[WCBRD-2007] updates related to performace improvements

- Added check for use of SHA1 of els_pkc from psa-crypto-driver - Added an earlier return with PSA_ERROR_NOT_SUPPORTED to allow fallback to mbedtls SW for case of HMAC with SHA1 while els_pkc is enabled Signed-off-by: Waqar Tahir <[email protected]>
NXP · Oct 25, 2024 · db9f9ed · db9f9ed
1 parent 70d8afa
commit db9f9ed
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 1 deletion.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -40,6 +40,14 @@ if(CONFIG_SOC_SERIES_RW6XX)
             CPU_RW612ETA1I
     )
 
+    if (CONFIG_MCUX_PSA_CRYPTO_DRIVER_USE_ELS_PKC_SHA1)
+        target_compile_definitions(
+            McuxPsaCryptoDriverElsPkc 
+            PRIVATE
+                MCUX_PSA_CRYPTO_DRIVER_USE_ELS_PKC_SHA1
+        )
+    endif()
+
     target_compile_definitions(
         McuxPsaCryptoDriverElsPkc 
         PRIVATE

diff --git a/els_pkc/src/opaque/mcux_psa_els_pkc_opaque_mac.c b/els_pkc/src/opaque/mcux_psa_els_pkc_opaque_mac.c
@@ -34,6 +34,12 @@ psa_status_t els_pkc_opaque_mac_compute(const psa_key_attributes_t *attributes,
 {
     psa_status_t status;
 
+    /* els-pkc does not support SHA1 with HMAC, hence return from here with PSA_ERROR_NOT_SUPPORTED*/
+    if (((PSA_ALG_IS_HMAC(alg)) == true) && (PSA_ALG_HMAC_GET_HASH(alg) != PSA_ALG_SHA_256))
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;
@@ -86,6 +92,12 @@ psa_status_t els_pkc_opaque_mac_sign_setup(els_pkc_opaque_mac_operation_t *opera
 {
     psa_status_t status;
 
+    /* els-pkc does not support SHA1 with HMAC, hence return from here with PSA_ERROR_NOT_SUPPORTED*/
+    if (((PSA_ALG_IS_HMAC(alg)) == true) && (PSA_ALG_HMAC_GET_HASH(alg) != PSA_ALG_SHA_256))
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;

diff --git a/els_pkc/src/transparent/mcux_psa_els_pkc_hash.c b/els_pkc/src/transparent/mcux_psa_els_pkc_hash.c
@@ -35,6 +35,15 @@ psa_status_t els_pkc_transparent_hash_setup(els_pkc_hash_operation_t *operation,
 {
     psa_status_t status;
 
+    /* Use of SHA1 from els_pkc is restricted as it takes more time
+    in comparison to mbedTLS SW implementation of SHA1*/
+#if !defined(MCUX_PSA_CRYPTO_DRIVER_USE_ELS_PKC_SHA1)
+    if (PSA_ALG_SHA_1 == alg)
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+#endif
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;
@@ -58,6 +67,15 @@ psa_status_t els_pkc_transparent_hash_compute(psa_algorithm_t alg, const uint8_t
 {
     psa_status_t status;
 
+    /* Use of SHA1 from els_pkc is restricted as it takes more time
+    in comparison to mbedTLS SW implementation of SHA1*/
+#if !defined(MCUX_PSA_CRYPTO_DRIVER_USE_ELS_PKC_SHA1)
+    if (PSA_ALG_SHA_1 == alg)
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+#endif
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;

diff --git a/els_pkc/src/transparent/mcux_psa_els_pkc_mac.c b/els_pkc/src/transparent/mcux_psa_els_pkc_mac.c
@@ -33,6 +33,12 @@ psa_status_t els_pkc_transparent_mac_compute(const psa_key_attributes_t *attribu
 {
     psa_status_t status;
 
+    /* els-pkc does not support SHA1 with HMAC, hence return from here with PSA_ERROR_NOT_SUPPORTED*/
+    if (((PSA_ALG_IS_HMAC(alg)) == true) && (PSA_ALG_HMAC_GET_HASH(alg) != PSA_ALG_SHA_256))
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;
@@ -85,6 +91,12 @@ psa_status_t els_pkc_transparent_mac_sign_setup(els_pkc_transparent_mac_operatio
 {
     psa_status_t status;
 
+    /* els-pkc does not support SHA1 with HMAC, hence return from here with PSA_ERROR_NOT_SUPPORTED*/
+    if (((PSA_ALG_IS_HMAC(alg)) == true) && (PSA_ALG_HMAC_GET_HASH(alg) != PSA_ALG_SHA_256))
+    {
+        return PSA_ERROR_NOT_SUPPORTED;
+    }
+
 #if defined(PSA_CRYPTO_DRIVER_THREAD_EN)
     if (mcux_mutex_lock(&els_pkc_hwcrypto_mutex)) {
         return PSA_ERROR_GENERIC_ERROR;

diff --git a/zephyr/Kconfig b/zephyr/Kconfig
@@ -1,7 +1,8 @@
 # psa-crypto-driver configuration options
 
 # Copyright 2024 NXP
-# SPDX-License-Identifier: Apache-2.0
+#
+# SPDX-License-Identifier: BSD-3-Clause
 
 #
 # HW Acceleration Configs psa-crypto-driver
@@ -23,3 +24,9 @@ config MCUX_PSA_CRYPTO_DRIVER_ELS_PKC_THREAD
 	default n if BUILD_WITH_TFM
 	help
 	    Enables threading support in psa-crypto-driver component.
+
+config MCUX_PSA_CRYPTO_DRIVER_USE_ELS_PKC_SHA1
+	bool "Enables use of SHA1 from els-pkc via psa-crypto-driver"
+	depends on MCUX_ELS_PKC && MCUX_PSA_CRYPTO_DRIVER_ELS_PKC
+	help
+	    Enables use of SHA1 from els-pkc via psa-crypto-driver component.