doc: crypto: updates to crypto samples, part 1

Updated the documentation of crypto samples.
Added sample output, cross-links to recently updated docs,
more details in the overview sections.
Edited sample.yaml for term and style consistency.
Future PRs will edit remaining crypto samples.
NCSDK-33435.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/samples/tfm.rst

@@ -3,7 +3,7 @@
 Trusted Firmware-M (TF-M) samples
 #################################
 
-This section lists the available |NCS| samples and tests for :ref:`ug_tfm`, one of the :ref:`security` features of the |NCS|.
+This section lists the available |NCS| samples and tests for :ref:`Trusted Firmware-M <ug_tfm>`, one of the :ref:`security` features of the |NCS|.
 
 You can start by checking the :ref:`tfm_hello_world` sample, which demonstrates how to add TF-M to an application.
 

doc/nrf/security/crypto/crypto_supported_features.rst

@@ -6599,6 +6599,8 @@ Based on this setting, Oberon PSA Crypto selects the most appropriate driver for
                    | :kconfig:option:`CONFIG_PSA_WANT_ECC_SECP_R1_256`
                    | :kconfig:option:`CONFIG_PSA_WANT_ECC_SECP_R1_384`
 
+.. _ug_crypto_supported_features_rng_algorithms:
+
 RNG algorithms
 ==============
 

doc/nrf/security/crypto/drivers.rst

@@ -69,6 +69,8 @@ Hardware drivers take precedence over software drivers, which provide fallback o
 
 .. psa_crypto_driver_table_end
 
+.. _crypto_drivers_driver_selection:
+
 Driver selection
 ****************
 

samples/crypto/aes_cbc/README.rst

@@ -7,7 +7,7 @@ Crypto: AES CBC
    :local:
    :depth: 2
 
-The AES CBC sample shows how to perform AES encryption and decryption operations using the CBC block cipher mode without padding and a 128-bit AES key.
+The AES CBC sample demonstrates how to use the :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` to perform AES encryption and decryption operations using the CBC block cipher mode without padding and a 128-bit AES key.
 
 Requirements
 ************
@@ -21,22 +21,38 @@ The sample supports the following development kits:
 Overview
 ********
 
-The sample performs the following operations:
+The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configures the following Kconfig options for the cryptographic features:
+
+* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_AES` - Used to enable support for AES key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.
+* :kconfig:option:`CONFIG_PSA_WANT_ALG_CBC_NO_PADDING` - Used to enable support for the CBC cipher mode without padding from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_cipher_modes`.
+* :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key and IV generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
+
+The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
+
+These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
+See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+
+Once built and run, the sample performs the following operations:
 
 1. Initialization:
 
-   a. The Platform Security Architecture (PSA) API is initialized.
-   #. A random AES key is generated and imported into the PSA crypto keystore.
+   a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.
+   #. A random 128-bit AES key is generated using :c:func:`psa_generate_key` and stored in the PSA crypto keystore.
+      The key is configured with usage flags for both encryption and decryption.
 
 #. Encryption and decryption of a sample plaintext:
 
-   a. A random initialization vector (IV) is generated.
-   #. Encryption is performed.
-   #. Decryption is performed.
+   a. An encryption operation is set up using :c:func:`psa_cipher_encrypt_setup` with the ``PSA_ALG_CBC_NO_PADDING`` algorithm.
+   #. A random initialization vector (IV) is generated using :c:func:`psa_cipher_generate_iv`.
+   #. Encryption is performed using :c:func:`psa_cipher_update` and finalized with :c:func:`psa_cipher_finish`.
+   #. A decryption operation is set up using :c:func:`psa_cipher_decrypt_setup`.
+   #. The IV from the encryption step is set using :c:func:`psa_cipher_set_iv`.
+   #. Decryption is performed using :c:func:`psa_cipher_update` and finalized with :c:func:`psa_cipher_finish`.
+   #. The decrypted text is compared with the original plaintext to verify correctness.
 
 #. Cleanup:
 
-   a. The AES key is removed from the PSA crypto keystore.
+   a. The AES key is removed from the PSA crypto keystore using :c:func:`psa_destroy_key`.
 
 Building and running
 ********************
@@ -50,6 +66,49 @@ Testing
 
 After programming the sample to your development kit, complete the following steps to test it:
 
+.. crypto_sample_testing_start
+
 1. |connect_terminal|
-#. Compile and program the application.
-#. Observe the logs from the application using a terminal emulator.
+#. Build and program the application.
+#. Observe the logs from the application using the terminal emulator.
+   For example, the log output should look like this:
+
+.. crypto_sample_testing_end
+
+.. code-block:: text
+
+   *** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
+   *** Using Zephyr OS v4.1.99-1612683d4010 ***
+   [00:00:00.251,159] <inf> aes_cbc: Starting AES-CBC-NO-PADDING example...
+   [00:00:00.251,190] <inf> aes_cbc: Generating random AES key...
+   [00:00:00.251,342] <inf> aes_cbc: AES key generated successfully!
+   [00:00:00.251,373] <inf> aes_cbc: Encrypting using AES CBC MODE...
+   [00:00:00.251,708] <inf> aes_cbc: Encryption successful!
+   [00:00:00.251,708] <inf> aes_cbc: ---- IV (len: 16): ----
+   [00:00:00.251,739] <inf> aes_cbc: Content:
+                                    c3 1e 5b 35 97 25 ee a3  ef ba 66 c3 f9 81 37 2a |..[5.%.. ..f...7*
+   [00:00:00.251,770] <inf> aes_cbc: ---- IV end  ----
+   [00:00:00.251,800] <inf> aes_cbc: ---- Plaintext (len: 64): ----
+   [00:00:00.251,831] <inf> aes_cbc: Content:
+                                    45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t
+                                    6f 20 64 65 6d 6f 6e 73  74 72 61 74 65 20 62 61 |o demons trate ba
+                                    73 69 63 20 75 73 61 67  65 20 6f 66 20 41 45 53 |sic usag e of AES
+                                    20 43 42 43 20 6d 6f 64  65 2e 00 00 00 00 00 00 | CBC mod e.......
+   [00:00:00.251,831] <inf> aes_cbc: ---- Plaintext end  ----
+   [00:00:00.251,861] <inf> aes_cbc: ---- Encrypted text (len: 64): ----
+   [00:00:00.251,892] <inf> aes_cbc: Content:
+                                    cc 7d c0 ed 63 5b df 28  08 2b 03 33 a4 3c dc 1d |.}..c[.( .+.3.<..
+                                    76 9d a9 cb 1c 49 4f 6d  ef b8 a2 aa 11 2c fc bd |v....IOm .....,..
+                                    39 56 54 b5 96 6e 13 e2  7d 22 26 1e 3c 7c 3e eb |9VT..n.. }"&.<|>.
+                                    15 60 31 d3 58 02 b6 85  98 63 2c e6 ad dc aa 19 |.`1.X... .c,.....
+   [00:00:00.251,922] <inf> aes_cbc: ---- Encrypted text end  ----
+   [00:00:00.251,953] <inf> aes_cbc: Decrypting using AES CBC MODE...
+   [00:00:00.252,166] <inf> aes_cbc: ---- Decrypted text (len: 64): ----
+   [00:00:00.252,197] <inf> aes_cbc: Content:
+                                    45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t
+                                    6f 20 64 65 6d 6f 6e 73  74 72 61 74 65 20 62 61 |o demons trate ba
+                                    73 69 63 20 75 73 61 67  65 20 6f 66 20 41 45 53 |sic usag e of AES
+                                    20 43 42 43 20 6d 6f 64  65 2e 00 00 00 00 00 00 | CBC mod e.......
+   [00:00:00.252,227] <inf> aes_cbc: ---- Decrypted text end  ----
+   [00:00:00.252,258] <inf> aes_cbc: Decryption successful!
+   [00:00:00.252,288] <inf> aes_cbc: Example finished successfully!

samples/crypto/aes_cbc/sample.yaml

@@ -1,8 +1,7 @@
 sample:
   description: |
-    This app provides an example of performing AES encryption and decryption
-    using AES CBC mode
-  name: AES CBC example
+    This sample demonstrates AES encryption and decryption using the AES CBC mode.
+  name: AES CBC sample
 tests:
   sample.aes_cbc.cc3xx:
     sysbuild: true

samples/crypto/aes_ccm/README.rst

@@ -7,8 +7,8 @@ Crypto: AES CCM
    :local:
    :depth: 2
 
-The AES CCM sample shows how to perform authenticated encryption and decryption operations using the CCM algorithm and a 128-bit key.
-The sample uses additional data and a random nonce.
+The AES CCM sample demonstrates how to use the :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` to perform authenticated encryption and decryption operations using the CCM AEAD algorithm with a 128-bit AES key.
+The sample uses additional authenticated data (AAD) and a random nonce.
 
 Requirements
 ************
@@ -22,22 +22,36 @@ The sample supports the following development kits:
 Overview
 ********
 
-The sample performs the following operations:
+The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configures the following Kconfig options for the cryptographic features:
+
+* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_AES` - Used to enable support for AES key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.
+* :kconfig:option:`CONFIG_PSA_WANT_ALG_CCM` - Used to enable support for the CCM AEAD algorithm from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_aead_algorithms`.
+* :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
+
+The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
+
+These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
+See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+
+Once built and run, the sample performs the following operations:
 
 1. Initialization:
 
-   a. The Platform Security Architecture (PSA) API is initialized.
-   #. A random AES key is generated and imported into the PSA crypto keystore.
+   a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.
+   #. A random 128-bit AES key is generated using :c:func:`psa_generate_key` and stored in the PSA crypto keystore.
+      The key is configured with usage flags for both encryption and decryption.
 
-#. Encryption and decryption of a sample plaintext:
+#. Authenticated encryption and decryption of a sample plaintext:
 
-   a. A random nonce is generated.
-   #. Authenticated encryption is performed.
-   #. Authenticated decryption is performed.
+   a. Authenticated encryption is performed using :c:func:`psa_aead_encrypt` with the ``PSA_ALG_CCM`` algorithm.
+      This function encrypts the plaintext with the provided nonce and additional authenticated data, and appends an authentication tag to the ciphertext.
+   #. Authenticated decryption is performed using :c:func:`psa_aead_decrypt`.
+      This function decrypts the ciphertext, verifies the authentication tag, and authenticates the additional data.
+   #. The decrypted text is compared with the original plaintext to verify correctness.
 
 #. Cleanup:
 
-   a. The AES key is removed from the PSA crypto keystore.
+   a. The AES key is removed from the PSA crypto keystore using :c:func:`psa_destroy_key`.
 
 Building and running
 ********************
@@ -51,6 +65,37 @@ Testing
 
 After programming the sample to your development kit, complete the following steps to test it:
 
-1. |connect_terminal|
-#. Compile and program the application.
-#. Observe the logs from the application using a terminal emulator.
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_testing_start
+   :end-before: crypto_sample_testing_end
+
+.. code-block::
+
+   *** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
+   *** Using Zephyr OS v4.1.99-1612683d4010 ***
+   [00:00:00.251,159] <inf> aes_ccm: Starting AES CCM example...
+   [00:00:00.251,190] <inf> aes_ccm: Generating random AES key...
+   [00:00:00.251,342] <inf> aes_ccm: AES key generated successfully!
+   [00:00:00.251,373] <inf> aes_ccm: Encrypting using AES CCM MODE...
+   [00:00:00.251,708] <inf> aes_ccm: Encryption successful!
+   [00:00:00.251,708] <inf> aes_ccm: ---- Nonce (len: 13): ----
+   [00:00:00.251,739] <inf> aes_ccm: Content:
+                                    SAMPLE NONCE
+   [00:00:00.251,770] <inf> aes_ccm: ---- Nonce end  ----
+   [00:00:00.251,800] <inf> aes_ccm: ---- Additional data (len: 35): ----
+   [00:00:00.251,831] <inf> aes_ccm: Content:
+                                    Example string of additional data
+   [00:00:00.251,831] <inf> aes_ccm: ---- Additional data end  ----
+   [00:00:00.251,861] <inf> aes_ccm: ---- Encrypted text (len: 115): ----
+   [00:00:00.251,892] <inf> aes_ccm: Content:
+                                    c4 36 60 2b 45 59 5b 12  35 00 00 00 00 00 00 00 |.6.+EY[..5.......
+                                b3 5d 47 06 89 a5 08 3b  e6 54 57 25 b9 49 02 50 |.]G....;.TW%.I.P
+                                d1 55 49 58 11 00 00 00  00 00 00 00 00 00 00 00 |.UX.............
+   [00:00:00.251,922] <inf> aes_ccm: ---- Encrypted text end  ----
+   [00:00:00.251,953] <inf> aes_ccm: Decrypting using AES CCM MODE...
+   [00:00:00.252,166] <inf> aes_ccm: ---- Decrypted text (len: 100): ----
+   [00:00:00.252,197] <inf> aes_ccm: Content:
+                                    Example string to demonstrate basic usage of AES CCM mode.
+   [00:00:00.252,227] <inf> aes_ccm: ---- Decrypted text end  ----
+   [00:00:00.252,258] <inf> aes_ccm: Decryption and authentication successful!
+   [00:00:00.252,288] <inf> aes_ccm: Example finished successfully!

samples/crypto/aes_ccm/sample.yaml

@@ -1,8 +1,7 @@
 sample:
   description: |
-    This app provides an example of performing AES encryption and decryption
-    using AES CCM mode
-  name: AES CCM example
+    This sample demonstrates AES encryption and decryption using the AES CCM mode.
+  name: AES CCM sample
 tests:
   sample.aes_ccm.cc3xx:
     sysbuild: true

samples/crypto/aes_ctr/README.rst

@@ -7,7 +7,7 @@ Crypto: AES CTR
    :local:
    :depth: 2
 
-The AES CTR sample shows how to perform AES encryption and decryption operations using the CTR block cipher mode without padding and a 128-bit AES key.
+The AES CTR sample demonstrates how to use the :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` to perform AES encryption and decryption operations using the CTR block cipher mode and a 128-bit AES key.
 
 Requirements
 ************
@@ -21,22 +21,38 @@ The sample supports the following development kits:
 Overview
 ********
 
-The sample performs the following operations:
+The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configures the following Kconfig options for the cryptographic features:
+
+* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_AES` - Used to enable support for AES key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.
+* :kconfig:option:`CONFIG_PSA_WANT_ALG_CTR` - Used to enable support for the CTR cipher mode from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_cipher_modes`.
+* :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key and IV generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
+
+The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
+
+These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
+See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+
+Once built and run, the sample performs the following operations:
 
 1. Initialization:
 
-   a. The Platform Security Architecture (PSA) API is initialized.
-   #. A random AES key is generated and imported into the PSA crypto keystore.
+   a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.
+   #. A random 128-bit AES key is generated using :c:func:`psa_generate_key` and stored in the PSA crypto keystore.
+      The key is configured with usage flags for both encryption and decryption.
 
 #. Encryption and decryption of a sample plaintext:
 
-   a. A random initialization vector (IV) is generated.
-   #. Encryption is performed.
-   #. Decryption is performed.
+   a. An encryption operation is set up using :c:func:`psa_cipher_encrypt_setup` with the ``PSA_ALG_CTR`` algorithm.
+   #. A random initialization vector (IV) is generated using :c:func:`psa_cipher_generate_iv`.
+   #. Encryption is performed using :c:func:`psa_cipher_update` and finalized with :c:func:`psa_cipher_finish`.
+   #. A decryption operation is set up using :c:func:`psa_cipher_decrypt_setup`.
+   #. The IV from the encryption step is set using :c:func:`psa_cipher_set_iv`.
+   #. Decryption is performed using :c:func:`psa_cipher_update` and finalized with :c:func:`psa_cipher_finish`.
+   #. The decrypted text is compared with the original plaintext to verify correctness.
 
 #. Cleanup:
 
-   a. The AES key is removed from the PSA crypto keystore.
+   a. The AES key is removed from the PSA crypto keystore using :c:func:`psa_destroy_key`.
 
 Building and running
 ********************
@@ -51,6 +67,34 @@ Testing
 
 After programming the sample to your development kit, complete the following steps to test it:
 
-1. |connect_terminal|
-#. Compile and program the application.
-#. Observe the logs from the application using a terminal emulator.
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_testing_start
+   :end-before: crypto_sample_testing_end
+
+.. code-block:: text
+
+   *** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
+   *** Using Zephyr OS v4.1.99-1612683d4010 ***
+   [00:00:00.123,456] <inf> aes_ctr: Starting AES CTR example...
+   [00:00:00.123,489] <inf> aes_ctr: Generating random AES key...
+   [00:00:00.123,512] <inf> aes_ctr: AES key generated successfully!
+   [00:00:00.123,545] <inf> aes_ctr: Encrypting using AES CTR MODE...
+   [00:00:00.123,567] <inf> aes_ctr: Encryption successful!
+   [00:00:00.123,589] <inf> aes_ctr: ---- IV (len: 16): ----
+   [00:00:00.123,611] <inf> aes_ctr: Content:
+                                01 02 03 04 05 06 07 08  09 0a 0b 0c 0d 0e 0f 10 |................
+   [00:00:00.123,633] <inf> aes_ctr: ---- IV end  ----
+   [00:00:00.123,655] <inf> aes_ctr: ---- Encrypted text (len: 56): ----
+   [00:00:00.123,677] <inf> aes_ctr: Content:
+                                5e 3a a2 c6 2f 8d 57 89  3c 90 1e a0 b2 d5 6c 48 |^:../.W.<.....lH
+                                d8 61 aa 35 4b da 09 83  a4 f6 18 e3 0b dd 92 0c |.a.5K...........
+                                7b 61 95 44 09 64 ea ef  ad b8 72 59 65 4f 6a 7c |{a.D.d....rYeOj|
+                                7f 81 f4 2a 3b 9d 3e 66  42 e5 db 87 4c 16        |...*;..fB...L.
+   [00:00:00.123,699] <inf> aes_ctr: ---- Encrypted text end  ----
+   [00:00:00.123,721] <inf> aes_ctr: Decrypting using AES CTR MODE...
+   [00:00:00.123,743] <inf> aes_ctr: ---- Decrypted text (len: 56): ----
+   [00:00:00.123,765] <inf> aes_ctr: Content:
+                                Example string to demonstrate basic usage of AES CTR mode.
+   [00:00:00.123,787] <inf> aes_ctr: ---- Decrypted text end  ----
+   [00:00:00.123,809] <inf> aes_ctr: Decryption successful!
+   [00:00:00.123,831] <inf> aes_ctr: Example finished successfully!

samples/crypto/aes_ctr/sample.yaml

@@ -1,8 +1,7 @@
 sample:
   description: |
-    This app provides an example of performing AES encryption and decryption
-    using AES CTR mode
-  name: AES CTR example
+    This sample demonstrates AES encryption and decryption using the AES CTR mode.
+  name: AES CTR sample
 tests:
   sample.aes_ctr.cc3xx:
     sysbuild: true