samples: Change PSA WANT ECC key pair

Adapt to the new configurations from the Oberon PSA core. Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
dchat-nordic · Apr 18, 2024 · e51875c · e51875c
1 parent 9bf8147
commit e51875c
Show file tree

Hide file tree

Showing 15 changed files with 42 additions and 15 deletions.
diff --git a/applications/serial_lte_modem/overlay-native_tls.conf b/applications/serial_lte_modem/overlay-native_tls.conf
@@ -48,7 +48,7 @@ CONFIG_MBEDTLS_ECDSA_C=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
 CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
 CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y # dep for DETERMINISTIC_ECDSA
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y # dep for DETERMINISTIC_ECDSA
 CONFIG_PSA_WANT_ALG_HMAC=y # dep for DETERMINISTIC_ECDSA
 # Enable ECDH
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y

diff --git a/lib/identity_key/Kconfig b/lib/identity_key/Kconfig
@@ -21,7 +21,8 @@ if IDENTITY_KEY
 
 config IDENTITY_KEY_RANDOM
 	bool "Enable writing random Identity Keys"
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_ECC_SECP_R1_256
 	help
 	  Enable the identity_key_write_random() function.

diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
@@ -101,7 +101,9 @@ config WPA_SUPP_CRYPTO_PSA
 	select PSA_WANT_GENERATE_RANDOM
 	select PSA_WANT_ALG_RSA_PSS
 	select PSA_WANT_ALG_DETERMINISTIC_ECDSA
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR # dep for DETERMINISTIC_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE # ECC_KEY_PAIR* deps for DETERMINISTIC_ECDSA
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_ALG_SHA_512
 	select PSA_WANT_ALG_SHA_1
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR

diff --git a/modules/trusted-firmware-m/Kconfig.tfm.defconfig b/modules/trusted-firmware-m/Kconfig.tfm.defconfig
@@ -60,7 +60,8 @@ config TFM_PARTITION_INITIAL_ATTESTATION
 	# The identity key is a secp256r1 key pair.
 	# The ECDSA algorithm and the cc3xx boot seed requires RNG.
 	select PSA_WANT_ALG_SHA_256
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 	select PSA_WANT_ALG_ECDSA
 	select PSA_WANT_ECC_SECP_R1_256
 	select PSA_WANT_GENERATE_RANDOM

diff --git a/samples/crypto/ecdh/prj.conf b/samples/crypto/ecdh/prj.conf
@@ -16,7 +16,9 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
 
 CONFIG_PSA_WANT_ALG_ECDH=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
 
 # For key generation

diff --git a/samples/crypto/ecdsa/prj.conf b/samples/crypto/ecdsa/prj.conf
@@ -16,7 +16,9 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
 
 CONFIG_PSA_WANT_ALG_ECDSA=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
 CONFIG_PSA_WANT_ALG_SHA_256=y
 

diff --git a/samples/crypto/eddsa/prj.conf b/samples/crypto/eddsa/prj.conf
@@ -15,7 +15,9 @@ CONFIG_MBEDTLS_PSA_CRYPTO_C=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=8192
 
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
 CONFIG_PSA_WANT_ALG_SHA_512=y
 CONFIG_PSA_WANT_ALG_PURE_EDDSA=y

diff --git a/samples/crypto/psa_tls/prj.conf b/samples/crypto/psa_tls/prj.conf
@@ -78,7 +78,10 @@ CONFIG_PSA_WANT_ALG_ECDH=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
 CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
 CONFIG_PSA_WANT_ALG_STREAM_CIPHER=y
 CONFIG_PSA_WANT_KEY_TYPE_CHACHA20=y
 CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS=y

diff --git a/samples/keys/identity_key_usage/prj.conf b/samples/keys/identity_key_usage/prj.conf
@@ -30,4 +30,4 @@ CONFIG_LOG_BACKEND_UART=y
 CONFIG_LOG_BUFFER_SIZE=15360
 CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360
 
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
diff --git a/samples/net/http_server/overlay-tls-nrf91.conf b/samples/net/http_server/overlay-tls-nrf91.conf
@@ -42,7 +42,7 @@ CONFIG_PSA_WANT_ALG_ECDSA=y
 CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
 CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
 CONFIG_PSA_WANT_ALG_HMAC=y # dependency for DETERMINISTIC_ECDSA
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y # dependency for DETERMINISTIC_ECDSA
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y # dependency for DETERMINISTIC_ECDSA
 
 # Enable ECDH
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y

diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
@@ -120,7 +120,9 @@ config BT_MESH_USES_TFM_PSA
 	select PSA_WANT_ALG_HMAC
 	select PSA_WANT_ALG_ECDH
 	select PSA_WANT_ECC_SECP_R1_256
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
 
 choice TFM_PROFILE_TYPE
 	depends on BT_MESH_USES_TFM_PSA

diff --git a/subsys/net/openthread/Kconfig b/subsys/net/openthread/Kconfig
@@ -51,7 +51,10 @@ config OPENTHREAD_NRF_SECURITY_PSA
 	select PSA_WANT_ECC_SECP_R1_256
 	select PSA_WANT_GENERATE_RANDOM
 	select PSA_WANT_KEY_TYPE_AES
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 	imply OPENTHREAD_CRYPTO_PSA
 	help
 	  Enables nrf_security module for use by OpenThread with PSA Crypto enabled.

diff --git a/subsys/nrf_security/Kconfig b/subsys/nrf_security/Kconfig
@@ -207,7 +207,10 @@ config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
 
 config MBEDTLS_ECP_ALL_ENABLED
 	bool "Enable all available elliptic curves"
-	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 	select PSA_WANT_ECC_SECP_R1_192
 	select PSA_WANT_ECC_SECP_R1_224
 	select PSA_WANT_ECC_SECP_R1_256

diff --git a/tests/tfm/tfm_psa_test/prj.conf b/tests/tfm/tfm_psa_test/prj.conf
@@ -19,7 +19,10 @@ CONFIG_PSA_WANT_GENERATE_RANDOM=y
 # Keys
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
 CONFIG_PSA_WANT_KEY_TYPE_CHACHA20=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
 CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
 
 # Ciphers

diff --git a/tests/tfm/tfm_regression_test/prj.conf b/tests/tfm/tfm_regression_test/prj.conf
@@ -28,7 +28,10 @@ CONFIG_PSA_WANT_GENERATE_RANDOM=y
 
 # Keys
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
 CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
 
 # Ciphers