION_SL_CRYPTOACC_OPAQUE
Value:
(SL_PSA_KEY_LOCATION_BUILTIN)

Location value for built-in keys on VSE architectures. Users should use SL_PSA_KEY_LOCATION_BUILTIN instead.


Definition at line 154 of file platform/security/sl_component/sl_mbedtls_support/inc/sl_psa_values.h