From 64164e88c4fb1336ba4c3bae25f65a76bb2ec57b Mon Sep 17 00:00:00 2001 From: Arkadiusz Balys Date: Mon, 24 Jul 2023 16:20:26 +0200 Subject: [PATCH] Enable PSA crypto usage. - Selected OpenThread security PSA Crypto background - Switched to PSAOperationalKeystore when CHIP_CRYPTO_PSA is enabled - Changed definitions from CONFIG_NORDIC_SECURITY_BACKEND to CONFIG_NRF_SECURITY to avoid using MBEDTLS Legacy. --- config/nrfconnect/chip-module/CMakeLists.txt | 6 ++++ .../nrfconnect/chip-module/Kconfig.defaults | 29 +++++++++---------- config/zephyr/Kconfig | 1 + src/app/server/Server.cpp | 4 +++ src/app/server/Server.h | 12 ++++++++ src/crypto/CHIPCryptoPAL.h | 2 +- src/platform/Zephyr/PlatformManagerImpl.cpp | 14 ++++----- 7 files changed, 45 insertions(+), 23 deletions(-) diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt index aa6aeda436..cba23d5ee9 100644 --- a/config/nrfconnect/chip-module/CMakeLists.txt +++ b/config/nrfconnect/chip-module/CMakeLists.txt @@ -66,6 +66,12 @@ if (CONFIG_NORDIC_SECURITY_BACKEND) elseif(CONFIG_MBEDTLS) zephyr_include_directories($) zephyr_compile_definitions($) +elseif(CONFIG_CHIP_CRYPTO_PSA) + # TODO remove mbedtls dependencies once mbedtls will be switched off + zephyr_include_directories($) + zephyr_include_directories($) + matter_add_flags(-DMBEDTLS_CONFIG_FILE=) + matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=) endif() if (CONFIG_NRF_802154_RADIO_DRIVER) diff --git a/config/nrfconnect/chip-module/Kconfig.defaults b/config/nrfconnect/chip-module/Kconfig.defaults index 79317e134e..bc4f09ff9f 100644 --- a/config/nrfconnect/chip-module/Kconfig.defaults +++ b/config/nrfconnect/chip-module/Kconfig.defaults 
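Review bot: The new `elseif(CONFIG_CHIP_CRYPTO_PSA)` branch in CMakeLists.txt sits behind `if (CONFIG_NORDIC_SECURITY_BACKEND)` and `elseif(CONFIG_MBEDTLS)`, so it is only reached when both of those symbols are off. The TODO in the branch says mbedtls dependencies are still present, so a PSA build that keeps `CONFIG_MBEDTLS` set would presumably take the earlier branch and never add these include paths and config-file flags. The first branch also still tests `CONFIG_NORDIC_SECURITY_BACKEND`, while the C++ side of this patch switches to `CONFIG_NRF_SECURITY`. Either test `CONFIG_CHIP_CRYPTO_PSA` first, or add a comment stating which combinations of the three symbols are expected.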
@@ -275,7 +275,8 @@ endif # Enable mbedTLS from nrf_security library choice OPENTHREAD_SECURITY - default OPENTHREAD_NRF_SECURITY_CHOICE + default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA + default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA endchoice config PSA_CRYPTO_DRIVER_CC3XX @@ -288,40 +289,38 @@ config MBEDTLS_ENABLE_HEAP default y config MBEDTLS_HEAP_SIZE - default 15360 - -config MBEDTLS_TLS_LIBRARY - default y + default 15360 if !CHIP_CRYPTO_PSA + default 32768 if CHIP_CRYPTO_PSA config NRF_SECURITY_ADVANCED - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_AES_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_ECP_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_ECP_DP_SECP256R1_ENABLED - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_CTR_DRBG_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_CIPHER_MODE_CTR - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_ECJPAKE_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_SHA256_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_PK_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_PK_WRITE_C - default y + default y if !CHIP_CRYPTO_PSA config MBEDTLS_X509_CREATE_C default y if !CHIP_CRYPTO_PSA diff --git a/config/zephyr/Kconfig b/config/zephyr/Kconfig index e158a1efcd..fe4fb1bb86 100644 --- a/config/zephyr/Kconfig +++ b/config/zephyr/Kconfig @@ -266,6 +266,7 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL config CHIP_CRYPTO_PSA bool "Use PSA crypto API for cryptographic operations" + select EXPERIMENTAL help Enables the implementation of the Matter cryptographic operations that is based on the PSA crypto API (instead of the default implementation, which diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp index a9dd0cc35a..6eb15a8ff0 100644 --- a/src/app/server/Server.cpp +++ b/src/app/server/Server.cpp 
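Review bot: In the second Kconfig.defaults hunk, `config MBEDTLS_TLS_LIBRARY` / `default y` is deleted outright, while every neighbouring option is kept and narrowed to `default y if !CHIP_CRYPTO_PSA`. This changes the default for the legacy (non-PSA) build as well, which the commit description does not mention. If the removal is only needed for PSA, keep the entry as `default y if !CHIP_CRYPTO_PSA`, like the others. The new `default 32768 if CHIP_CRYPTO_PSA` heap size would also benefit from a one-line comment saying what drives the larger value.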
@@ -532,7 +532,11 @@ void Server::ResumeSubscriptions() #endif KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate; +#if CHIP_CRYPTO_PSA +PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore; +#else PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore; +#endif Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore; Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider; IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy; diff --git a/src/app/server/Server.h b/src/app/server/Server.h index 380e8240ab..c1c78cbc31 100644 --- a/src/app/server/Server.h +++ b/src/app/server/Server.h @@ -40,7 +40,11 @@ #include #include #include +#if CHIP_CRYPTO_PSA +#include +#else #include +#endif #include #include #include @@ -231,10 +235,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams // PersistentStorageDelegate "software-based" operational key access injection if (this->operationalKeystore == nullptr) { + #if CHIP_CRYPTO_PSA + this->operationalKeystore = &sPSAOperationalKeystore; + #else // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for // for examples and for now. ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate)); this->operationalKeystore = &sPersistentStorageOperationalKeystore; + #endif } // OpCertStore can be injected but default to persistent storage default 
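Review bot: The keystore choice in Server.cpp is made with `#if CHIP_CRYPTO_PSA`, and the same test is used in the three Server.h hunks (include block, `operationalKeystore` default, static member declaration). The Kconfig symbol is `CONFIG_CHIP_CRYPTO_PSA`, so `CHIP_CRYPTO_PSA` has to come from a build-config definition that these hunks do not show. If it is undefined where the test is evaluated, the preprocessor treats it as 0 and the build silently keeps `PersistentStorageOperationalKeystore`. A guard before the first use makes that failure visible: `#ifndef CHIP_CRYPTO_PSA` / `#error "CHIP_CRYPTO_PSA must be defined before selecting the operational keystore"` / `#endif`.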
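Review bot: The PSA branch of the `operationalKeystore == nullptr` block in Server.h assigns `&sPSAOperationalKeystore` with no initialisation step and no error path, whereas the legacy branch goes through `ReturnErrorOnFailure(...Init(...))`. Nothing in the hunk shows what happens to operational keys that `PersistentStorageOperationalKeystore` wrote earlier, so a device updated from a legacy build to a PSA build may no longer find its fabric keys. If migration is out of scope for this change, state it at the assignment, for example `// NOTE: keys written by PersistentStorageOperationalKeystore are not migrated to PSA storage.` The indented `#if`/`#else`/`#endif` inside the block also differ from the column-0 directives used elsewhere in the patch. The enclosing function starts and ends outside the hunk.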
@@ -286,7 +294,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams private: static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate; + #if CHIP_CRYPTO_PSA + static PSAOperationalKeystore sPSAOperationalKeystore; + #else static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore; + #endif static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore; static Credentials::GroupDataProviderImpl sGroupDataProvider; static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy; diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index 6df3dc3a63..23b927f4ac 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h @@ -797,7 +797,7 @@ CHIP_ERROR Hash_SHA1(const uint8_t * data, size_t data_length, uint8_t * out_buf * All implementations must check for std::is_trivially_copyable. **/ -struct alignas(size_t) HashSHA256OpaqueContext +struct alignas(uint64_t) HashSHA256OpaqueContext { uint8_t mOpaque[kMAX_Hash_SHA256_Context_Size]; }; diff --git a/src/platform/Zephyr/PlatformManagerImpl.cpp b/src/platform/Zephyr/PlatformManagerImpl.cpp index 0e5aac4bda..fba683f1ec 100644 --- a/src/platform/Zephyr/PlatformManagerImpl.cpp +++ b/src/platform/Zephyr/PlatformManagerImpl.cpp @@ -21,7 +21,7 @@ * for Zephyr platforms. */ -#if !CONFIG_NORDIC_SECURITY_BACKEND +#if !CONFIG_NRF_SECURITY #include // nogncheck #endif // !CONFIG_NORDIC_SECURITY_BACKEND @@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack }; static k_timer sOperationalHoursSavingTimer; -#if !CONFIG_NORDIC_SECURITY_BACKEND +#if !CONFIG_NRF_SECURITY static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen) { const struct device * entropy = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy)); 
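Review bot: The switch from `alignas(size_t)` to `alignas(uint64_t)` on `HashSHA256OpaqueContext` in CHIPCryptoPAL.h is made without any explanation. On a 32-bit target this raises the alignment of `mOpaque` from 4 to 8 bytes, presumably because the PSA hash operation object placed in the buffer needs it. Add a comment above the struct such as `// 8-byte aligned: the backend hash context stored in mOpaque may contain 64-bit members.` Each backend that places its context in `mOpaque` should also `static_assert` that the context's `sizeof` and `alignof` fit, next to the existing trivially-copyable requirement.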
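Review bot: In the first PlatformManagerImpl.cpp hunk, the closing `#endif // !CONFIG_NORDIC_SECURITY_BACKEND` after the include is left unchanged, although its `#if` now tests `CONFIG_NRF_SECURITY`. The other guards in this file had their closing comments updated, so this one now names a symbol that no longer controls the block. Change it to `#endif // !CONFIG_NRF_SECURITY`.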
@@ -71,7 +71,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s return ret; } -#endif // !CONFIG_NORDIC_SECURITY_BACKEND +#endif // !CONFIG_NRF_SECURITY void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer) { @@ -108,20 +108,20 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) { CHIP_ERROR err; -#if !CONFIG_NORDIC_SECURITY_BACKEND +#if !CONFIG_NRF_SECURITY // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes) const size_t kThreshold = 16; -#endif // !CONFIG_NORDIC_SECURITY_BACKEND +#endif // !CONFIG_NRF_SECURITY // Initialize the configuration system. err = Internal::ZephyrConfig::Init(); SuccessOrExit(err); -#if !CONFIG_NORDIC_SECURITY_BACKEND +#if !CONFIG_NRF_SECURITY // Add entropy source based on Zephyr entropy driver err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold); SuccessOrExit(err); -#endif // !CONFIG_NORDIC_SECURITY_BACKEND +#endif // !CONFIG_NRF_SECURITY // Call _InitChipStack() on the generic implementation base class to finish the initialization process. err = Internal::GenericPlatformManagerImpl_Zephyr::_InitChipStack();
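Review bot: The `#if !CONFIG_NRF_SECURITY` guards in `_InitChipStack` now skip `add_entropy_source(app_entropy_source, NULL, kThreshold)` for every build that enables nrf_security, and the code does not say where the RNG seed comes from in that case. The same guard also removes `app_entropy_source` itself in the two preceding hunks. Document the assumption at the guard, for example `// With CONFIG_NRF_SECURITY the library is expected to seed its own RNG, so no application entropy source is registered.` If that expectation depends on further Kconfig options, a build-time check on them would catch a configuration that ends up with no entropy source at all. The function body continues past the end of the hunk.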