nrf_security: cracenpsa: KMU: Key buffer size check fix

AntonZma · AntonZma · commit c1624a6b8144 · 2025-09-19T13:51:50.000+03:00
Fix for an invalid check for key size.

Signed-off-by: Anton Zyma &lt;anton.zyma@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen_mac_cmac.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen_mac_cmac.c
@@ -22,13 +22,15 @@ psa_status_t cracen_cmac_setup(cracen_mac_operation_t *operation,
 {
 	int sx_status;
 	psa_status_t status = PSA_SUCCESS;
+	psa_key_location_t location =
+		PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));
 
 	/* Only AES-CMAC is supported */
 	if (psa_get_key_type(attributes) != PSA_KEY_TYPE_AES) {
 		return PSA_ERROR_NOT_SUPPORTED;
 	}
 
-	if (key_buffer_size < AES_BLOCK_SIZE) {
+	if (key_buffer_size < AES_BLOCK_SIZE && location != PSA_KEY_LOCATION_CRACEN_KMU) {
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -22,13 +22,15 @@ psa_status_t cracen_cmac_setup(cracen_mac_operation_t *operation,`
`22`	`22`	`{`
`23`	`23`	`int sx_status;`
`24`	`24`	`psa_status_t status = PSA_SUCCESS;`
	`25`	`+ psa_key_location_t location =`
	`26`	`+ PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes));`
`25`	`27`
`26`	`28`	`/* Only AES-CMAC is supported */`
`27`	`29`	`if (psa_get_key_type(attributes) != PSA_KEY_TYPE_AES) {`
`28`	`30`	`return PSA_ERROR_NOT_SUPPORTED;`
`29`	`31`	`}`
`30`	`32`
`31`		`- if (key_buffer_size < AES_BLOCK_SIZE) {`
	`33`	`+ if (key_buffer_size < AES_BLOCK_SIZE && location != PSA_KEY_LOCATION_CRACEN_KMU) {`
`32`	`34`	`return PSA_ERROR_INVALID_ARGUMENT;`
`33`	`35`	`}`
`34`	`36`