Enable PSA crypto usage.

- Selected OpenThread security PSA Crypto background
- Switched to PSAOperationalKeystore when CHIP_CRYPTO_PSA is enabled
- Changed definitions from CONFIG_NORDIC_SECURITY_BACKEND to
CONFIG_NRF_SECURITY to avoid using MBEDTLS Legacy.

config/nrfconnect/chip-module/CMakeLists.txt

@@ -70,6 +70,12 @@ if (CONFIG_NORDIC_SECURITY_BACKEND)
 elseif(CONFIG_MBEDTLS)
     zephyr_include_directories($<TARGET_PROPERTY:mbedTLS,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_compile_definitions($<TARGET_PROPERTY:mbedTLS,INTERFACE_COMPILE_DEFINITIONS>)
+elseif(CONFIG_CHIP_CRYPTO_PSA)
+    # TODO remove mbedtls dependencies once mbedtls will be switched off
+    zephyr_include_directories($<TARGET_PROPERTY:mbedtls_external,INTERFACE_INCLUDE_DIRECTORIES>)
+    zephyr_include_directories($<TARGET_PROPERTY:mbedcrypto_common,INTERFACE_INCLUDE_DIRECTORIES>)
+    matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
+    matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=<nrf-config-user.h>)
 endif()
 
 if (CONFIG_NRF_802154_RADIO_DRIVER)

config/nrfconnect/chip-module/Kconfig.defaults

@@ -267,7 +267,8 @@ endif # CHIP_WIFI
 # ==============================================================================
 
 choice OPENTHREAD_SECURITY
-    default OPENTHREAD_NRF_SECURITY_CHOICE if NET_L2_OPENTHREAD
+    default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA
+    default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
 endchoice
 
 choice RNG_GENERATOR_CHOICE
@@ -284,18 +285,59 @@ config MBEDTLS_ENABLE_HEAP
     default y
 
 config MBEDTLS_HEAP_SIZE
-    default 8192
+    default 15360 if !CHIP_CRYPTO_PSA
+    default 17408 if CHIP_CRYPTO_PSA
 
-config NRF_SECURITY_ADVANCED
+# Enable PSA Crypto dependencies for Matter
+
+if CHIP_CRYPTO_PSA
+
+config PSA_WANT_ALG_ECDSA
     default y
 
-config MBEDTLS_AES_C
+config PSA_WANT_ALG_ECDH
     default y
 
-config MBEDTLS_ECP_C
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
     default y
 
-config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+config MBEDTLS_PSA_CRYPTO_STORAGE_C
+    default y if !BUILD_WITH_TFM
+
+config PSA_WANT_GENERATE_RANDOM
+    default y
+
+config PSA_WANT_ALG_CCM
+    default y
+
+config PSA_WANT_ALG_HMAC
+    default y
+
+config PSA_WANT_ALG_HKDF
+    default y
+
+config PSA_WANT_ALG_SHA_256
+    default y
+
+config PSA_WANT_ALG_SHA_224
+    default n
+
+config PSA_WANT_ALG_SPAKE2P
+    default y
+
+config PSA_WANT_ALG_SHA_256
+    default y
+
+# config PSA_CRYPTO_SPAKE2_USE_VERSION_04
+#     default y
+endif
+
+if !CHIP_CRYPTO_PSA
+
+config NRF_SECURITY_ADVANCED
+    default y
+
+config MBEDTLS_AES_C
     default y
 
 config MBEDTLS_CTR_DRBG_C
@@ -317,10 +359,18 @@ config MBEDTLS_PK_WRITE_C
     default y
 
 config MBEDTLS_X509_CREATE_C
-    default y if !CHIP_CRYPTO_PSA
+    default y
 
 config MBEDTLS_X509_CSR_WRITE_C
-    default y if !CHIP_CRYPTO_PSA
+    default y
+
+config MBEDTLS_ECP_C
+    default y
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    default y
+
+endif
 
 config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
     default n if CHIP_WIFI

config/zephyr/Kconfig

@@ -267,6 +267,7 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL
 
 config CHIP_CRYPTO_PSA
 	bool "Use PSA crypto API for cryptographic operations"
+	select EXPERIMENTAL
 	help
 	  Enables the implementation of the Matter cryptographic operations that is
 	  based on the PSA crypto API (instead of the default implementation, which

src/app/server/Server.cpp

@@ -554,7 +554,11 @@ void Server::ResumeSubscriptions()
 Credentials::IgnoreCertificateValidityPeriodPolicy Server::sDefaultCertValidityPolicy;
 
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore;
+#else
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#endif
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
 app::DefaultTimerDelegate CommonCaseDeviceServerInitParams::sTimerDelegate;

src/app/server/Server.h

@@ -40,7 +40,11 @@
 #include <credentials/PersistentStorageOpCertStore.h>
 #include <crypto/DefaultSessionKeystore.h>
 #include <crypto/OperationalKeystore.h>
+#if CHIP_CRYPTO_PSA
+#include <crypto/PSAOperationalKeystore.h>
+#else
 #include <crypto/PersistentStorageOperationalKeystore.h>
+#endif
 #include <inet/InetConfig.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/support/SafeInt.h>
@@ -203,10 +207,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         // PersistentStorageDelegate "software-based" operational key access injection
         if (this->operationalKeystore == nullptr)
         {
+#if CHIP_CRYPTO_PSA
+            this->operationalKeystore = &sPSAOperationalKeystore;
+#else
             // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
             //          for examples and for now.
             ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
             this->operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
         }
 
         // OpCertStore can be injected but default to persistent storage default
@@ -262,7 +270,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 
 private:
     static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+    static PSAOperationalKeystore sPSAOperationalKeystore;
+#else
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
+#endif
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
     static chip::app::DefaultTimerDelegate sTimerDelegate;

src/platform/Zephyr/PlatformManagerImpl.cpp

@@ -21,7 +21,7 @@
  *          for Zephyr platforms.
  */
 
-#if !defined(CONFIG_NORDIC_SECURITY_BACKEND)
+#if !CONFIG_NRF_SECURITY
 #include <crypto/CHIPCryptoPAL.h> // nogncheck
 #endif                            // !defined(CONFIG_NORDIC_SECURITY_BACKEND)
 
@@ -45,7 +45,8 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 
 static k_timer sOperationalHoursSavingTimer;
 
-#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+
+#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
 static bool sChipStackEntropySourceAdded = false;
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
 {
@@ -72,7 +73,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s
 
     return ret;
 }
-#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
 
 void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer)
 {
@@ -109,7 +110,8 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
     CHIP_ERROR err;
 
-#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+
+#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
     // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes)
     const size_t kThreshold = 16;
 #endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
@@ -118,7 +120,7 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
     err = Internal::ZephyrConfig::Init();
     SuccessOrExit(err);
 
-#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
+#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
     if (!sChipStackEntropySourceAdded)
     {
         // Add entropy source based on Zephyr entropy driver

src/platform/nrfconnect/CHIPPlatformConfig.h

@@ -48,6 +48,10 @@
 #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208
 #endif
 
+#ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN
+#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN uint64_t
+#endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN
+
 // ==================== General Configuration Overrides ====================
 
 #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS