library: key policies with persistence #19
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-Remove legacy header files from oberon-psa-crypto that are duplicates of files from standard Mbed TLS distribution (modules/crypto/ Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This removes the redefinition of the define PSA_VENDOR_ECC_MAX_CURVE_BITS which we allow to be set in our configuration file from nrf security. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The core doesn't include some brainpool key sizes, this change adds these bit sizes: 160 192 224 256 320 Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
We don't use the file in our system, we use the generated headers (nrf-config.h and nrf-config-user.h) from nrf_security. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
The PSA driver for CryptoCell uses the PSA crypto driver wrapper calls for the hash operation. The Oberon context size therefore needs to be static. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Turn the repo into a Zephyr module so we can use the ZEPHYR_bla_bla_MODULE_DIR CMake variable. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
-This updates the build_info.h to match with Mbed TLS v3.6.1 distribution and is done to ensure that legacy support and TLS/DTLS and X.509 support Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Patch to enable more key types for KDF. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Add checks for the key attributes, key sizes and a zero check for ecc keys for importing keys. Also a attribute check for psa_generate_key. This was [nrf fromlist] and is now [nrf noup] Upstream PR:oberon-psa-crypto-nrf/pull/15 (closed) Ref: NCSDK-24820 Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
The psa_crypto_storage_store retuns DATA_INVALID for all the error codes coming from psa_its_set. This causes some issues for our testing infanstructure since it doesn't follow the PSA spec recomendation for return codes. This was a [nrf fromlist] but it has become a [nrf noup] Upstream PR: pull/14 (Closed) Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Run crypto and TF-M tests on sdk-nrf downstream Signed-off-by: Stephen Kingston <stephen.kingston@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Opens the full range of vendor keys to be used via builtin key mechanism. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no>
Adds the capability of import and destroying persistent keys that are "builtin" i.e. handled fully by PSA driver implementation. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
In line 568 of this file we use this function when either of these two defines are set: defined(PSA_NEED_OBERON_TLS12_PRF) || defined(PSA_NEED_OBERON_TLS12_PSK_TO_MS) Add these two defines here as well to avoid a missing function warning that we are getting. Upstream PR: oberon-psa-crypto-nrf/pull/16 Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Patch to make server and client attributes compatible. Oberon will support this in the future. Reworked from commit 5bfe42c Reworded due to psa_core_key_attributes_t being removed in Mbed TLS 3.6.0 The psa_core_key_attributes_t declaration is now integrated into psa_key_attributes_s and the macro PSA_CORE_KEY_ATTRIBUTES_INIT has been replaced with PSA_KEY_ATTRIBUTES_INIT. Signed-off-by: Vidar Lillebø <vidar.lillebo@nordicsemi.no> Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This simplifies PSA crypto operation struct initialization to better tailor to the SSF use-case. This simplifies the initializers to only be empty brackets, assuming zero-initialized structs without the added complexities of writing every sub-type out. This is done to prevent compilation warnings for PSA crypto builds. Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This comes from a change in Mbed TLS 3.6.0 where the attributes type has changed (was wrapped type before) Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
-This is a [nrf noup] as we are using MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG more actively then Oberon PSA core. This commit ensures we are only enabling mbedtls_psa_crypto_configure_entropy_sources when entropy/rng is not enabled by external sources Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Zephyr has a global list of include directories that is applicable for all modules unless specifically excluded by using "targets", and using a generic named header can cause issues if there are duplicate headers files and depending on the inclusion order. So, rename the header with module prefix to avoid naming collision. Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
allow any key policy with storage. Signed-off-by: Mateusz Michalek <mateusz.michalek@nordicsemi.no>
michalek-no
requested review from
nvlsianpu,
fundakol,
nordicjm,
de-nordic,
gchwier and
frkv
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
allow any key policy with storage.