Enable PSA crypto usage.

- Selected OpenThread security PSA Crypto background
- Switched to PSAOperationalKeystore when CHIP_CRYPTO_PSA is enabled
- Changed definitions from CONFIG_NORDIC_SECURITY_BACKEND to
CONFIG_NRF_SECURITY to avoid using MBEDTLS Legacy.

config/nrfconnect/chip-module/CMakeLists.txt

@@ -66,6 +66,12 @@ if (CONFIG_NORDIC_SECURITY_BACKEND)
 elseif(CONFIG_MBEDTLS)
     zephyr_include_directories($<TARGET_PROPERTY:mbedTLS,INTERFACE_INCLUDE_DIRECTORIES>)
     zephyr_compile_definitions($<TARGET_PROPERTY:mbedTLS,INTERFACE_COMPILE_DEFINITIONS>)
+elseif(CONFIG_CHIP_CRYPTO_PSA)
+    # TODO remove mbedtls dependencies once mbedtls will be switched off
+    zephyr_include_directories($<TARGET_PROPERTY:mbedtls_external,INTERFACE_INCLUDE_DIRECTORIES>)
+    zephyr_include_directories($<TARGET_PROPERTY:mbedcrypto_common,INTERFACE_INCLUDE_DIRECTORIES>)
+    matter_add_flags(-DMBEDTLS_CONFIG_FILE=<nrf-config.h>)
+    matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=<nrf-config-user.h>)
 endif()
 
 if (CONFIG_NRF_802154_RADIO_DRIVER)

config/nrfconnect/chip-module/Kconfig.defaults

@@ -271,11 +271,11 @@ config CHIP_MALLOC_SYS_HEAP_SIZE
 
 endif
 
-
 # Enable mbedTLS from nrf_security library
 
 choice OPENTHREAD_SECURITY
-	default OPENTHREAD_NRF_SECURITY_CHOICE
+    default OPENTHREAD_NRF_SECURITY_CHOICE if !CHIP_CRYPTO_PSA
+    default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA
 endchoice
 
 config PSA_CRYPTO_DRIVER_CC3XX
@@ -288,21 +288,58 @@ config MBEDTLS_ENABLE_HEAP
     default y
 
 config MBEDTLS_HEAP_SIZE
-    default 15360
+    default 15360 if !CHIP_CRYPTO_PSA
+    default 17408 if CHIP_CRYPTO_PSA
+
+# Enable PSA Crypto dependencies for Matter
+
+if CHIP_CRYPTO_PSA
 
-config MBEDTLS_TLS_LIBRARY
+config PSA_WANT_ALG_ECDSA
     default y
 
-config NRF_SECURITY_ADVANCED
+config PSA_WANT_ALG_ECDH
     default y
 
-config MBEDTLS_AES_C
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR
     default y
 
-config MBEDTLS_ECP_C
+config MBEDTLS_PSA_CRYPTO_STORAGE_C
+    default y if !BUILD_WITH_TFM
+
+config PSA_NATIVE_ITS 
+    default y if !BUILD_WITH_TFM
+
+config PSA_WANT_GENERATE_RANDOM
     default y
 
-config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+config PSA_WANT_ALG_CCM
+    default y
+
+config PSA_WANT_ALG_HMAC
+    default y
+
+config PSA_WANT_ALG_HKDF
+    default y
+
+config PSA_WANT_ALG_SHA_256
+    default y
+
+config PSA_WANT_ALG_SHA_224
+    default n
+
+# TODO not implemented yet in Matter, but can be enabled already
+config PSA_WANT_ALG_SPAKE2P
+    default y
+
+endif
+
+if !CHIP_CRYPTO_PSA
+
+config NRF_SECURITY_ADVANCED
+    default y
+
+config MBEDTLS_AES_C
     default y
 
 config MBEDTLS_CTR_DRBG_C
@@ -324,10 +361,18 @@ config MBEDTLS_PK_WRITE_C
     default y
 
 config MBEDTLS_X509_CREATE_C
-    default y if !CHIP_CRYPTO_PSA
+    default y
 
 config MBEDTLS_X509_CSR_WRITE_C
-    default y if !CHIP_CRYPTO_PSA
+    default y
+
+config MBEDTLS_ECP_C
+    default y
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    default y
+
+endif
 
 # Disable unneeded crypto operations
 

config/zephyr/Kconfig

@@ -266,6 +266,7 @@ config CHIP_OPERATIONAL_TIME_SAVE_INTERVAL
 
 config CHIP_CRYPTO_PSA
 	bool "Use PSA crypto API for cryptographic operations"
+	select EXPERIMENTAL
 	help
 	  Enables the implementation of the Matter cryptographic operations that is
 	  based on the PSA crypto API (instead of the default implementation, which

src/app/server/Server.cpp

@@ -532,7 +532,11 @@ void Server::ResumeSubscriptions()
 #endif
 
 KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore;
+#else
 PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore;
+#endif
 Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore;
 Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider;
 IgnoreCertificateValidityPolicy CommonCaseDeviceServerInitParams::sDefaultCertValidityPolicy;

src/app/server/Server.h

@@ -40,7 +40,11 @@
 #include <credentials/PersistentStorageOpCertStore.h>
 #include <crypto/DefaultSessionKeystore.h>
 #include <crypto/OperationalKeystore.h>
+#if CHIP_CRYPTO_PSA
+#include <crypto/PSAOperationalKeystore.h>
+#else
 #include <crypto/PersistentStorageOperationalKeystore.h>
+#endif
 #include <inet/InetConfig.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/support/SafeInt.h>
@@ -89,7 +93,7 @@ struct ServerInitParams
     ServerInitParams() = default;
 
     // Not copyable
-    ServerInitParams(const ServerInitParams &) = delete;
+    ServerInitParams(const ServerInitParams &)             = delete;
     ServerInitParams & operator=(const ServerInitParams &) = delete;
 
     // Application delegate to handle some commissioning lifecycle events
@@ -205,7 +209,7 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
     CommonCaseDeviceServerInitParams() = default;
 
     // Not copyable
-    CommonCaseDeviceServerInitParams(const CommonCaseDeviceServerInitParams &) = delete;
+    CommonCaseDeviceServerInitParams(const CommonCaseDeviceServerInitParams &)             = delete;
     CommonCaseDeviceServerInitParams & operator=(const CommonCaseDeviceServerInitParams &) = delete;
 
     /**
@@ -231,10 +235,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         // PersistentStorageDelegate "software-based" operational key access injection
         if (this->operationalKeystore == nullptr)
         {
+#if CHIP_CRYPTO_PSA
+            this->operationalKeystore = &sPSAOperationalKeystore;
+#else
             // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
             //          for examples and for now.
             ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
             this->operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
         }
 
         // OpCertStore can be injected but default to persistent storage default
@@ -286,7 +294,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
 
 private:
     static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
+#if CHIP_CRYPTO_PSA
+    static PSAOperationalKeystore sPSAOperationalKeystore;
+#else
     static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore;
+#endif
     static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
     static Credentials::GroupDataProviderImpl sGroupDataProvider;
     static IgnoreCertificateValidityPolicy sDefaultCertValidityPolicy;

src/platform/Zephyr/PlatformManagerImpl.cpp

@@ -21,7 +21,7 @@
  *          for Zephyr platforms.
  */
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 #include <crypto/CHIPCryptoPAL.h> // nogncheck
 #endif                            // !CONFIG_NORDIC_SECURITY_BACKEND
 
@@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack };
 
 static k_timer sOperationalHoursSavingTimer;
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
 static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen)
 {
     const struct device * entropy = DEVICE_DT_GET(DT_CHOSEN(zephyr_entropy));
@@ -71,7 +71,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s
 
     return ret;
 }
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
 void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer)
 {
@@ -108,20 +108,20 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
     CHIP_ERROR err;
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
     // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes)
     const size_t kThreshold = 16;
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
     // Initialize the configuration system.
     err = Internal::ZephyrConfig::Init();
     SuccessOrExit(err);
 
-#if !CONFIG_NORDIC_SECURITY_BACKEND
+#if !CONFIG_NRF_SECURITY
     // Add entropy source based on Zephyr entropy driver
     err = chip::Crypto::add_entropy_source(app_entropy_source, NULL, kThreshold);
     SuccessOrExit(err);
-#endif // !CONFIG_NORDIC_SECURITY_BACKEND
+#endif // !CONFIG_NRF_SECURITY
 
     // Call _InitChipStack() on the generic implementation base class to finish the initialization process.
     err = Internal::GenericPlatformManagerImpl_Zephyr<PlatformManagerImpl>::_InitChipStack();

src/platform/nrfconnect/CHIPPlatformConfig.h

@@ -48,6 +48,10 @@
 #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208
 #endif
 
+#ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN
+#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN uint64_t
+#endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN
+
 // ==================== General Configuration Overrides ====================
 
 #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS