nrf_security: Add Oberon PSA configurations in Kconfig #11676
Test specification
CI/Jenkins/NRF
CI/Jenkins/integration
Detailed information of selected test modules
Note: This message is automatically posted and updated by the CI
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.
Note: This comment is automatically posted by the Documentation Publishing GitHub Action.
bdd9e5a to 2f0f829
The following west manifest projects have been modified in this Pull Request:
Note: This message is automatically posted and updated by the Manifest GitHub Action.
45eec76 to 9df6d43
2890801 to a954331
|
||
The option :kconfig:option:`CONFIG_PSA_USE_CC3XX_SIGNATURE_DRIVER` enables the driver :ref:`nrf_security_drivers_cc3xx` for the RSA PKCS#1 v1.5 signing algorithm. | ||
|
||
The option :kconfig:option:`CONFIG_PSA_USE_CC3XX_ASYMMETRIC_DRIVER` enables the driver :ref:`nrf_security_drivers_cc3xx` for RSA PKCS#1 v1.5 and RSA OAEP encryption. |
The option :kconfig:option:`CONFIG_PSA_USE_CC3XX_ASYMMETRIC_DRIVER` enables the driver :ref:`nrf_security_drivers_cc3xx` for RSA PKCS#1 v1.5 and RSA OAEP encryption. | |
The option :kconfig:option:`CONFIG_PSA_USE_CC3XX_ASYMMETRIC_DRIVER` enables the driver :ref:`nrf_security_drivers_cc3xx` for RSA PKCS#1 v1.5 and RSA OAEP encryption. |
+-----------------------+--------------------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
| RSA PSS | Not supported | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_RSA_PSS_OBERON` | | ||
+-----------------------+--------------------------------------------------------------------------+--------------------------------------------------------------------------+ | ||
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `RSA configurations`_. |
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `RSA configurations`_. | |
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user-enabled algorithms in `RSA configurations`_. |
Search-replaced "user enabled" with "user-enabled" in the file.
| RIPEMD-160 | Not supported | Not supported | | ||
+-----------------------+---------------------------------------------------------------+---------------------------------------------------------------+ | ||
|
||
You can use the following table to check the Hash algorithm support of each driver: |
You can use the following table to check the Hash algorithm support of each driver: | |
Use the following table to check the Hash algorithm support of each driver: |
Please apply this change to other instances of this, where we changed 'you can use the following configurations' to 'you can check the table'.
Search-replaced "You can use" with "Use" in the file
|
||
The option :kconfig:option:`CONFIG_PSA_USE_CC3XX_HASH_DRIVER` enables the driver :ref:`nrf_security_drivers_cc3xx` for all the supported algorithms. | ||
|
||
The driver configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `HASH configurations`_. |
The driver configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `HASH configurations`_. | |
The configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `HASH configurations`_. |
Search-replaced "The driver configuration" with "The configuration" in the file
| SRP | Not supported | Supported | | ||
+-----------------------+--------------------------+---------------------------+ | ||
|
||
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `Password-authenticated key agreement configurations`_. |
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user enabled algorithms in `Password-authenticated key agreement configurations`_. | |
Configuration of the :ref:`nrf_security_drivers_oberon` driver is automatically generated based on the user-enabled algorithms in `Password-authenticated key agreement configurations`_. |
494d658 to 33358e2
e231c8f to e73fb29
e73fb29 to efe3d60
+-----------------------+---------------------------------------------------------------------+----------------------------------------------------------------------+ | ||
| Stream cipher | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_STREAM_CIPHER_CC3XX` | :kconfig:option:`CONFIG_PSA_CRYPTO_DRIVER_ALG_STREAM_CIPHER_OBERON` | | ||
+-----------------------+---------------------------------------------------------------------+----------------------------------------------------------------------+ | ||
Cipher algorithm support for each driver: |
Cipher algorithm support for each driver: | |
The following table shows cipher algorithm support for each driver: |
While I personally prefer your more straightforward way of introducing tables, it seems that 'the following table shows' is a standard stylistic choice throughout NCS. Can you apply these throughout, or would you like me to add a suggestion for each?
@@ -272,17 +300,24 @@ The ECC algorithm support is dependent on one or more Kconfig options enabling c | |||
ECC driver configurations | |||
========================= | |||
|
|||
You can use the following Kconfig options for fine-grained control over which drivers provide ECC support: | |||
Use the following table to check the ECC algorithm support of each driver: |
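Review bot: the new intro line under "ECC driver configurations" ("Use the following table to check the ECC algorithm support of each driver:") drops what the removed line told the reader, namely that these are Kconfig options giving fine-grained control over which drivers provide ECC support. If the table that follows still lists Kconfig options per driver, say so in the intro so the section explains how to act on the table and not only how to read it, and keep the wording aligned with the other table intros changed in this PR.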
Think we should follow the same form for these as well. 'The following table shows ECC algorithm support of each driver'...
+--------------------+-----------------------------------------------------+ | ||
|
||
.. note:: | ||
* All RSA key size configurations are introduced by :ref:`nrf_security` and are not described by the PSA Crypto specification. |
I don't remember if it was in reference to this or another PR, but I checked this formatting with Bartek. He said that notes should have bullet points only if there are multiple items in the list.
Please remove bullet points for notes with only one item.
efe3d60 to 10c4b3f
c453f78 to 282dfa1
The Oberon core uses a configuration scheme where the user chooses the PSA_WANT and the PSA_USE options and the core itself derives the PSA_NEED configurations which are used internally. This change adapts this new configuration scheme in nrf_security. With this change the user still has the option to explicitly enable/disable drivers with the previous options:
PSA_CRYPTO_DRIVER_OBERON
PSA_CRYPTO_DRIVER_CC3XX
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>

Update the documentation files for the NRF security configurations of the PSA APIs to follow the Oberon PSA configuration scheme.
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>

Update the psa_tls sample to follow the new configuration scheme from Oberon PSA core.
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
282dfa1 to 4bf84ea
LGTM
Matter/Chip plans failed on nRF7002 while connecting to the wifi:
Two runs ago CHIP was green. (Check run 90). It seems to me like a CI issue CHIP/MATTER.
Thanks for info
Change the nrf_security configurations to follow the configuration scheme from the Oberon PSA core.
Signed-off-by: Georgios Vasilakis <georgios.vasilakis@nordicsemi.no>
test-sdk-nrf: geva-11676