Description
The function mbedtls_psa_register_se_key creates a PSA key object that is backed by a secure element. It's meant to be used when key material is already present in a secure element, provisioned out of band rather than through the normal crypto API.
It is currently implemented only for dynamic secure element drivers (the feature enabled by MBEDTLS_PSA_CRYPTO_SE_C), which are going away in TF-PSA-Crypto 1.0 (i.e. Mbed TLS 4.0). But it would be useful for the new kind of opaque drivers too.
It needs a new interface for that, to specify a label that the secure element can use to know which key is referred to. With dynamic secure elements, that comes from the slot_number parameter in the attributes, but we want to move away from attributes that are only relevant in special cases.
We'll want to fix #9254 while we're at it. Thus the new prototype should probably be:
int mbedtls_psa_register_se_key(
    const psa_key_attributes_t *attributes,
    const uint8_t *label, size_t label_length,
    mbedtls_svc_key_id_t *key_id);
Update
See ARM-software/psa-api#242 for the proposal of the new PSA API function that should replace mbedtls_psa_register_se_key.