nrf_security: Don't enable RSA code by default

SebastianBoe · rlubos · commit 0692684d0e0b · 2024-01-29T15:14:14.000+01:00
Follow good practice by not enabling features by default.

The RSA code is particularly large.

This patch reduces the code and read-only data from 113kB to 80kB in
the sha256 sample using 53_ns.

Signed-off-by: Sebastian Bøe &lt;sebastian.boe@nordicsemi.no&gt;
diff --git a/applications/serial_lte_modem/overlay-native_tls.conf b/applications/serial_lte_modem/overlay-native_tls.conf
@@ -44,6 +44,8 @@ CONFIG_MBEDTLS_ECDSA_C=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
 CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
 CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR=y # dep for DETERMINISTIC_ECDSA
+CONFIG_PSA_WANT_ALG_HMAC=y # dep for DETERMINISTIC_ECDSA
 # Enable ECDH
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y
diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst
@@ -859,7 +859,11 @@ Libraries for NFC
 nRF Security
 ------------
 
-|no_changes_yet_note|
+* Updated the library to no longer enable RSA keys by default.
+  This reduces the code size by 30 kB for those that are not using RSA keys.
+  This will also break the configuration for those using the RSA keys without explicitly enabling an RSA key size.
+  Enable the required key size to fix the configuration, for example by setting the Kconfig option :kconfig:option:`CONFIG_PSA_WANT_RSA_KEY_SIZE_2048` if 2048-bit RSA keys are required.
+
 
 Other libraries
 ---------------
diff --git a/samples/crypto/rsa/prj.conf b/samples/crypto/rsa/prj.conf
@@ -16,3 +16,5 @@ CONFIG_MBEDTLS_HEAP_SIZE=16384
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
 CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR=y
 CONFIG_PSA_WANT_ALG_SHA_256=y
+
+CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
diff --git a/subsys/nrf_security/src/core/Kconfig b/subsys/nrf_security/src/core/Kconfig
@@ -13,7 +13,5 @@ config PSA_CORE_OBERON
 	select PSA_WANT_AES_KEY_SIZE_128
 	select PSA_WANT_AES_KEY_SIZE_192
 	select PSA_WANT_AES_KEY_SIZE_256
-	select PSA_WANT_RSA_KEY_SIZE_2048
-	select PSA_WANT_RSA_KEY_SIZE_3072
 
 endchoice
diff --git a/subsys/nrf_security/src/drivers/Kconfig b/subsys/nrf_security/src/drivers/Kconfig
@@ -160,7 +160,6 @@ menu "RSA key size configuration"
 config PSA_WANT_RSA_KEY_SIZE_1024
 	prompt "RSA 1024 bits key (weak)"
 	bool
-	default y
 	help
 	  RSA with 1024 bit keys are not recommended for new designs.
 	  Please see https://www.keylength.com/
diff --git a/tests/tfm/tfm_psa_test/prj.conf b/tests/tfm/tfm_psa_test/prj.conf
@@ -61,6 +61,9 @@ CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
 CONFIG_PSA_WANT_ALG_RSA_PSS=y
 
+# RSA requires at least one key size to be enabled
+CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
+
 # HASH
 CONFIG_PSA_WANT_ALG_SHA_1=n # This is used to test not supported return code
 CONFIG_PSA_WANT_ALG_SHA_224=y
diff --git a/tests/tfm/tfm_regression_test/prj.conf b/tests/tfm/tfm_regression_test/prj.conf
@@ -63,6 +63,8 @@ CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
 CONFIG_PSA_WANT_ALG_RSA_PSS=y
 
+CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
+
 # HASH
 CONFIG_PSA_WANT_ALG_SHA_1=n # This is used to test not supported return code
 CONFIG_PSA_WANT_ALG_SHA_224=y
