tests: crypto: Add support for testing wrapped keys in PSA crypto tests. #108
Conversation
Aasimshaik11
changed the title
TEST_WRAPPED_KEYS under siwx917 SoC to enable testing with wrapped keys. 2. Updated AEAD, Cipher, Hash, Key Agreement, and Sign test cases to: - Include sl_si91x_psa_wrap.h when CONFIG_TEST_WRAPPED_KEYS is set. - Configure key lifetime with PSA_KEY_VOLATILE_PERSISTENT_WRAP_IMPORT for wrapped key tests. - Print debug message when wrapper key mode is enabled. 3. Improved test clarity by updating assertion error messages and adding formatting for readability.
Aasimshaik11
force-pushed
the
zephyr-silabs-psa-crypto
branch
2 times, most recently
from
1192c41 to
dcad7b7
Compare
There was a problem hiding this comment.
Please ensure your PR follow the contribution workflow: https://docs.zephyrproject.org/latest/contribute/guidelines.html#contribution-workflow
Aasimshaik11
force-pushed
the
zephyr-silabs-psa-crypto
branch
from
2fb07ad to
87ee066
Compare
|
@Aasimshaik11 this PR still does not comply with the contribution workflow: Compliance also complains about the author names in the commit. Your |
Aasimshaik11
force-pushed
the
zephyr-silabs-psa-crypto
branch
12 times, most recently
from
94b5f0f to
8c02821
Compare
Aasimshaik11
requested review from
asmellby,
jerome-pouiller,
jhedberg and
silabs-AmerM
Aasimshaik11
force-pushed
the
zephyr-silabs-psa-crypto
branch
from
b1b08a6 to
ee71bcf
Compare
This commit consolidates and refactors wrapped key test functionality in
the PSA crypto test suite, improving maintainability and readability.
Key updates include:
1. Added support for testing wrapped keys in PSA crypto tests.
2. Introduced a new Kconfig option TEST_WRAPPED_KEYS to enable wrapped
key testing.
3. Updated AEAD, Cipher, Hash, Key Agreement, and Sign test cases to:
- Include sl_si91x_psa_wrap.h when CONFIG_TEST_WRAPPED_KEYS is set.
- Configure key lifetime using
PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION for wrapped key tests.
- Import wrapped keys for AES, ChaChaPoly, and ECDSA when wrapper
mode is active.
- Print debug messages when wrapper key mode is enabled.
4. Moved wrapper key configuration to the 917-specific implementation
and cleaned up redundant SoC-level handling.
5. Replaced preprocessor checks with IS_ENABLED() to improve readability
and ensure both code paths are compiled and type-checked.
6. Cleaned up redundant preprocessor blocks, fixed indentation, and
resolved build and style compliance issues per Zephyr guidelines.
7. Normalized comment alignment and indentation to meet clang-format and
checkpatch requirements.
These updates enhance test coverage, maintain consistency, and simplify
wrapped key configuration across PSA crypto test modules.
Signed-off-by: Aasim Shaik <[email protected]>
Aasimshaik11
force-pushed
the
zephyr-silabs-psa-crypto
branch
from
6cf5509 to
dce4bb2
Compare
soc/silabs/silabs_siwx917/Kconfig
Outdated
| default "sl_mbedtls_config_zephyr.h" \ | ||
| if PSA_CRYPTO_DRIVER_SILABS_SIWX91X | ||
|
|
||
| if SOC_SERIES_SIWG917 |
There was a problem hiding this comment.
As mentioned before, there should be no change to this file.
There was a problem hiding this comment.
The MACRO "CONFIG_TEST_WRAPPED_KEYS" or "TEST_WRAPPED_KEYS" has to be made available to the compiler from kconfig file. the inclusion of this in testcase.yaml just includes the test. So, I think either both can be there or it can be added only in the kconfig. Yaml file is optional. Is my understanding wrong?
There was a problem hiding this comment.
This file defines the 917 SoC, it makes no sense for the TEST_WRAPPED_KEYS definition to escape the test. It's already set in the test as a CMake variable, what is the purpose of adding a new Kconfig for this (and not even replacing the existing variable, just adding an extra one)?
| psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); | ||
| psa_set_key_bits(&attributes, 256); | ||
| if (IS_ENABLED(TEST_WRAPPED_KEYS)) { | ||
| if (IS_ENABLED(CONFIG_TEST_WRAPPED_KEYS)) { |
There was a problem hiding this comment.
Don't do this. The way it was is correct, the define is conditionally set by the testcase.
| if (IS_ENABLED(CONFIG_TEST_WRAPPED_KEYS)) { | ||
| psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( | ||
| PSA_KEY_PERSISTENCE_VOLATILE, 1)); | ||
| PSA_KEY_PERSISTENCE_VOLATILE, 0)); |
There was a problem hiding this comment.
This is wrong. Location 1 is the default SE location, and it should stay that way. Using location 0 does not exercise opaque drivers (=wrapped keys).
There was a problem hiding this comment.
@asmellby , We discussed during the meeting that location 1 does not generate wrap the keys. Location 0 generates the keys and gets it wrapped and stored in Host RAM(local storage). So, it should be 0. To make it consistent with PSA, we would have to modify the wrapper file and as we discussed, we dont want to have conflicting code in Wiseconnect and Zephyr. 1 is used only for import local key
There was a problem hiding this comment.
Location 0 does not wrap the keys. By changing to location 0 you are no longer testing what you want to test.
| zassert_equal(decrypted_len, sizeof(decrypted), "Decrypted length mismatch"); | ||
| zassert_mem_equal(decrypted, plaintext, sizeof(plaintext)); | ||
|
|
||
| ciphertext_buffer_256[0] += 1; |
There was a problem hiding this comment.
Why are you removing tests?
There was a problem hiding this comment.
@asmellby , This should not be needed, right? I think this was added by you, not sure what was the purpose. Can you let us know
There was a problem hiding this comment.
This is a negative test demonstrating that decryption doesn't wrongly succeed on the wrong ciphertext. It is not a duplicate.
soc/silabs/silabs_siwx917/Kconfig
Outdated
| default "sl_mbedtls_config_zephyr.h" \ | ||
| if PSA_CRYPTO_DRIVER_SILABS_SIWX91X | ||
|
|
||
| if SOC_SERIES_SIWG917 |
There was a problem hiding this comment.
This statement is already under if SOC_FAMILY_SILABS_SIWX91X. Is it useful to add this condition?
|
|
||
| if SOC_SERIES_SIWG917 | ||
| config TEST_WRAPPED_KEYS | ||
| bool "Enable Wrapper keys - specific to SiWG917" |
There was a problem hiding this comment.
This item will only appears when SILABS_SIWX91X is selected. You don't need to specify - specific to SiWG917.
I believe this symbols is misplaced. I understand right, it is an option of test/crypto/psa_crypto application.
| #include <psa/crypto.h> | ||
|
|
||
| #include <zephyr/sys/util.h> /* for IS_ENABLED() */ | ||
| #include "test_vectors.h" |
There was a problem hiding this comment.
Keep code consistent: group <zephyr/...> headers.
There was a problem hiding this comment.
BTW, I am surprised you need this include while the original code didn't need it.
| 0xEF, 0x6E, 0xD4, 0xDA, 0x71, 0xBF, 0xED, 0x32, 0x0D, 0x76, | ||
| }; | ||
| static const uint8_t expected_shared_secret[] = { | ||
| static const uint8_t expected_shared_secret[] __unused = { |
There was a problem hiding this comment.
Usually, one of the benefits of if (IS_ENABLED(CONFIG_XXXX)) is you don't need these annotations. Can you confirm you need this change?
| 0x12, 0xFB, 0x12, 0x17, 0x31, 0x32, 0x1D, 0x79, 0xAF, 0x0A, 0x9F, | ||
| 0xAB, 0xAD, 0x34, 0x05, 0xA2, 0x07, 0x39, 0x9C, 0x5F, 0x15, | ||
| }; | ||
|
|
There was a problem hiding this comment.
Original code was correct.
| if (!IS_ENABLED(CONFIG_TEST_WRAPPED_KEYS)) { | ||
| /* Verify shared secret */ | ||
| zassert_mem_equal(shared_secret_buf, expected_shared_secret, | ||
| sizeof(expected_shared_secret), |
There was a problem hiding this comment.
Indent with opening parenthesis.
| - xg29_rb4412a | ||
| - siwx917_rb4338a | ||
| extra_args: | ||
| - TEST_WRAPPED_KEYS=1 |
There was a problem hiding this comment.
I am surprize this statement works. I believe you mean:
extra_configs: CONFIG_TEST_WRAPPED_KEYS=y
Alternately, if you don't want to use CONFIG_ mechanism, you can use
extra_args: EXTRA_CFLAGS=-DTEST_WRAPPED_KEYS=1
There was a problem hiding this comment.
I am surprize this statement works.
I missed the content of CMakelists.txt. If we consider the comment in CMakelist.txt, CONFIG_TEST_WRAPPED_KEYS is not an option.
| if (IS_ENABLED(CONFIG_TEST_WRAPPED_KEYS)) { | ||
| psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( | ||
| PSA_KEY_PERSISTENCE_VOLATILE, 1)); | ||
| PSA_KEY_PERSISTENCE_VOLATILE, 0)); |
There was a problem hiding this comment.
@asmellby , We discussed during the meeting that location 1 does not generate wrap the keys. Location 0 generates the keys and gets it wrapped and stored in Host RAM(local storage). So, it should be 0. To make it consistent with PSA, we would have to modify the wrapper file and as we discussed, we dont want to have conflicting code in Wiseconnect and Zephyr. 1 is used only for import local key
| zassert_equal(decrypted_len, sizeof(decrypted), "Decrypted length mismatch"); | ||
| zassert_mem_equal(decrypted, plaintext, sizeof(plaintext)); | ||
|
|
||
| ciphertext_buffer_256[0] += 1; |
There was a problem hiding this comment.
@asmellby , This should not be needed, right? I think this was added by you, not sure what was the purpose. Can you let us know
| PSA_KEY_PERSISTENCE_VOLATILE, 0)); | ||
| zassert_equal(psa_generate_key(&attributes, &key_id), PSA_SUCCESS, | ||
| "Failed to generate key"); | ||
| } else { |
There was a problem hiding this comment.
@asmellby , as per you message on teams - you want us to remove the else part where import of local keys is being done, is my understanding right?
Removed conditional check for SOC_SERIES_SIWG917 around TEST_WRAPPED_KEYS configuration. Key updates include: 1. Edited Kconfig condition Signed-off-by: Aasim Shaik <[email protected]>
5 participants
Uh oh!
There was an error while loading. Please reload this page.