Hardware unique key

This sample shows how to use a hardware unique key (HUK) to derive an encryption key through psa_crypto APIs.

Requirements

The sample supports the following development kits:

Hardware platforms

PCA

Board name

Board target

nRF9161 DK

PCA10153

nrf9161dk

nrf9161dk/nrf9161/ns nrf9161dk/nrf9161

nRF9160 DK

PCA10090

nrf9160dk

nrf9160dk/nrf9160/ns nrf9160dk/nrf9160

nRF9151 DK

PCA10171

nrf9151dk

nrf9151dk/nrf9151/ns nrf9151dk/nrf9151

nRF54L15 PDK

PCA10156

nrf54l15pdk

nrf54l15pdk/nrf54l15/cpuapp

nRF54L15 DK

PCA10156

nrf54l15dk

nrf54l15dk/nrf54l15/cpuapp

nRF5340 DK

PCA10095

nrf5340dk

nrf5340dk/nrf5340/cpuapp/ns nrf5340dk/nrf5340/cpuapp

nRF52840 DK

PCA10056

nrf52840dk

nrf52840dk/nrf52840

nRF21540 DK

PCA10112

nrf21540dk

nrf21540dk/nrf52840

When built for a board target with the */ns variant, the sample is configured to compile and run as a non-secure application with Cortex-M Security Extensions enabled. Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.

Overview

The sample goes through the following steps to derive a key and use it to encrypt a string:

  1. Initializes the hardware, if applicable.

    When TF-M is enabled, the hardware is initialized automatically when booting.

  2. Generates HUKs, if applicable.

    The sample generates a random HUK and writes it to the Key Management Unit (KMU) or flash. When no KMU is present, the device reboots to allow the immutable bootloader to feed the key into CryptoCell. When TF-M is enabled, the HUKs are generated automatically when booting TF-M, and no action is needed in the sample.

  3. Generates a random initialization vector (IV).

  4. Derives a key used for encryption.

    When TF-M is enabled, the key is derived using the psa_crypto APIs. Otherwise, the native nrf_cc3xx_platform APIs are used, and the key is imported into psa_crypto.

  5. Encrypts a sample string using the key_id received from the psa_crypto.

Configuration

See Configuring and building for information about how to permanently or temporarily change the configuration.

FEM support

You can add support for the nRF21540 front-end module to this sample by using one of the following options, depending on your hardware:

  • Build the sample for one board that contains the nRF21540 FEM, such as nrf21540dk/nrf52840.

  • Manually create a devicetree overlay file that describes how FEM is connected to the nRF5 SoC in your device. See Set devicetree overlays for different ways of adding the overlay file.

  • Provide nRF21540 FEM capabilities by using a shield, for example the Developing with the nRF21540 EK shield that is available in the nRF Connect SDK. In this case, build the project for a board connected to the shield you are using with an appropriate variable included in the build command, for example SHIELD=nrf21540ek. This variable instructs the build system to append the appropriate devicetree overlay file.

    To build the sample in the nRF Connect for VS Code IDE for an nRF52840 DK with the nRF21540 EK attached, add the shield variable in the build configuration’s Extra CMake arguments and rebuild the build configuration. For example: -DSHIELD=nrf21540ek.

    See nRF Connect for VS Code extension pack documentation for more information.

    See Programming nRF21540 EK for information about how to program when you are using a board with a network core, for example nRF5340 DK.

Each of these options adds the description of the nRF21540 FEM to the devicetree. See Developing with Front-End Modules for more information about FEM in the nRF Connect SDK.

To add support for other front-end modules, add the respective devicetree file entries to the board devicetree file or the devicetree overlay file.

Building and running

This sample can be found under samples/keys/hw_unique_key in the nRF Connect SDK folder structure.

When built as firmware image for a board target with the */ns variant, the sample has Cortex-M Security Extensions (CMSE) enabled and separates the firmware between Non-Secure Processing Environment (NSPE) and Secure Processing Environment (SPE). Because of this, it automatically includes the Trusted Firmware-M (TF-M). To read more about CMSE, see Processing environments.

To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.

Note

When building repository applications in the SDK repositories, building with sysbuild is enabled by default. If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.

Testing

After programming the sample to your development kit, complete the following steps to test it:

  1. Connect to the kit that runs this sample with a terminal emulator (for example, nRF Connect Serial Terminal). See Testing and optimization for the required settings and steps.

  2. Reset the kit.

  3. If not using TF-M, observe the following output:

    Writing random keys to KMU
    Success!
    
  4. Observe the following output (the values for IV, key, and ciphertext will vary randomly):

    Generating random IV
    IV:
    ab8e7c595d6de7d297a00b6c
    
    Deriving key
    Key:
    8d6e8ad32f5dffc10df1de38a2556ba0e01cf4ed56ac1294b9c57965cddc519a
    Key ID: 0x7fffffe0
    
    Encrypting
    Plaintext:
    "Lorem ipsum dolor sit amet. This will be encrypted."
    4c6f72656d20697073756d20646f6c6f722073697420616d65742e2054686973
    2077696c6c20626520656e637279707465642e
    Ciphertext (with authentication tag):
    ea696bf71e106f7c74adfc3296556f4f25ac2c999e453e28c52fb41085ef7b89
    3cbadee1a505cf3ce1901f4bc2fcca4fb86ec68e4b5f1344bb66ef5ce733f47a
    33788a
    

    If an error occurs, the sample prints a message and raises a kernel panic.

Dependencies

This sample uses the following libraries: