[crypto] PSA API: enable native ITS in build system

LuDuda · LuDuda · commit f9b76041d294 · 2025-12-12T19:32:49.000+01:00
This commit enables PSA native ITS implementation in the build system
for simulation and test platforms.

Signed-off-by: Łukasz Duda &lt;lukasz.duda@nordicsemi.no&gt;
diff --git a/examples/apps/cli/ftd.cmake b/examples/apps/cli/ftd.cmake
@@ -48,9 +48,9 @@ target_link_libraries(ot-cli-ftd PRIVATE
     openthread-cli-ftd
     ${OT_PLATFORM_LIB_FTD}
     openthread-ftd
-    ${OT_PLATFORM_LIB_FTD}
     openthread-cli-ftd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_FTD}
     ot-config-ftd
     ot-config
 )
diff --git a/examples/apps/cli/mtd.cmake b/examples/apps/cli/mtd.cmake
@@ -48,9 +48,9 @@ target_link_libraries(ot-cli-mtd PRIVATE
     openthread-cli-mtd
     ${OT_PLATFORM_LIB_MTD}
     openthread-mtd
-    ${OT_PLATFORM_LIB_MTD}
     openthread-cli-mtd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_MTD}
     ot-config-mtd
     ot-config
 )
diff --git a/examples/apps/ncp/ftd.cmake b/examples/apps/ncp/ftd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-ncp-ftd PRIVATE
     openthread-ncp-ftd
     ${OT_PLATFORM_LIB_FTD}
     openthread-ftd
-    ${OT_PLATFORM_LIB_FTD}
     openthread-ncp-ftd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_FTD}
     ot-config-ftd
     ot-config
 )
diff --git a/examples/apps/ncp/mtd.cmake b/examples/apps/ncp/mtd.cmake
@@ -41,9 +41,9 @@ target_link_libraries(ot-ncp-mtd PRIVATE
     openthread-ncp-mtd
     ${OT_PLATFORM_LIB_MTD}
     openthread-mtd
-    ${OT_PLATFORM_LIB_MTD}
     openthread-ncp-mtd
     ${OT_MBEDTLS}
+    ${OT_PLATFORM_LIB_MTD}
     ot-config-mtd
     ot-config
 )
diff --git a/examples/platforms/simulation/CMakeLists.txt b/examples/platforms/simulation/CMakeLists.txt
@@ -103,9 +103,10 @@ endif()
 
 target_link_libraries(openthread-simulation PRIVATE
     openthread-platform
+    mbedtls
+    openthread-native-its-file
     ot-simulation-config
     ot-config
-    mbedtls
 )
 
 target_compile_options(openthread-simulation PRIVATE
diff --git a/examples/platforms/simulation/system.c b/examples/platforms/simulation/system.c
@@ -64,6 +64,11 @@ extern otRadioCaps gRadioCaps;
 
 static volatile bool gTerminate = false;
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+static char        sNativeItsFileNamePrefix[256];
+extern const char *gItsFileNamePrefix;
+#endif
+
 static void handleSignal(int aSignal)
 {
     OT_UNUSED_VARIABLE(aSignal);
@@ -196,6 +201,12 @@ void otSysInit(int aArgCount, char *aArgVector[])
     signal(SIGTERM, &handleSignal);
     signal(SIGHUP, &handleSignal);
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+    snprintf(sNativeItsFileNamePrefix, sizeof(sNativeItsFileNamePrefix), "%s/%s_%d_",
+             OPENTHREAD_CONFIG_POSIX_SETTINGS_PATH, getenv("PORT_OFFSET") ? getenv("PORT_OFFSET") : "0", gNodeId);
+    gItsFileNamePrefix = sNativeItsFileNamePrefix;
+#endif
+
     platformLoggingInit(basename(aArgVector[0]));
     platformAlarmInit(speedUpFactor);
     platformRadioInit();
diff --git a/examples/platforms/simulation/virtual_time/platform-sim.c b/examples/platforms/simulation/virtual_time/platform-sim.c
@@ -64,6 +64,11 @@ static bool sUseUnixSocket = false;
 int    gArgumentsCount = 0;
 char **gArguments      = NULL;
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+static char        sNativeItsFileNamePrefix[256];
+extern const char *gItsFileNamePrefix;
+#endif
+
 uint64_t sNow = 0; // microseconds
 int      sSockFd;
 uint16_t sPortBase = 9000;
@@ -273,6 +278,12 @@ void otSysInit(int argc, char *argv[])
         DieNow(OT_EXIT_FAILURE);
     }
 
+#if OPENTHREAD_PSA_CRYPTO_NATIVE_ITS_FILE && (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+    snprintf(sNativeItsFileNamePrefix, sizeof(sNativeItsFileNamePrefix), "%s/%s_%d_",
+             OPENTHREAD_CONFIG_POSIX_SETTINGS_PATH, getenv("PORT_OFFSET") ? getenv("PORT_OFFSET") : "0", gNodeId);
+    gItsFileNamePrefix = sNativeItsFileNamePrefix;
+#endif
+
     socket_init();
 
     platformAlarmInit(1);
diff --git a/src/core/instance/instance.cpp b/src/core/instance/instance.cpp
@@ -309,6 +309,7 @@ Instance::Instance(void)
     , mIsInitialized(false)
     , mId(Random::NonCrypto::GetUint32())
 {
+#if OPENTHREAD_MTD || OPENTHREAD_FTD
 #if OPENTHREAD_CONFIG_MULTIPLE_INSTANCE_ENABLE && OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
 #if OPENTHREAD_CONFIG_MULTIPLE_STATIC_INSTANCE_ENABLE
     mCryptoStorageKeyRefManager.SetKeyRefExtraOffset(Crypto::Storage::KeyRefManager::kKeyRefExtraOffset * GetIdx(this));
@@ -317,6 +318,7 @@ Instance::Instance(void)
        "The `KeyRef` values will be shared across different `Instance` objects"
 #endif
 #endif
+#endif
 }
 
 #if (OPENTHREAD_MTD || OPENTHREAD_FTD) && !OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE
diff --git a/tests/gtest/CMakeLists.txt b/tests/gtest/CMakeLists.txt
@@ -42,6 +42,8 @@ add_library(ot-fake-platform
 )
 target_link_libraries(ot-fake-platform
     ot-config
+    ${OT_MBEDTLS}
+    openthread-native-its-ram
 )
 
 add_library(ot-fake-ftd INTERFACE)
diff --git a/tests/gtest/fake_platform.cpp b/tests/gtest/fake_platform.cpp
@@ -50,6 +50,10 @@
 #include <openthread/platform/trel.h>
 #include <openthread/platform/udp.h>
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+#include <psa/crypto.h>
+#endif
+
 using namespace ot;
 
 bool operator<(const otExtAddress &aLeft, const otExtAddress &aRight)
@@ -482,6 +486,36 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength)
     return error;
 }
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/**
+ * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no
+ * API to configure a dedicated non-default entropy source. It is documented that a future version of
+ * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources.
+ *
+ * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already
+ * uses CSPRNG, we will call it here as well.
+ */
+extern "C" psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context,
+                                                        uint8_t                               *output,
+                                                        size_t                                 output_size,
+                                                        size_t                                *output_length)
+{
+    OT_UNUSED_VARIABLE(context);
+
+    otError      error;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    error = otPlatEntropyGet(output, (uint16_t)output_size);
+    if (error == OT_ERROR_NONE)
+    {
+        *output_length = output_size;
+        status         = PSA_SUCCESS;
+    }
+
+    return status;
+}
+#endif
+
 void otPlatDiagSetOutputCallback(otInstance *, otPlatDiagOutputCallback, void *) {}
 
 void otPlatDiagModeSet(bool) {}
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
@@ -117,10 +117,11 @@ set(COMMON_LIBS
     ot-test-platform-ftd
     openthread-ftd
     ot-test-platform-ftd
-    ${OT_MBEDTLS}
     ot-config
     openthread-ftd
     openthread-url
+    ${OT_MBEDTLS}
+    openthread-native-its-ram
 )
 
 set(COMMON_LIBS_RCP
diff --git a/third_party/CMakeLists.txt b/third_party/CMakeLists.txt
@@ -28,6 +28,7 @@
 
 if(NOT OT_EXTERNAL_MBEDTLS)
     add_subdirectory(mbedtls)
+    add_subdirectory(mbedtls/native_its)
 endif()
 
 add_subdirectory(tcplp)
diff --git a/third_party/mbedtls/CMakeLists.txt b/third_party/mbedtls/CMakeLists.txt
@@ -140,4 +140,5 @@ target_include_directories(mbedcrypto
     PRIVATE
         ${OT_PUBLIC_INCLUDES}
         $<TARGET_PROPERTY:ot-config,INTERFACE_INCLUDE_DIRECTORIES>
+        native_its/include
 )

Original file line number	Diff line number	Diff line change
`@@ -309,6 +309,7 @@ Instance::Instance(void)`
`309`	`309`	`, mIsInitialized(false)`
`310`	`310`	`, mId(Random::NonCrypto::GetUint32())`
`311`	`311`	`{`
	`312`	`+#if OPENTHREAD_MTD \|\| OPENTHREAD_FTD`
`312`	`313`	`#if OPENTHREAD_CONFIG_MULTIPLE_INSTANCE_ENABLE && OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE`
`313`	`314`	`#if OPENTHREAD_CONFIG_MULTIPLE_STATIC_INSTANCE_ENABLE`
`314`	`315`	`mCryptoStorageKeyRefManager.SetKeyRefExtraOffset(Crypto::Storage::KeyRefManager::kKeyRefExtraOffset * GetIdx(this));`
`@@ -317,6 +318,7 @@ Instance::Instance(void)`
`317`	`318`	"The `KeyRef` values will be shared across different `Instance` objects"
`318`	`319`	`#endif`
`319`	`320`	`#endif`
	`321`	`+#endif`
`320`	`322`	`}`
`321`	`323`
`322`	`324`	`#if (OPENTHREAD_MTD \|\| OPENTHREAD_FTD) && !OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ add_library(ot-fake-platform`
`42`	`42`	`)`
`43`	`43`	`target_link_libraries(ot-fake-platform`
`44`	`44`	`ot-config`
	`45`	`+ ${OT_MBEDTLS}`
	`46`	`+ openthread-native-its-ram`
`45`	`47`	`)`
`46`	`48`
`47`	`49`	`add_library(ot-fake-ftd INTERFACE)`