pal: crypto use internal key storage

[KRKNWK-19108] Use default trusted key storage Signed-off-by: Krzysztof Taborowski <[email protected]>
nrfconnect · Jul 25, 2024 · a07de24 · a07de24
1 parent 2a6f796
commit a07de24
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 16 deletions.
diff --git a/Kconfig.dependencies b/Kconfig.dependencies
@@ -76,6 +76,7 @@ config SIDEWALK_CRYPTO
 	imply PSA_WANT_KEY_TYPE_HMAC
 	imply PSA_WANT_GENERATE_RANDOM
 	imply MBEDTLS_ENABLE_HEAP
+	imply MBEDTLS_PSA_CRYPTO_STORAGE_C
 	help
 	   Sidewalk security module
 

diff --git a/subsys/sal/sid_pal/src/sid_crypto_keys.c b/subsys/sal/sid_pal/src/sid_crypto_keys.c
@@ -9,13 +9,41 @@
 #include <zephyr/logging/log.h>
 
 LOG_MODULE_REGISTER(sid_crypto_key, CONFIG_SIDEWALK_CRYPTO_LOG_LEVEL);
-
 #define ESUCCESS (0)
 
+#ifdef CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
+#include <hw_unique_key.h>
+#ifndef HUK_HAS_KMU
+#include <zephyr/sys/reboot.h>
+#endif /* HUK_HAS_KMU */
+
+static int write_huk(void)
+{
+	if (!hw_unique_key_are_any_written()) {
+		int result = hw_unique_key_write_random();
+		if (result != HW_UNIQUE_KEY_SUCCESS) {
+			LOG_ERR("hw_unique_key_write_random error: %d", result);
+			return 0;
+		}
+		LOG_INF("Writing random keys to KMU Success!");
+#if !defined(HUK_HAS_KMU)
+		/* Reboot to allow the bootloader to load the key into CryptoCell. */
+		sys_reboot(0);
+#endif /* !defined(HUK_HAS_KMU) */
+	}
+
+	return 0;
+}
+#endif /* CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK */
+
 int sid_crypto_keys_init(void)
 {
-	/* TODO: intilize secure key sotrage */
-	return ESUCCESS;
+	int err = ESUCCESS;
+#ifdef CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK
+	err = write_huk();
+#endif /* CONFIG_TRUSTED_STORAGE_BACKEND_AEAD_KEY_DERIVE_FROM_HUK */
+
+	return err;
 }
 
 int sid_crypto_keys_set(psa_key_id_t id, uint8_t *data, size_t size)
@@ -55,7 +83,7 @@ int sid_crypto_keys_set(psa_key_id_t id, uint8_t *data, size_t size)
 		alg = PSA_ALG_CMAC;
 		type = PSA_KEY_TYPE_AES;
 		key_bits = 128;
-        /* TODO: What if one key can be used with two algs, eg PSA_ALG_CMAC and PSA_ALG_CTR? Should it be saved twice? */
+		/* TODO: What if one key can be used with two algs, eg PSA_ALG_CMAC and PSA_ALG_CTR? Should it be saved twice? */
 		break;
 	default:
 		LOG_ERR("No such key id %d", id);
@@ -105,6 +133,7 @@ int sid_crypto_keys_get(psa_key_id_t *id, uint8_t *data, size_t size)
 		return -EINVAL;
 	}
 
+	/* Check if a key data cosists only of key id and zeros */
 	psa_key_id_t *data_id = (psa_key_id_t *)data;
 	if (SID_CRYPTO_KEY_ID_LAST <= *data_id || PSA_KEY_ID_USER_MIN > *data_id) {
 		return -ENOENT;
@@ -123,7 +152,6 @@ int sid_crypto_keys_get(psa_key_id_t *id, uint8_t *data, size_t size)
 
 int sid_crypto_keys_deinit(void)
 {
-	/* TODO: is it needed? */
-
+	/* Nothing to do, left for stable api for future features */
 	return ESUCCESS;
 }
diff --git a/tests/functional/crypto_keys/CMakeLists.txt b/tests/functional/crypto_keys/CMakeLists.txt
@@ -12,4 +12,4 @@ project(sidewalk_functional_test)
 # add test file
 FILE(GLOB app_sources src/*.c)
 target_sources(app PRIVATE ${app_sources})
-target_include_directories(app PRIVATE .)
+target_include_directories(app PRIVATE . src)
diff --git a/tests/functional/crypto_keys/Kconfig b/tests/functional/crypto_keys/Kconfig
@@ -9,6 +9,9 @@ config SIDEWALK_BUILD
 config SIDEWALK_CRYPTO
 	default y
 
+config SIDEWALK_STORAGE
+	default y
+
 config SIDEWALK_CRYPTO_PSA_KEY_STORAGE
 	default y
 

diff --git a/tests/functional/crypto_keys/boards/nrf54l15pdk_nrf54l15_cpuapp.conf b/tests/functional/crypto_keys/boards/nrf54l15pdk_nrf54l15_cpuapp.conf
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_SOC_FLASH_NRF_TIMEOUT_MULTIPLIER=100
+
+# Use TRUSTED_STORAGE because this is a secure-only board
+CONFIG_TRUSTED_STORAGE=y
diff --git a/tests/functional/crypto_keys/src/main.c b/tests/functional/crypto_keys/src/main.c
@@ -6,37 +6,48 @@
 #include <zephyr/ztest.h>
 #include <sid_crypto_keys.h>
 #include <sid_pal_crypto_ifc.h>
+#include <sid_pal_storage_kv_ifc.h>
+
+#include <errno.h>
 
 #define TEST_KEY_SIZE (16)
 
+uint8_t test_key_data[TEST_KEY_SIZE] = { 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8,
+					 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, 0xB0 };
+psa_key_id_t test_key_id = SID_CRYPTO_KV_APP_KEY_KEY_ID;
+
 static void *setup(void)
 {
+	zassert_equal(SID_ERROR_NONE, sid_pal_storage_kv_init());
 	zassert_equal(SID_ERROR_NONE, sid_pal_crypto_init());
 
 	return NULL;
 }
 
 static void teardown(void *f)
 {
+	zassert_equal(PSA_SUCCESS, psa_destroy_key(test_key_id));
 	zassert_equal(SID_ERROR_NONE, sid_pal_crypto_deinit());
 }
 
-ZTEST(crypto_keys, test_sid_crypto_key)
+ZTEST(crypto_keys, test_sid_crypto_key_positive)
 {
 	psa_key_id_t new_key_id = PSA_KEY_ID_NULL;
-	psa_key_id_t key_id = SID_CRYPTO_KV_APP_KEY_KEY_ID;
-	uint8_t key_data[TEST_KEY_SIZE] = { 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8,
-					    0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF, 0xB0 };
+	int err = -ENOEXEC;
 
-	zassert_ok(sid_crypto_keys_init());
+	err = sid_crypto_keys_init();
+	zassert_equal(0, err, "code: %d", err);
 
-	zassert_ok(sid_crypto_keys_set(key_id, key_data, TEST_KEY_SIZE));
+	err = sid_crypto_keys_set(test_key_id, test_key_data, TEST_KEY_SIZE);
+	zassert_equal(0, err, "code: %d", err);
 
-	zassert_ok(sid_crypto_keys_get(&new_key_id, key_data, TEST_KEY_SIZE));
+	err = sid_crypto_keys_get(&new_key_id, test_key_data, TEST_KEY_SIZE);
+	zassert_equal(0, err, "code: %d", err);
 
-	zassert_equal(new_key_id, key_id);
+	zassert_equal(new_key_id, test_key_id);
 
-	zassert_ok(sid_crypto_keys_deinit());
+	err = sid_crypto_keys_deinit();
+	zassert_equal(0, err, "code: %d", err);
 }
 
 ZTEST_SUITE(crypto_keys, NULL, setup, NULL, NULL, teardown);