nrf_security: Add experimental legacy and PSA

Add experimental symbol for legacy and PSA crypto
usage. This feature might be removed without notice
and should not be used in production.

Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>

Author: Vge0rge

subsys/nrf_security/Kconfig

@@ -44,6 +44,36 @@ config NRF_SECURITY
 	  Set this configuration to enable nRF Security. This provides
 	  Arm PSA cryptography APIs with RNG support (optionally).
 
+config NRF_SECURITY_LEGACY_AND_PSA
+	bool
+	default y
+	select EXPERIMENTAL
+	depends on MBEDTLS_LEGACY_CRYPTO_C && MBEDTLS_PSA_CRYPTO_C
+	# This configuration doesn't affect TF-M builds since the PSA
+	# APIs are provided by TF-M.
+	# When this configuration is enabled we manually enable
+	# some symbols in the build_config.h file in the Oberon PSA core.
+	# This requires only the Oberon PSA crypto driver to be enabled,
+	# it requires the CC3XX platform library to get random data and
+	# the trusted storage for ITS support. The depenedencies here
+	# match what we enable in the build_config.h file so if we need to
+	# modify the dependencies here we also need to modify the build_config.h.
+	depends on PSA_CRYPTO_DRIVER_OBERON && !PSA_CRYPTO_DRIVER_CC3XX
+	depends on NRF_CC3XX_PLATFORM
+	depends on TRUSTED_STORAGE
+	depends on !BUILD_WITH_TFM
+	help
+	   This is an option to support legacy mbedTLS and PSA crypto APIs
+	   at the same time. This is not recommended as it is not fully
+	   supported in our system. This feature might get changed/removed at
+	   any time in the future. You are advised to use the PSA APIs
+	   for any new developments.
+
+	   This option doesn't use the nrf_security for the internal
+	   PSA configuration. It always use the Oberon PSA driver
+	   for all the crypto operations expect for the PRNG which
+	   uses the nrf_cc3xx_platform library.
+
 config PSA_PROMPTLESS
 	bool
 

subsys/nrf_security/src/drivers/nrf_oberon/CMakeLists.txt

@@ -24,6 +24,8 @@ if(CONFIG_MBEDTLS_PSA_CRYPTO_C)
   )
 endif()
 
+if (COMPILE_PSA_APIS OR CONFIG_NRF_SECURITY_LEGACY_AND_PSA)
+
 if (COMPILE_PSA_APIS)
   list(APPEND src_crypto_oberon
        ${drivers_path}/oberon_helpers.c
@@ -55,6 +57,35 @@ if (COMPILE_PSA_APIS)
   append_with_prefix_ifdef(CONFIG_PSA_NEED_OBERON_CTR_DRBG_DRIVER              src_crypto_oberon ${drivers_path} oberon_ctr_drbg.c)
   append_with_prefix_ifdef(CONFIG_PSA_NEED_OBERON_HMAC_DRBG_DRIVER             src_crypto_oberon ${drivers_path} oberon_hmac_drbg.c)
 
+
+elseif(CONFIG_NRF_SECURITY_LEGACY_AND_PSA)
+  # When legacy and PSA are enabled, we need to include all the oberon drivers
+  # since we don't have PSA_NEED_* symbols in Kconfig.
+  list(APPEND src_crypto_oberon
+       ${drivers_path}/oberon_helpers.c
+       ${drivers_path}/oberon_ecdh.c
+       ${drivers_path}/oberon_ecdsa.c
+       ${drivers_path}/oberon_ec_keys.c
+       ${drivers_path}/oberon_jpake.c
+       ${drivers_path}/oberon_spake2p.c
+       ${drivers_path}/oberon_srp.c
+       ${drivers_path}/oberon_rsa.c
+       ${drivers_path}/oberon_key_management.c
+       ${drivers_path}/oberon_aead.c
+       ${drivers_path}/oberon_key_derivation.c
+       ${drivers_path}/oberon_mac.c
+       ${drivers_path}/oberon_cipher.c
+       ${drivers_path}/oberon_hash.c
+       ${drivers_path}/oberon_key_agreement.c
+       ${drivers_path}/oberon_pake.c
+       ${drivers_path}/oberon_asymmetric_signature.c
+       ${drivers_path}/oberon_asymmetric_encrypt.c
+       ${drivers_path}/oberon_ctr_drbg.c
+       ${drivers_path}/oberon_hmac_drbg.c)
+
+
+endif()
+
   target_sources(${mbedcrypto_target} PRIVATE ${src_crypto_oberon})
 
   # Turn off warnings that Oberon are systematically
@@ -66,4 +97,5 @@ if (COMPILE_PSA_APIS)
 	-Wno-uninitialized
 	-Wno-maybe-uninitialized
   )
+
 endif()