[nrf noup] Handle moved PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE #39
Closed
-This checks if GCM_C is enabled in gcm.h before including the functions. This was causing build issues when the GCM is disabled but GCM_ALT is enabled. Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit 08e9148) (cherry picked from commit 125633d) (cherry picked from commit 8ffbcc1) Signed-off-by: Markus Swarowsky <[email protected]>
-Enable use of SNI without x509 by testing for MBEDTLS_SSL_SERVER_NAME_INDICATION -Note that this was updated for Mbed TLS v3.6.1 by additionally checking if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) is not defined to prevent duplicate symbols for mbedtls_ssl_check_cert_usage ref: NCSDK-15193 Signed-off-by: Pete Skeggs <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit a80889e) (cherry picked from commit 4bf3986) (cherry picked from commit ca1e6b2) Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit a1e46ca) Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-Enable more TLS/DTLS types being auto-generated in documentation in Mbed TLS. Note that these are not in use in nRF Connect SDK documentation generation at the moment, this commit currently has no effect ref: NCSDK-15193 This one conflicted because PREDEFINED was removed in the doxyfile. Check if this commit can be dropped. Conflict resolution is to bring back the old defines. Signed-off-by: Pete Skeggs <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit b4e0e5c) (cherry picked from commit 6ef9f19) (cherry picked from commit dbbe35f) Signed-off-by: Markus Swarowsky <[email protected]>
-Disabling this prevents in-field devices from returning errors when non ECJPAKE PSK is used for OpenThread devices. ref: NCSDK-14629 Signed-off-by: Frank Audun Kvamtrø <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit 231620d) (cherry picked from commit 14c0a29) (cherry picked from commit 3da802b) Signed-off-by: Markus Swarowsky <[email protected]>
-The runtime library expects key-bits to be set when it is not for cipher and ECDSA, this is fixed here. This may be an issue either in Mbed TLS or in nrf_cc3xx v0.9.14. Hence setting as a noup ref: NCSDK-13857 Signed-off-by: Frank Audun Kvamtrø <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit 67cb08f) (cherry picked from commit 1707e93) (cherry picked from commit 2863179) Signed-off-by: Markus Swarowsky <[email protected]>
This makes sure that the content of the mutex inside the mbedtls_entropy_context is zeroed. This is a workaround because the CryptoCell runtime library will generate a fault if the mutex is not zeroed. This workaround will be reverted later when NCSDK-17004 is fixed. There is no reason to upstream this since it is a limitation in our CryptoCell runtime library and not an upstream limitation. Ref: NCSDK-8075 Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Joakim Andersson <[email protected]> (cherry picked from commit 73337db) (cherry picked from commit 10d43b5) (cherry picked from commit c56a2ae) Signed-off-by: Markus Swarowsky <[email protected]>
Replace MBEDTLS_ACCEL symbols with the equivalent PSA_WANT symbols since we don't use the MBEDTLS_ACCEL symbols in sdk-nrf. Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
The Oberon PSA core has some replacement headers but it also uses headers from the library folder. Since the headers and the C files in this folder perform inclusion with double quotes this can create issues since the Oberon PSA core may use headers from this repo that it shouldn't. This moves the headers that the Oberon PSA core replaces with to another folder so that they aren't accidentally included from the Oberon PSA core. Signed-off-by: Georgios Vasilakis <[email protected]>
This is temporary fix until: NCSDK-26077 is fixed The given hash algorithm for an ecdsa verify operation was just omitted by setting the algorithm for psa_verify_hash to PSA_ALG_ECDSA_ANY. As the PSA spec states: This is the same signature scheme as PSA_ALG_ECDSA(), but without specifying a hash algorithm, and skipping the message hashing operation. This algorithm is only recommended to sign or verify a sequence of bytes that are an already-calculated hash. Note that the input is padded with zeros on the left or truncated on the right as required to fit the curve size. So the input should be hashed but that's not the case for ecdsa_verify_psa therefore changing it to PSA_ALG_ECDSA(hash_alg) Upstream PR: Mbed-TLS/mbedtls#8834 Signed-off-by: Markus Swarowsky <[email protected]>
This is a temporary noup as the mbed TLS PSA core hasn't adapted the final PSA PAKE APIs from the 1.2 spec. Once that is done this can be removed. Check the signature of psa_pake_setup and if psa_pake_get_implicit_key is removed and replaced with psa_pake_get_shared_key Signed-off-by: Markus Swarowsky <[email protected]>
-This is a [nrf noup] because Mbed TLS doesn't currently support proper MBEDTLS_PSA_CRYPTO_CLIENT vs CRYPTO_C abstraction, and the effort to fix this is delayed in the Mbed TLS project (tacked on to Mbed TLS 4.X.Y timelines) Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This commit is an [nrf noup] as there has been resistance to establishing a clear PSA crypto client dependency and currently it is dependent on setting MBEDTL_SPSA_CRYPTO_C + any of the MBEDTLS_PSA_ACCEL_XXXX type configurations that are generally not set in the NS image of a TF-M build Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This is a [nrf noup] because it does a change that is likely not easily supported in mainline Mbed TLS (where there is a clearer dependency on MBEDTLS_PSA_CRYPTO_C enabling legacy features and using a fallback to depend on e.g. MBEDTLS_ECP_C). -This adds include-folder additions for mbedtls/ecp.h in oid.c -This adds include-folder additions for mbedtls/ecp.h in pk_wrap.c and pk.h when MBEDTLS_USE_PSA_CRYPTO is set Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-Hoping to not have this addition Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This allows TF-M minimal configuration to still dispatch using legacy while we are waiting for more apps/samples to be ported to use PSA crypto APIs Signed-off-by: Frank Audun Kvamtrø <[email protected]>
…MD/CIPHER" This reverts commit 2e24f78.
…ig.h" This reverts commit 904de73.
This reverts commit 467178f.
This reverts commit 11f0c24.
This reverts commit 9e12479.
This reverts commit 8661245.
This reverts commit f7a5ed4.
This reverts commit eb1efbf.
This reverts commit 9762663.
This reverts commit 333c076.
This reverts commit 427c287.
This reverts commit 4c64e64.
This reverts commit d3cd22d.
This reverts commit 5081e5b.
This reverts commit 4269889.
-This checks if GCM_C is enabled in gcm.h before including the functions. This was causing build issues when the GCM is disabled but GCM_ALT is enabled. Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit 819f6fe)
-Enable use of SNI without x509 by testing for MBEDTLS_SSL_SERVER_NAME_INDICATION -Note that this was updated for Mbed TLS v3.6.1 by additionally checking if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) is not defined to prevent duplicate symbols for mbedtls_ssl_check_cert_usage ref: NCSDK-15193 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 5081e5b)
-Enable more TLS/DTLS types being auto-generated in documentation in Mbed TLS. Note that these are not in use in nRF Connect SDK documentation generation at the moment, this commit currently has no effect ref: NCSDK-15193 This one conflicted because PREDEFINED was removed in the doxyfile. Check if this commit can be dropped. Conflict resolution is to bring back the old defines. Signed-off-by: Pete Skeggs <[email protected]> (cherry picked from commit b4e0e5c)
-Disabling this prevents in-field devices from returning errors when non ECJPAKE PSK is used for OpenThread devices. ref: NCSDK-14629 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 4c64e64)
-The runtime library expects key-bits to be set when it is not for cipher and ECDSA, this is fixed here. This may be an issue either in Mbed TLS or in nrf_cc3xx v0.9.14. Hence setting as a noup ref: NCSDK-13857 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 427c287)
This makes sure that the content of the mutex inside the mbedtls_entropy_context is zeroed. This is a workaround because the CryptoCell runtime library will generate a fault if the mutex is not zeroed. This workaround will be reverted later when NCSDK-17004 is fixed. There is no reason to upstream this since it is a limitation in our CryptoCell runtime library and not an upstream limitation. Ref: NCSDK-8075 Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit 333c076)
Replace MBEDTLS_ACCEL symbols with the equivalent PSA_WANT symbols since we don't use the MBEDTLS_ACCEL symbols in sdk-nrf. Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 9762663)
The Oberon PSA core has some replacement headers but it also uses headers from the library folder. Since the headers and the C files in this folder perform inclusion with double quotes this can create issues since the Oberon PSA core may use headers from this repo that it shouldn't. This moves the headers that the Oberon PSA core replaces with to another folder so that they aren't accidentally included from the Oberon PSA core. Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit d2d1dc7)
This is temporary fix until: NCSDK-26077 is fixed The given hash algorithm for an ecdsa verify operation was just omitted by setting the algorithm for psa_verify_hash to PSA_ALG_ECDSA_ANY. As the PSA spec states: This is the same signature scheme as PSA_ALG_ECDSA(), but without specifying a hash algorithm, and skipping the message hashing operation. This algorithm is only recommended to sign or verify a sequence of bytes that are an already-calculated hash. Note that the input is padded with zeros on the left or truncated on the right as required to fit the curve size. So the input should be hashed but that's not the case for ecdsa_verify_psa therefore changing it to PSA_ALG_ECDSA(hash_alg) Upstream PR: Mbed-TLS/mbedtls#8834 Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit 9462939)
This is a temporary noup as the mbed TLS PSA core hasn't adapted the final PSA PAKE APIs from the 1.2 spec. Once that is done this can be removed. Check the signature of psa_pake_setup and if psa_pake_get_implicit_key is removed and replaced with psa_pake_get_shared_key Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit 9beb52e)
-This is a [nrf noup] because Mbed TLS doesn't currently support proper MBEDTLS_PSA_CRYPTO_CLIENT vs CRYPTO_C abstraction, and the effort to fix this is delayed in the Mbed TLS project (tacked on to Mbed TLS 4.X.Y timelines) Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 9e12479)
-This commit is an [nrf noup] as there has been resistance to establishing a clear PSA crypto client dependency and currently it is dependent on setting MBEDTL_SPSA_CRYPTO_C + any of the MBEDTLS_PSA_ACCEL_XXXX type configurations that are generally not set in the NS image of a TF-M build Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 11f0c24)
-This is a [nrf noup] because it does a change that is likely not easily supported in mainline Mbed TLS (where there is a clearer dependency on MBEDTLS_PSA_CRYPTO_C enabling legacy features and using a fallback to depend on e.g. MBEDTLS_ECP_C). -This adds include-folder additions for mbedtls/ecp.h in oid.c -This adds include-folder additions for mbedtls/ecp.h in pk_wrap.c and pk.h when MBEDTLS_USE_PSA_CRYPTO is set Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 467178f)
-Hoping to not have this addition Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 904de73)
-This allows TF-M minimal configuration to still dispatch using legacy while we are waiting for more apps/samples to be ported to use PSA crypto APIs Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 2e24f78)
This commit takes only relevant changes of PR Mbed-TLS/mbedtls#9448 that was merged in upstream Mbed TLS in the LTS branch "mbedtls-3.6". Since the original PR was made of several commits, but most of them were only affecting test cases (not used in Zephyr), only changes belonging to the "include" and "library" folders were included here. == IMPORTANT == Changes introduced in this commit will be automatically part of Mbed TLS release 3.6.3, so by the time Zephyr's Mbed TLS fork repo is bumped to that official release, this commit MUST be discarded. This commit introduces the possibility to use static key slot buffers in the PSA core instead of dynamically allocating them when needed. This helps reduce heap memory usage as well as potentially removing heap management ROM code if heap is not used anywhere else in the Zephyr application. Signed-off-by: Valerio Setti <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]> (Cherry-picked from commit 4952e13)
7262b8c to
325d390
Compare
Collaborator
@frkv Is this still relevant?
DNM
Investigating possibility of static key sizes in updated oberon-psa-crypto