
LP-EM-CC2745R10-Q1: About HSM Secure Key Storage

Part Number: LP-EM-CC2745R10-Q1

Hi,

We are currently learning about the use of the HSM module, but the information we can find is relatively limited at present, so I have a few questions to confirm.

1. I see some related configurations in the .syscfg file, I see the maximum is 10kb, right? In addition, there are 5 Asset Store Key Slots, which means that 10kb space can be divided into 5 slots at most?

2. Are there appropriate routines that allow users to implement Secure Key Storage using the PSA API?

  • Hello,

    Documentation that will go over the HSM and Secure Key Storage will be available soon. In the meantime, please see my answers below:

    1. I see some related configurations in the .syscfg file, I see the maximum is 10kb, right? In addition, there are 5 Asset Store Key Slots, which means that 10kb space can be divided into 5 slots at most?

    It's admittedly confusing, and I believe the wording will need to change in the future. 

    Asset Store Key Slots are referring to key slots in the HSM KeyStore, which is separate from the PSA KeyStore. There can only be up to 5 keys stored in the HSM due to the limited amount of RAM. KeyStore Flash Size refers to the key storage that's stored in flash on the chip. Keys that are stored on the HSM are used internally by the HSM and cannot be exported out of the HSM. Keys stored in the key store are stored in plaintext but are exportable.

    2. Are there appropriate routines that allow users to implement Secure Key Storage using the PSA API?

    Yes. If you are looking for the PSA API you can find it here: PSA Cryptography API 1.1

    Additionally, for more key store information, please see here: KeyStore — SimpleLink™ Low Power F3 SDK BLE5-Stack User's Guide 3.03.04.00 documentation

    Hope that helps!

    Best,

    Nima Behmanesh

  • Hi Nima,

    Thanks for your answer, I think I confused the two areas of the key Store, the PSA KeyStore and the HSM Asset Store.

    I would like to further ask which of these two areas belongs to secure storage, for example, I want to store private keys, where should I put them?

    I already know that the size of KeyStore is 10KB (35 Persistent Keys Max) and HSM Asset Store has 5 Key Slots, so what is its size?

    Best

  • Hi Ethan,

    Thanks for your answer, I think I confused the two areas of the key Store, the PSA KeyStore and the HSM Asset Store.

    I believe it isn't clear to begin with, so I'll talk to the team to see if we can make it clearer what refers to what. I'll also make sure the documentation that will be released soon makes it clear what settings affect which key storage.

    I would like to further ask which of these two areas belongs to secure storage, for example, I want to store private keys, where should I put them?

    Honestly, it depends:

    If these private keys are being used to encrypt data, and they will never need to be exported, then storing them in the HSM Asset Store makes the most sense. Storing keys in the HSM is the most secure, as they will never be exposed to the application. For instance, say that you want something encrypted, you would send that payload to the HSM (which contains the stored private key), and the HSM will return the payload encrypted. At the same time, the private key is never exposed to the application, and there is no way to retrieve the private key from the HSM. 

    If, for some reason, you'd want to retrieve the private key, then you wouldn't be able to retrieve the key from the HSM, and so I believe that is the main question to be asked about where to store it. If you will need to export keys, store them in the Key Store; if not, store them in the HSM.

    I already know that the size of KeyStore is 10KB (35 Persistent Keys Max) and HSM Asset Store has 5 Key Slots, so what is its size?

    I'm not sure I fully grasp the question. Are you asking about the size of the 5 key slots in the HSM? It really depends on the type of keys that are being stored in the HSM, but this has been accounted for internally. So whatever key type is being stored will be able to be stored in the HSM (given that you're only storing 5 keys). If this isn't what you're asking, please let me know.

    Hope that helps!

    Best,

    Nima Behmanesh