[nrf noup] PSA configuration required changes

de-nordic · rlubos · commit 3cdcdb32f254 · 2024-10-24T12:47:10.000+02:00
Set of changes to Kconfig, CMakeLists.txt and some of headers that are required for the PSA support to compile. Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no> (cherry picked from commit 6400cc8)
diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt
@@ -29,12 +29,18 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
 target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface)
 
 if(CONFIG_BOOT_USE_TINYCRYPT)
-target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
-  ../../../ext/tinycrypt/lib/include
-)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
+    ../../../ext/tinycrypt/lib/include
+  )
+endif()
+
+if(CONFIG_BOOT_USE_PSA_CRYPTO)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
+     ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
+  )
 endif()
 
-if(CONFIG_BOOT_USE_MBEDTLS)
+if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO AND NOT CONFIG_PSA_CORE_OBERON)
   zephyr_link_libraries(mbedTLS)
 endif()
 endif()
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
@@ -51,6 +51,12 @@ if(EXISTS targets/${BOARD}.h)
   zephyr_library_compile_definitions(MCUBOOT_TARGET_CONFIG="${BOARD}.h")
 endif()
 
+if(DEFINED CONFIG_MBEDTLS)
+  zephyr_library_include_directories(
+    ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
+  )
+endif()
+
 # Zephyr port-specific sources.
 zephyr_library_sources(
   main.c
@@ -102,6 +108,10 @@ zephyr_library_sources(
   ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c
   )
 
+if(DEFINED CONFIG_BOOT_ENCRYPT_X25519 AND DEFINED CONFIG_BOOT_ED25519_PSA)
+  zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c)
+endif()
+
 if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA)
   zephyr_library_sources(
     ${BOOT_DIR}/bootutil/src/boot_record.c
@@ -230,19 +240,28 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
     ${FIAT_DIR}/include/
   )
 
-  zephyr_library_sources(
-    ${FIAT_DIR}/src/curve25519.c
-  )
+  if(NOT CONFIG_BOOT_ED25519_PSA)
+    zephyr_library_sources(
+      ${FIAT_DIR}/src/curve25519.c
+    )
+  else()
+    zephyr_library_sources(
+      ${MBEDTLS_ASN1_DIR}/src/asn1parse.c
+      ${BOOT_DIR}/bootutil/src/ed25519_psa.c
+    )
+  endif()
 endif()
 
-if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
-  zephyr_library_sources(
-    ${TINYCRYPT_DIR}/source/aes_encrypt.c
-    ${TINYCRYPT_DIR}/source/aes_decrypt.c
-    ${TINYCRYPT_DIR}/source/ctr_mode.c
-    ${TINYCRYPT_DIR}/source/hmac.c
-    ${TINYCRYPT_DIR}/source/ecc_dh.c
+if(NOT CONFIG_BOOT_ED25519_PSA)
+  if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
+    zephyr_library_sources(
+      ${TINYCRYPT_DIR}/source/aes_encrypt.c
+      ${TINYCRYPT_DIR}/source/aes_decrypt.c
+      ${TINYCRYPT_DIR}/source/ctr_mode.c
+      ${TINYCRYPT_DIR}/source/hmac.c
+      ${TINYCRYPT_DIR}/source/ecc_dh.c
     )
+  endif()
 endif()
 
 if(CONFIG_BOOT_ENCRYPT_EC256)
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
@@ -29,7 +29,10 @@ config BOOT_USE_MBEDTLS
 
 config BOOT_USE_PSA_CRYPTO
 	bool
-	# Hidden option
+	default y if NRF_SECURITY
+	# This is counter intuitive but that is how PSA heap is enabled.
+	select MBEDTLS_ENABLE_HEAP
+	select MBEDTLS_PSA_CRYPTO_C
 	help
 	  Hidden option set if using PSA crypt for cryptography functionality
 
@@ -66,6 +69,58 @@ config NRF_CC310_BL
 	bool
 	default n
 
+if BOOT_USE_PSA_CRYPTO
+
+config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES
+	bool
+	default y if BOOT_IMG_HASH_ALG_SHA256
+	select PSA_WANT_ALG_SHA_256
+	help
+	  Dependencies for hashing with SHA256
+
+config BOOT_ED25519_PSA_DEPENDENCIES
+	bool
+	select PSA_WANT_ALG_SHA_256
+	select PSA_WANT_ALG_SHA_512
+	select PSA_WANT_ALG_PURE_EDDSA
+	select PSA_WANT_ECC_TWISTED_EDWARDS_255
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	help
+	  Dependencies for ed25519 signature
+
+if BOOT_ENCRYPT_IMAGE
+
+config BOOT_X25519_PSA_DEPENDENCIES
+	bool
+	select PSA_WANT_ALG_ECDH
+	select PSA_WANT_ALG_HMAC
+	select PSA_WANT_ALG_HKDF
+	select PSA_WANT_ALG_CTR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_DERIVE
+	select PSA_WANT_KEY_TYPE_AES
+	select PSA_WANT_ECC_MONTGOMERY_255
+	help
+	  Dependencies for x25519 shared-random key encryption and AES
+	  encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES
+	  enable Counter based block cipher and AES key, and algorithm support,
+	  to use with it; the others are used for shared key decryption
+	  and derivation.
+
+endif # BOOT_ENCRYPT_IMAGE
+
+if MBEDTLS_ENABLE_HEAP
+
+config MBEDTLS_HEAP_SIZE
+	default 2048 if BOOT_USE_PSA_CRYPTO
+	help
+	  The PSA internals need to be able to allocate memory for operation
+	  and it uses mbedTLS heap for that.
+
+endif # MBEDTLS_ENABLE_HEAP
+
+endif # BOOT_USE_PSA_CRYPTO
+
 menu "MCUBoot settings"
 
 config SINGLE_APPLICATION_SLOT
@@ -123,6 +178,7 @@ endchoice # BOOT_IMG_HASH_ALG
 
 choice BOOT_SIGNATURE_TYPE
 	prompt "Signature type"
+	default BOOT_SIGNATURE_TYPE_ED25519 if BOARD_NRF54L15PDK_NRF54L15_CPUAPP
 	default BOOT_SIGNATURE_TYPE_RSA
 
 config BOOT_SIGNATURE_TYPE_NONE
@@ -177,13 +233,24 @@ if BOOT_SIGNATURE_TYPE_ED25519
 choice BOOT_ED25519_IMPLEMENTATION
 	prompt "Ecdsa implementation"
 	default BOOT_ED25519_TINYCRYPT
+
 config BOOT_ED25519_TINYCRYPT
 	bool "Use tinycrypt"
 	select BOOT_USE_TINYCRYPT
+	depends on !NRF_SECURITY
+
 config BOOT_ED25519_MBEDTLS
 	bool "Use mbedTLS"
 	select BOOT_USE_MBEDTLS
 	select MBEDTLS
+	depends on !NRF_SECURITY
+
+config BOOT_ED25519_PSA
+	bool "Use PSA crypto"
+	select BOOT_USE_PSA_CRYPTO
+	select BOOT_ED25519_PSA_DEPENDENCIES
+	select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE
+
 endchoice
 endif
 
@@ -222,9 +289,13 @@ config MCUBOOT_CLEANUP_ARM_CORE
 	  start-up code which can cause a module fault and potentially make the
 	  module irrecoverable.
 
+if MBEDTLS
+
 config MBEDTLS_CFG_FILE
 	default "mcuboot-mbedtls-cfg.h"
 
+endif
+
 config BOOT_HW_KEY
 	bool "Use HW key for image verification"
 	default n
diff --git a/boot/zephyr/include/mcuboot-mbedtls-cfg.h b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
@@ -23,7 +23,7 @@
 
 #if defined(CONFIG_BOOT_SIGNATURE_TYPE_RSA) || defined(CONFIG_BOOT_ENCRYPT_RSA)
 #include "config-rsa.h"
-#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
+#elif defined(CONFIG_BOOT_USE_PSA_CRYPTO) || defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
       defined(CONFIG_BOOT_ENCRYPT_EC256) || \
       (defined(CONFIG_BOOT_ENCRYPT_X25519) && !defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519))
 #include "config-asn1.h"
