[crypto] PSA API: enable native ITS

LuDuda · LuDuda · commit 2955fcce8072 · 2025-04-24T00:33:16.000+02:00
This commit enables PSA native ITS implementation in the build system
for simulation and test platforms.

Signed-off-by: Łukasz Duda &lt;lukasz.duda@nordicsemi.no&gt;
diff --git a/examples/apps/cli/ftd.cmake b/examples/apps/cli/ftd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-cli-ftd PRIVATE
     openthread-cli-ftd
     ${OT_PLATFORM_LIB_FTD}
     openthread-ftd
-    ${OT_PLATFORM_LIB_FTD}
     openthread-cli-ftd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_FTD}
     ot-config-ftd
     ot-config
 )
diff --git a/examples/apps/cli/mtd.cmake b/examples/apps/cli/mtd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-cli-mtd PRIVATE
     openthread-cli-mtd
     ${OT_PLATFORM_LIB_MTD}
     openthread-mtd
-    ${OT_PLATFORM_LIB_MTD}
     openthread-cli-mtd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_MTD}
     ot-config-mtd
     ot-config
 )
diff --git a/examples/apps/ncp/ftd.cmake b/examples/apps/ncp/ftd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-ncp-ftd PRIVATE
     openthread-ncp-ftd
     ${OT_PLATFORM_LIB_FTD}
     openthread-ftd
-    ${OT_PLATFORM_LIB_FTD}
     openthread-ncp-ftd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_FTD}
     ot-config-ftd
     ot-config
 )
diff --git a/examples/apps/ncp/mtd.cmake b/examples/apps/ncp/mtd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-ncp-mtd PRIVATE
     openthread-ncp-mtd
     ${OT_PLATFORM_LIB_MTD}
     openthread-mtd
-    ${OT_PLATFORM_LIB_MTD}
     openthread-ncp-mtd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_MTD}
     ot-config-mtd
     ot-config
 )
diff --git a/examples/platforms/simulation/CMakeLists.txt b/examples/platforms/simulation/CMakeLists.txt
@@ -103,9 +103,10 @@ endif()
 
 target_link_libraries(openthread-simulation PRIVATE
     openthread-platform
+    mbedtls
+    openthread-native-its-file
     ot-simulation-config
     ot-config
-    mbedtls
 )
 
 target_compile_options(openthread-simulation PRIVATE
diff --git a/examples/platforms/simulation/system.c b/examples/platforms/simulation/system.c
@@ -61,6 +61,11 @@ extern otRadioCaps gRadioCaps;
 
 static volatile bool gTerminate = false;
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+static char        sNativeItsFileNamePrefix[256];
+extern const char *gItsFileNamePrefix;
+#endif
+
 static void handleSignal(int aSignal)
 {
     OT_UNUSED_VARIABLE(aSignal);
@@ -193,6 +198,12 @@ void otSysInit(int aArgCount, char *aArgVector[])
     signal(SIGTERM, &handleSignal);
     signal(SIGHUP, &handleSignal);
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+    snprintf(sNativeItsFileNamePrefix, sizeof(sNativeItsFileNamePrefix), "%s/%s_%d_",
+             OPENTHREAD_CONFIG_POSIX_SETTINGS_PATH, getenv("PORT_OFFSET") ? getenv("PORT_OFFSET") : "0", gNodeId);
+    gItsFileNamePrefix = sNativeItsFileNamePrefix;
+#endif
+
     platformLoggingInit(basename(aArgVector[0]));
     platformAlarmInit(speedUpFactor);
     platformRadioInit();
diff --git a/examples/platforms/simulation/virtual_time/platform-sim.c b/examples/platforms/simulation/virtual_time/platform-sim.c
@@ -60,6 +60,11 @@ static volatile bool gTerminate = false;
 int    gArgumentsCount = 0;
 char **gArguments      = NULL;
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+static char        sNativeItsFileNamePrefix[256];
+extern const char *gItsFileNamePrefix;
+#endif
+
 uint64_t sNow = 0; // microseconds
 int      sSockFd;
 uint16_t sPortBase = 9000;
@@ -222,6 +227,12 @@ void otSysInit(int argc, char *argv[])
         DieNow(OT_EXIT_FAILURE);
     }
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+    snprintf(sNativeItsFileNamePrefix, sizeof(sNativeItsFileNamePrefix), "%s/%s_%d_",
+             OPENTHREAD_CONFIG_POSIX_SETTINGS_PATH, getenv("PORT_OFFSET") ? getenv("PORT_OFFSET") : "0", gNodeId);
+    gItsFileNamePrefix = sNativeItsFileNamePrefix;
+#endif
+
     socket_init();
 
     platformAlarmInit(1);
diff --git a/tests/gtest/CMakeLists.txt b/tests/gtest/CMakeLists.txt
@@ -42,6 +42,8 @@ add_library(ot-fake-platform
 )
 target_link_libraries(ot-fake-platform
     ot-config
+    ${OT_MBEDTLS}
+    openthread-native-its-ram
 )
 
 add_library(ot-fake-ftd INTERFACE)
diff --git a/tests/gtest/fake_platform.cpp b/tests/gtest/fake_platform.cpp
@@ -49,6 +49,10 @@
 #include <openthread/platform/trel.h>
 #include <openthread/platform/udp.h>
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+#include <psa/crypto.h>
+#endif
+
 using namespace ot;
 
 bool operator<(const otExtAddress &aLeft, const otExtAddress &aRight)
@@ -480,6 +484,38 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength)
     return error;
 }
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/**
+ * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no
+ * API to configure a dedicated non-default entropy source. It is documented that a future version of
+ * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources.
+ *
+ * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already
+ * uses CSPRNG, we will call it here as well.
+ */
+extern "C" psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context,
+                                                        uint8_t                               *output,
+                                                        size_t                                 output_size,
+                                                        size_t                                *output_length)
+{
+    OT_UNUSED_VARIABLE(context);
+
+    otError      error;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    error = otPlatEntropyGet(output, (uint16_t)output_size);
+    if (error == OT_ERROR_NONE)
+    {
+        *output_length = output_size;
+        status         = PSA_SUCCESS;
+    }
+
+    return status;
+}
+#endif
+
+// otError otPlatCryptoExportKey(otCryptoKeyRef, uint8_t *, size_t, size_t *) { return OT_ERROR_NONE; }
+
 void otPlatDiagSetOutputCallback(otInstance *, otPlatDiagOutputCallback, void *) {}
 
 void otPlatDiagModeSet(bool) {}
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
@@ -117,10 +117,11 @@ set(COMMON_LIBS
     ot-test-platform-ftd
     openthread-ftd
     ot-test-platform-ftd
-    ${OT_MBEDTLS}
     ot-config
     openthread-ftd
     openthread-url
+    ${OT_MBEDTLS}
+    openthread-native-its-ram
 )
 
 set(COMMON_LIBS_RCP
diff --git a/third_party/CMakeLists.txt b/third_party/CMakeLists.txt
@@ -28,6 +28,7 @@
 
 if(NOT OT_EXTERNAL_MBEDTLS)
     add_subdirectory(mbedtls)
+    add_subdirectory(mbedtls/native_its)
 endif()
 
 add_subdirectory(tcplp)
diff --git a/third_party/mbedtls/CMakeLists.txt b/third_party/mbedtls/CMakeLists.txt
@@ -140,4 +140,5 @@ target_include_directories(mbedcrypto
     PRIVATE
         ${OT_PUBLIC_INCLUDES}
         $<TARGET_PROPERTY:ot-config,INTERFACE_INCLUDE_DIRECTORIES>
+        native_its/include
 )

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ add_library(ot-fake-platform`
`42`	`42`	`)`
`43`	`43`	`target_link_libraries(ot-fake-platform`
`44`	`44`	`ot-config`
	`45`	`+ ${OT_MBEDTLS}`
	`46`	`+ openthread-native-its-ram`
`45`	`47`	`)`
`46`	`48`
`47`	`49`	`add_library(ot-fake-ftd INTERFACE)`