Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[nrfconnect] Allow to use PSA crypto API backend #23340

Merged
merged 1 commit into from
Oct 26, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions config/nrfconnect/chip-module/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,10 @@ if (CONFIG_CHIP_ENABLE_DNSSD_SRP)
chip_gn_arg_string("chip_mdns" "platform")
endif()

if (CONFIG_CHIP_CRYPTO_PSA)
chip_gn_arg_string("chip_crypto" "psa")
endif()

if (CHIP_PROJECT_CONFIG)
chip_gn_arg_string("chip_project_config_include" ${CHIP_PROJECT_CONFIG})
chip_gn_arg_string("chip_system_project_config_include" ${CHIP_PROJECT_CONFIG})
Expand Down
56 changes: 50 additions & 6 deletions config/nrfconnect/chip-module/Kconfig.defaults
Original file line number Diff line number Diff line change
Expand Up @@ -281,11 +281,11 @@ config MBEDTLS_PK_WRITE_C

config MBEDTLS_X509_CREATE_C
bool
default y
default y if !CHIP_CRYPTO_PSA

config MBEDTLS_X509_CSR_WRITE_C
bool
default y
default y if !CHIP_CRYPTO_PSA

# Disable unneeded crypto operations

Expand All @@ -297,10 +297,6 @@ config MBEDTLS_SHA512_C
bool
default n

config PSA_WANT_ALG_SHA_512
bool
default n

config MBEDTLS_CIPHER_MODE_XTS
bool
default n
Expand All @@ -325,6 +321,54 @@ config MBEDTLS_RSA_C
bool
default n

config PSA_WANT_KEY_TYPE_ARIA
bool
default n

config PSA_WANT_KEY_TYPE_CHACHA20
bool
default n

config PSA_WANT_ALG_GCM
bool
default n

config PSA_WANT_ALG_CHACHA20_POLY1305
bool
default n

config PSA_WANT_ALG_SHA_1
bool
default n

config PSA_WANT_ALG_SHA_224
bool
default n

config PSA_WANT_ALG_SHA_384
bool
default n

config PSA_WANT_ALG_SHA_512
bool
default n

config PSA_WANT_ALG_RIPEMD160
bool
default n

config PSA_WANT_ALG_MD5
bool
default n

config PSA_WANT_ALG_CFB
bool
default n

config PSA_WANT_ALG_OFB
bool
default n

# Disable not used shell modules

config SENSOR_SHELL
Expand Down
6 changes: 6 additions & 0 deletions config/zephyr/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,12 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL
precisely operation time in case of device reboot and maximizing flash memory
lifetime.

config CHIP_CRYPTO_PSA
bool "Use PSA crypto API for cryptographic operations"
help
Use the backend for the Matter crypto layer that is based on PSA crypto
API instead of the default, based on legacy mbedTLS APIs.

config CHIP_MALLOC_SYS_HEAP
bool "Memory allocator based on Zephyr sys_heap"
imply SYS_HEAP_RUNTIME_STATS
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@

#include <zephyr/sys/reboot.h>

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <psa/crypto.h>
#endif

#define DEFAULT_MIN_SLEEP_PERIOD (60 * 60 * 24 * 30) // Month [sec]

namespace chip {
Expand Down Expand Up @@ -69,6 +73,10 @@ CHIP_ERROR GenericPlatformManagerImpl_Zephyr<ImplClass>::_InitChipStack(void)

mShouldRunEventLoop = false;

#ifdef CONFIG_CHIP_CRYPTO_PSA
VerifyOrReturnError(psa_crypto_init() == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
#endif

// Call up to the base class _InitChipStack() to perform the bulk of the initialization.
err = GenericPlatformManagerImpl<ImplClass>::_InitChipStack();
SuccessOrExit(err);
Expand Down
8 changes: 7 additions & 1 deletion src/platform/nrfconnect/CHIPPlatformConfig.h
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@

#pragma once

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <psa/crypto.h>
#endif

// ==================== General Platform Adaptations ====================

#define CHIP_CONFIG_ABORT() abort()
Expand All @@ -34,9 +38,11 @@

// ==================== Security Adaptations ====================

#ifdef CONFIG_CHIP_CRYPTO_PSA
#define CHIP_CONFIG_SHA256_CONTEXT_SIZE sizeof(psa_hash_operation_t)
#elif defined(CONFIG_CC3XX_BACKEND)
// Size of the statically allocated context for SHA256 operations in CryptoPAL
// determined empirically.
#ifdef CONFIG_CC3XX_BACKEND
#define CHIP_CONFIG_SHA256_CONTEXT_SIZE 244
#else
#define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208
Expand Down