Enable PSA crypto usage.

- Selected OpenThread security PSA Crypto background
- Switched to PSAOperationalKeystore when CHIP_CRYPTO_PSA is enabled
- Changed definitions from CONFIG_NORDIC_SECURITY_BACKEND to
CONFIG_NRF_SECURITY to avoid using MBEDTLS Legacy.

config/nrfconnect/chip-module/CMakeLists.txt

@@ -66,6 +66,12 @@ if (CONFIG_NORDIC_SECURITY_BACKEND)
 elseif(CONFIG_MBEDTLS)
     zephyr_include_directories($<TARGET_PROPERTY:mbedTLS,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_compile_definitions($<TARGET_PROPERTY:mbedTLS,INTERFACE_COMPILE_DEFINITIONS>)
+elseif(CONFIG_CHIP_CRYPTO_PSA)
+    # TODO remove mbedtls dependencies once mbedtls will be switched off
+    zephyr_include_directories($<TARGET_PROPERTY:mbedtls_external,INTERFACE_INCLUDE_DIRECTORIES>)
+    zephyr_include_directories($<TARGET_PROPERTY:mbedcrypto_common,INTERFACE_INCLUDE_DIRECTORIES>)
+    matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
+    matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=<nrf-config-user.h>)
 endif()
 
 if (CONFIG_NRF_802154_RADIO_DRIVER)

config/nrfconnect/chip-module/Kconfig.defaults

@@ -275,7 +275,8 @@ endif
 # Enable mbedTLS from nrf_security library
 
 choice OPENTHREAD_SECURITY
-	default OPENTHREAD_NRF_SECURITY_CHOICE
+    default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA
+    default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
 endchoice
 
 config PSA_CRYPTO_DRIVER_CC3XX
@@ -288,40 +289,38 @@ config MBEDTLS_ENABLE_HEAP
     default y
 
 config MBEDTLS_HEAP_SIZE
-    default 15360
-
-config MBEDTLS_TLS_LIBRARY
-    default y
+    default 15360 if !CHIP_CRYPTO_PSA
+    default 32768 if CHIP_CRYPTO_PSA
 
 config NRF_SECURITY_ADVANCED
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_AES_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_ECP_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_ECP_DP_SECP256R1_ENABLED
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_CTR_DRBG_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_CIPHER_MODE_CTR
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_ECJPAKE_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_SHA256_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_PK_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_PK_WRITE_C
-    default y
+    default y if !CHIP_CRYPTO_PSA
 
 config MBEDTLS_X509_CREATE_C
     default y if !CHIP_CRYPTO_PSA

config/zephyr/Kconfig

@@ -266,6 +266,7 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL
 
 config CHIP_CRYPTO_PSA
 	bool "Use PSA crypto API for cryptographic operations"
+	select EXPERIMENTAL
 	help
 	  Enables the implementation of the Matter cryptographic operations that is
 	  based on the PSA crypto API (instead of the default implementation, which

src/app/server/Server.cpp

@@ -532,7 +532,11 @@ void Server::ResumeSubscriptions()
 #endif
 
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore;
+#else
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#endif
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
 IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;

src/app/server/Server.h

@@ -40,7 +40,11 @@
 #include <credentials/PersistentStorageOpCertStore.h>
 #include <crypto/DefaultSessionKeystore.h>
 #include <crypto/OperationalKeystore.h>
+#if CHIP_CRYPTO_PSA
+#include <crypto/PSAOperationalKeystore.h>
+#else
 #include <crypto/PersistentStorageOperationalKeystore.h>
+#endif
 #include <inet/InetConfig.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/support/SafeInt.h>
@@ -231,10 +235,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         // PersistentStorageDelegate "software-based" operational key access injection
         if (this->operationalKeystore == nullptr)
         {
+            #if CHIP_CRYPTO_PSA
+            this->operationalKeystore = &sPSAOperationalKeystore;
+            #else
             // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
             //          for examples and for now.
             ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
             this->operationalKeystore = &sPersistentStorageOperationalKeystore;
+            #endif
         }
 
         // OpCertStore can be injected but default to persistent storage default
@@ -286,7 +294,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 
 private:
     static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
+    #if CHIP_CRYPTO_PSA
+    static PSAOperationalKeystore sPSAOperationalKeystore;
+    #else
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
+    #endif
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
     static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;

src/crypto/CHIPCryptoPAL.h

@@ -797,7 +797,7 @@ CHIP_ERROR Hash_SHA1(const uint8_t * data, size_t data_length, uint8_t * out_buf
  *        All implementations must check for std::is_trivially_copyable.
  **/
 
-struct alignas(size_t) HashSHA256OpaqueContext
+struct alignas(uint64_t) HashSHA256OpaqueContext
 {
     uint8_t mOpaque[kMAX_Hash_SHA256_Context_Size];
 };

src/platform/Zephyr/PlatformManagerImpl.cpp

@@ -21,7 +21,7 @@
  *          for Zephyr platforms.
  */
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 #include <crypto/CHIPCryptoPAL.h> // nogncheck
 #endif                            // !CONFIG_NORDIC_SECURITY_BACKEND
 
@@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 
 static k_timer sOperationalHoursSavingTimer;
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
 {
     const struct device * entropy = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
@@ -71,7 +71,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s
 
     return ret;
 }
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
 void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer)
 {
@@ -108,20 +108,20 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
     CHIP_ERROR err;
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
     // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes)
     const size_t kThreshold = 16;
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
     // Initialize the configuration system.
     err = Internal::ZephyrConfig::Init();
     SuccessOrExit(err);
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
     // Add entropy source based on Zephyr entropy driver
     err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold);
     SuccessOrExit(err);
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
     // Call _InitChipStack() on the generic implementation base class to finish the initialization process.
     err = Internal::GenericPlatformManagerImpl_Zephyr<PlatformManagerImpl>::_InitChipStack();