From c6fd0f54f76894725dca14ca25a33784830e9c21 Mon Sep 17 00:00:00 2001 From: Georgios Vasilakis Date: Tue, 8 Oct 2024 10:49:14 +0200 Subject: [PATCH] nrf_security: Move PSA_WANTS from drivers Kconfig Move some PSA_WANTs from the drivers Kconfig in nrf_security to the Kconfig file which contains the rest of the PSA_WANT configurations. During the upmerge support for OFB and CFB modes of AES was removed so here we remove the relevant code in the drivers as well. Signed-off-by: Georgios Vasilakis --- subsys/nrf_security/Kconfig | 2 - subsys/nrf_security/Kconfig.psa.nordic | 8 ++ subsys/nrf_security/src/drivers/Kconfig | 12 --- .../drivers/cracen/cracenpsa/src/blkcipher.c | 15 --- .../src/drivers/cracen/psa_driver.Kconfig | 12 --- .../sxsymcrypt/include/sxsymcrypt/aes.h | 100 ------------------ .../sxsymcrypt/include/sxsymcrypt/blkcipher.h | 2 - .../drivers/cracen/sxsymcrypt/src/blkcipher.c | 32 ------ .../cracen/sxsymcrypt/src/blkcipherdefs.h | 2 - .../src/drivers/nrf_cc3xx/Kconfig | 12 --- 10 files changed, 8 insertions(+), 189 deletions(-) diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig index 731c62ad204..ca6ed06cac9 100644 --- a/subsys/nrf_security/Kconfig +++ b/subsys/nrf_security/Kconfig @@ -194,9 +194,7 @@ config MBEDTLS_CIPHER_ALL_ENABLED select PSA_WANT_ALG_ECB_NO_PADDING select PSA_WANT_ALG_CBC_NO_PADDING select PSA_WANT_ALG_CBC_PKCS7 - select PSA_WANT_ALG_CFB select PSA_WANT_ALG_CTR - select PSA_WANT_ALG_OFB select PSA_WANT_ALG_CCM select PSA_WANT_ALG_GCM select PSA_WANT_KEY_TYPE_CHACHA20 diff --git a/subsys/nrf_security/Kconfig.psa.nordic b/subsys/nrf_security/Kconfig.psa.nordic index 832f2e63357..f7cf3f15b48 100644 --- a/subsys/nrf_security/Kconfig.psa.nordic +++ b/subsys/nrf_security/Kconfig.psa.nordic 
@@ -296,6 +296,14 @@ config PSA_WANT_ECC_SECT_R2_163 config PSA_WANT_ECC_FRP_V1_256 bool "PSA ECC FRP256v1 support" if !PSA_PROMPTLESS +config PSA_WANT_ALG_CHACHA20 + bool "PSA CHACHA20 stream cipher support" if !PSA_PROMPTLESS + default y if PSA_CRYPTO_ENABLE_ALL + +config PSA_WANT_ALG_SHAKE256_512 + bool "PSA SHAKE256 512 bits support" if !PSA_PROMPTLESS + default y if PSA_CRYPTO_ENABLE_ALL + comment "Nordic addded RNG configuration" config PSA_WANT_GENERATE_RANDOM diff --git a/subsys/nrf_security/src/drivers/Kconfig b/subsys/nrf_security/src/drivers/Kconfig index f13b735ab15..5581badb09a 100644 --- a/subsys/nrf_security/src/drivers/Kconfig +++ b/subsys/nrf_security/src/drivers/Kconfig @@ -59,18 +59,6 @@ config PSA_USE_HMAC_DRBG_DRIVER endmenu -config PSA_WANT_ALG_CFB - bool "PSA stream cipher using CFB block cipher mode support" - -config PSA_WANT_ALG_OFB - bool "PSA stream cipher using OFB block cipher mode support" - -config PSA_WANT_ALG_CHACHA20 - bool "PSA stream cipher using CHACHA20 support" - -config PSA_WANT_ALG_SHAKE256_512 - bool "PSA SHAKE256 512 bits support" - menu "CryptoCell PSA Driver Configuration" if PSA_CRYPTO_DRIVER_CC3XX diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/blkcipher.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/blkcipher.c index 61df8592892..4cf5ab2a7fe 100644 --- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/blkcipher.c +++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/blkcipher.c @@ -228,10 +228,6 @@ static bool is_alg_supported(psa_algorithm_t alg, const psa_key_attributes_t *at IF_ENABLED(PSA_NEED_CRACEN_ECB_NO_PADDING_AES, (is_supported = psa_get_key_type(attributes) == PSA_KEY_TYPE_AES)); break; - case PSA_ALG_OFB: - IF_ENABLED(PSA_NEED_CRACEN_OFB_AES, - (is_supported = psa_get_key_type(attributes) == PSA_KEY_TYPE_AES)); - break; default: is_supported = false; break; 
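Review bot: The `PSA_WANT_ALG_CHACHA20` and `PSA_WANT_ALG_SHAKE256_512` entries added to Kconfig.psa.nordic are not a behaviour-neutral move, because each gains `default y if PSA_CRYPTO_ENABLE_ALL` and an `if !PSA_PROMPTLESS` prompt condition that the definitions deleted from src/drivers/Kconfig did not have. As far as the visible lines show, a build with PSA_CRYPTO_ENABLE_ALL now turns on ChaCha20 and SHAKE256-512 where the old definitions left them off unless set explicitly, which enlarges the enabled crypto surface and the image size; either state this in the commit message or drop the default if only a relocation is intended. The new entries also sit directly under the ECC curve options with no heading and no help text, so I would put `comment "Nordic added cipher and hash configuration"` above them and give each a one-line `help` naming the algorithm it enables.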
@@ -267,17 +263,6 @@ static psa_status_t initialize_cipher(cracen_cipher_operation_t *operation) operation->iv); } break; - case PSA_ALG_OFB: - if (IS_ENABLED(PSA_NEED_CRACEN_OFB_AES)) { - sx_status = operation->dir == CRACEN_DECRYPT - ? sx_blkcipher_create_aesofb_dec(&operation->cipher, - &operation->keyref, - operation->iv) - : sx_blkcipher_create_aesofb_enc(&operation->cipher, - &operation->keyref, - operation->iv); - } - break; case PSA_ALG_CTR: if (IS_ENABLED(PSA_NEED_CRACEN_CTR_AES)) { sx_status = operation->dir == CRACEN_DECRYPT diff --git a/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig b/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig index 9a852ab4baf..5d1f4ac7aa2 100644 --- a/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig +++ b/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig @@ -89,17 +89,6 @@ config PSA_NEED_CRACEN_ECB_NO_PADDING_AES depends on PSA_WANT_KEY_TYPE_AES depends on PSA_USE_CRACEN_CIPHER_DRIVER -config PSA_NEED_CRACEN_OFB_AES - bool - default y - select PSA_ACCEL_OFB_AES_128 - select PSA_ACCEL_OFB_AES_192 - select PSA_ACCEL_OFB_AES_256 - depends on PSA_WANT_AES_KEY_SIZE_128 || PSA_WANT_AES_KEY_SIZE_192 || PSA_WANT_AES_KEY_SIZE_256 - depends on PSA_WANT_ALG_OFB - depends on PSA_WANT_KEY_TYPE_AES - depends on PSA_USE_CRACEN_CIPHER_DRIVER - config PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20 bool default y @@ -116,7 +105,6 @@ config PSA_NEED_CRACEN_CIPHER_DRIVER PSA_NEED_CRACEN_CBC_PKCS7_AES || \ PSA_NEED_CRACEN_CBC_NO_PADDING_AES || \ PSA_NEED_CRACEN_ECB_NO_PADDING_AES || \ - PSA_NEED_CRACEN_OFB_AES || \ PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20 # CRACEN Key Agreement Driver diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/aes.h b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/aes.h index ebfa1a9f042..9fc2c251947 100644 --- a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/aes.h 
+++ b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/aes.h 
@@ -232,106 +232,6 @@ int sx_blkcipher_create_aescbc_enc(struct sxblkcipher *c, const struct sxkeyref int sx_blkcipher_create_aescbc_dec(struct sxblkcipher *c, const struct sxkeyref *key, const char *iv); -/** Prepares an AES CFB block cipher encryption. - * - * This function initializes the user allocated object \p c with a new block - * cipher operation context needed to run the AES CFB encryption and reserves - * the HW resource. - * - * After successful execution of this function, the context \p c can be passed - * to any of the block cipher functions. - * - * @param[out] c block cipher operation context - * @param[in] key key used for the block cipher operation, expected size - * 16, 24 or 32 bytes - * @param[in] iv initialization vector, size must be 16 bytes - * @return ::SX_OK - * @return ::SX_ERR_INVALID_KEYREF - * @return ::SX_ERR_INVALID_KEY_SZ - * @return ::SX_ERR_INCOMPATIBLE_HW - * @return ::SX_ERR_RETRY - * - * @pre - key reference provided by \p key must be initialized using - * sx_keyref_load_material() or sx_keyref_load_by_id() - */ -int sx_blkcipher_create_aescfb_enc(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv); - -/** Prepares an AES CFB block cipher decryption - * - * This function initializes the user allocated object \p c with a new block - * cipher operation context needed to run the AES CFB decryption and reserves - * the HW resource. - * - * After successful execution of this function, the context \p c can be passed - * to any of the block cipher functions. 
- * - * @param[out] c block cipher operation context - * @param[in] key key used for the block cipher operation, expected size - * 16, 24 or 32 bytes - * @param[in] iv initialization vector, size must be 16 bytes - * @return ::SX_OK - * @return ::SX_ERR_INVALID_KEYREF - * @return ::SX_ERR_INVALID_KEY_SZ - * @return ::SX_ERR_INCOMPATIBLE_HW - * @return ::SX_ERR_RETRY - * - * @pre - key reference provided by \p key must be initialized using - * sx_keyref_load_material() or sx_keyref_load_by_id() - */ -int sx_blkcipher_create_aescfb_dec(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv); - -/** Prepares an AES OFB block cipher encryption. - * - * This function initializes the user allocated object \p c with a new block - * cipher operation context needed to run the AES OFB encryption and reserves - * the HW resource. - * - * After successful execution of this function, the context \p c can be passed - * to any of the block cipher functions. - * - * @param[out] c block cipher operation context - * @param[in] key key used for the block cipher operation, expected size - * 16, 24 or 32 bytes - * @param[in] iv initialization vector, size must be 16 bytes - * @return ::SX_OK - * @return ::SX_ERR_INVALID_KEYREF - * @return ::SX_ERR_INVALID_KEY_SZ - * @return ::SX_ERR_INCOMPATIBLE_HW - * @return ::SX_ERR_RETRY - * - * @pre - key reference provided by \p key must be initialized using - * sx_keyref_load_material() or sx_keyref_load_by_id() - */ -int sx_blkcipher_create_aesofb_enc(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv); - -/** Prepares an AES OFB block cipher decryption - * - * This function initializes the user allocated object \p c with a new block - * cipher operation context needed to run the AES OFB decryption and reserves - * the HW resource. - * - * After successful execution of this function, the context \p c can be passed - * to any of the block cipher functions. 
- * - * @param[out] c block cipher operation context - * @param[in] key key used for the block cipher operation, expected size - * 16, 24 or 32 bytes - * @param[in] iv initialization vector, size must be 16 bytes - * @return ::SX_OK - * @return ::SX_ERR_INVALID_KEYREF - * @return ::SX_ERR_INVALID_KEY_SZ - * @return ::SX_ERR_INCOMPATIBLE_HW - * @return ::SX_ERR_RETRY - * - * @pre - key reference provided by \p key must be initialized using - * sx_keyref_load_material() or sx_keyref_load_by_id() - */ -int sx_blkcipher_create_aesofb_dec(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv); - /** Prepares an AES GCM AEAD encryption operation. * * This function initializes the user allocated object \p c with a new AEAD diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/blkcipher.h b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/blkcipher.h index 6a68c229f41..12f3d4a7121 100644 --- a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/blkcipher.h +++ b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/blkcipher.h @@ -81,8 +81,6 @@ struct sxblkcipher; * --------: | :----------: | :----------- * ECB | N * 16 bytes | N > 0 * CBC | N * 16 bytes | N > 0 - * CFB | N * 16 bytes | N > 0 - * OFB | N * 16 bytes | N > 0 * XTS | >= 16 bytes | none * CTR | > 0 bytes | none * diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c index e34cc4cc1b1..d247f2a5f54 100644 --- a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c +++ b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c 
@@ -252,38 +252,6 @@ int sx_blkcipher_create_aescbc_dec(struct sxblkcipher *c, const struct sxkeyref return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CBC, ba411cfg.decr); } -int sx_blkcipher_create_aescfb_enc(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv) -{ - c->inminsz = 16; - c->granularity = 16; - return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CFB, ba411cfg.encr); -} - -int sx_blkcipher_create_aescfb_dec(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv) -{ - c->inminsz = 16; - c->granularity = 16; - return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CFB, ba411cfg.decr); -} - -int sx_blkcipher_create_aesofb_enc(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv) -{ - c->inminsz = 1; - c->granularity = 1; - return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_OFB, ba411cfg.encr); -} - -int sx_blkcipher_create_aesofb_dec(struct sxblkcipher *c, const struct sxkeyref *key, - const char *iv) -{ - c->inminsz = 1; - c->granularity = 1; - return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_OFB, ba411cfg.decr); -} - int sx_blkcipher_crypt(struct sxblkcipher *c, const char *datain, size_t sz, char *dataout) { if (!c->dma.hw_acquired) { diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipherdefs.h b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipherdefs.h index d4f448466a7..f2d91977afe 100644 --- a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipherdefs.h +++ b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipherdefs.h @@ -14,8 +14,6 @@ #define BLKCIPHER_MODEID_ECB 0 #define BLKCIPHER_MODEID_CBC 1 #define BLKCIPHER_MODEID_CTR 2 -#define BLKCIPHER_MODEID_CFB 3 -#define BLKCIPHER_MODEID_OFB 4 #define BLKCIPHER_MODEID_XTS 7 #define BLKCIPHER_MODEID_CHACH20 8 
diff --git a/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig b/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig index 2af92ef65dc..ad721d5ed0c 100644 --- a/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig +++ b/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig @@ -91,17 +91,6 @@ config PSA_NEED_CC3XX_ECB_NO_PADDING_AES depends on PSA_WANT_KEY_TYPE_AES depends on PSA_USE_CC3XX_CIPHER_DRIVER -config PSA_NEED_CC3XX_OFB_AES - bool - default y - select PSA_ACCEL_OFB_AES_128 - select PSA_ACCEL_OFB_AES_192 if HAS_HW_NRF_CC312 - select PSA_ACCEL_OFB_AES_256 if HAS_HW_NRF_CC312 - depends on PSA_WANT_AES_KEY_SIZE_128 || !HAS_HW_NRF_CC310 - depends on PSA_WANT_ALG_OFB - depends on PSA_WANT_KEY_TYPE_AES - depends on PSA_USE_CC3XX_CIPHER_DRIVER - config PSA_NEED_CC3XX_STREAM_CIPHER_CHACHA20 bool default y @@ -117,7 +106,6 @@ config PSA_NEED_CC3XX_CIPHER_DRIVER PSA_NEED_CC3XX_CBC_PKCS7_AES || \ PSA_NEED_CC3XX_CBC_NO_PADDING_AES || \ PSA_NEED_CC3XX_ECB_NO_PADDING_AES || \ - PSA_NEED_CC3XX_OFB_AES || \ PSA_NEED_CC3XX_STREAM_CIPHER_CHACHA20 # CC3xx Key Agreement Driver