From 90866b43e8115f4d7da86caf548b3905a08b54b2 Mon Sep 17 00:00:00 2001 From: Lena Boeckmann Date: Thu, 19 Oct 2023 14:26:22 +0200 Subject: [PATCH] sys/psa_crypto: Separate PSA operations by modules --- sys/include/psa_crypto/psa/crypto_sizes.h | 2 +- sys/include/psa_crypto/psa/crypto_struct.h | 70 +++++++++------- sys/psa_crypto/Kconfig.asymmetric | 3 +- sys/psa_crypto/Kconfig.ciphers | 3 +- sys/psa_crypto/Kconfig.hashes | 1 - sys/psa_crypto/Kconfig.keys | 5 ++ sys/psa_crypto/Kconfig.mac | 3 +- sys/psa_crypto/Makefile.dep | 15 +++- sys/psa_crypto/Makefile.include | 4 +- sys/psa_crypto/doc.txt | 28 ++++--- .../include/psa_crypto_algorithm_dispatch.h | 13 +++ .../include/psa_crypto_location_dispatch.h | 8 ++ sys/psa_crypto/psa_crypto.c | 81 ++++++++++++------- .../psa_crypto_algorithm_dispatch.c | 10 +++ sys/psa_crypto/psa_crypto_location_dispatch.c | 12 ++- sys/psa_crypto/psa_key_slot_mgmt/Kconfig | 1 + .../psa_crypto_slot_management.c | 2 +- sys/psa_crypto/psa_se_mgmt/Kconfig | 21 +++-- 18 files changed, 192 insertions(+), 90 deletions(-) diff --git a/sys/include/psa_crypto/psa/crypto_sizes.h b/sys/include/psa_crypto/psa/crypto_sizes.h index 8f0ce9230f908..7a0a8d9df9710 100644 --- a/sys/include/psa_crypto/psa/crypto_sizes.h +++ b/sys/include/psa_crypto/psa/crypto_sizes.h @@ -981,7 +981,7 @@ extern "C" { /** * @brief The maximum size of the used key data. */ -#if IS_USED(MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC) || IS_USED(MODULE_PSA_ASYMMETRIC) +#if IS_USED(MODULE_PSA_ASYMMETRIC) #define PSA_MAX_KEY_DATA_SIZE (PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) #else #define PSA_MAX_KEY_DATA_SIZE (CONFIG_PSA_MAX_KEY_SIZE) diff --git a/sys/include/psa_crypto/psa/crypto_struct.h b/sys/include/psa_crypto/psa/crypto_struct.h index 830c9722b0fc3..6a4ec4f8b98da 100644 --- a/sys/include/psa_crypto/psa/crypto_struct.h +++ b/sys/include/psa_crypto/psa/crypto_struct.h 
@@ -28,34 +28,7 @@ extern "C" { #include "crypto_sizes.h" #include "crypto_contexts.h" -/** - * @brief Structure containing a hash context and algorithm - */ -struct psa_hash_operation_s { - psa_algorithm_t alg; /**< Operation algorithm */ -#if IS_USED(MODULE_PSA_HASH) - psa_hash_context_t ctx; /**< Operation hash context */ -#endif -}; - -/** - * @brief This macro returns a suitable initializer for a hash operation object of type - * @ref psa_hash_operation_t. - */ -#define PSA_HASH_OPERATION_INIT { 0 } - -/** - * @brief Return an initial value for a hash operation object. - * - * @return struct psa_hash_operation_s - */ -static inline struct psa_hash_operation_s psa_hash_operation_init(void) -{ - const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT; - - return v; -} - +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN) /** * @brief Structure storing the key usage policies */ @@ -97,7 +70,9 @@ static inline struct psa_key_attributes_s psa_key_attributes_init(void) return v; } +#endif +#if IS_USED(MODULE_PSA_AEAD) || defined(DOXYGEN) /** * @brief Structure storing an AEAD operation context * @@ -124,7 +99,9 @@ static inline struct psa_aead_operation_s psa_aead_operation_init(void) return v; } +#endif +#if IS_USED(MODULE_PSA_CIPHER) || defined(DOXYGEN) /** * @brief Structure storing a cipher operation context */ @@ -135,9 +112,7 @@ struct psa_cipher_operation_s { psa_algorithm_t alg; /**< Operation algorithm*/ /** Union containing cipher contexts for the executing backend */ union cipher_context { -#if IS_USED(MODULE_PSA_CIPHER) psa_cipher_context_t cipher_ctx; /**< Cipher context */ -#endif #if IS_USED(MODULE_PSA_SECURE_ELEMENT_ATECCX08A) || defined(DOXYGEN) psa_se_cipher_context_t se_ctx; /**< SE Cipher context */ #endif 
@@ -161,7 +136,9 @@ static inline struct psa_cipher_operation_s psa_cipher_operation_init(void) return v; } +#endif /* MODULE_PSA_CIPHER */ +#if IS_USED(MODULE_PSA_KEY_DERIVATION) || defined(DOXYGEN) /** * @brief This macro returns a suitable initializer for a key derivation operation object of * type @ref psa_key_derivation_operation_t. @@ -188,7 +165,39 @@ static inline struct psa_key_derivation_operation_s psa_key_derivation_operation return v; } +#endif + +#if IS_USED(MODULE_PSA_HASH) || defined(DOXYGEN) +/** + * @brief Structure containing a hash context and algorithm + */ +struct psa_hash_operation_s { + psa_algorithm_t alg; /**< Operation algorithm */ +#if IS_USED(MODULE_PSA_HASH) + psa_hash_context_t ctx; /**< Operation hash context */ +#endif +}; + +/** + * @brief This macro returns a suitable initializer for a hash operation object of type + * @ref psa_hash_operation_t. + */ +#define PSA_HASH_OPERATION_INIT { 0 } +/** + * @brief Return an initial value for a hash operation object. + * + * @return struct psa_hash_operation_s + */ +static inline struct psa_hash_operation_s psa_hash_operation_init(void) +{ + const struct psa_hash_operation_s v = PSA_HASH_OPERATION_INIT; + + return v; +} +#endif /* MODULE_PSA_HASH */ + +#if IS_USED(MODULE_PSA_MAC) || defined(DOXYGEN) /** * @brief This macro returns a suitable initializer for a MAC operation object of type * @ref psa_mac_operation_t. @@ -215,6 +224,7 @@ static inline struct psa_mac_operation_s psa_mac_operation_init(void) return v; } +#endif #ifdef __cplusplus } diff --git a/sys/psa_crypto/Kconfig.asymmetric b/sys/psa_crypto/Kconfig.asymmetric index 358ba6af4e8c6..081d40a6c2add 100644 --- a/sys/psa_crypto/Kconfig.asymmetric +++ b/sys/psa_crypto/Kconfig.asymmetric @@ -7,8 +7,7 @@ menuconfig MODULE_PSA_ASYMMETRIC bool "PSA Asymmetric Crypto" - select PSA_KEY_CONFIG - select MODULE_PSA_KEY_SLOT_MGMT + select MODULE_PSA_KEY_MANAGEMENT if MODULE_PSA_ASYMMETRIC 
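Review bot: In the re-added `psa_hash_operation_s` (hunk `@@ -188,7 +165,39 @@`), the inner `#if IS_USED(MODULE_PSA_HASH)` around `ctx` is kept although the whole struct is now wrapped in `#if IS_USED(MODULE_PSA_HASH) || defined(DOXYGEN)`. The two tests differ only in a Doxygen-only run, where the inner one hides `ctx` from the generated documentation; the cipher struct in this same patch dropped its equivalent inner guard. I would remove the inner `#if`/`#endif` pair so both structs read the same. The closing lines are also labelled unevenly: `#endif /* MODULE_PSA_CIPHER */` and `#endif /* MODULE_PSA_HASH */` carry a comment, while the key-management, AEAD, key-derivation and MAC guards end in a bare `#endif`.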
diff --git a/sys/psa_crypto/Kconfig.ciphers b/sys/psa_crypto/Kconfig.ciphers index e7d5303a9b25b..b6c2104864c48 100644 --- a/sys/psa_crypto/Kconfig.ciphers +++ b/sys/psa_crypto/Kconfig.ciphers @@ -7,8 +7,7 @@ menuconfig MODULE_PSA_CIPHER bool "PSA Ciphers" - select PSA_KEY_CONFIG - select MODULE_PSA_KEY_SLOT_MGMT + select MODULE_PSA_KEY_MANAGEMENT if MODULE_PSA_CIPHER diff --git a/sys/psa_crypto/Kconfig.hashes b/sys/psa_crypto/Kconfig.hashes index 6abf34ad9f357..8de33d66e3efb 100644 --- a/sys/psa_crypto/Kconfig.hashes +++ b/sys/psa_crypto/Kconfig.hashes @@ -7,7 +7,6 @@ menuconfig MODULE_PSA_HASH bool "PSA Hashes" - select PSA_KEY_CONFIG if MODULE_PSA_HASH diff --git a/sys/psa_crypto/Kconfig.keys b/sys/psa_crypto/Kconfig.keys index 03d0bc642aa96..a59a88458f746 100644 --- a/sys/psa_crypto/Kconfig.keys +++ b/sys/psa_crypto/Kconfig.keys @@ -7,6 +7,11 @@ menu "PSA Key Management Configuration" +config MODULE_PSA_KEY_MANAGEMENT + bool + help + Activates the PSA Key Management Module + config PSA_KEY_SIZE_128 bool "Application uses key of size 128 Bits" help diff --git a/sys/psa_crypto/Kconfig.mac b/sys/psa_crypto/Kconfig.mac index fcca459f10fbe..8cc8b8b1464f0 100644 --- a/sys/psa_crypto/Kconfig.mac +++ b/sys/psa_crypto/Kconfig.mac @@ -7,8 +7,7 @@ menuconfig MODULE_PSA_MAC bool "PSA Message Authenticated Ciphers" - select PSA_KEY_CONFIG - select MODULE_PSA_KEY_SLOT_MGMT + select MODULE_PSA_KEY_MANAGEMENT if MODULE_PSA_MAC diff --git a/sys/psa_crypto/Makefile.dep b/sys/psa_crypto/Makefile.dep index be403cae6a6d1..f187c498b0611 100644 --- a/sys/psa_crypto/Makefile.dep +++ b/sys/psa_crypto/Makefile.dep @@ -5,7 +5,7 @@ endif # Asymmetric ifneq (,$(filter psa_asymmetric,$(USEMODULE))) - USEMODULE += psa_key_slot_mgmt + USEMODULE += psa_key_management endif ## ECC_P192R1 backend @@ -82,7 +82,7 @@ endif # Cipher ifneq (,$(filter psa_cipher,$(USEMODULE))) - USEMODULE += psa_key_slot_mgmt + USEMODULE += psa_key_management endif ## AES-128-ECB backend 
@@ -228,7 +228,16 @@ ifneq (,$(filter psa_hash_sha_512_backend_periph,$(USEMODULE))) FEATURES_REQUIRED += periph_hash_sha_512 endif +# Key Management +ifneq (,$(filter psa_key_management,$(USEMODULE))) + USEMODULE += psa_key_slot_mgmt +endif + # MAC +ifneq (,$(filter psa_mac,$(USEMODULE))) + USEMODULE += psa_key_management +endif + ## HMAC SHA-256 ifneq (,$(filter psa_mac_hmac_sha_256,$(USEMODULE))) ifeq (,$(filter psa_mac_hmac_sha_256_custom_backend,$(USEMODULE))) @@ -256,7 +265,7 @@ endif # Secure Elements ifneq (,$(filter psa_secure_element,$(USEMODULE))) USEMODULE += psa_se_mgmt - USEMODULE += psa_key_slot_mgmt + USEMODULE += psa_key_management endif ifneq (,$(filter psa_secure_element_ateccx08a, $(USEMODULE))) diff --git a/sys/psa_crypto/Makefile.include b/sys/psa_crypto/Makefile.include index 9c64f712fde93..91a601da687ed 100644 --- a/sys/psa_crypto/Makefile.include +++ b/sys/psa_crypto/Makefile.include @@ -145,6 +145,9 @@ ifneq (,$(filter psa_hash_sha_512,$(USEMODULE))) endif endif +## Key Management +PSEUDOMODULES += psa_key_management + ## MAC PSEUDOMODULES += psa_mac PSEUDOMODULES += psa_mac_hmac_sha_256 @@ -161,6 +164,5 @@ endif ## Secure Elements PSEUDOMODULES += psa_secure_element -PSEUDOMODULES += psa_secure_element_asymmetric PSEUDOMODULES += psa_secure_element_config PSEUDOMODULES += psa_secure_element_multiple diff --git a/sys/psa_crypto/doc.txt b/sys/psa_crypto/doc.txt index 20624055595f7..6ea4620fa3064 100644 --- a/sys/psa_crypto/doc.txt +++ b/sys/psa_crypto/doc.txt @@ -315,13 +315,14 @@ * * ### Secure Elements * Base: - * * - psa_secure_element * - psa_secure_element_multiple * * #### SE Types * - psa_secure_element_ateccx08a + * - psa_secure_element_ateccx08a_cipher_aes_128 * - psa_secure_element_ateccx08a_ecc_p256 + * - psa_secure_element_ateccx08a_hmac_sha256 * * Random Number Generation {#rng} * === 
@@ -371,7 +372,7 @@ * @code * CONFIG_PSA_SECURE_ELEMENT=y * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A=y // device example - * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A_ECC=y + * CONFIG_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256=y * @endcode * * or added to the the Makefile: @@ -438,10 +439,10 @@ * In RIOT, module names are generated from path names, so if you create a directory for * your sourcefiles, the module name will be the same as the directory name. It is possible * to change that by declaring a new module name in the Makefile by adding the line - * your_module_name`. + * `MODULE := your_module_name`. * * If you leave it like this, all sourcefiles in the path corresponding to the module name will be - * built (e.g. if you choose to module `hashes`, all files in `sys/hashes` will be included). + * built (e.g. if you choose the module `hashes`, all files in `sys/hashes` will be included). * For better configurability it is possible to add submodules (see * `sys/hashes/psa_riot_hashes` for example). * In that case the base module name will be the directory name and each file inside the directory 
@@ -959,17 +960,20 @@ * key, which requires a lot less memory space. * * **BUT:** If your secure element supports asymmetric cryptography and exports a public key part - * during key generation, that key part must be stored somewhere. This is why there needs to be - * an option to tell PSA Crypto that an application is going to perform asymmetric operations. - * Only if that option is selected, the protected key slots will have the space to store a public + * during key generation, that key part must be stored somewhere. So when you choose an + * asymmetric operation, the protected key slots will have the space to store a public * key. * + * #### Dependencies + * Secure Element operations also depend on the PSA modules. E.g. when you want to use an ECC + * operation, you need to make sure that you also build the asymmetric PSA functions. + * * For this we need to add the following to the `superSE` menu: * @code * config MODULE_PSA_SECURE_ELEMENT_SUPERSE_ECC_P256 * bool "Our Vendor's Elliptic Curve P256" * select PSA_KEY_SIZE_256 - * select MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC + * select MODULE_PSA_ASYMMETRIC * depends on MODULE_PSA_SECURE_ELEMENT_SUPERSE * @endcode * This tells us, what size a key slot should have to store the public key. If your SE supports @@ -994,9 +998,11 @@ * endif * * ifneq (,$(filter psa_secure_element_superse_ecc_p256, $(USEMODULE))) - * USEMODULE += psa_secure_element_asymmetric + * USEMODULE += psa_asymmetric * endif - * - * Now the secure element should be available for use with PSA Crypto. * @endcode + * This needs to be done for all other supported operations (e.g. ATECCX08 operations in + * `pkg/cryptoauthlib/Makefile.include`, `pkg/cryptoauthlib/Makefile.dep` and + * `sys/psa_crypto/psa_se_mgmt/Kconfig` Now the secure element should be available for use + * with PSA Crypto. */ 
diff --git a/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h b/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h index e17be73419643..6dc05604e4cdb 100644 --- a/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h +++ b/sys/psa_crypto/include/psa_crypto_algorithm_dispatch.h @@ -28,8 +28,12 @@ extern "C" { #include #include "kernel_defines.h" #include "psa/crypto.h" + +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) #include "psa_crypto_slot_management.h" +#endif +#if IS_USED(MODULE_PSA_HASH) /** * @brief Dispatch a hash setup function to a specific backend. * See @ref psa_hash_setup() @@ -68,7 +72,9 @@ psa_status_t psa_algorithm_dispatch_hash_finish(psa_hash_operation_t *operation, uint8_t *hash, size_t hash_size, size_t *hash_length); +#endif +#if IS_USED(MODULE_PSA_ASYMMETRIC) /** * @brief Dispatch a hash signature function to a specific backend. * See @ref psa_sign_hash() @@ -156,7 +162,9 @@ psa_status_t psa_algorithm_dispatch_verify_message( const psa_key_attributes_t * size_t input_length, const uint8_t *signature, size_t signature_length); +#endif +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) /** * @brief Dispatch the key generation function to a specific backend. * See @ref psa_generate_key() @@ -167,7 +175,9 @@ psa_status_t psa_algorithm_dispatch_verify_message( const psa_key_attributes_t * */ psa_status_t psa_algorithm_dispatch_generate_key( const psa_key_attributes_t *attributes, psa_key_slot_t *slot); +#endif +#if IS_USED(MODULE_PSA_CIPHER) /** * @brief Dispatch a cipher encrypt function to a specific backend. * See @ref psa_cipher_encrypt() @@ -213,7 +223,9 @@ psa_status_t psa_algorithm_dispatch_cipher_decrypt( const psa_key_attributes_t * uint8_t *output, size_t output_size, size_t *output_length); +#endif +#if IS_USED(MODULE_PSA_MAC) /** * @brief Dispatch a mac computation function to a specific backend. * See @ref psa_mac_compute() 
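Review bot: The guards added around the dispatch prototypes, starting with `#if IS_USED(MODULE_PSA_HASH)` in the `@@ -28,8 +28,12 @@` hunk, omit the `|| defined(DOXYGEN)` that this patch adds in `crypto_struct.h`. If the documentation build does not define these modules, the `@brief` blocks for the hash, asymmetric, key-management, cipher and MAC dispatchers would presumably drop out of the generated docs. I would write each guard as `#if IS_USED(MODULE_PSA_HASH) || defined(DOXYGEN)` and label the closing line, e.g. `#endif /* MODULE_PSA_HASH */`, as the `.c` files do. The same applies to the guards added in `psa_crypto_location_dispatch.h`.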
@@ -236,6 +248,7 @@ psa_status_t psa_algorithm_dispatch_mac_compute(const psa_key_attributes_t *attr uint8_t *mac, size_t mac_size, size_t *mac_length); +#endif #ifdef __cplusplus } diff --git a/sys/psa_crypto/include/psa_crypto_location_dispatch.h b/sys/psa_crypto/include/psa_crypto_location_dispatch.h index 4ec493fd01e91..f4c9754476839 100644 --- a/sys/psa_crypto/include/psa_crypto_location_dispatch.h +++ b/sys/psa_crypto/include/psa_crypto_location_dispatch.h @@ -29,6 +29,7 @@ extern "C" { #include "kernel_defines.h" #include "psa/crypto.h" +#if IS_USED(MODULE_PSA_ASYMMETRIC) /** * @brief Dispatch call of a hash signature function to a location specific backend. * See psa_sign_hash() @@ -116,7 +117,9 @@ psa_status_t psa_location_dispatch_verify_message(const psa_key_attributes_t *at size_t input_length, const uint8_t *signature, size_t signature_length); +#endif +#if IS_USED(MODULE_PSA_MAC) /** * @brief Dispatch call of a mac computation function to a location specific backend. * See psa_mac_compute() @@ -139,7 +142,9 @@ psa_status_t psa_location_dispatch_mac_compute(const psa_key_attributes_t *attri uint8_t *mac, size_t mac_size, size_t *mac_length); +#endif +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) /** * @brief Dispatch call of the key generation function to a location specific backend. * See psa_generate_key() @@ -165,7 +170,9 @@ psa_status_t psa_location_dispatch_generate_key(const psa_key_attributes_t *attr psa_status_t psa_location_dispatch_import_key( const psa_key_attributes_t *attributes, const uint8_t *data, size_t data_length, psa_key_slot_t *slot, size_t *bits); +#endif +#if IS_USED(MODULE_PSA_CIPHER) /** * @brief Dispatch call of a cipher encrypt setup function to a location specific backend. * See psa_cipher_setup() 
@@ -254,6 +261,7 @@ psa_status_t psa_location_dispatch_cipher_decrypt( const psa_key_attributes_t * uint8_t *output, size_t output_size, size_t *output_length); +#endif /** * @brief Dispatch call of a random number generator to a specific backend. diff --git a/sys/psa_crypto/psa_crypto.c b/sys/psa_crypto/psa_crypto.c index af0a9dab4c059..ed20e74ac5a61 100644 --- a/sys/psa_crypto/psa_crypto.c +++ b/sys/psa_crypto/psa_crypto.c @@ -20,9 +20,13 @@ #include #include "psa/crypto.h" + +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) +#include "psa_crypto_slot_management.h" +#endif + #include "psa_crypto_se_driver.h" #include "psa_crypto_se_management.h" -#include "psa_crypto_slot_management.h" #include "psa_crypto_location_dispatch.h" #include "psa_crypto_algorithm_dispatch.h" @@ -122,6 +126,7 @@ psa_status_t psa_crypto_init(void) return PSA_SUCCESS; } +#if IS_USED(MODULE_PSA_AEAD) psa_status_t psa_aead_abort(psa_aead_operation_t *operation) { (void)operation; @@ -291,7 +296,9 @@ psa_status_t psa_aead_verify( psa_aead_operation_t *operation, (void)tag_length; return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_AEAD */ +#if IS_USED(MODULE_PSA_ASYMMETRIC) psa_status_t psa_asymmetric_decrypt(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *input, @@ -335,7 +342,9 @@ psa_status_t psa_asymmetric_encrypt(psa_key_id_t key, (void)output_length; return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_ASYMMETRIC */ +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) /** * @brief Checks whether a key's policy permits the usage of a given algorithm * @@ -414,7 +423,9 @@ static psa_status_t psa_get_and_lock_key_slot_with_policy( psa_key_id_t id, } return PSA_SUCCESS; } +#endif /* MODULE_PSA_KEY_MANAGEMENT */ +#if IS_USED(MODULE_PSA_CIPHER) psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation) { if (!lib_initialized) { 
@@ -690,6 +701,9 @@ psa_status_t psa_cipher_update(psa_cipher_operation_t *operation, return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_CIPHER */ + +#if IS_USED(MODULE_PSA_HASH) psa_status_t psa_hash_setup(psa_hash_operation_t *operation, psa_algorithm_t alg) { @@ -917,8 +931,36 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg, return PSA_SUCCESS; } +#endif /* MODULE_PSA_HASH */ + +psa_status_t psa_builtin_generate_random(uint8_t *output, + size_t output_size) +{ + if (!output) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + /* TODO: Should point to a CSPRNG API in the future */ + random_bytes(output, output_size); + return PSA_SUCCESS; +} + +psa_status_t psa_generate_random(uint8_t *output, + size_t output_size) +{ + if (!lib_initialized) { + return PSA_ERROR_BAD_STATE; + } + + if (!output) { + return PSA_ERROR_INVALID_ARGUMENT; + } + + return psa_location_dispatch_generate_random(output, output_size); +} /* Key Management */ +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) /** * @brief Check whether the key policy is valid * @@ -990,7 +1032,7 @@ static psa_status_t psa_validate_key_for_key_generation(psa_key_type_t type, siz if (PSA_KEY_TYPE_IS_UNSTRUCTURED(type)) { return psa_validate_unstructured_key_size(type, bits); } -#if IS_USED(MODULE_PSA_ASYMMETRIC) || IS_USED(MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC) +#if IS_USED(MODULE_PSA_ASYMMETRIC) else if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(type)) { return PSA_ECC_KEY_SIZE_IS_VALID(type, bits) ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT; } 
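Review bot: `psa_builtin_generate_random()`, which the `@@ -917,8 +931,36 @@` hunk moves outside every module guard, still fills the buffer with `random_bytes()` under the comment `/* TODO: Should point to a CSPRNG API in the future */`. The function is now built into every configuration and appears to be the built-in backend behind `psa_generate_random()`, so callers will treat its output as cryptographic quality. Whether that holds depends on the PRNG configured behind `random_bytes()`, which this patch does not show. I would state the limitation in a doc comment on the function, e.g. `/** @note Output quality depends on the configured RIOT PRNG; not guaranteed to be a CSPRNG. */`, so it is visible to anyone generating key material or nonces through this path.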
@@ -1347,32 +1389,6 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, return status; } -psa_status_t psa_builtin_generate_random( uint8_t *output, - size_t output_size) -{ - if (!output) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - /* TODO: Should point to a CSPRNG API in the future */ - random_bytes(output, output_size); - return PSA_SUCCESS; -} - -psa_status_t psa_generate_random(uint8_t *output, - size_t output_size) -{ - if (!lib_initialized) { - return PSA_ERROR_BAD_STATE; - } - - if (!output) { - return PSA_ERROR_INVALID_ARGUMENT; - } - - return psa_location_dispatch_generate_random(output, output_size); -} - psa_status_t psa_get_key_attributes(psa_key_id_t key, psa_key_attributes_t *attributes) { @@ -1496,7 +1512,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes, return status; } +#endif /* MODULE_PSA_KEY_MANAGEMENT */ +#if IS_USED(MODULE_PSA_KEY_DERIVATION) psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation) { (void)operation; @@ -1582,7 +1600,9 @@ psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation, (void)alg; return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_KEY_DERIVATION */ +#if IS_USED(MODULE_PSA_MAC) psa_status_t psa_mac_abort(psa_mac_operation_t *operation) { if (!lib_initialized) { @@ -1759,7 +1779,9 @@ psa_status_t psa_purge_key(psa_key_id_t key) (void)key; return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_MAC */ +#if IS_USED(MODULE_PSA_KEY_AGREEMENT) psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, psa_key_id_t private_key, const uint8_t *peer_key, @@ -1777,7 +1799,9 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg, (void)output_length; return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MODULE_PSA_KEY_AGREEMENT */ +#if IS_USED(MODULE_PSA_ASYMMETRIC) psa_status_t psa_sign_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *hash, 
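Review bot: `psa_purge_key()` ends up inside the `MODULE_PSA_MAC` guard. In the `@@ -1759,7 +1779,9 @@` hunk the new `#endif /* MODULE_PSA_MAC */` sits directly after its body, and the matching `#if IS_USED(MODULE_PSA_MAC)` was opened before `psa_mac_abort()` in the `@@ -1582,7 +1600,9 @@` hunk. It is a key-management call, so a build that uses key management without `psa_mac` would lose the symbol at link time. I would move `#endif /* MODULE_PSA_MAC */` above `psa_purge_key()` and wrap that function in `#if IS_USED(MODULE_PSA_KEY_MANAGEMENT)` … `#endif /* MODULE_PSA_KEY_MANAGEMENT */`. The code between the two hunks is not visible here, so it is worth checking that no other non-MAC function was caught by the same guard.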
@@ -1996,3 +2020,4 @@ psa_status_t psa_verify_message(psa_key_id_t key, unlock_status = psa_unlock_key_slot(slot); return ((status == PSA_SUCCESS) ? unlock_status : status); } +#endif /* MODULE_PSA_ASYMMETRIC */ diff --git a/sys/psa_crypto/psa_crypto_algorithm_dispatch.c b/sys/psa_crypto/psa_crypto_algorithm_dispatch.c index 44c2f0532ddb8..b8bcee1edfd7a 100644 --- a/sys/psa_crypto/psa_crypto_algorithm_dispatch.c +++ b/sys/psa_crypto/psa_crypto_algorithm_dispatch.c @@ -27,6 +27,7 @@ #include "psa_ciphers.h" #include "psa_crypto_operation_encoder.h" +#if IS_USED(MODULE_PSA_HASH) psa_status_t psa_algorithm_dispatch_hash_setup(psa_hash_operation_t *operation, psa_algorithm_t alg) { @@ -150,7 +151,9 @@ psa_status_t psa_algorithm_dispatch_hash_finish(psa_hash_operation_t *operation, return PSA_ERROR_NOT_SUPPORTED; } } +#endif /* MODULE_PSA_HASH */ +#if IS_USED(MODULE_PSA_ASYMMETRIC) psa_status_t psa_algorithm_dispatch_sign_hash( const psa_key_attributes_t *attributes, psa_algorithm_t alg, const psa_key_slot_t *slot, @@ -353,7 +356,9 @@ psa_status_t psa_algorithm_dispatch_verify_message(const psa_key_attributes_t *a return PSA_ERROR_NOT_SUPPORTED; } } +#endif /* MODULE_PSA_ASYMMETRIC */ +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) psa_status_t psa_algorithm_dispatch_generate_key( const psa_key_attributes_t *attributes, psa_key_slot_t *slot) { @@ -407,7 +412,9 @@ psa_status_t psa_algorithm_dispatch_generate_key( const psa_key_attributes_t * return psa_builtin_generate_key(attributes, key_data, *key_bytes, key_bytes); } +#endif /* MODULE_PSA_KEY_MANAGEMENT */ +#if IS_USED(MODULE_PSA_CIPHER) psa_status_t psa_algorithm_dispatch_cipher_encrypt( const psa_key_attributes_t *attributes, psa_algorithm_t alg, const psa_key_slot_t *slot, 
@@ -499,7 +506,9 @@ psa_status_t psa_algorithm_dispatch_cipher_decrypt( const psa_key_attributes_t * return PSA_ERROR_NOT_SUPPORTED; } } +#endif /* MODULE_PSA_CIPHER */ +#if IS_USED(MODULE_PSA_MAC) psa_status_t psa_algorithm_dispatch_mac_compute(const psa_key_attributes_t *attributes, psa_algorithm_t alg, const psa_key_slot_t *slot, @@ -538,3 +547,4 @@ psa_status_t psa_algorithm_dispatch_mac_compute(const psa_key_attributes_t *attr (void)mac_length; return PSA_SUCCESS; } +#endif /* MODULE_PSA_MAC */ diff --git a/sys/psa_crypto/psa_crypto_location_dispatch.c b/sys/psa_crypto/psa_crypto_location_dispatch.c index 367de7afe0573..d23fde67dfb93 100644 --- a/sys/psa_crypto/psa_crypto_location_dispatch.c +++ b/sys/psa_crypto/psa_crypto_location_dispatch.c @@ -22,10 +22,12 @@ #include "kernel_defines.h" #include "psa/crypto.h" #include "psa_crypto_algorithm_dispatch.h" -#include "psa_crypto_slot_management.h" #include "psa_crypto_se_management.h" #include "psa_crypto_se_driver.h" +#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) +#include "psa_crypto_slot_management.h" + psa_status_t psa_location_dispatch_generate_key(const psa_key_attributes_t *attributes, psa_key_slot_t *slot) { @@ -104,7 +106,9 @@ psa_status_t psa_location_dispatch_import_key( const psa_key_attributes_t *attri return PSA_ERROR_NOT_SUPPORTED; } } +#endif /* MODULE_PSA_KEY_MANAGEMENT */ +#if IS_USED(MODULE_PSA_CIPHER) psa_status_t psa_location_dispatch_cipher_encrypt_setup( psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, const psa_key_slot_t *slot, @@ -335,6 +339,9 @@ psa_status_t psa_location_dispatch_cipher_decrypt( const psa_key_attributes_t * output, output_size, output_length); } +#endif /* MODULE_PSA_CIPHER */ + +#if IS_USED(MODULE_PSA_ASYMMETRIC) psa_status_t psa_location_dispatch_sign_hash( const psa_key_attributes_t *attributes, psa_algorithm_t alg, const psa_key_slot_t *slot, 
@@ -428,7 +435,9 @@ psa_status_t psa_location_dispatch_verify_message( const psa_key_attributes_t * return psa_algorithm_dispatch_verify_message(attributes, alg, slot, input, input_length, signature, signature_length); } +#endif /* MODULE_PSA_ASYMMETRIC */ +#if IS_USED(MODULE_PSA_MAC) psa_status_t psa_location_dispatch_mac_compute(const psa_key_attributes_t *attributes, psa_algorithm_t alg, const psa_key_slot_t *slot, @@ -462,6 +471,7 @@ psa_status_t psa_location_dispatch_mac_compute(const psa_key_attributes_t *attri return psa_algorithm_dispatch_mac_compute(attributes, alg, slot, input, input_length, mac, mac_size, mac_length); } +#endif /* MODULE_PSA_MAC */ psa_status_t psa_location_dispatch_generate_random(uint8_t *output, size_t output_size) diff --git a/sys/psa_crypto/psa_key_slot_mgmt/Kconfig b/sys/psa_crypto/psa_key_slot_mgmt/Kconfig index a064bf1b2598e..7f78aee24c692 100644 --- a/sys/psa_crypto/psa_key_slot_mgmt/Kconfig +++ b/sys/psa_crypto/psa_key_slot_mgmt/Kconfig @@ -7,4 +7,5 @@ config MODULE_PSA_KEY_SLOT_MGMT bool + default y if MODULE_PSA_KEY_MANAGEMENT default y if PACKAGE_PSA_ARCH_TESTS diff --git a/sys/psa_crypto/psa_key_slot_mgmt/psa_crypto_slot_management.c b/sys/psa_crypto/psa_key_slot_mgmt/psa_crypto_slot_management.c index c21654b48d2a2..0e450a08a3e69 100644 --- a/sys/psa_crypto/psa_key_slot_mgmt/psa_crypto_slot_management.c +++ b/sys/psa_crypto/psa_key_slot_mgmt/psa_crypto_slot_management.c @@ -37,7 +37,7 @@ typedef struct { psa_key_attributes_t attr; struct prot_key_data { psa_key_slot_number_t slot_number; -#if IS_USED(MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC) +#if IS_USED(MODULE_PSA_ASYMMETRIC) uint8_t pubkey_data[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; size_t pubkey_data_len; #endif diff --git a/sys/psa_crypto/psa_se_mgmt/Kconfig b/sys/psa_crypto/psa_se_mgmt/Kconfig index 80f017ad799a3..ceefd97647912 100644 --- a/sys/psa_crypto/psa_se_mgmt/Kconfig +++ b/sys/psa_crypto/psa_se_mgmt/Kconfig 
@@ -7,7 +7,7 @@ menuconfig MODULE_PSA_SECURE_ELEMENT bool "PSA Secure Elements" - select MODULE_PSA_KEY_SLOT_MGMT + select MODULE_PSA_KEY_MANAGEMENT select MODULE_PSA_SE_MGMT if MODULE_PSA_SECURE_ELEMENT @@ -33,16 +33,23 @@ menuconfig MODULE_PSA_SECURE_ELEMENT_ATECCX08A config MODULE_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256 bool "Microchip ATECCX08A Elliptic Curve P256" select PSA_KEY_SIZE_256 - select MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC + select MODULE_PSA_ASYMMETRIC depends on MODULE_PSA_SECURE_ELEMENT_ATECCX08A -config MODULE_PSA_SE_MGMT - bool +config MODULE_PSA_SECURE_ELEMENT_ATECCX08A_CIPHER_AES_128 + bool "Microchip ATECCX08A Cipher AES 128" + select PSA_KEY_SIZE_128 + select MODULE_PSA_CIPHER + depends on MODULE_PSA_SECURE_ELEMENT_ATECCX08A -config MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC +config MODULE_PSA_SECURE_ELEMENT_ATECCX08A_HMAC_SHA256 + bool "Microchip ATECCX08A HMAC SHA-256" + select PSA_KEY_SIZE_128 + select MODULE_PSA_MAC + depends on MODULE_PSA_SECURE_ELEMENT_ATECCX08A + +config MODULE_PSA_SE_MGMT bool - help - Indicates that an asymmetric operation is used with secure elements. config MODULE_PSA_SECURE_ELEMENT_CONFIG bool
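Review bot: The new `MODULE_PSA_SECURE_ELEMENT_ATECCX08A_HMAC_SHA256` entry in the `@@ -33,16 +33,23 @@` hunk selects `PSA_KEY_SIZE_128`, the same line as the AES-128 entry above it. That looks carried over from the cipher option rather than chosen for HMAC-SHA-256. If the selected key size bounds any buffer that HMAC key material passes through on import, a longer HMAC key would not fit; that path is not visible in this patch, so please confirm which size is intended. If it is deliberate, a `help` text on the option stating the supported HMAC key length would document it.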