Attestation Interface

The PSA Attestation API is a standard interface provided by the PSA Root of Trust.

For attestation within the context of PSA, the key can be generated or injected into the system. For the RSL15 secure bootloader sample application, there is a function to inject a key. If the application is not given an injected key, it creates and internal key.

The main relevant functions for the RSL15 attestation interface are as follows:

  • Inject attestation key
  • Get attestation token
  • Get attestation token size

A summary and the prototypes of the attestation interface functions are provided below. See the relevant parts of the full API and the bl_attestation.h header file for further details on function parameters.

Key Injection

  • The key injection interface allows for the injection of keys generated externally to the device.
  • It also allows for keys to be generated on the device and then stored for later use.
  • AES keys are derived from the HUK (Hardware Unique Key) using some form of initial value.
  • If a key is provided, the private component key is stored and the public component is returned. If no key is provided, a new key is generated, the private component is stored and the public component is returned. If a symmetric (AES) key is requested, the key is stored and returned.

BL_AttestStatus_t BL_AttestInjectKey(

const uint8_t *key, size_t keySize, BL_AttestKeyType_t type,

uint8_t *publicKey, size_t publicKeyMaxSize, size_t *publicKeySize);

Get Token

To use the token, the attestation client issues some form of challenge and the device needs to respond. Part of the challenge is a random value that needs to be in the token to confirm its validity. This function is used to request the token from the device.

BL_AttestStatus_t BL_AttestGetToken(

const uint8_t *challenge, BL_AttestationChallengeSize_t challengeSize,

uint8_t *token, uint32_t *tokenSize);

Get Token Size

BL_AttestStatus_t BL_AttestGetTokenSize(

BL_AttestationChallengeSize_t challengeSize, uint32_t *tokenSize);

Key Injection Process

The "Attestation Interface" figure illustrates the process of key injection.