nrf_security: Refactor blkcipher in Cracen

Vge0rge · rlubos · commit 196d0eb47a95 · 2025-09-24T09:08:27.000+02:00
In the Cracen driver the PSA context cracen_cipher_operation_t
already contains a struct sxkeyref and also a struct sxblkcipher
which also contains a sxkeyref struct. Instead of keeping two
instanses of the sxkeyref keep the one in the PSA operation
and convert the other one to pointer and refactor the code
of blkcipher accordingly.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cipher.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cipher.c
@@ -292,24 +292,24 @@ psa_status_t cracen_cipher_encrypt(const psa_key_attributes_t *attributes,
 	 * error and thus we don't need to write an else here.
 	 */
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECB_NO_PADDING_AES) && alg == PSA_ALG_ECB_NO_PADDING) {
-		struct sxkeyref key;
 
-		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size, &key);
+		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size,
+					    &operation.keyref);
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
-		return crypt_ecb(&operation.cipher, &key, input, input_length, output, output_size,
-				 output_length, CRACEN_ENCRYPT);
+
+		return crypt_ecb(&operation.cipher, &operation.keyref, input, input_length, output,
+				 output_size, output_length, CRACEN_ENCRYPT);
 	}
 	if (IS_ENABLED(PSA_NEED_CRACEN_CBC_PKCS7_AES) && alg == PSA_ALG_CBC_PKCS7) {
-		struct sxkeyref key;
-
-		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size, &key);
+		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size,
+					    &operation.keyref);
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
-		return encrypt_cbc(&key, input, input_length, output, output_size, output_length,
-				   iv);
+		return encrypt_cbc(&operation.keyref, input, input_length, output, output_size,
+				   output_length, iv);
 	}
 
 	status = setup(CRACEN_ENCRYPT, &operation, attributes, key_buffer, key_buffer_size, alg);
@@ -339,7 +339,6 @@ psa_status_t cracen_cipher_decrypt(const psa_key_attributes_t *attributes,
 	psa_status_t status;
 	/* ChaCha20 only supports 12 bytes IV in the single part decryption function */
 	const size_t iv_size = (alg == PSA_ALG_STREAM_CIPHER) ? 12 : SX_BLKCIPHER_IV_SZ;
-	struct sxkeyref key;
 	*output_length = 0;
 
 	if (input_length == 0) {
@@ -350,20 +349,22 @@ psa_status_t cracen_cipher_decrypt(const psa_key_attributes_t *attributes,
 	 * error and thus we don't need to write an else here.
 	 */
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECB_NO_PADDING_AES) && alg == PSA_ALG_ECB_NO_PADDING) {
-		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size, &key);
+		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size,
+					    &operation.keyref);
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
-		return crypt_ecb(&operation.cipher, &key, input, input_length, output, output_size,
-				 output_length, CRACEN_DECRYPT);
+		return crypt_ecb(&operation.cipher, &operation.keyref, input, input_length, output,
+				 output_size, output_length, CRACEN_DECRYPT);
 	}
 	if (IS_ENABLED(PSA_NEED_CRACEN_CBC_PKCS7_AES) && alg == PSA_ALG_CBC_PKCS7) {
-		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size, &key);
+		status = cracen_load_keyref(attributes, key_buffer, key_buffer_size,
+					    &operation.keyref);
 		if (status != PSA_SUCCESS) {
 			return status;
 		}
-		return decrypt_cbc(&key, input + iv_size, input_length - iv_size, output,
-				   output_size, output_length, input);
+		return decrypt_cbc(&operation.keyref, input + iv_size, input_length - iv_size,
+				   output, output_size, output_length, input);
 	}
 
 	if (input_length < iv_size) {
diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/internal.h b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/internal.h
@@ -111,7 +111,7 @@ struct sxaead {
  */
 struct sxblkcipher {
 	const struct sx_blkcipher_cmdma_cfg *cfg;
-	struct sxkeyref key;
+	const struct sxkeyref *key;
 	uint32_t textsz;
 	struct sx_dmactl dma;
 	struct sxdesc descs[5];
diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c
@@ -81,8 +81,8 @@ static const struct sx_blkcipher_cmdma_cfg ba411xtscfg = {
 int sx_blkcipher_free(struct sxblkcipher *cipher_ctx)
 {
 	int sx_err = SX_OK;
-	if (cipher_ctx->key.clean_key) {
-		sx_err = cipher_ctx->key.clean_key(cipher_ctx->key.user_data);
+	if (cipher_ctx->key && cipher_ctx->key->clean_key) {
+		sx_err = cipher_ctx->key->clean_key(cipher_ctx->key->user_data);
 	}
 	sx_cmdma_release_hw(&cipher_ctx->dma);
 	return sx_err;
@@ -106,8 +106,8 @@ static int sx_blkcipher_hw_reserve(struct sxblkcipher *cipher_ctx)
 		goto exit;
 	}
 
-	if (cipher_ctx->key.prepare_key) {
-		err = cipher_ctx->key.prepare_key(cipher_ctx->key.user_data);
+	if (cipher_ctx->key && cipher_ctx->key->prepare_key) {
+		err = cipher_ctx->key->prepare_key(cipher_ctx->key->user_data);
 	}
 
 exit:
@@ -140,7 +140,7 @@ static int sx_blkcipher_create_aesxts(struct sxblkcipher *cipher_ctx, const stru
 		}
 	}
 
-	memcpy(&cipher_ctx->key, key1, sizeof(cipher_ctx->key));
+	cipher_ctx->key = key1;
 	err = sx_blkcipher_hw_reserve(cipher_ctx);
 	if (err != SX_OK) {
 		return err;
@@ -207,7 +207,7 @@ static int sx_blkcipher_create_aes_ba411(struct sxblkcipher *cipher_ctx, const s
 		}
 	}
 
-	memcpy(&cipher_ctx->key, key, sizeof(cipher_ctx->key));
+	cipher_ctx->key = key;
 	cipher_ctx->cfg = cfg;
 	cipher_ctx->textsz = 0;
 
@@ -324,8 +324,9 @@ int sx_blkcipher_resume_state(struct sxblkcipher *cipher_ctx)
 	cipher_ctx->dma.dmamem.cfg &= ~(cipher_ctx->cfg->ctxsave);
 	sx_cmdma_newcmd(&cipher_ctx->dma, cipher_ctx->descs, cipher_ctx->dma.dmamem.cfg,
 			cipher_ctx->cfg->dmatags->cfg);
-	if (KEYREF_IS_USR(&cipher_ctx->key)) {
-		ADD_CFGDESC(cipher_ctx->dma, cipher_ctx->key.key, cipher_ctx->key.sz,
+
+	if (cipher_ctx->key && KEYREF_IS_USR(cipher_ctx->key)) {
+		ADD_CFGDESC(cipher_ctx->dma, cipher_ctx->key->key, cipher_ctx->key->sz,
 			    cipher_ctx->cfg->dmatags->key);
 	}
 	/* Context will be transferred in the same place as the IV. However,
diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/chachapoly.c b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/chachapoly.c
@@ -151,9 +151,9 @@ static int sx_blkcipher_create_chacha20(struct sxblkcipher *cipher_ctx, struct s
 		return SX_ERR_INVALID_KEY_SZ;
 	}
 
-	memcpy(&cipher_ctx->key, key, sizeof(cipher_ctx->key));
 	sx_hw_reserve(&cipher_ctx->dma);
 	cipher_ctx->cfg = &ba417chacha20cfg;
+	cipher_ctx->key = key;
 
 	sx_cmdma_newcmd(&cipher_ctx->dma, cipher_ctx->descs, BA417_MODE_CHACHA20 | dir,
 			cipher_ctx->cfg->dmatags->cfg);

Original file line number	Diff line number	Diff line change
`@@ -81,8 +81,8 @@ static const struct sx_blkcipher_cmdma_cfg ba411xtscfg = {`
`81`	`81`	`int sx_blkcipher_free(struct sxblkcipher *cipher_ctx)`
`82`	`82`	`{`
`83`	`83`	`int sx_err = SX_OK;`
`84`		`- if (cipher_ctx->key.clean_key) {`
`85`		`- sx_err = cipher_ctx->key.clean_key(cipher_ctx->key.user_data);`
	`84`	`+ if (cipher_ctx->key && cipher_ctx->key->clean_key) {`
	`85`	`+ sx_err = cipher_ctx->key->clean_key(cipher_ctx->key->user_data);`
`86`	`86`	`}`
`87`	`87`	`sx_cmdma_release_hw(&cipher_ctx->dma);`
`88`	`88`	`return sx_err;`
`@@ -106,8 +106,8 @@ static int sx_blkcipher_hw_reserve(struct sxblkcipher *cipher_ctx)`
`106`	`106`	`goto exit;`
`107`	`107`	`}`
`108`	`108`
`109`		`- if (cipher_ctx->key.prepare_key) {`
`110`		`- err = cipher_ctx->key.prepare_key(cipher_ctx->key.user_data);`
	`109`	`+ if (cipher_ctx->key && cipher_ctx->key->prepare_key) {`
	`110`	`+ err = cipher_ctx->key->prepare_key(cipher_ctx->key->user_data);`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`exit:`
`@@ -140,7 +140,7 @@ static int sx_blkcipher_create_aesxts(struct sxblkcipher *cipher_ctx, const stru`
`140`	`140`	`}`
`141`	`141`	`}`
`142`	`142`
`143`		`- memcpy(&cipher_ctx->key, key1, sizeof(cipher_ctx->key));`
	`143`	`+ cipher_ctx->key = key1;`
`144`	`144`	`err = sx_blkcipher_hw_reserve(cipher_ctx);`
`145`	`145`	`if (err != SX_OK) {`
`146`	`146`	`return err;`
`@@ -207,7 +207,7 @@ static int sx_blkcipher_create_aes_ba411(struct sxblkcipher *cipher_ctx, const s`
`207`	`207`	`}`
`208`	`208`	`}`
`209`	`209`
`210`		`- memcpy(&cipher_ctx->key, key, sizeof(cipher_ctx->key));`
	`210`	`+ cipher_ctx->key = key;`
`211`	`211`	`cipher_ctx->cfg = cfg;`
`212`	`212`	`cipher_ctx->textsz = 0;`
`213`	`213`
`@@ -324,8 +324,9 @@ int sx_blkcipher_resume_state(struct sxblkcipher *cipher_ctx)`
`324`	`324`	`cipher_ctx->dma.dmamem.cfg &= ~(cipher_ctx->cfg->ctxsave);`
`325`	`325`	`sx_cmdma_newcmd(&cipher_ctx->dma, cipher_ctx->descs, cipher_ctx->dma.dmamem.cfg,`
`326`	`326`	`cipher_ctx->cfg->dmatags->cfg);`
`327`		`- if (KEYREF_IS_USR(&cipher_ctx->key)) {`
`328`		`- ADD_CFGDESC(cipher_ctx->dma, cipher_ctx->key.key, cipher_ctx->key.sz,`
	`327`	`+`
	`328`	`+ if (cipher_ctx->key && KEYREF_IS_USR(cipher_ctx->key)) {`
	`329`	`+ ADD_CFGDESC(cipher_ctx->dma, cipher_ctx->key->key, cipher_ctx->key->sz,`
`329`	`330`	`cipher_ctx->cfg->dmatags->key);`
`330`	`331`	`}`
`331`	`332`	`/* Context will be transferred in the same place as the IV. However,`
Original file line number	Diff line number	Diff line change
`@@ -151,9 +151,9 @@ static int sx_blkcipher_create_chacha20(struct sxblkcipher *cipher_ctx, struct s`
`151`	`151`	`return SX_ERR_INVALID_KEY_SZ;`
`152`	`152`	`}`
`153`	`153`
`154`		`- memcpy(&cipher_ctx->key, key, sizeof(cipher_ctx->key));`
`155`	`154`	`sx_hw_reserve(&cipher_ctx->dma);`
`156`	`155`	`cipher_ctx->cfg = &ba417chacha20cfg;`
	`156`	`+ cipher_ctx->key = key;`
`157`	`157`
`158`	`158`	`sx_cmdma_newcmd(&cipher_ctx->dma, cipher_ctx->descs, BA417_MODE_CHACHA20 \| dir,`
`159`	`159`	`cipher_ctx->cfg->dmatags->cfg);`