From f185cba99f4c5e025cf944517e6f9e5e5f38a502 Mon Sep 17 00:00:00 2001 From: Arkadiusz Balys Date: Mon, 24 Jul 2023 16:20:26 +0200 Subject: [PATCH] [nrf noup] Add PSA crypto usage and enable by default. - PSA Crypto API can be disabled by setting the CONFIG_CHIP_CRYPTO_PSA config to "n". - Selected OpenThread security PSA Crypto background - Enabled required PSA_WANT configs - Extended maximum PSA key slots to fit Matter requirements. --- config/nrfconnect/chip-module/CMakeLists.txt | 5 +- config/nrfconnect/chip-module/Kconfig | 4 ++ .../nrfconnect/chip-module/Kconfig.defaults | 50 +++++++++++++++---- src/app/server/Server.cpp | 4 ++ src/app/server/Server.h | 12 +++++ src/crypto/PSASpake2p.cpp | 2 +- src/platform/Zephyr/PlatformManagerImpl.cpp | 12 ++--- src/platform/nrfconnect/CHIPPlatformConfig.h | 6 +++ 8 files changed, 76 insertions(+), 19 deletions(-) diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt index 5bdb2d8808..82e45f6459 100644 --- a/config/nrfconnect/chip-module/CMakeLists.txt +++ b/config/nrfconnect/chip-module/CMakeLists.txt @@ -60,13 +60,16 @@ if (CONFIG_ARM) matter_add_cflags(--specs=nosys.specs) endif() -if (CONFIG_NORDIC_SECURITY_BACKEND) +if (CONFIG_NRF_SECURITY) zephyr_include_directories($) zephyr_include_directories($) if(TARGET platform_cc3xx) zephyr_include_directories($) endif() matter_add_flags(-DMBEDTLS_CONFIG_FILE=) + if(CONFIG_CHIP_CRYPTO_PSA) + matter_add_flags(-DMBEDTLS_USER_CONFIG_FILE=) + endif() elseif(CONFIG_MBEDTLS) zephyr_include_directories($) zephyr_compile_definitions($) diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig index 3414bdd26c..6afd11cca2 100644 --- a/config/nrfconnect/chip-module/Kconfig +++ b/config/nrfconnect/chip-module/Kconfig @@ -107,6 +107,10 @@ config CHIP_FACTORY_DATA bool "Factory data provider" select ZCBOR imply FPROTECT + imply MBEDTLS_X509_LIBRARY if CHIP_CRYPTO_PSA + imply MBEDTLS_X509_CRT_PARSE_C if CHIP_CRYPTO_PSA + imply MBEDTLS_PK_PARSE_C if CHIP_CRYPTO_PSA + imply MBEDTLS_TLS_LIBRARY if CHIP_CRYPTO_PSA help Enables the default nRF Connect factory data provider implementation that supports reading the factory data encoded in the CBOR format from the diff --git a/config/nrfconnect/chip-module/Kconfig.defaults b/config/nrfconnect/chip-module/Kconfig.defaults index 5495b3eb77..371d375aaa 100644 --- a/config/nrfconnect/chip-module/Kconfig.defaults +++ b/config/nrfconnect/chip-module/Kconfig.defaults @@ -267,16 +267,15 @@ endif # CHIP_WIFI # ============================================================================== choice OPENTHREAD_SECURITY - default OPENTHREAD_NRF_SECURITY_CHOICE if NET_L2_OPENTHREAD + default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA + default OPENTHREAD_NRF_SECURITY_CHOICE + endchoice choice RNG_GENERATOR_CHOICE default XOROSHIRO_RANDOM_GENERATOR if SOC_SERIES_NRF53X endchoice -config PSA_CRYPTO_DRIVER_CC3XX - default n - config OBERON_BACKEND default y @@ -285,17 +284,38 @@ config MBEDTLS_ENABLE_HEAP config MBEDTLS_HEAP_SIZE default 8192 + +# Enable PSA Crypto dependencies for Matter -config NRF_SECURITY_ADVANCED - default y +config CHIP_CRYPTO_PSA + default y if !CHIP_WIFI + imply PSA_WANT_ALG_SPAKE2P + # Set SPAKE2P to version 4 to be compatible with Matter specification. + imply PSA_CRYPTO_SPAKE2P_USE_VERSION_04 -config MBEDTLS_AES_C +if CHIP_CRYPTO_PSA + +config PSA_CRYPTO_DRIVER_CC3XX + default n + +config PSA_WANT_ALG_SHA_224 + default n + +config PSA_WANT_ALG_SPAKE2P default y -config MBEDTLS_ECP_C +# Extend the maximum number of PSA key slots to fit Matter requirements +config MBEDTLS_PSA_KEY_SLOT_COUNT + default 64 + +endif + +if !CHIP_CRYPTO_PSA + +config NRF_SECURITY_ADVANCED default y -config MBEDTLS_ECP_DP_SECP256R1_ENABLED +config MBEDTLS_AES_C default y config MBEDTLS_CTR_DRBG_C @@ -317,10 +337,18 @@ config MBEDTLS_PK_WRITE_C default y config MBEDTLS_X509_CREATE_C - default y if !CHIP_CRYPTO_PSA + default y config MBEDTLS_X509_CSR_WRITE_C - default y if !CHIP_CRYPTO_PSA + default y + +config MBEDTLS_ECP_C + default y + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + default y + +endif config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG default n if CHIP_WIFI diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp index 20846078ba..d6d04f3438 100644 --- a/src/app/server/Server.cpp +++ b/src/app/server/Server.cpp @@ -554,7 +554,11 @@ void Server::ResumeSubscriptions() Credentials::IgnoreCertificateValidityPeriodPolicy Server::sDefaultCertValidityPolicy; KvsPersistentStorageDelegate CommonCaseDeviceServerInitParams::sKvsPersistenStorageDelegate; +#if CHIP_CRYPTO_PSA +PSAOperationalKeystore CommonCaseDeviceServerInitParams::sPSAOperationalKeystore; +#else PersistentStorageOperationalKeystore CommonCaseDeviceServerInitParams::sPersistentStorageOperationalKeystore; +#endif Credentials::PersistentStorageOpCertStore CommonCaseDeviceServerInitParams::sPersistentStorageOpCertStore; Credentials::GroupDataProviderImpl CommonCaseDeviceServerInitParams::sGroupDataProvider; app::DefaultTimerDelegate CommonCaseDeviceServerInitParams::sTimerDelegate; diff --git a/src/app/server/Server.h b/src/app/server/Server.h index 89dc4f12cf..b7430d704d 100644 --- a/src/app/server/Server.h +++ b/src/app/server/Server.h @@ -40,7 +40,11 @@ #include #include #include +#if CHIP_CRYPTO_PSA +#include +#else #include +#endif #include #include #include @@ -203,10 +207,14 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams // PersistentStorageDelegate "software-based" operational key access injection if (this->operationalKeystore == nullptr) { +#if CHIP_CRYPTO_PSA + this->operationalKeystore = &sPSAOperationalKeystore; +#else // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for // for examples and for now. ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate)); this->operationalKeystore = &sPersistentStorageOperationalKeystore; +#endif } // OpCertStore can be injected but default to persistent storage default @@ -262,7 +270,11 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams private: static KvsPersistentStorageDelegate sKvsPersistenStorageDelegate; +#if CHIP_CRYPTO_PSA + static PSAOperationalKeystore sPSAOperationalKeystore; +#else static PersistentStorageOperationalKeystore sPersistentStorageOperationalKeystore; +#endif static Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore; static Credentials::GroupDataProviderImpl sGroupDataProvider; static chip::app::DefaultTimerDelegate sTimerDelegate; diff --git a/src/crypto/PSASpake2p.cpp b/src/crypto/PSASpake2p.cpp index 55a0b1d906..ecbc72426e 100644 --- a/src/crypto/PSASpake2p.cpp +++ b/src/crypto/PSASpake2p.cpp @@ -189,7 +189,7 @@ CHIP_ERROR PSASpake2p_P256_SHA256_HKDF_HMAC::GetKeys(uint8_t * out, size_t * out * - use psa_pake_shared_secret() proposed in https://github.com/ARM-software/psa-api/issues/86 * - refactor Matter's GetKeys API to take an abstract shared secret instead of raw secret bytes. */ - oberon_spake2p_operation_t & oberonCtx = mOperation.MBEDTLS_PRIVATE(ctx).oberon_spake2p_ctx; + oberon_spake2p_operation_t & oberonCtx = mOperation.MBEDTLS_PRIVATE(ctx).oberon_pake_ctx.ctx.oberon_spake2p_ctx; VerifyOrReturnError((oberonCtx.hash_len / 2) <= *out_len, CHIP_ERROR_BUFFER_TOO_SMALL); diff --git a/src/platform/Zephyr/PlatformManagerImpl.cpp b/src/platform/Zephyr/PlatformManagerImpl.cpp index 59f3a0df45..17e476085d 100644 --- a/src/platform/Zephyr/PlatformManagerImpl.cpp +++ b/src/platform/Zephyr/PlatformManagerImpl.cpp @@ -21,9 +21,9 @@ * for Zephyr platforms. */ -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#if !defined(CONFIG_NRF_SECURITY) #include // nogncheck -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#endif #include @@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack }; static k_timer sOperationalHoursSavingTimer; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) static bool sChipStackEntropySourceAdded = false; static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen) { @@ -72,7 +72,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s return ret; } -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer) { @@ -109,7 +109,7 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) { CHIP_ERROR err; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes) const size_t kThreshold = 16; #endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) @@ -118,7 +118,7 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) err = Internal::ZephyrConfig::Init(); SuccessOrExit(err); -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) if (!sChipStackEntropySourceAdded) { // Add entropy source based on Zephyr entropy driver diff --git a/src/platform/nrfconnect/CHIPPlatformConfig.h b/src/platform/nrfconnect/CHIPPlatformConfig.h index 778372394b..c8d67115f9 100644 --- a/src/platform/nrfconnect/CHIPPlatformConfig.h +++ b/src/platform/nrfconnect/CHIPPlatformConfig.h @@ -48,6 +48,12 @@ #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208 #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN psa_hash_operation_t +#endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#endif // CONFIG_CHIP_CRYPTO_PSA + // ==================== General Configuration Overrides ==================== #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS