From 761b83e7c56aede2590df472a3645320c6b7e8c2 Mon Sep 17 00:00:00 2001 From: Eduardo Montoya Date: Thu, 2 Jan 2025 14:54:47 +0100 Subject: [PATCH 1/2] subsys: remove unused configuration Remove `CONFIG_ZIGBEE_USE_SOFTWARE_AES`. Signed-off-by: Eduardo Montoya --- subsys/CMakeLists.txt | 1 - subsys/Kconfig | 7 +------ 2 files changed, 1 insertion(+), 7 deletions(-) diff --git a/subsys/CMakeLists.txt b/subsys/CMakeLists.txt index 7e40e931..f1525c5b 100644 --- a/subsys/CMakeLists.txt +++ b/subsys/CMakeLists.txt @@ -14,7 +14,6 @@ zephyr_library() zephyr_library_link_libraries(zigbee) -zephyr_link_libraries_ifdef(CONFIG_ZIGBEE_USE_SOFTWARE_AES nrfxlib_crypto) # Source files zephyr_library_sources(osif/zb_nrf_platform.c) diff --git a/subsys/Kconfig b/subsys/Kconfig index 477e6b45..27473358 100644 --- a/subsys/Kconfig +++ b/subsys/Kconfig @@ -23,7 +23,7 @@ menuconfig ZIGBEE_ADD_ON imply FLASH_PAGE_LAYOUT imply FLASH_MAP imply MPU_ALLOW_FLASH_WRITE - depends on (SOC_NRF52840 || SOC_NRF54L15) + depends on SOC_NRF54L15 if ZIGBEE_ADD_ON @@ -336,11 +336,6 @@ config ZIGBEE_UART_TX_BUF_LEN endif #ZIGBEE_HAVE_ASYNC_SERIAL -config ZIGBEE_USE_SOFTWARE_AES - bool "Use software based AES" - select NRF_OBERON - default n - config NRF_SECURITY default y From 97dbf0e3f3b5ea85c7203b729586054d263f84d0 Mon Sep 17 00:00:00 2001 From: Eduardo Montoya Date: Thu, 2 Jan 2025 14:57:58 +0100 Subject: [PATCH 2/2] osif: use Cracen for `zb_osif_scalarmult` Switch to Cracen based `zb_hw_crypto_scalarmult`. Signed-off-by: Eduardo Montoya --- subsys/Kconfig | 9 +++++---- subsys/osif/zb_nrf_crypto.c | 27 +++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 6 deletions(-) diff --git a/subsys/Kconfig b/subsys/Kconfig index 27473358..ed8ec6d7 100644 --- a/subsys/Kconfig +++ b/subsys/Kconfig @@ -15,7 +15,11 @@ menuconfig ZIGBEE_ADD_ON select NET_PKT_TXTIME select REBOOT select PSA_WANT_ALG_ECB_NO_PADDING if NRF_SECURITY + select PSA_WANT_ALG_ECDH if NRF_SECURITY select PSA_WANT_KEY_TYPE_AES if NRF_SECURITY + select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT if NRF_SECURITY + select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE if NRF_SECURITY + select PSA_WANT_ECC_MONTGOMERY_255 if NRF_SECURITY select MBEDTLS_ENABLE_HEAP if NRF_SECURITY imply ENTROPY_GENERATOR imply POLL @@ -341,10 +345,7 @@ config NRF_SECURITY if NRF_SECURITY -config MBEDTLS_HEAP_SIZE - default 2048 - -config PSA_CRYPTO_DRIVER_OBERON +config PSA_CRYPTO_DRIVER_CRACEN default y endif diff --git a/subsys/osif/zb_nrf_crypto.c b/subsys/osif/zb_nrf_crypto.c index cc1a05ed..a8733534 100644 --- a/subsys/osif/zb_nrf_crypto.c +++ b/subsys/osif/zb_nrf_crypto.c @@ -9,7 +9,6 @@ #include #if CONFIG_NRF_SECURITY #include -#include #else #error No crypto suite for Zigbee stack has been selected #endif @@ -87,6 +86,30 @@ zb_int_t zb_osif_scalarmult(zb_uint8_t *result_point, const zb_uint8_t *scalar, const zb_uint8_t *point) { - ocrypto_curve25519_scalarmult(result_point, scalar, point); + psa_status_t status; + mbedtls_svc_key_id_t key_id; + size_t output_length; + + ZVUNUSED(status); + + psa_init(); + + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE); + psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_MONTGOMERY)); + + status = psa_import_key(&key_attributes, scalar, ZB_ECC_CURVE25519_BASE_POINT_LEN, &key_id); + __ASSERT(status == PSA_SUCCESS, "psa_import failed! (Error: %d)", status); + + psa_reset_key_attributes(&key_attributes); + + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, point, ZB_ECC_CURVE25519_BASE_POINT_LEN, + result_point, ZB_ECC_SECRET_MAX_LEN, &output_length); + __ASSERT(status == PSA_SUCCESS, "psa_raw_key_agreement failed! (Error: %d)", status); + + psa_destroy_key(key_id); + return 0; }