From 1224b445c21f29c7e617f4c5112c48a4b3a33abb Mon Sep 17 00:00:00 2001
From: Markus Swarowsky
Date: Wed, 23 Aug 2023 15:32:13 +0200
Subject: [PATCH 1/2] nrf_security: Remove secp521r1 Kconfig The config option give the impression that cryptocell supports secp521r1 but it doesn't so removing the Kconfig to make the Kconfig options more aligned to the actual capabilities. Ref: NCSDK-21666 Signed-off-by: Markus Swarowsky
---
 subsys/nrf_security/cmake/psa_crypto_config.cmake | 5 +----
 subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig | 5 -----
 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
index eb0abf78de72..cdac3a627732 100644
--- a/subsys/nrf_security/cmake/psa_crypto_config.cmake
+++ b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -125,7 +125,6 @@ kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ECC_SECP_R1_192_CC3XX)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ECC_SECP_R1_224_CC3XX)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ECC_SECP_R1_256_CC3XX)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ECC_SECP_R1_384_CC3XX)
-kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ECC_SECP_R1_521_CC3XX)
 # Convert nrf_oberon driver configurations
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_OBERON)
@@ -262,9 +261,7 @@ kconfig_check_and_set_base_to_one(MBEDTLS_THREADING_C)
 kconfig_check_and_set_base_to_one(MBEDTLS_THREADING_ALT)
 # Set the max curve bits for the PSA APIs without using MBEDTLS defines
-if (CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_521_CC3XX)
- set(PSA_VENDOR_ECC_MAX_CURVE_BITS 521)
-elseif(CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_384_CC3XX)
+if(CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_384_CC3XX)
 set(PSA_VENDOR_ECC_MAX_CURVE_BITS 384)
 elseif(CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_256_CC3XX OR CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_256
diff --git a/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig b/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig
index 5b73af9050c1..be28fc0a20a3 100644
--- a/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig
+++ b/subsys/nrf_security/src/drivers/nrf_cc3xx/Kconfig
@@ -252,11 +252,6 @@ config PSA_CRYPTO_DRIVER_ECC_SECP_R1_384_CC3XX
 prompt "PSA ECC secp384r1 - cc3xx" if !PSA_PROMPTLESS
 default y if !PSA_DEFAULT_OFF && PSA_WANT_ECC_SECP_R1_384
-config PSA_CRYPTO_DRIVER_ECC_SECP_R1_521_CC3XX
- bool
- prompt "PSA ECC secp521r1 - cc3xx" if !PSA_PROMPTLESS
- default y if !PSA_DEFAULT_OFF && PSA_WANT_ECC_SECP_R1_521
 # PSA_CRYPTO_DRIVER_ALG_XTS_CC3XX - Currently not supported
 endif # PSA_CRYPTO_DRIVER_CC3XX
From d950b8626514d978b2b2e87b8cc3d433ea3b4fe9 Mon Sep 17 00:00:00 2001
From: Markus Swarowsky
Date: Wed, 23 Aug 2023 17:49:21 +0200
Subject: [PATCH 2/2] oberon: Fix re-define of PSA_VENDOR_ECC_MAX_CURVE_BITS PSA_VENDOR_ECC_MAX_CURVE_BITS gets in already defined in the autogenerated nrf-config-user.h and if these defines don't match it results in a redefined warning Ref: NCSDK-21666 Signed-off-by: Markus Swarowsky
---
 ext/oberon/psa/core/include/psa/crypto_sizes.h | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ext/oberon/psa/core/include/psa/crypto_sizes.h b/ext/oberon/psa/core/include/psa/crypto_sizes.h
index 31ee596b57d8..2b1e8e072eae 100644
--- a/ext/oberon/psa/core/include/psa/crypto_sizes.h
+++ b/ext/oberon/psa/core/include/psa/crypto_sizes.h
@@ -196,6 +196,7 @@
 /* The maximum size of an ECC key on this implementation, in bits.
 * This is a vendor-specific macro. */
+#ifndef PSA_VENDOR_ECC_MAX_CURVE_BITS
 #if defined(PSA_WANT_ECC_SECP_R1_521) /*!!OM*/
 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 521
 #elif defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
@@ -229,6 +230,7 @@
 #else
 #define PSA_VENDOR_ECC_MAX_CURVE_BITS 0
 #endif
+#endif
 /** This macro returns the maximum supported length of the PSK for the
 * TLS-1.2 PSK-to-MS key derivation
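Review bot: A pre-defined `PSA_VENDOR_ECC_MAX_CURVE_BITS` is now accepted by the `#ifndef` guard in the first crypto_sizes.h hunk without being checked against the `PSA_WANT_ECC_*` curves that this header would otherwise use to derive it. If the generated value is ever smaller than the largest enabled curve (patch 1/2 drops the 521 branch from the CMake chain that sets it, and the rest of that chain is not visible here), the size macros derived from this constant would presumably come out too small for that curve's keys and signatures. A compile-time check after the guarded block would turn such a mismatch into a build failure, for example `#if defined(PSA_WANT_ECC_SECP_R1_521) && PSA_VENDOR_ECC_MAX_CURVE_BITS < 521` followed by `#error "PSA_VENDOR_ECC_MAX_CURVE_BITS is smaller than an enabled curve"` and `#endif`. The closing `#endif` added in the second hunk would also be easier to pair up if written as `#endif /* PSA_VENDOR_ECC_MAX_CURVE_BITS */`, since the chain it closes spans both hunks and is only partly shown.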