PSA core lite PR #1 #20810
Closed
PSA core lite PR #1 #20810
+460
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: d16705012eea8b07db7fd8789d91e6dd7beafcf3 more detailssdk-nrf:
zephyr:
Github labels
List of changed files detected by CI (12)Outputs:ToolchainVersion: 4ffa2202d5 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
This was referenced Mar 9, 2025
Open
|
You can find the documentation preview for this PR here. |
frkv
force-pushed
the
psa_core_lite_1
branch
3 times, most recently
from
e70a15d to
c78fd5a
Compare
nordicjm
reviewed
Mar 13, 2025
| { | ||
| psa_status_t status = PSA_ERROR_NOT_SUPPORTED; | ||
| psa_key_attributes_t attr; | ||
| uint8t_t pub_key[pub_key_max_size]; |
There was a problem hiding this comment.
Ah. No coverage on lite + verify hash yet. This will be fixed
There was a problem hiding this comment.
Would be good to add some twister test scenario so that the code you are adding is at the very least compiled as part of PR CI.
Comment on lines
+26
to
+27
| psa_key_attributes_t *attributes, uint8_t *key_buffer, | ||
| size_t key_buffer_size, size_t *key_buffer_length); |
|
The following west manifest projects have changed revision in this Pull Request:
⛔ DNM label due to: 1 project with PR revision Note: This message is automatically posted and updated by the Manifest GitHub Action. |
|
-Zephyr PR is work-in-progress. This message must be erased before it is ready to go in -Adds convenience-macros for muliple combined configurations IS_ENABLED_ANY, IS_ENABLED_ALL -Adds conenience-macros for aggregated configurations UTIL_CONCAT_OR and UTIL_CONCAT_AND Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This adds a PSA core that is size optimized. Its intended usage is builds that are severely size-limited like bootloaders (NSIB and MCUboot). -The functionality of the PSA core lite is limited to: -ECDSA/EdDSA verification (hash/message) -one-shot hash calculation -FW encryption/decryption (multi part operations) -This core only supports resolving keys on PSA crypto driver level and only a limited set of key management functions (resolve, lock and destroy). There is no volatile key support or PSA ITS support. -Added Kconfig PSA_CORE_LITE -Added psa_core_lite (.c/.h) NOTE: This commit requires a subsequent commit to allow for key and attribute retrieval from KMU. NOTE: PSA core lite is currently limited to nRF54L series devices Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-Adding an ifdef to prevent call to psa_verfy_message_builtin. This API is only possible to use in a full PSA core and is unnecessary when the driver(s) provides explict support for verify message Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-Providing an implementation for get_key_attributes (used for key management operations). When this API is called there are direct call to the following functions to populate psa_key_attributes_t: -cracen_kmu_get_key_slot -cracen_kmu_get_builtin_key -Providing an implementation for get_key_buffer to get the keys in RAM for usage (if RAM is used). The statement "old strategy" means that the convention of getting information about keys available "in hardware" by doing the following -Calling cracen_kmu_get_key_slot to get slot_number and lifetime -Calling cracen_kmu_get_builtin_key using slot_number and lifetime to retrieve attributes and optionally key_buffer. NOTE: This implementation uses direct calls to KMU APIs instead of calling the Mbed TLS API mbedtls_psa_platform_get_builtin_key to get slot_number and lifetime and using this in a call to psa_driver_wrapper_get_builtin_key to retrieve attributes and optionally the key buffer. This provides size optimization but prevent usage of IKG keys (identity key, MKEK and MEXT) Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
|
Closed PR, please see: #20812 instead |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds a thin PSA core to use instead of the regular PSA core (oberon-psa-core).
It is only supported for nRF54L15 devices, and it enabled CRACEN by default
This can be enabled by setting
CONFIG_PSA_CORE_LITE=yIt decreases code-size for an NSIB-build with Ed25519 by ~2.7KB
Closed PR, please see: #20812 instead