Current key handling strategy in TF-M
- Crypto keys are embedded at compile time and they are part of the secure image or bootloader.
- This behaviour is unlikely in a real device.
- It is expected that some mandatory crypto keys is provisioned to immutable memory at the factory floor.
The scope of the task is to simulate the real-life key provisioning with:
- Define a new flash area per target device to store keys there
- Create a binary object at compile time which contains the necessary crypto keys: HUK, attestation private key, image signing key(s).
- Update documentation how to load the key object to device memory.
- Modify platform example code to not contain any embedded crypto key instead retrieving the keys from dedicated flash area.