PSA core lite PR #2 with fake sample #20813
Draft
+1,138
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR here. |
frkv
force-pushed
the
psa_core_lite_2_with_sample
branch
from
edb5b19 to
fe16f55
Compare
frkv
force-pushed
the
psa_core_lite_2_with_sample
branch
from
fe16f55 to
3a8922d
Compare
|
The following west manifest projects have changed revision in this Pull Request:
⛔ DNM label due to: 1 project with PR revision Note: This message is automatically posted and updated by the Manifest GitHub Action. |
|
frkv
force-pushed
the
psa_core_lite_2_with_sample
branch
from
3a8922d to
5a952f4
Compare
-Zephyr PR is work-in-progress. This message must be erased before it is ready to go in -Adds convenience-macros for muliple combined configurations IS_ENABLED_ANY, IS_ENABLED_ALL -Adds conenience-macros for aggregated configurations UTIL_CONCAT_OR and UTIL_CONCAT_AND Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This adds a PSA core that is size optimized. Its intended usage is builds that are severely size-limited like bootloaders (NSIB and MCUboot). -The functionality of the PSA core lite is limited to: -ECDSA/EdDSA verification (hash/message) -one-shot hash calculation -FW encryption/decryption (multi part operations) -This core only supports resolving keys on PSA crypto driver level and only a limited set of key management functions (resolve, lock and destroy). There is no volatile key support or PSA ITS support. -Added Kconfig PSA_CORE_LITE -Added psa_core_lite (.c/.h) NOTE: This commit requires a subsequent commit to allow for key and attribute retrieval from KMU. NOTE: PSA core lite is currently limited to nRF54L series devices Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-Adding an ifdef to prevent call to psa_verfy_message_builtin. This API is only possible to use in a full PSA core and is unnecessary when the driver(s) provides explict support for verify message Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-Providing an implementation for get_key_attributes (used for key management operations). When this API is called there are direct call to the following functions to populate psa_key_attributes_t: -cracen_kmu_get_key_slot -cracen_kmu_get_builtin_key -Providing an implementation for get_key_buffer to get the keys in RAM for usage (if RAM is used). The statement "old strategy" means that the convention of getting information about keys available "in hardware" by doing the following -Calling cracen_kmu_get_key_slot to get slot_number and lifetime -Calling cracen_kmu_get_builtin_key using slot_number and lifetime to retrieve attributes and optionally key_buffer. NOTE: This implementation uses direct calls to KMU APIs instead of calling the Mbed TLS API mbedtls_psa_platform_get_builtin_key to get slot_number and lifetime and using this in a call to psa_driver_wrapper_get_builtin_key to retrieve attributes and optionally the key buffer. This provides size optimization but prevent usage of IKG keys (identity key, MKEK and MEXT) Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
frkv
force-pushed
the
psa_core_lite_2_with_sample
branch
from
5a952f4 to
8e4acf2
Compare
-This commit adds Kconfig PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS which (when enabled) calls low-level APIs for Ed25519 verify APIs without going through PSA Crypto Driver Wrappers. This gives optimized builds for NSIB, but doesn't promote reuse. Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This sample is used to calculate the size of psa_core_lite version versus oberon-psa-core. -This sample is currently only usable for nRF54L15 -This sample is only usable for CRACEN -sample.yaml has targets for more and more enabled features: EDDSA -eddsa.cracen_lite/normal -eddsa_hash.cracen_lite/normal -eddsa_hash_encrypt.cracen_lite/normal -eddsa_hash_encrypt_rng.cracen_lite/normal ECDSA (verify_message) -ecdsa.cracen_lite/normal -ecdsa_hash.cracen_lite/normal -ecdsa_hash_encrypt.cracen_lite/normal -ecdsa_hash_encrypt_rng.cracen_lite/normal ECDSA (verify_hash) -ecdsa_verify_hash.cracen_lite/normal Please utilize build targets rom_report and ram_report to compare the build sizes between lite and normal NOTE: This sample is not functional at the moment as it would require provisioning keys on the device. It only ensures that all required APIs are called and all code-paths are compiled Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This commit adds a configuration in the lite.conf overlay to set CONFIG_PSA_CORE_LITE_NSIB_ED25519_OPTIMIZATIONS, which makes use of direct calls to Ed25519 APIs for CRACEN for optimized build-sizes. This adjustment makes the build-sizes slightly larger than the refactored CRACEN code in a coming pull request. Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
frkv
force-pushed
the
psa_core_lite_2_with_sample
branch
from
8e4acf2 to
ff833be
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a fake sample in
nrf/samples/crypto/psa_core_litewhich can be used to compare build-sizes when enabling signature validation, encryption, hashing and RNG (with ED25519 optimizations for NSIB)It is a draft-PR as it is not intended to be added. Please see #20812 for the code that can be added to NCS