
Key management and secure key storage

In the previous sections, we learned about the secure boot process and how private and public keys are used to authenticate and verify the integrity of application and bootloader firmware.

Keeping these keys out of the hands of malicious actors is essential to the security, integrity, and authenticity of devices and their communication. If a private signing key or a device key is compromised, every piece of firmware or data whose trust is anchored in it is compromised too: the whole chain of trust collapses, not just one link.

On the nRF54L Series SoCs, the Key Management Unit (KMU) stores symmetric keys, public keys and the device-unique seed. In this section we take a closer look at the KMU and how secure key storage works in the nRF54L Series devices.

Key management unit

The key management unit (KMU) provides secure and confidential storage of keys by keeping them in a dedicated region of RRAM called the Secure Information Configuration Region (SICR). The SICR holds keys, seeds and their metadata, and the KMU has exclusive access to it: the CPU cannot read the key material directly.

The KMU provides an interface for transferring keys from non-volatile memory (NVM) to CRACEN, the cryptographic accelerator. How a key is transferred depends on its type. Symmetric keys are pushed straight into CRACEN, so the key value is never exposed to the CPU. Public keys, which need no confidentiality, are pushed into system RAM that is mapped as Secure in TrustZone, where the secure firmware (for example the bootloader verifying a signature) can read them.

The KMU provides operations to import, use, revoke, and delete assets. Assets are stored in key slots. Each slot holds one 128-bit value together with metadata: a revocation policy and a destination address for the key value. The revocation policy dictates whether the slot can be pushed, reused, or revoked. For more information about the revocation policy, see the technical documentation Key management unit: Provisioning. Once a key is provisioned into a slot, the CPU can request that the KMU push it to CRACEN and then use it for cryptographic operations without ever learning the key value itself.

Multiple key slots can be combined to hold keys larger than 128 bits (for example, a 256-bit AES key occupies two slots). When the CPU requests a push, the destination address stored in the slot's metadata determines where in the memory map the KMU writes the key value. The KMU has 250 key slots in total, each with 32 bits of metadata.

Key slot states

KMU maintains the key slot state. In short, the 128-bit key slots can be:

  • Provision-once or rotating
  • Combined to form keys larger than 128 bits
  • Revoked so that keys and seeds can be invalidated and their reuse is prevented

The following figure shows the key slot states and how they transition through the device life cycle.

Figure: Key slot states and their transition diagram for the KMU.

In summary, KMU has the following operations to store, use, and remove assets.

Operation       Description
Provision       Store an asset (key or seed) and its metadata in SICR
Push            Retrieve an asset from SICR and push it to write-only registers or memory for use
Read metadata   Read the key slot metadata from SICR
Revoke          Remove an asset from SICR so it can no longer be pushed
Block           Block a key slot from being pushed, provisioned, or revoked until the next reset
Push block      Block a key slot from being pushed until the next reset
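To make the slot life cycle and the operations above concrete, here is an added example that models them in software. It is not Nordic's KMU driver or the nRF54L hardware, and the names, error codes, the two policy values (rotating versus provision-once) and the "reset" helper are assumptions made for illustration. What it shows is the behaviour the table implies: a push only ever copies the key to its destination address and never returns it to the caller, a multi-slot key is pushed as a unit (and cleaned up if one slot refuses), a blocked slot rejects push, provision and revoke until reset, a push-blocked slot rejects only push, and a provision-once slot can never be revoked or reused.

```c
/* Added example: a software model of KMU key slots, NOT Nordic's driver.
 * Policy names, error codes and kmu_reset() are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KMU_SLOT_BYTES 16 /* one key slot holds a 128-bit value */
#define KMU_DEST_MEM   64 /* modelled destination memory (e.g. CRACEN key registers) */

enum kmu_state   { KMU_EMPTY, KMU_PROVISIONED, KMU_REVOKED };
enum kmu_rpolicy { KMU_RPOLICY_ROTATING, KMU_RPOLICY_PROVISION_ONCE }; /* assumed names */
enum kmu_err     { KMU_OK = 0, KMU_EBLOCKED, KMU_EPOLICY, KMU_ESTATE, KMU_EDEST };

struct kmu_slot {
    enum kmu_state   state;
    enum kmu_rpolicy rpolicy;
    uint32_t         dest;                  /* metadata: where a push writes the value */
    uint8_t          value[KMU_SLOT_BYTES]; /* SICR contents; never handed to the CPU */
    bool             blocked;               /* Block: no push/provision/revoke until reset */
    bool             push_blocked;          /* Push block: no push until reset */
};

struct kmu_metadata { enum kmu_state state; enum kmu_rpolicy rpolicy; uint32_t dest; };

/* Provision: store a value and its metadata. A revoked slot can be re-provisioned
 * only if it was rotating, which is the only policy that allows revocation. */
int kmu_provision(struct kmu_slot *s, const uint8_t value[KMU_SLOT_BYTES],
                  enum kmu_rpolicy rpolicy, uint32_t dest)
{
    if (s->blocked)                           return KMU_EBLOCKED;
    if (s->state == KMU_PROVISIONED)          return KMU_ESTATE; /* occupied */
    if (dest + KMU_SLOT_BYTES > KMU_DEST_MEM) return KMU_EDEST;
    memcpy(s->value, value, KMU_SLOT_BYTES);
    s->rpolicy = rpolicy;
    s->dest    = dest;
    s->state   = KMU_PROVISIONED;
    return KMU_OK;
}

/* Push: copy the value to its destination; the caller gets a status, not the key. */
int kmu_push(struct kmu_slot *s, uint8_t dest_mem[KMU_DEST_MEM])
{
    if (s->blocked || s->push_blocked) return KMU_EBLOCKED;
    if (s->state != KMU_PROVISIONED)   return KMU_ESTATE;
    memcpy(dest_mem + s->dest, s->value, KMU_SLOT_BYTES);
    return KMU_OK;
}

/* Push consecutive slots that together form a key larger than 128 bits. If any
 * slot refuses, wipe what was already written so no partial key is left behind. */
int kmu_push_key(struct kmu_slot *slots, int nslots, uint8_t dest_mem[KMU_DEST_MEM])
{
    for (int i = 0; i < nslots; i++) {
        int rc = kmu_push(&slots[i], dest_mem);
        if (rc != KMU_OK) {
            for (int j = 0; j < i; j++) memset(dest_mem + slots[j].dest, 0, KMU_SLOT_BYTES);
            return rc;
        }
    }
    return KMU_OK;
}

/* Read metadata: state, policy and destination are visible; the value is not. */
struct kmu_metadata kmu_read_metadata(const struct kmu_slot *s)
{
    struct kmu_metadata m = { s->state, s->rpolicy, s->dest };
    return m;
}

/* Revoke: invalidate the asset. Not allowed under the provision-once policy. */
int kmu_revoke(struct kmu_slot *s)
{
    if (s->blocked)                               return KMU_EBLOCKED;
    if (s->state != KMU_PROVISIONED)              return KMU_ESTATE;
    if (s->rpolicy == KMU_RPOLICY_PROVISION_ONCE) return KMU_EPOLICY;
    memset(s->value, 0, KMU_SLOT_BYTES);
    s->state = KMU_REVOKED;
    return KMU_OK;
}

void kmu_block(struct kmu_slot *s)      { s->blocked = true; }
void kmu_push_block(struct kmu_slot *s) { s->push_blocked = true; }

/* Assumed helper: a reset clears the block flags; slot contents and state survive. */
void kmu_reset(struct kmu_slot *slots, int nslots)
{
    for (int i = 0; i < nslots; i++) slots[i].blocked = slots[i].push_blocked = false;
}

/* Walk a 256-bit key through its life cycle. Returns 0 on success, else the failing step. */
int kmu_lifecycle_demo(void)
{
    struct kmu_slot slots[2];
    uint8_t key[32], dest[KMU_DEST_MEM] = {0};       /* constructed test key, not a real secret */
    memset(slots, 0, sizeof slots);
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;

    if (kmu_provision(&slots[0], key,      KMU_RPOLICY_ROTATING, 0)  != KMU_OK)      return 1;
    if (kmu_provision(&slots[1], key + 16, KMU_RPOLICY_ROTATING, 16) != KMU_OK)      return 2;
    if (kmu_provision(&slots[0], key,      KMU_RPOLICY_ROTATING, 0)  != KMU_ESTATE)  return 3;
    if (kmu_push_key(slots, 2, dest) != KMU_OK || memcmp(dest, key, 32) != 0)         return 4;
    kmu_push_block(&slots[1]);                          /* second half refuses: nothing leaks */
    memset(dest, 0, sizeof dest);
    if (kmu_push_key(slots, 2, dest) != KMU_EBLOCKED || dest[0] != 0 || dest[15] != 0) return 5;
    kmu_reset(slots, 2);
    if (kmu_push_key(slots, 2, dest) != KMU_OK)                                        return 6;
    kmu_block(&slots[0]);
    if (kmu_revoke(&slots[0]) != KMU_EBLOCKED)                                         return 7;
    kmu_reset(slots, 2);
    if (kmu_revoke(&slots[0]) != KMU_OK || kmu_read_metadata(&slots[0]).state != KMU_REVOKED) return 8;
    if (kmu_push(&slots[0], dest) != KMU_ESTATE)                                       return 9;
    if (kmu_provision(&slots[0], key, KMU_RPOLICY_PROVISION_ONCE, 0) != KMU_OK)       return 10;
    if (kmu_revoke(&slots[0]) != KMU_EPOLICY)                                          return 11;
    return 0;
}

int main(void)
{
    int rc = kmu_lifecycle_demo();
    printf(rc == 0 ? "KMU slot life cycle model: all steps OK\n" : "failed at step %d\n", rc);
    return rc;
}
```

The point worth checking in your own design is the cleanup in kmu_push_key: when a key spans several slots and one of them is blocked or revoked, the halves already written to the destination must not be left in place, or a partially provisioned or partially revoked key becomes usable.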

For devices using the nRF Connect SDK, the PSA Crypto API supports persistent secure key storage: keys generated or imported with a persistent lifetime are referenced by a key ID and remain available across device resets, while the application only ever handles the ID, never the raw key material.

Together, hardware-backed storage in the KMU and PSA-based key management give nRF54L Series devices a solid foundation for protecting cryptographic keys and for meeting the key-protection requirements of a wide range of embedded applications.
