5.6.1. PSA Non Secure Example

This example is to demonstrate how to use PSA library APIs to perform a Sign/Verify operations.

5.6.1.1. Pre-requisites

You need to build PSA-ALT library for TrustZone before compiling this application code.

Refer to Section 8.3 Platform Security Architecture.

5.6.1.2. PSA Operation Examples

  • Generating asymmetric keys.

    psa_key_id_t key_id             = PSA_ALT_ITS_SE_FLAG | 0x00181001;
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
    psa_set_key_usage_flags(&attributes,
        PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT | PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_SIGN_HASH |
            PSA_KEY_USAGE_VERIFY_HASH);
    psa_set_key_algorithm(&attributes, alg);
    psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
    psa_set_key_bits(&attributes, key_bits);
    psa_set_key_lifetime(&attributes, lifetime);
    psa_set_key_id(&attributes, key_id);
    
    LOG_I("Generating RSA-%d key", key_bits);
    
    status = psa_generate_key(&attributes, &key_handle);
    
  • Performing Sign-Verify operations.

    uint8_t hash[32]       = {1};
    size_t hashLen         = sizeof(hash);
    uint8_t signature[256] = {0};
    size_t sigLen          = sizeof(signature);
    
    status = psa_sign_hash(
        key_handle, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256), hash, hashLen, signature, sizeof(signature), &sigLen);
    if (status != 0) {
        LOG_E("Signing failed");
        goto cleanup;
    }
    else {
        LOG_I("Signing success");
    }
    
    status = psa_verify_hash(key_handle, PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256), hash, hashLen, signature, sigLen);
    if (status != 0) {
        LOG_E("Verification failed");
        goto cleanup;
    }
    else {
        LOG_I("Verification success");
    }
    

5.6.1.3. Building Example

This example would run in normal world and must link with the secure world PSA library so that definitions for veneer APIs can be found. Build this example with the following CMake configurations:

  • Host=lpcxpresso55s_ns

  • HostCrypto=MBEDTLS

  • mbedTLS_ALT=PSA

  • RTOS=Default

  • SMCOM=T1oI2C

  • PROJECT=psa_nonsecure