nrf_security: Guard IKG function with key type

Vge0rge · nordicjm · commit 166d9eb18228 · 2024-11-12T07:38:04.000Z
The IKG in Cracen only supports one asymmetric key
type, the SECP256R1. This guards the function call
to the IKG with the relevant configuration. This is
important because the PSA signing APIs can be used
with algorithms like EDDSA which have lower footprint
so it can reduce the flash usage when ECDSA is not
needed.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -637,11 +637,15 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_
 		if (key_buffer_size != sizeof(ikg_opaque_key)) {
 			return PSA_ERROR_INVALID_ARGUMENT;
 		}
-		priv_key =
-			si_sig_fetch_ikprivkey(sx_curve, ((ikg_opaque_key *)key_buffer)->owner_id);
-		data[0] = SI_ECC_PUBKEY_UNCOMPRESSED;
-		pub_key.key.eckey.qx = &data[1];
-		pub_key.key.eckey.qy = &data[1 + sx_pk_curve_opsize(sx_curve)];
+
+		if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {
+			priv_key = si_sig_fetch_ikprivkey(sx_curve, *key_buffer);
+			data[0] = SI_ECC_PUBKEY_UNCOMPRESSED;
+			pub_key.key.eckey.qx = &data[1];
+			pub_key.key.eckey.qy = &data[1 + sx_pk_curve_opsize(sx_curve)];
+		} else {
+			return PSA_ERROR_NOT_SUPPORTED;
+		}
 	} else {
 
 		switch (psa_curve) {
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c
@@ -100,15 +100,19 @@ static int cracen_signature_prepare_ec_prvkey(struct si_sig_privkey *privkey, ch
 		return status;
 	}
 
+	/* IKG supports one SECP256_R1 key */
 	if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
 	    PSA_KEY_LOCATION_CRACEN) {
 		if (key_buffer_size != sizeof(ikg_opaque_key)) {
 			return SX_ERR_INVALID_ARG;
 		}
-		*privkey =
-			si_sig_fetch_ikprivkey(*sicurve, ((ikg_opaque_key *)key_buffer)->owner_id);
 
-		return status;
+		if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {
+			*privkey = si_sig_fetch_ikprivkey(*sicurve, *key_buffer);
+			return status;
+		} else {
+			return SX_ERR_INCOMPATIBLE_HW;
+		}
 	}
 
 	if (key_buffer_size != PSA_BITS_TO_BYTES(psa_get_key_bits(attributes))) {
