Key Management on Silicon Labs Devices#
Key Identifiers#
Cryptographic functions in the PSA Crypto API requires a key taken in as a key by reference through psa_key_id_t
.
A key's ID is either:
User-defined, for persistent keys (stored in non-volatile storage). The key ID should be set to the key's attributes before importing/creating the key. It needs to be in the user range and cannot be 0.
Auto-generated, for transient/volatile keys (stored in RAM). The key ID in the key's attributes should be set to 0 before importing/creating the key, and upon success the auto-assigned ID (valid for this session or until the key is destroyed) will be output by the key import/generation function.
System-defined, for keys accessed through either the built-in key mechanism (e.g. attestation keys preprovisioned on Secure Vault High parts).
PSA Crypto Key ID Namespacing in the Simplicity SDK#
As PSA Crypto is the common place for cryptographic key storage and usage, all components in an application are sharing the PSA key ID namespace. To avoid collisions, especially in case the application stores keys with an identifier which is later attempted to be stored by another SDK component, agreement needs to happen on which part of the namespace belongs to which component.
So far, the following allocations have been made within the Simplicity SDK:
Key ID Range | Scope |
---|---|
0x00000000 - 0x00004000 | Available for application use |
0x00004000 - 0x0000FFFF | Silicon Labs Layer 5 - 7 SDK components |
0x00010000 - 0x00FFFFFF | Silicon Labs Layer 1 - 4 SDK components |
0x01000000 - 0x2FFFFFFF | Reserved for future use by SDK components |
0x30000000 - 0x3FFFFFFF | Available for application use |
0x40000000 - 0x7FFEFFFF | Range allocated by Mbed TLS for internal usage |
0x7FFF0000 - 0x7FFFEFFF | 'Builtin' key range in PSA. Used for e.g. accessing attestation keys on Vault devices. |
0x80000000 - 0xFFFFFFFF | Range reserved by the PSA Crypto specification |
Note: For more details on the built-in keys in Silicon Labs devices, see PSA Crypto Key Lifetimes on Silicon Labs Devices below.
Applications are highly encouraged to adhere to the allocations made for application usage, as the SDK usage of ranges allocated to the SDK may change at any time.
Note: Irrespective of the size of the allocated ranges, there is a limitation on how many keys the non-volatile storage mechanism can store. This is a function of the total size of the storage area, as well as the file ID range allocated to PSA Crypto in the storage backend, and the sizing of the PSA ITS driver. This limit is defined in the PSA Crypto configuration file.
PSA Crypto Key Lifetimes on Silicon Labs Devices#
When adding a key to PSA Crypto, a lifetime value (which consists of a persistence and location value) dictates where and how the key gets stored. This value gets constructed by PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION()
.
The PSA Crypto implementation on Silicon Labs devices currently supports persistence values of PSA_KEY_PERSISTENCE_VOLATILE
(where the key is stored in volatile RAM and thus disappears on reset) and PSA_KEY_PERSISTENCE_DEFAULT
(where the key will be stored in non-volatile memory). For storing keys in non-volatile memory, the component 'PSA Persistent Storage Support (ITS)' needs to be included to the project, and users should take note of the key ID ranges as described in PSA Crypto key ID namespacing in the Simplicity SDK.
In addition to the persistence level, the following supported key location attributes can be used as follows:
PSA_KEY_LOCATION_LOCAL_STORAGE
, which corresponds to plaintext keys. Can be used on all devices.SL_PSA_KEY_LOCATION_WRAPPED
, which will cause the key material to be cryptographically secured using the device-unique secret. This gives heightened protection against key leakage, since the key can only be used by the device which stored it. Silicon Labs devices with Hardware Secure Engines and Vault-High capabilities support this feature.SL_PSA_KEY_LOCATION_BUILTIN
, which is used by pre-provisioned keys (and therefore cannot be imported/created at application runtime). To access these keys, theBuilt-In Keys
PSA Crypto component needs to be added to the project. Refer to Built-In Keys for the values of the defined key IDs.