Changes after the recent review

config/nrfconnect/chip-module/CMakeLists.txt

@@ -60,22 +60,19 @@ if (CONFIG_ARM)
     matter_add_cflags(--specs=nosys.specs)
 endif()
 
-if (CONFIG_NORDIC_SECURITY_BACKEND)
+if (CONFIG_NRF_SECURITY)
     zephyr_include_directories($<TARGET_PROPERTY:mbedtls_external,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_include_directories($<TARGET_PROPERTY:mbedcrypto_common,INTERFACE_INCLUDE_DIRECTORIES>)
     if(TARGET platform_cc3xx)
         zephyr_include_directories($<TARGET_PROPERTY:platform_cc3xx,INTERFACE_INCLUDE_DIRECTORIES>)
     endif()
     matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
+    if(CONFIG_CHIP_CRYPTO_PSA)
+        matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=<nrf-config-user.h>)
+    endif()
 elseif(CONFIG_MBEDTLS)
     zephyr_include_directories($<TARGET_PROPERTY:mbedTLS,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_compile_definitions($<TARGET_PROPERTY:mbedTLS,INTERFACE_COMPILE_DEFINITIONS>)
-elseif(CONFIG_CHIP_CRYPTO_PSA)
-    # TODO remove mbedtls dependencies once mbedtls will be switched off
-    zephyr_include_directories($<TARGET_PROPERTY:mbedtls_external,INTERFACE_INCLUDE_DIRECTORIES>)
-    zephyr_include_directories($<TARGET_PROPERTY:mbedcrypto_common,INTERFACE_INCLUDE_DIRECTORIES>)
-    matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
-    matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=<nrf-config-user.h>)
 endif()
 
 if (CONFIG_NRF_802154_RADIO_DRIVER)

config/nrfconnect/chip-module/Kconfig.defaults

@@ -267,8 +267,9 @@ endif # CHIP_WIFI
 # ==============================================================================
 
 choice OPENTHREAD_SECURITY
-    default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA
     default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
+    default OPENTHREAD_NRF_SECURITY_CHOICE
+
 endchoice
 
 choice RNG_GENERATOR_CHOICE
@@ -285,8 +286,9 @@ config MBEDTLS_ENABLE_HEAP
     default y
 
 config MBEDTLS_HEAP_SIZE
-    default 15360 if !CHIP_CRYPTO_PSA
     default 17408 if CHIP_CRYPTO_PSA
+    default 8192
+
 
 # Enable PSA Crypto dependencies for Matter
 
@@ -328,8 +330,15 @@ config PSA_WANT_ALG_SPAKE2P
 config PSA_WANT_ALG_SHA_256
     default y
 
-# config PSA_CRYPTO_SPAKE2_USE_VERSION_04
-#     default y
+config PSA_CRYPTO_SPAKE2P_USE_VERSION_04
+    default y
+
+# Disable secure storage for NRF52X and NRF53X
+choice SECURE_STORAGE_BACKEND_AEAD_KEY
+    default SECURE_STORAGE_BACKEND_AEAD_KEY_HASH_UID
+
+endchoice
+
 endif
 
 if !CHIP_CRYPTO_PSA

src/platform/Zephyr/PlatformManagerImpl.cpp

@@ -21,9 +21,9 @@
  *          for Zephyr platforms.
  */
 
-#if !CONFIG_NRF_SECURITY
+#if !defined(CONFIG_NRF_SECURITY)
 #include <crypto/CHIPCryptoPAL.h> // nogncheck
-#endif                            // !defined(CONFIG_NORDIC_SECURITY_BACKEND)
+#endif
 
 #include <platform/internal/CHIPDeviceLayerInternal.h>
 
@@ -45,7 +45,6 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 
 static k_timer sOperationalHoursSavingTimer;
 
-
 #if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
 static bool sChipStackEntropySourceAdded = false;
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
@@ -110,7 +109,6 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
     CHIP_ERROR err;
 
-
 #if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)
     // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes)
     const size_t kThreshold = 16;

src/platform/nrfconnect/CHIPPlatformConfig.h

@@ -48,9 +48,11 @@
 #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208
 #endif
 
+#ifdef CONFIG_CHIP_CRYPTO_PSA
 #ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN
-#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN uint64_t
+#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN psa_hash_operation_t
 #endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN
+#endif // CONFIG_CHIP_CRYPTO_PSA
 
 // ==================== General Configuration Overrides ====================