From 0818474f7835cf2eabfbcaf3cf600de71bbff105 Mon Sep 17 00:00:00 2001
From: Arkadiusz Balys
Date: Mon, 24 Jul 2023 16:20:26 +0200
Subject: [PATCH] Enable PSA crypto usage.
- Selected OpenThread security PSA Crypto background
- Switched to PSAOperationalKeystore when CHIP_CRYPTO_PSA is enabled
- Changed definitions from CONFIG_NORDIC_SECURITY_BACKEND to CONFIG_NRF_SECURITY to avoid using MBEDTLS Legacy.
---
 config/nrfconnect/chip-module/CMakeLists.txt | 6 +++
 .../nrfconnect/chip-module/Kconfig.defaults | 48 ++++++++++++++++---
 config/zephyr/Kconfig | 1 +
 src/app/server/Server.cpp | 4 ++
 src/app/server/Server.h | 16 ++++++-
 src/crypto/CHIPCryptoPAL.h | 2 +-
 src/platform/Zephyr/PlatformManagerImpl.cpp | 14 +++---
 7 files changed, 75 insertions(+), 16 deletions(-)
diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt
index aa6aeda436..cba23d5ee9 100644
--- a/config/nrfconnect/chip-module/CMakeLists.txt
+++ b/config/nrfconnect/chip-module/CMakeLists.txt
@@ -66,6 +66,12 @@ if (CONFIG_NORDIC_SECURITY_BACKEND)
 elseif(CONFIG_MBEDTLS)
 zephyr_include_directories($)
 zephyr_compile_definitions($)
+elseif(CONFIG_CHIP_CRYPTO_PSA)
+ # TODO remove mbedtls dependencies once mbedtls will be switched off
+ zephyr_include_directories($)
+ zephyr_include_directories($)
+ matter_add_flags(-DMBEDTLS_CONFIG_FILE=)
+ matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=)
 endif()
 if (CONFIG_NRF_802154_RADIO_DRIVER)
diff --git a/config/nrfconnect/chip-module/Kconfig.defaults b/config/nrfconnect/chip-module/Kconfig.defaults
index 79317e134e..fda46a7b70 100644
--- a/config/nrfconnect/chip-module/Kconfig.defaults
+++ b/config/nrfconnect/chip-module/Kconfig.defaults
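Review bot: The new `elseif(CONFIG_CHIP_CRYPTO_PSA)` branch is evaluated only after `elseif(CONFIG_MBEDTLS)` and, per the hunk header, after the unchanged `if (CONFIG_NORDIC_SECURITY_BACKEND)` test; if either of those symbols is also set in a PSA build (the TODO says mbedTLS is still linked), the PSA branch is never reached and the MBEDTLS_CONFIG_FILE/MBEDTLS_USER_CONFIG_FILE defines it adds are silently not applied. The rest of the commit moves PlatformManagerImpl.cpp from CONFIG_NORDIC_SECURITY_BACKEND to CONFIG_NRF_SECURITY, so the opening condition of this chain looks inconsistent with that change. Either test CONFIG_CHIP_CRYPTO_PSA first or record the expected combination in the comment, e.g. `# TODO remove mbedtls dependencies once mbedtls will be switched off; this branch assumes CONFIG_MBEDTLS is not set together with CONFIG_CHIP_CRYPTO_PSA`. The chain's opening `if` starts outside the hunk.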
@@ -271,11 +271,11 @@ config CHIP_MALLOC_SYS_HEAP_SIZE
 endif
- # Enable mbedTLS from nrf_security library
 choice OPENTHREAD_SECURITY
- default OPENTHREAD_NRF_SECURITY_CHOICE
+ default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA
+ default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
 endchoice
 config PSA_CRYPTO_DRIVER_CC3XX
@@ -288,11 +288,45 @@ config MBEDTLS_ENABLE_HEAP
 default y
 config MBEDTLS_HEAP_SIZE
- default 15360
+ default 15360 if !CHIP_CRYPTO_PSA
+ default 17408 if CHIP_CRYPTO_PSA
+
+# Enable PSA Crypto dependencies for Matter
+
+if CHIP_CRYPTO_PSA
+
+config PSA_WANT_ALG_ECDSA
+ default y
+
+config PSA_WANT_ALG_ECDH
+ default y
+
+config MBEDTLS_PSA_CRYPTO_STORAGE_C
+ default y if !BUILD_WITH_TFM
+
+config PSA_NATIVE_ITS
+ default y if !BUILD_WITH_TFM
+
+config PSA_WANT_GENERATE_RANDOM
+ default y
+
+config PSA_WANT_ALG_CCM
+ default y
+
+config PSA_WANT_ALG_HMAC
+ default y
-config MBEDTLS_TLS_LIBRARY
+config PSA_WANT_ALG_HKDF
 default y
+# TODO not implemented yet in Matter, but can be enabled already
+config PSA_WANT_ALG_SPAKE2P
+ default y
+
+endif
+
+if !CHIP_CRYPTO_PSA
+
 config NRF_SECURITY_ADVANCED
 default y
@@ -324,10 +358,12 @@ config MBEDTLS_PK_WRITE_C
 default y
 config MBEDTLS_X509_CREATE_C
- default y if !CHIP_CRYPTO_PSA
+ default y
 config MBEDTLS_X509_CSR_WRITE_C
- default y if !CHIP_CRYPTO_PSA
+ default y
+
+endif
 # Disable unneeded crypto operations
diff --git a/config/zephyr/Kconfig b/config/zephyr/Kconfig
index e158a1efcd..fe4fb1bb86 100644
--- a/config/zephyr/Kconfig
+++ b/config/zephyr/Kconfig
@@ -266,6 +266,7 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL
 config CHIP_CRYPTO_PSA
 bool "Use PSA crypto API for cryptographic operations"
+ select EXPERIMENTAL
 help
 Enables the implementation of the Matter cryptographic operations that is based on the PSA crypto API (instead of the default implementation, which
diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp
index a9dd0cc35a..6eb15a8ff0 100644
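Review bot: In the -288 hunk `MBEDTLS_PSA_CRYPTO_STORAGE_C` and `PSA_NATIVE_ITS` default to y only under `!BUILD_WITH_TFM`, which means that without TF-M the PSA key storage backend is compiled into the application image, so the operational keys held by PSAOperationalKeystore get no more isolation than the settings storage already provides. That trade-off is security-relevant and nothing in the file says it; a comment above those two entries such as `# Without TF-M the PSA ITS backend lives in the application image; key isolation is then limited to what the storage backend provides` would make it explicit to integrators. The new `MBEDTLS_HEAP_SIZE` value of 17408 and the `PSA_WANT_ALG_SPAKE2P` entry flagged as not yet used in Matter would also each benefit from a line stating why they are set now.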
--- a/src/app/server/Server.cpp
+++ b/src/app/server/Server.cpp
@@ -532,7 +532,11 @@ void Server::ResumeSubscriptions()
 #endif
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore;
+#else
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#endif
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
 IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;
diff --git a/src/app/server/Server.h b/src/app/server/Server.h
index 380e8240ab..38521561cc 100644
--- a/src/app/server/Server.h
+++ b/src/app/server/Server.h
@@ -40,7 +40,11 @@
 #include
 #include
 #include
+#if CHIP_CRYPTO_PSA
+#include
+#else
 #include
+#endif
 #include
 #include
 #include
@@ -89,7 +93,7 @@ struct ServerInitParams
 ServerInitParams() = default;
 // Not copyable
- ServerInitParams(const ServerInitParams &) = delete;
+ ServerInitParams(const ServerInitParams &) = delete;
 ServerInitParams & operator=(const ServerInitParams &) = delete;
 // Application delegate to handle some commissioning lifecycle events
@@ -205,7 +209,7 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 CommonCaseDeviceServerInitParams() = default;
 // Not copyable
- CommonCaseDeviceServerInitParams(const CommonCaseDeviceServerInitParams &) = delete;
+ CommonCaseDeviceServerInitParams(const CommonCaseDeviceServerInitParams &) = delete;
 CommonCaseDeviceServerInitParams & operator=(const CommonCaseDeviceServerInitParams &) = delete;
 /**
@@ -231,10 +235,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 // PersistentStorageDelegate "software-based" operational key access injection
 if (this->operationalKeystore == nullptr)
 {
+#if CHIP_CRYPTO_PSA
+ this->operationalKeystore = &sPSAOperationalKeystore;
+#else
 // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
 // for examples and for now.
 ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
 this->operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
 }
 // OpCertStore can be injected but default to persistent storage default
@@ -286,7 +294,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 private:
 static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+ static PSAOperationalKeystore sPSAOperationalKeystore;
+#else
 static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
+#endif
 static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
 static Credentials::GroupDataProviderImpl sGroupDataProvider;
 static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;
diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h
index 6df3dc3a63..23b927f4ac 100644
--- a/src/crypto/CHIPCryptoPAL.h
+++ b/src/crypto/CHIPCryptoPAL.h
@@ -797,7 +797,7 @@ CHIP_ERROR Hash_SHA1(const uint8_t * data, size_t data_length, uint8_t * out_buf
 * All implementations must check for std::is_trivially_copyable.
 **/
-struct alignas(size_t) HashSHA256OpaqueContext
+struct alignas(uint64_t) HashSHA256OpaqueContext
 {
 uint8_t mOpaque[kMAX_Hash_SHA256_Context_Size];
 };
diff --git a/src/platform/Zephyr/PlatformManagerImpl.cpp b/src/platform/Zephyr/PlatformManagerImpl.cpp
index 0e5aac4bda..fba683f1ec 100644
--- a/src/platform/Zephyr/PlatformManagerImpl.cpp
+++ b/src/platform/Zephyr/PlatformManagerImpl.cpp
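Review bot: In the PSA arm `this->operationalKeystore = &sPSAOperationalKeystore;` is assigned without any `Init(...)` call, whereas the legacy arm initialises its keystore with `this->persistentStorageDelegate` first; if PSAOperationalKeystore genuinely needs no initialisation that is fine, but nothing here says so and a reader will assume a step was dropped. Add a one-line comment under `#if CHIP_CRYPTO_PSA`, e.g. `// PSAOperationalKeystore stores keys in the PSA keystore itself and takes no storage delegate, so no Init() is needed`, and if the existing WARNING about `Finish()` never being called applies to the PSA object as well, move it above the `#if` rather than leaving it in the `#else` arm only. The same `#if/#else` split appears in the -286 hunk of this file and in the Server.cpp hunk that defines the static, so whichever wording is chosen should be mirrored there. The enclosing member function starts and ends outside this hunk.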
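Review bot: `alignas(uint64_t)` replaces `alignas(size_t)` on `HashSHA256OpaqueContext` with no comment, and on 32-bit targets that raises the alignment requirement from 4 to 8 for every backend's context, not just the PSA one. The doc comment directly above already states the trivially-copyable requirement, so the reason belongs next to it, e.g. `* Aligned to uint64_t so that a backend context holding 64-bit fields fits in mOpaque on 32-bit targets` — the PSA hash operation as the motivating case is inferred from the rest of this commit, not from the hunk, so confirm and state the actual reason. Whether `kMAX_Hash_SHA256_Context_Size` still covers the PSA context is not visible here and is worth a sentence in the same comment.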
@@ -21,7 +21,7 @@
 * for Zephyr platforms.
 */
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 #include // nogncheck
 #endif // !CONFIG_NORDIC_SECURITY_BACKEND
@@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 static k_timer sOperationalHoursSavingTimer;
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
 {
 const struct device * entropy = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
@@ -71,7 +71,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s
 return ret;
 }
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer)
 {
@@ -108,20 +108,20 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
 CHIP_ERROR err;
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes)
 const size_t kThreshold = 16;
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 // Initialize the configuration system.
 err = Internal::ZephyrConfig::Init();
 SuccessOrExit(err);
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 // Add entropy source based on Zephyr entropy driver
 err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold);
 SuccessOrExit(err);
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 // Call _InitChipStack() on the generic implementation base class to finish the initialization process.
 err = Internal::GenericPlatformManagerImpl_Zephyr::_InitChipStack();
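Review bot: The `#if` at the top of the file is renamed to `!CONFIG_NRF_SECURITY`, but its closing `#endif // !CONFIG_NORDIC_SECURITY_BACKEND` on the line after the `#include` keeps the old symbol in its comment, so the guard now reads as if it closed a different condition; the -71 and -108 hunks in this file do update their `#endif` comments, this one was missed. Change it to `#endif // !CONFIG_NRF_SECURITY`.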
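Review bot: With `CONFIG_NRF_SECURITY` set, `_InitChipStack` no longer registers `app_entropy_source`, so the DRBG seeding path for that configuration is not visible in this file and a reader cannot tell whether it is supplied elsewhere (presumably by the nrf_security backend) or simply absent. A comment on the `#if !CONFIG_NRF_SECURITY` arm around the `add_entropy_source` call naming where entropy comes from in the other case, e.g. `// With CONFIG_NRF_SECURITY the backend seeds its own DRBG; no Zephyr entropy source is registered here`, would document that a build with no entropy source is not the intent — confirm the wording against the backend before committing it. `_InitChipStack` continues past the end of the hunk.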