If PBKDF2 is used in a combined key agreement with key derivation, for example PSA_ALG_KEY_AGREEMENT(PSA_ALG_ECDH, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_256)), the resulting algorithm identifier cannot be decomposed into a KDF algorithm and a key agreement algorithm using the example implementations of PSA_ALG_KEY_AGREEMENT_GET_KDF() and PSA_ALG_KEY_AGREEMENT_GET_BASE() (as in Appendix C).
The PBKDF2 algorithm identifiers have bit 23 set to 1, and the masking operations in these support macro examples retain this bit for the key agreement component and clear it for the KDF component.
Although the use of PBKDF2 with a key agreement is unusual, it can make sense to use PBKDF2 with a single iteration for this purpose for devices that already support PBKDF2 for password processing, where there is no use for additional KDF primitives.
See also https://github.com/Mbed-TLS/mbedtls/issues/8827
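The failed decomposition described above, worked through as an added example (not code from the specification or from Mbed TLS). The `EX_`/`ex_` names are hypothetical; the numeric encodings and the two masks are assumptions written to match the PSA algorithm layout and the Appendix C example macros, so check them against your own headers.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t psa_algorithm_t;

/* Assumed encodings (constructed for this example; verify against your header). */
#define EX_ALG_SHA_256         ((psa_algorithm_t)0x02000009u)
#define EX_ALG_ECDH            ((psa_algorithm_t)0x09020000u)
#define EX_ALG_HKDF(h)         ((psa_algorithm_t)(0x08000100u | ((h) & 0xffu)))
#define EX_ALG_PBKDF2_HMAC(h)  ((psa_algorithm_t)(0x08800100u | ((h) & 0xffu)))
#define EX_KEY_AGREEMENT(ka, kdf) ((psa_algorithm_t)((ka) | (kdf)))
#define EX_BIT_23              ((psa_algorithm_t)0x00800000u)

/* Masks assumed to match the Appendix C example macros. */
static psa_algorithm_t ex_get_base(psa_algorithm_t alg) { return alg & 0xffff0000u; }
static psa_algorithm_t ex_get_kdf(psa_algorithm_t alg)  { return alg & 0xfe00ffffu; }

/* Returns 1 if the combined identifier splits back into exactly (ka, kdf). */
static int ex_round_trips(psa_algorithm_t ka, psa_algorithm_t kdf)
{
    psa_algorithm_t alg = EX_KEY_AGREEMENT(ka, kdf);
    return ex_get_base(alg) == ka && ex_get_kdf(alg) == kdf;
}

/* Guard for a dispatcher that only sees the combined identifier: bit 23 is
 * kept in the base and dropped from the KDF, so neither half can be trusted. */
static int ex_decomposition_is_ambiguous(psa_algorithm_t alg)
{
    return (alg & EX_BIT_23) != 0;
}

int main(void)
{
    psa_algorithm_t pbkdf2 = EX_ALG_PBKDF2_HMAC(EX_ALG_SHA_256);
    psa_algorithm_t alg = EX_KEY_AGREEMENT(EX_ALG_ECDH, pbkdf2);

    printf("combined  0x%08x\n", (unsigned)alg);
    printf("GET_BASE  0x%08x (ECDH is 0x%08x)\n",
           (unsigned)ex_get_base(alg), (unsigned)EX_ALG_ECDH);
    printf("GET_KDF   0x%08x (PBKDF2 is 0x%08x, HKDF is 0x%08x)\n",
           (unsigned)ex_get_kdf(alg), (unsigned)pbkdf2,
           (unsigned)EX_ALG_HKDF(EX_ALG_SHA_256));
    printf("HKDF round-trips: %d, PBKDF2 round-trips: %d, ambiguous: %d\n",
           ex_round_trips(EX_ALG_ECDH, EX_ALG_HKDF(EX_ALG_SHA_256)),
           ex_round_trips(EX_ALG_ECDH, pbkdf2),
           ex_decomposition_is_ambiguous(alg));
    return 0;
}
```

With these assumed values the extracted KDF equals the HKDF identifier rather than PBKDF2, so a dispatcher relying on the masks alone would select a different KDF than the caller requested.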