nrf_security: Add support for PBKDF2_*_OBERON

Add support for PBKDF2_HMAC_OBERON. This was already supported by the Oberon PSA Crypto driver and core. The configuration system was the only system that was not integrated. Add support for PBKDF2_AES_CMAC_PRF_128_OBERON. Fix doc issues with PAKE. Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
nrfconnect · Jul 4, 2023 · 7083e45 · 7083e45
1 parent 533cbcc
commit 7083e45
Show file tree

Hide file tree

Showing 5 changed files with 62 additions and 24 deletions.
diff --git a/doc/nrf/libraries/nrf_security/doc/driver_config.rst b/doc/nrf/libraries/nrf_security/doc/driver_config.rst
@@ -91,33 +91,46 @@ Key Derivation Function
 
 To enable key derivation function (KDF) support, set one or more of the following Kconfig options:
 
-+--------------------------+------------------------------------------------------------+
-| KDF algorithm            | Configuration option                                       |
-+==========================+============================================================+
-| HKDF                     | :kconfig:option:`CONFIG_PSA_WANT_ALG_HKDF`                 |
-+--------------------------+------------------------------------------------------------+
-| TLS 1.2 PRF              | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_PRF`            |
-+--------------------------+------------------------------------------------------------+
-| TLS 1.2 PSK to MS        | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS`      |
-+--------------------------+------------------------------------------------------------+
-| TLS 1.2 EC J-PAKE to PMS | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS` |
-+--------------------------+------------------------------------------------------------+
++--------------------------+---------------------------------------------------------------+
+| KDF algorithm            | Configuration option                                          |
++==========================+===============================================================+
+| HKDF                     | :kconfig:option:`CONFIG_PSA_WANT_ALG_HKDF`                    |
++--------------------------+---------------------------------------------------------------+
+| PBKDF2-HMAC              | :kconfig:option:`CONFIG_PSA_WANT_ALG_PBKDF2_HMAC`             |
++--------------------------+---------------------------------------------------------------+
+| PBKDF2-AES-CMAC-PRF-128  | :kconfig:option:`CONFIG_PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128` |
++--------------------------+---------------------------------------------------------------+
+| TLS 1.2 PRF              | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_PRF`               |
++--------------------------+---------------------------------------------------------------+
+| TLS 1.2 PSK to MS        | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS`         |
++--------------------------+---------------------------------------------------------------+
+| TLS 1.2 EC J-PAKE to PMS | :kconfig:option:`CONFIG_PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS`    |
++-------------------------+----------------------------------------------------------------+
+
+.. note::
+   * PBKDF2 algorithms are not supported with TF-M.
 
 
 Key Derivation Function driver configurations
 =============================================
 
 You can use the following Kconfig options for fine-grained control over which drivers provide Key Derivation Function (KDF) support:
 
-+-------------------+--------------------------+-----------------------------------------------------------------------+
-| KDF algorithm     | nrf_cc3xx driver support | nrf_oberon driver support                                             |
-+===================+==========================+==========================================+============================+
-| HKDF              | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON`            |
-+-------------------+--------------------------+-----------------------------------------------------------------------+
-| TLS 1.2 PRF       | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_TLS12_PRF_OBERON`       |
-+-------------------+--------------------------+-----------------------------------------------------------------------+
-| TLS 1.2 PSK to MS | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_TLS12_PSK_TO_MS_OBERON` |
-+-------------------+--------------------------+-----------------------------------------------------------------------+
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| KDF algorithm            | nrf_cc3xx driver support | nrf_oberon driver support                                                     |
++==========================+==========================+==========================================+====================================+
+| HKDF                     | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON`                    |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| PBKDF2-HMAC              | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON`             |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| PBKDF2-AES-CMAC-PRF-128  | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON` |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| TLS 1.2 PRF              | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_TLS12_PRF_OBERON`               |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| TLS 1.2 PSK to MS        | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_TLS12_PSK_TO_MS_OBERON`         |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
+| TLS 1.2 EC J-PAKE to PMS | Not supported            | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_TLS12_ECJPAKE_TO_PMS_OBERON`    |
++--------------------------+--------------------------+-------------------------------------------------------------------------------+
 
 
 MAC configurations
@@ -432,7 +445,6 @@ To enable password-authenticated key agreement support, configure the related pa
 +-----------------------+-----------------------------------------------+
 
 .. note::
-   * The algorithms are only available together with the nrf_oberon PSA Core (:kconfig:option:`CONFIG_PSA_CORE_OBERON`).
    * The provided support is experimental.
    * Not supported with TF-M.
 

diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -43,6 +43,7 @@ kconfig_check_and_set_base_to_one(PSA_WANT_ALG_OFB)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_XTS)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_HKDF)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_PBKDF2_HMAC)
+kconfig_check_and_set_base_to_one(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_TLS12_PRF)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_TLS12_PSK_TO_MS)
 kconfig_check_and_set_base_to_one(PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS)
@@ -155,6 +156,8 @@ kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_ECDH_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_ECDSA_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_GCM_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON)
+kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON)
+kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_HMAC_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_SHA_1_OBERON)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_RSA_OAEP_OBERON)

diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -35,9 +35,8 @@
 #cmakedefine PSA_WANT_ALG_HMAC                                  @PSA_WANT_ALG_HMAC@
 #cmakedefine PSA_WANT_ALG_MD5                                   @PSA_WANT_ALG_MD5@
 #cmakedefine PSA_WANT_ALG_OFB                                   @PSA_WANT_ALG_OFB@
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#cmakedefine PSA_WANT_ALG_PBKDF2_HMAC                         @PSA_WANT_ALG_PBKDF2_HMAC@
+#cmakedefine PSA_WANT_ALG_PBKDF2_HMAC                           @PSA_WANT_ALG_PBKDF2_HMAC@
+#cmakedefine PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128               @PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128@
 #cmakedefine PSA_WANT_ALG_RIPEMD160                             @PSA_WANT_ALG_RIPEMD160@
 #cmakedefine PSA_WANT_ALG_RSA_OAEP                              @PSA_WANT_ALG_RSA_OAEP@
 #cmakedefine PSA_WANT_ALG_RSA_PKCS1V15_CRYPT                    @PSA_WANT_ALG_RSA_PKCS1V15_CRYPT@
@@ -194,6 +193,8 @@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_ECDSA_OBERON                 @PSA_CRYPTO_DRIVER_ALG_ECDSA_OBERON@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_GCM_OBERON                   @PSA_CRYPTO_DRIVER_ALG_GCM_OBERON@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON                  @PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON@
+#cmakedefine PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON           @PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON@
+#cmakedefine PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON @PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_HMAC_OBERON                  @PSA_CRYPTO_DRIVER_ALG_HMAC_OBERON@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_RSA_OAEP_OBERON              @PSA_CRYPTO_DRIVER_ALG_RSA_OAEP_OBERON@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_RSA_PKCS1V15_CRYPT_OBERON    @PSA_CRYPTO_DRIVER_ALG_RSA_PKCS1V15_CRYPT_OBERON@

diff --git a/subsys/nrf_security/include/psa/psa_crypto_config_oberon.h b/subsys/nrf_security/include/psa/psa_crypto_config_oberon.h
@@ -81,6 +81,14 @@
 #define PSA_NEED_OBERON_HKDF_EXPAND                            1
 #endif
 
+#if defined(PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON)
+#define PSA_NEED_OBERON_PBKDF2_HMAC                            1
+#endif
+
+#if defined(PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON)
+#define PSA_NEED_OBERON_PBKDF2_AES_CMAC_PRF_128                1
+#endif
+
 #if defined(PSA_CRYPTO_DRIVER_ALG_HMAC_OBERON)
 #define PSA_NEED_OBERON_HMAC                                   1
 #endif

diff --git a/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig b/subsys/nrf_security/src/drivers/nrf_oberon/Kconfig
@@ -51,6 +51,8 @@ config PSA_CRYPTO_DRIVER_HAS_KDF_SUPPORT_OBERON
 	default y
 	depends on PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON || \
 		   PSA_CRYPTO_DRIVER_ALG_TLS12_PRF_OBERON || \
+		   PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON || \
+		   PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON || \
 		   PSA_CRYPTO_DRIVER_ALG_TLS12_PSK_TO_MS_OBERON
 
 config PSA_CRYPTO_DRIVER_HAS_ASYM_ENCRYPT_SUPPORT_OBERON
@@ -190,6 +192,18 @@ config PSA_CRYPTO_DRIVER_ALG_HKDF_OBERON
 	default y if !PSA_DEFAULT_OFF
 	depends on PSA_WANT_ALG_HKDF
 
+config PSA_CRYPTO_DRIVER_ALG_PBKDF2_HMAC_OBERON
+	bool
+	prompt "PSA PBKDF2-HMAC support - oberon" if !PSA_PROMPTLESS
+	default y if !PSA_DEFAULT_OFF
+	depends on PSA_WANT_ALG_PBKDF2_HMAC
+
+config PSA_CRYPTO_DRIVER_ALG_PBKDF2_AES_CMAC_PRF_128_OBERON
+	bool
+	prompt "PSA PBKDF2-AES-CMAC-PRF-128 - oberon" if !PSA_PROMPTLESS
+	default y if !PSA_DEFAULT_OFF
+	depends on PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+
 config PSA_CRYPTO_DRIVER_ALG_HMAC_OBERON
 	bool
 	prompt "PSA HMAC support - oberon" if !PSA_PROMPTLESS