nrf_security: drivers: cracen: adding support for ed25519 without sicrypto #19812
Conversation
github-actions
bot
added
the
changelog-entry-required
degjorva
removed
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: db636a58569784f6ed4d7c7e21bad1f5be2fff0c more detailssdk-nrf:
Github labels
List of changed files detected by CI (5)Outputs:ToolchainVersion: 342151af73 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
from
0c0a5d5 to
933f5a8
Compare
github-actions
bot
added
the
changelog-entry-required
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
3 times, most recently
from
21feb07 to
e54e7e5
Compare
subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h
Outdated
Show resolved
Hide resolved
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
Outdated
Show resolved
Hide resolved
| @@ -605,8 +608,10 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_ | |||
| int si_status = 0; | |||
| psa_algorithm_t key_alg = psa_get_key_algorithm(attributes); | |||
| const struct sx_pk_ecurve *sx_curve; | |||
| #if CONFIG_PSA_NEED_NO_SI_CRYPTO_ED25519 | |||
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
Outdated
Show resolved
Hide resolved
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
13 times, most recently
from
718033c to
66dcd8a
Compare
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
2 times, most recently
from
758768d to
0ace2dc
Compare
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
4 times, most recently
from
0900053 to
d77b2a5
Compare
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
3 times, most recently
from
4aee94c to
c8b7ced
Compare
| int cracen_ed25519_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length); | ||
|
|
||
| int cracen_ed25519_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature); | ||
|
|
||
| int cracen_ed25519ph_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length, int ismessage); | ||
|
|
||
| int cracen_ed25519ph_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature, int ismessage); | ||
|
|
||
| int cracen_ed25519_create_pubkey(const uint8_t *priv_key, uint8_t *pub_key); |
There was a problem hiding this comment.
Why do those functions return int and not psa_status_t like all the rest in this header file?
There was a problem hiding this comment.
I can move them out to their own header file if that is wanted. They return ints because that is the type of the silex status codes. Could have the functions themselves return the silex_statuscodes_to_psa, but as the psa functions sign/verify etc functions so far all handle that themselves so it seemed better to keep it the same. Could make sense to change that when all the sicrypto stuff is removed
There was a problem hiding this comment.
I think the best would be to just convert those functions to return psa_status_t and adapt the caller functions accordingly. It's not that much work really.
There was a problem hiding this comment.
While I agree that is a better solution when everything returns it, for now doing that makes it quite messy as it means maintaining two different status codes, si_status and psa_status in each function. It also means you can't use the same return, return silex_statuscodes_to_psa(si_status); at the end of the function anymore, and instead need to make sure each return is handled separately. Does not matter in the eddsa case, but does matter for other sicrypto functions.
There was a problem hiding this comment.
Of those functions, all except cracen_ed25519_create_pubkey() are called and their return codes directly converted to psa_status_t.
For cracen_ed25519_create_pubkey(), there is cracen_signature_prepare_ec_pubkey() which returns its code directly without converting it. But the only caller of that function, cracen_signature_ecc_verify(), directly converts the return value to a psa_status_t.
It doesn't seem like it would be a hassle to change those functions to psa_status_t.
But I'll let you do as you want.
subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa.h
Outdated
Show resolved
Hide resolved
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
Outdated
Show resolved
Hide resolved
| size_t offset = prehash ? 0 : 1; | ||
|
|
||
| return hash_all_inputs(&hash_array[offset], &hash_array_lengths[offset], input_count, | ||
| &sxhashalg_sha2_512, workmem + 2 * SX_ED25519_SZ); |
There was a problem hiding this comment.
Yeah no, those new defines don't convey proper meaning. Also, here I was pointing at + 2 * SX_ED25519_SZ, not input_count/offset. I think it's better to remove those defines you added.
| size_t message_length); | ||
|
|
||
| int cracen_ed25519_verify(const uint8_t *pubkey, const char *message, size_t message_length, | ||
| const char *signature); | ||
|
|
||
| int cracen_ed25519ph_sign(const uint8_t *ed25519, char *signature, const uint8_t *message, | ||
| size_t message_length, int ismessage); | ||
|
|
||
| int cracen_ed25519ph_verify(const uint8_t *pubkey, const char *message, size_t message_length, | ||
| const char *signature, int ismessage); |
There was a problem hiding this comment.
alignment on second lines is wrong
subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
Outdated
Show resolved
Hide resolved
| int cracen_ed25519_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length); | ||
|
|
||
| int cracen_ed25519_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature); | ||
|
|
||
| int cracen_ed25519ph_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length, int ismessage); | ||
|
|
||
| int cracen_ed25519ph_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature, int ismessage); | ||
|
|
||
| int cracen_ed25519_create_pubkey(const uint8_t *priv_key, uint8_t *pub_key); |
There was a problem hiding this comment.
I think the best would be to just convert those functions to return psa_status_t and adapt the caller functions accordingly. It's not that much work really.
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
from
c8b7ced to
e3cfb62
Compare
| &privkey->hashalg, alg, digestsz); | ||
| } | ||
| } | ||
| if (alg == PSA_ALG_PURE_EDDSA || alg == PSA_ALG_ED25519PH) { |
There was a problem hiding this comment.
Was that intentional to remove the IS_ENABLED statement which requires the relevant PSA_NEED to be enabled here?
There was a problem hiding this comment.
Yes, but actually this statement is not needed either anymore. cracen_signature_prepare_ec_prvkey is never called while using eddsa, as cracen_signature_prepare_ec_prvkey is a support function for sicrypto
| if (status != SX_OK) | ||
| return status; | ||
|
|
||
| memcpy(pub_key, pub_key_A, SX_ED25519_SZ); |
There was a problem hiding this comment.
Does it make sense to clear the scalar stored in the first part of the digest buffer here?
Maybe the workbuf in the other functions is also worth considering to clear before exiting the function.
There was a problem hiding this comment.
That does make sense
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
3 times, most recently
from
9c701f7 to
f9ea2ff
Compare
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
2 times, most recently
from
a55a562 to
833596b
Compare
| priv_key.key.ed25519 = (struct sx_ed25519_v *)key_buffer; | ||
| pub_key.key.ed25519 = (struct sx_ed25519_pt *)data; | ||
| si_status = cracen_ed25519_create_pubkey(key_buffer, data); | ||
| if (!si_status) { |
| } else { | ||
| priv_key.def = si_sig_def_ed25519; | ||
| priv_key.key.ed25519 = (struct sx_ed25519_v *)key_buffer; | ||
| pub_key.key.ed25519 = (struct sx_ed25519_pt *)data; | ||
| priv_key.def = si_sig_def_ed448; | ||
| priv_key.key.ed448 = (struct sx_ed448_v *)key_buffer; | ||
| pub_key.key.ed448 = (struct sx_ed448_pt *)data; | ||
| } | ||
| } else { | ||
| priv_key.def = si_sig_def_ed448; | ||
| priv_key.key.ed448 = (struct sx_ed448_v *)key_buffer; | ||
| pub_key.key.ed448 = (struct sx_ed448_pt *)data; | ||
| break; | ||
| default: | ||
| return PSA_ERROR_NOT_SUPPORTED; |
| @@ -88,7 +85,7 @@ static int cracen_signature_prepare_ec_prvkey(struct si_sig_privkey *privkey, ch | |||
| size_t key_buffer_size, | |||
| const struct sx_pk_ecurve **sicurve, | |||
| psa_algorithm_t alg, | |||
| const psa_key_attributes_t *attributes, int message, | |||
| const psa_key_attributes_t *attributes, bool message, | |||
There was a problem hiding this comment.
IMO could still be changed to <is/has>_message in this file to be more explicit because message would rather be a pointer to data. It's just a quick search & replace and makes code more obvious.
| const uint8_t *key_buffer, size_t key_buffer_size, | ||
| psa_algorithm_t alg, const uint8_t *input, | ||
| size_t input_length, uint8_t *signature, | ||
| size_t signature_size, size_t *signature_length) | ||
| { | ||
| int si_status; | ||
| int status; |
There was a problem hiding this comment.
| int status; | |
| psa_status_t psa_status; |
|
|
||
| if ((int)signature_size < 2 * curve->sz) { | ||
| return PSA_ERROR_BUFFER_TOO_SMALL; | ||
| } | ||
|
|
||
| if (!PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_get_key_type(attributes))) { | ||
| return silex_statuscodes_to_psa(SX_ERR_INCOMPATIBLE_HW); |
There was a problem hiding this comment.
Could do the same here, return directly the correct PSA error code.
| if (alg == PSA_ALG_ED25519PH) { | ||
| si_status = cracen_ed25519ph_verify(pubkey_buffer, (char *)input, input_length, | ||
| signature, message); | ||
| (void)t; |
There was a problem hiding this comment.
| (void)t; |
same below
| if (si_status) { | ||
| return silex_statuscodes_to_psa(si_status); | ||
| } | ||
|
|
There was a problem hiding this comment.
| if (si_status) { | |
| return silex_statuscodes_to_psa(si_status); | |
| } |
| return status; | ||
| } | ||
|
|
||
| if (message) { |
There was a problem hiding this comment.
| if (message) { | |
| if (message) { |
| status = cracen_ecc_get_ecurve_from_psa( | ||
| PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(attributes)), | ||
| psa_get_key_bits(attributes), &curve); | ||
|
|
| int cracen_ed25519_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length); | ||
|
|
||
| int cracen_ed25519_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature); | ||
|
|
||
| int cracen_ed25519ph_sign(const uint8_t *priv_key, char *signature, const uint8_t *message, | ||
| size_t message_length, int ismessage); | ||
|
|
||
| int cracen_ed25519ph_verify(const uint8_t *pub_key, const char *message, size_t message_length, | ||
| const char *signature, int ismessage); | ||
|
|
||
| int cracen_ed25519_create_pubkey(const uint8_t *priv_key, uint8_t *pub_key); |
There was a problem hiding this comment.
Of those functions, all except cracen_ed25519_create_pubkey() are called and their return codes directly converted to psa_status_t.
For cracen_ed25519_create_pubkey(), there is cracen_signature_prepare_ec_pubkey() which returns its code directly without converting it. But the only caller of that function, cracen_signature_ecc_verify(), directly converts the return value to a psa_status_t.
It doesn't seem like it would be a hassle to change those functions to psa_status_t.
But I'll let you do as you want.
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
4 times, most recently
from
fb96622 to
6ca35d7
Compare
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
from
6ca35d7 to
c3ab354
Compare
Add support for Ed25519 and Ed25519ph in cracenpsa directly using silexpk/sxsymcrypt. This bypasses sicrypto, which saves on flash usage Remove sicrypto implementation of Ed25519 from being accessible from cracenpsa. Signed-off-by: Dag Erik Gjørvad <[email protected]>
degjorva
force-pushed
the
no-sicrypto-ED25519
branch
from
c3ab354 to
db636a5
Compare
Added implementation in cracenpsa of ed25519 and ed25519ph without using sicrypto
Removed the possibility of using the sicrypto implementation of ed25519 and ed25519ph through cracenpsa
Updated cracenpsa to support new implementation and
remove references to old