sys/psa_crypto: Separate PSA operations by modules

RIOT-OS · Oct 19, 2023 · 90866b4 · 90866b4
1 parent c105e43
commit 90866b4
Show file tree

Hide file tree

Showing 18 changed files with 192 additions and 90 deletions.
diff --git a/sys/include/psa_crypto/psa/crypto_sizes.h b/sys/include/psa_crypto/psa/crypto_sizes.h
@@ -981,7 +981,7 @@ extern "C" {
 /**
  * @brief   The maximum size of the used key data.
  */
-#if IS_USED(MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC) || IS_USED(MODULE_PSA_ASYMMETRIC)
+#if IS_USED(MODULE_PSA_ASYMMETRIC)
 #define PSA_MAX_KEY_DATA_SIZE  (PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
 #else
 #define PSA_MAX_KEY_DATA_SIZE  (CONFIG_PSA_MAX_KEY_SIZE)

diff --git a/sys/include/psa_crypto/psa/crypto_struct.h b/sys/include/psa_crypto/psa/crypto_struct.h
@@ -28,34 +28,7 @@ extern "C" {
 #include "crypto_sizes.h"
 #include "crypto_contexts.h"
 
-/**
- * @brief   Structure containing a hash context and algorithm
- */
-struct psa_hash_operation_s {
-    psa_algorithm_t alg;        /**< Operation algorithm */
-#if IS_USED(MODULE_PSA_HASH)
-    psa_hash_context_t ctx;     /**< Operation hash context */
-#endif
-};
-
-/**
- * @brief   This macro returns a suitable initializer for a hash operation object of type
- *          @ref psa_hash_operation_t.
- */
-#define PSA_HASH_OPERATION_INIT { 0 }
-
-/**
- * @brief   Return an initial value for a hash operation object.
- *
- * @return  struct psa_hash_operation_s
- */
-static inline struct psa_hash_operation_s psa_hash_operation_init(void)
-{
-    const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
-
-    return v;
-}
-
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN)
 /**
  * @brief   Structure storing the key usage policies
  */
@@ -97,7 +70,9 @@ static inline struct psa_key_attributes_s psa_key_attributes_init(void)
 
     return v;
 }
+#endif
 
+#if IS_USED(MODULE_PSA_AEAD) || defined(DOXYGEN)
 /**
  * @brief   Structure storing an AEAD operation context
  *
@@ -124,7 +99,9 @@ static inline struct psa_aead_operation_s psa_aead_operation_init(void)
 
     return v;
 }
+#endif
 
+#if IS_USED(MODULE_PSA_CIPHER) || defined(DOXYGEN)
 /**
  * @brief   Structure storing a cipher operation context
  */
@@ -135,9 +112,7 @@ struct psa_cipher_operation_s {
     psa_algorithm_t alg;            /**< Operation algorithm*/
     /** Union containing cipher contexts for the executing backend */
     union cipher_context {
-#if IS_USED(MODULE_PSA_CIPHER)
         psa_cipher_context_t cipher_ctx;    /**< Cipher context */
-#endif
 #if IS_USED(MODULE_PSA_SECURE_ELEMENT_ATECCX08A) || defined(DOXYGEN)
         psa_se_cipher_context_t se_ctx;     /**< SE Cipher context */
 #endif
@@ -161,7 +136,9 @@ static inline struct psa_cipher_operation_s psa_cipher_operation_init(void)
 
     return v;
 }
+#endif /* MODULE_PSA_CIPHER */
 
+#if IS_USED(MODULE_PSA_KEY_DERIVATION) || defined(DOXYGEN)
 /**
  * @brief   This macro returns a suitable initializer for a key derivation operation object of
  *          type @ref psa_key_derivation_operation_t.
@@ -188,7 +165,39 @@ static inline struct psa_key_derivation_operation_s psa_key_derivation_operation
 
     return v;
 }
+#endif
+
+#if IS_USED(MODULE_PSA_HASH) || defined(DOXYGEN)
+/**
+ * @brief   Structure containing a hash context and algorithm
+ */
+struct psa_hash_operation_s {
+    psa_algorithm_t alg;        /**< Operation algorithm */
+#if IS_USED(MODULE_PSA_HASH)
+    psa_hash_context_t ctx;     /**< Operation hash context */
+#endif
+};
+
+/**
+ * @brief   This macro returns a suitable initializer for a hash operation object of type
+ *          @ref psa_hash_operation_t.
+ */
+#define PSA_HASH_OPERATION_INIT { 0 }
 
+/**
+ * @brief   Return an initial value for a hash operation object.
+ *
+ * @return  struct psa_hash_operation_s
+ */
+static inline struct psa_hash_operation_s psa_hash_operation_init(void)
+{
+    const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT;
+
+    return v;
+}
+#endif /* MODULE_PSA_HASH */
+
+#if IS_USED(MODULE_PSA_MAC) || defined(DOXYGEN)
 /**
  * @brief   This macro returns a suitable initializer for a MAC operation object of type
  *          @ref psa_mac_operation_t.
@@ -215,6 +224,7 @@ static inline struct psa_mac_operation_s psa_mac_operation_init(void)
 
     return v;
 }
+#endif
 
 #ifdef __cplusplus
 }

diff --git a/sys/psa_crypto/Kconfig.asymmetric b/sys/psa_crypto/Kconfig.asymmetric
@@ -7,8 +7,7 @@
 
 menuconfig MODULE_PSA_ASYMMETRIC
     bool "PSA Asymmetric Crypto"
-    select PSA_KEY_CONFIG
-    select MODULE_PSA_KEY_SLOT_MGMT
+    select MODULE_PSA_KEY_MANAGEMENT
 
 if MODULE_PSA_ASYMMETRIC
 

diff --git a/sys/psa_crypto/Kconfig.ciphers b/sys/psa_crypto/Kconfig.ciphers
@@ -7,8 +7,7 @@
 
 menuconfig MODULE_PSA_CIPHER
     bool "PSA Ciphers"
-    select PSA_KEY_CONFIG
-    select MODULE_PSA_KEY_SLOT_MGMT
+    select MODULE_PSA_KEY_MANAGEMENT
 
 if MODULE_PSA_CIPHER
 

diff --git a/sys/psa_crypto/Kconfig.hashes b/sys/psa_crypto/Kconfig.hashes
@@ -7,7 +7,6 @@
 
 menuconfig MODULE_PSA_HASH
     bool "PSA Hashes"
-    select PSA_KEY_CONFIG
 
 if MODULE_PSA_HASH
 

diff --git a/sys/psa_crypto/Kconfig.keys b/sys/psa_crypto/Kconfig.keys
@@ -7,6 +7,11 @@
 
 menu "PSA Key Management Configuration"
 
+config MODULE_PSA_KEY_MANAGEMENT
+    bool
+    help
+        Activates the PSA Key Management Module
+
 config PSA_KEY_SIZE_128
     bool "Application uses key of size 128 Bits"
     help

diff --git a/sys/psa_crypto/Kconfig.mac b/sys/psa_crypto/Kconfig.mac
@@ -7,8 +7,7 @@
 
 menuconfig MODULE_PSA_MAC
     bool "PSA Message Authenticated Ciphers"
-    select PSA_KEY_CONFIG
-    select MODULE_PSA_KEY_SLOT_MGMT
+    select MODULE_PSA_KEY_MANAGEMENT
 
 if MODULE_PSA_MAC
 

diff --git a/sys/psa_crypto/Makefile.dep b/sys/psa_crypto/Makefile.dep
@@ -5,7 +5,7 @@ endif
 
 # Asymmetric
 ifneq (,$(filter psa_asymmetric,$(USEMODULE)))
-  USEMODULE += psa_key_slot_mgmt
+  USEMODULE += psa_key_management
 endif
 
 ## ECC_P192R1 backend
@@ -82,7 +82,7 @@ endif
 
 # Cipher
 ifneq (,$(filter psa_cipher,$(USEMODULE)))
-  USEMODULE += psa_key_slot_mgmt
+  USEMODULE += psa_key_management
 endif
 
 ## AES-128-ECB backend
@@ -228,7 +228,16 @@ ifneq (,$(filter psa_hash_sha_512_backend_periph,$(USEMODULE)))
   FEATURES_REQUIRED += periph_hash_sha_512
 endif
 
+# Key Management
+ifneq (,$(filter psa_key_management,$(USEMODULE)))
+  USEMODULE += psa_key_slot_mgmt
+endif
+
 # MAC
+ifneq (,$(filter psa_mac,$(USEMODULE)))
+  USEMODULE += psa_key_management
+endif
+
 ## HMAC SHA-256
 ifneq (,$(filter psa_mac_hmac_sha_256,$(USEMODULE)))
   ifeq (,$(filter psa_mac_hmac_sha_256_custom_backend,$(USEMODULE)))
@@ -256,7 +265,7 @@ endif
 # Secure Elements
 ifneq (,$(filter psa_secure_element,$(USEMODULE)))
   USEMODULE += psa_se_mgmt
-  USEMODULE += psa_key_slot_mgmt
+  USEMODULE += psa_key_management
 endif
 
 ifneq (,$(filter psa_secure_element_ateccx08a, $(USEMODULE)))

diff --git a/sys/psa_crypto/Makefile.include b/sys/psa_crypto/Makefile.include
@@ -145,6 +145,9 @@ ifneq (,$(filter psa_hash_sha_512,$(USEMODULE)))
   endif
 endif
 
+## Key Management
+PSEUDOMODULES += psa_key_management
+
 ## MAC
 PSEUDOMODULES += psa_mac
 PSEUDOMODULES += psa_mac_hmac_sha_256
@@ -161,6 +164,5 @@ endif
 
 ## Secure Elements
 PSEUDOMODULES += psa_secure_element
-PSEUDOMODULES += psa_secure_element_asymmetric
 PSEUDOMODULES += psa_secure_element_config
 PSEUDOMODULES += psa_secure_element_multiple
diff --git a/sys/psa_crypto/doc.txt b/sys/psa_crypto/doc.txt
@@ -315,13 +315,14 @@
  *
  * ### Secure Elements
  * Base:
- *
  * - psa_secure_element
  * - psa_secure_element_multiple
  *
  * #### SE Types
  * - psa_secure_element_ateccx08a
+ * - psa_secure_element_ateccx08a_cipher_aes_128
  * - psa_secure_element_ateccx08a_ecc_p256
+ * - psa_secure_element_ateccx08a_hmac_sha256
  *
  * Random Number Generation {#rng}
  * ===
@@ -371,7 +372,7 @@
  * @code
  * CONFIG_PSA_SECURE_ELEMENT=y
  * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A=y        // device example
- * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A_ECC=y
+ * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256=y
  * @endcode
  *
  * or added to the the Makefile:
@@ -438,10 +439,10 @@
  * In RIOT, module names are generated from path names, so if you create a directory for
  * your sourcefiles, the module name will be the same as the directory name. It is possible
  * to change that by declaring a new module name in the Makefile by adding the line
- * your_module_name`.
+ * `MODULE := your_module_name`.
  *
  * If you leave it like this, all sourcefiles in the path corresponding to the module name will be
- * built (e.g. if you choose to module `hashes`, all files in `sys/hashes` will be included).
+ * built (e.g. if you choose the module `hashes`, all files in `sys/hashes` will be included).
  * For better configurability it is possible to add submodules (see
  * `sys/hashes/psa_riot_hashes` for example).
  * In that case the base module name will be the directory name and each file inside the directory
@@ -959,17 +960,20 @@
  * key, which requires a lot less memory space.
  *
  * **BUT:** If your secure element supports asymmetric cryptography and exports a public key part
- * during key generation, that key part must be stored somewhere. This is why there needs to be
- * an option to tell PSA Crypto that an application is going to perform asymmetric operations.
- * Only if that option is selected, the protected key slots will have the space to store a public
+ * during key generation, that key part must be stored somewhere. So when you choose an
+ * asymmetric operation, the protected key slots will have the space to store a public
  * key.
  *
+ * #### Dependencies
+ * Secure Element operations also depend on the PSA modules. E.g. when you want to use an ECC
+ * operation, you need to make sure that you also build the asymmetric PSA functions.
+ *
  * For this we need to add the following to the `superSE` menu:
  * @code
  * config MODULE_PSA_SECURE_ELEMENT_SUPERSE_ECC_P256
  *     bool "Our Vendor's Elliptic Curve P256"
  *     select PSA_KEY_SIZE_256
- *     select MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC
+ *     select MODULE_PSA_ASYMMETRIC
  *     depends on MODULE_PSA_SECURE_ELEMENT_SUPERSE
  * @endcode
  * This tells us, what size a key slot should have to store the public key. If your SE supports
@@ -994,9 +998,11 @@
  * endif
  *
  * ifneq (,$(filter psa_secure_element_superse_ecc_p256, $(USEMODULE)))
- *   USEMODULE += psa_secure_element_asymmetric
+ *   USEMODULE += psa_asymmetric
  * endif
- *
- * Now the secure element should be available for use with PSA Crypto.
  * @endcode
+ * This needs to be done for all other supported operations (e.g. ATECCX08 operations in
+ * `pkg/cryptoauthlib/Makefile.include`, `pkg/cryptoauthlib/Makefile.dep` and
+ * `sys/psa_crypto/psa_se_mgmt/Kconfig` Now the secure element should be available for use
+ * with PSA Crypto.
  */
diff --git a/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h b/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h
@@ -28,8 +28,12 @@ extern "C" {
 #include <stdlib.h>
 #include "kernel_defines.h"
 #include "psa/crypto.h"
+
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT)
 #include "psa_crypto_slot_management.h"
+#endif
 
+#if IS_USED(MODULE_PSA_HASH)
 /**
  * @brief   Dispatch a hash setup function to a specific backend.
  *          See @ref psa_hash_setup()
@@ -68,7 +72,9 @@ psa_status_t psa_algorithm_dispatch_hash_finish(psa_hash_operation_t *operation,
                                                 uint8_t *hash,
                                                 size_t hash_size,
                                                 size_t *hash_length);
+#endif
 
+#if IS_USED(MODULE_PSA_ASYMMETRIC)
 /**
  * @brief   Dispatch a hash signature function to a specific backend.
  *          See @ref psa_sign_hash()
@@ -156,7 +162,9 @@ psa_status_t psa_algorithm_dispatch_verify_message( const psa_key_attributes_t *
                                                     size_t input_length,
                                                     const uint8_t *signature,
                                                     size_t signature_length);
+#endif
 
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT)
 /**
  * @brief   Dispatch the key generation function to a specific backend.
  *          See @ref psa_generate_key()
@@ -167,7 +175,9 @@ psa_status_t psa_algorithm_dispatch_verify_message( const psa_key_attributes_t *
  */
 psa_status_t psa_algorithm_dispatch_generate_key(   const psa_key_attributes_t *attributes,
                                                     psa_key_slot_t *slot);
+#endif
 
+#if IS_USED(MODULE_PSA_CIPHER)
 /**
  * @brief   Dispatch a cipher encrypt function to a specific backend.
  *          See @ref psa_cipher_encrypt()
@@ -213,7 +223,9 @@ psa_status_t psa_algorithm_dispatch_cipher_decrypt( const psa_key_attributes_t *
                                                     uint8_t *output,
                                                     size_t output_size,
                                                     size_t *output_length);
+#endif
 
+#if IS_USED(MODULE_PSA_MAC)
 /**
  * @brief   Dispatch a mac computation function to a specific backend.
  *          See @ref psa_mac_compute()
@@ -236,6 +248,7 @@ psa_status_t psa_algorithm_dispatch_mac_compute(const psa_key_attributes_t *attr
                                                 uint8_t *mac,
                                                 size_t mac_size,
                                                 size_t *mac_length);
+#endif
 
 #ifdef __cplusplus
 }