doc: crypto: updates to crypto samples, part 2

Updated the documentation of crypto samples.
Added sample output, cross-links to recently updated docs,
more details in the overview sections. Edited sample.yaml
for term and style consistency.
Future PRs will edit remaining crypto samples.
NCSDK-33435. Follow-up to #25032.

Signed-off-by: Grzegorz Ferenc <[email protected]>

Author: greg-fer

doc/nrf/security/crypto/crypto_supported_features.rst

@@ -2503,6 +2503,7 @@ Based on this setting, Oberon PSA Crypto selects the most appropriate driver for
                    | :kconfig:option:`CONFIG_PSA_WANT_ALG_CCM_STAR_NO_TAG`
                    | :kconfig:option:`CONFIG_PSA_WANT_ALG_STREAM_CIPHER`
 
+.. _ug_crypto_supported_features_key_agreement_algorithms:
 
 Key agreement algorithms
 ========================
@@ -4455,6 +4456,8 @@ Based on this setting, Oberon PSA Crypto selects the most appropriate driver for
                    | :kconfig:option:`CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305`
                    | :kconfig:option:`CONFIG_PSA_WANT_ALG_XCHACHA20_POLY1305`
 
+.. _ug_crypto_supported_features_signature_algorithms:
+
 Asymmetric signature algorithms
 ===============================
 
@@ -7240,6 +7243,8 @@ Based on this setting, Oberon PSA Crypto selects the most appropriate driver for
                  - | :kconfig:option:`CONFIG_PSA_WANT_ALG_CTR_DRBG`
                    | :kconfig:option:`CONFIG_PSA_WANT_ALG_HMAC_DRBG` (software implementation, entropy provided by the hardware RNG peripheral)
 
+.. _ug_crypto_supported_features_hash_algorithms:
+
 Hash algorithms
 ===============
 

samples/crypto/aes_cbc/README.rst

@@ -27,10 +27,14 @@ The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configu
 * :kconfig:option:`CONFIG_PSA_WANT_ALG_CBC_NO_PADDING` - Used to enable support for the CBC cipher mode without padding from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_cipher_modes`.
 * :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key and IV generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
 
+.. crypto_sample_overview_driver_selection_start
+
 The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
 
-These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
-See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+These Kconfig options are then used by the build system to compile the required cryptographic PSA directives and make the configured cryptographic drivers available at runtime.
+See :ref:`crypto_drivers_driver_selection` for more information about this process.
+
+.. crypto_sample_overview_driver_selection_end
 
 Once built and run, the sample performs the following operations:
 
@@ -64,10 +68,10 @@ Building and running
 Testing
 =======
 
-After programming the sample to your development kit, complete the following steps to test it:
-
 .. crypto_sample_testing_start
 
+After programming the sample to your development kit, complete the following steps to test it:
+
 1. |connect_terminal|
 #. Build and program the application.
 #. Observe the logs from the application using the terminal emulator.
@@ -82,7 +86,7 @@ After programming the sample to your development kit, complete the following ste
    [00:00:00.251,159] <inf> aes_cbc: Starting AES-CBC-NO-PADDING example...
    [00:00:00.251,190] <inf> aes_cbc: Generating random AES key...
    [00:00:00.251,342] <inf> aes_cbc: AES key generated successfully!
-   [00:00:00.251,373] <inf> aes_cbc: Encrypting using AES CBC MODE...
+   [00:00:00.251,373] <inf> aes_cbc: Encrypting using the AES CBC mode...
    [00:00:00.251,708] <inf> aes_cbc: Encryption successful!
    [00:00:00.251,708] <inf> aes_cbc: ---- IV (len: 16): ----
    [00:00:00.251,739] <inf> aes_cbc: Content:
@@ -102,7 +106,7 @@ After programming the sample to your development kit, complete the following ste
                                     39 56 54 b5 96 6e 13 e2  7d 22 26 1e 3c 7c 3e eb |9VT..n.. }"&.<|>.
                                     15 60 31 d3 58 02 b6 85  98 63 2c e6 ad dc aa 19 |.`1.X... .c,.....
    [00:00:00.251,922] <inf> aes_cbc: ---- Encrypted text end  ----
-   [00:00:00.251,953] <inf> aes_cbc: Decrypting using AES CBC MODE...
+   [00:00:00.251,953] <inf> aes_cbc: Decrypting using the AES CBC mode...
    [00:00:00.252,166] <inf> aes_cbc: ---- Decrypted text (len: 64): ----
    [00:00:00.252,197] <inf> aes_cbc: Content:
                                     45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t

samples/crypto/aes_cbc/src/main.c

@@ -112,7 +112,7 @@ int encrypt_cbc_aes(void)
 	psa_status_t status;
 	psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
 
-	LOG_INF("Encrypting using AES CBC MODE...");
+	LOG_INF("Encrypting using the AES CBC mode...");
 
 	/* Setup the encryption operation */
 	status = psa_cipher_encrypt_setup(&operation, key_id, PSA_ALG_CBC_NO_PADDING);
@@ -163,7 +163,7 @@ int decrypt_cbc_aes(void)
 	psa_status_t status;
 	psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
 
-	LOG_INF("Decrypting using AES CBC MODE...");
+	LOG_INF("Decrypting using the AES CBC mode...");
 
 	/* Setup the decryption operation */
 	status = psa_cipher_decrypt_setup(&operation, key_id, PSA_ALG_CBC_NO_PADDING);

samples/crypto/aes_ccm/README.rst

@@ -28,10 +28,9 @@ The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configu
 * :kconfig:option:`CONFIG_PSA_WANT_ALG_CCM` - Used to enable support for the CCM AEAD algorithm from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_aead_algorithms`.
 * :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
 
-The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
-
-These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
-See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_overview_driver_selection_start
+   :end-before: crypto_sample_overview_driver_selection_end
 
 Once built and run, the sample performs the following operations:
 
@@ -63,8 +62,6 @@ Building and running
 Testing
 =======
 
-After programming the sample to your development kit, complete the following steps to test it:
-
 .. include:: /samples/crypto/aes_cbc/README.rst
    :start-after: crypto_sample_testing_start
    :end-before: crypto_sample_testing_end
@@ -76,7 +73,7 @@ After programming the sample to your development kit, complete the following ste
    [00:00:00.251,159] <inf> aes_ccm: Starting AES CCM example...
    [00:00:00.251,190] <inf> aes_ccm: Generating random AES key...
    [00:00:00.251,342] <inf> aes_ccm: AES key generated successfully!
-   [00:00:00.251,373] <inf> aes_ccm: Encrypting using AES CCM MODE...
+   [00:00:00.251,373] <inf> aes_ccm: Encrypting using the AES CCM mode...
    [00:00:00.251,708] <inf> aes_ccm: Encryption successful!
    [00:00:00.251,708] <inf> aes_ccm: ---- Nonce (len: 13): ----
    [00:00:00.251,739] <inf> aes_ccm: Content:
@@ -92,7 +89,7 @@ After programming the sample to your development kit, complete the following ste
                                 b3 5d 47 06 89 a5 08 3b  e6 54 57 25 b9 49 02 50 |.]G....;.TW%.I.P
                                 d1 55 49 58 11 00 00 00  00 00 00 00 00 00 00 00 |.UX.............
    [00:00:00.251,922] <inf> aes_ccm: ---- Encrypted text end  ----
-   [00:00:00.251,953] <inf> aes_ccm: Decrypting using AES CCM MODE...
+   [00:00:00.251,953] <inf> aes_ccm: Decrypting using the AES CCM mode...
    [00:00:00.252,166] <inf> aes_ccm: ---- Decrypted text (len: 100): ----
    [00:00:00.252,197] <inf> aes_ccm: Content:
                                     Example string to demonstrate basic usage of AES CCM mode.

samples/crypto/aes_ccm/src/main.c

@@ -124,7 +124,7 @@ int encrypt_ccm_aes(void)
 	uint32_t output_len;
 	psa_status_t status;
 
-	LOG_INF("Encrypting using AES CCM MODE...");
+	LOG_INF("Encrypting using the AES CCM mode...");
 
 	/* Encrypt the plaintext and create the authentication tag */
 	status = psa_aead_encrypt(key_id,
@@ -160,7 +160,7 @@ int decrypt_ccm_aes(void)
 	uint32_t output_len;
 	psa_status_t status;
 
-	LOG_INF("Decrypting using AES CCM MODE...");
+	LOG_INF("Decrypting using the AES CCM mode...");
 
 	/* Decrypt the encrypted data and authenticate the tag */
 	status = psa_aead_decrypt(key_id,

samples/crypto/aes_ctr/README.rst

@@ -27,10 +27,9 @@ The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configu
 * :kconfig:option:`CONFIG_PSA_WANT_ALG_CTR` - Used to enable support for the CTR cipher mode from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_cipher_modes`.
 * :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key and IV generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
 
-The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the :file:`boards` directory.
-
-These Kconfig options are then used by Oberon PSA Crypto to compile the required cryptographic PSA directives and select the cryptographic drivers.
-See :ref:`crypto_drivers_driver_selection` for more information about the driver selection process.
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_overview_driver_selection_start
+   :end-before: crypto_sample_overview_driver_selection_end
 
 Once built and run, the sample performs the following operations:
 
@@ -65,8 +64,6 @@ Building and running
 Testing
 =======
 
-After programming the sample to your development kit, complete the following steps to test it:
-
 .. include:: /samples/crypto/aes_cbc/README.rst
    :start-after: crypto_sample_testing_start
    :end-before: crypto_sample_testing_end
@@ -78,7 +75,7 @@ After programming the sample to your development kit, complete the following ste
    [00:00:00.123,456] <inf> aes_ctr: Starting AES CTR example...
    [00:00:00.123,489] <inf> aes_ctr: Generating random AES key...
    [00:00:00.123,512] <inf> aes_ctr: AES key generated successfully!
-   [00:00:00.123,545] <inf> aes_ctr: Encrypting using AES CTR MODE...
+   [00:00:00.123,545] <inf> aes_ctr: Encrypting using the AES CTR mode...
    [00:00:00.123,567] <inf> aes_ctr: Encryption successful!
    [00:00:00.123,589] <inf> aes_ctr: ---- IV (len: 16): ----
    [00:00:00.123,611] <inf> aes_ctr: Content:
@@ -91,7 +88,7 @@ After programming the sample to your development kit, complete the following ste
                                 7b 61 95 44 09 64 ea ef  ad b8 72 59 65 4f 6a 7c |{a.D.d....rYeOj|
                                 7f 81 f4 2a 3b 9d 3e 66  42 e5 db 87 4c 16        |...*;..fB...L.
    [00:00:00.123,699] <inf> aes_ctr: ---- Encrypted text end  ----
-   [00:00:00.123,721] <inf> aes_ctr: Decrypting using AES CTR MODE...
+   [00:00:00.123,721] <inf> aes_ctr: Decrypting using the AES CTR mode...
    [00:00:00.123,743] <inf> aes_ctr: ---- Decrypted text (len: 56): ----
    [00:00:00.123,765] <inf> aes_ctr: Content:
                                 Example string to demonstrate basic usage of AES CTR mode.

samples/crypto/aes_ctr/src/main.c

@@ -114,7 +114,7 @@ int encrypt_ctr_aes(void)
 	psa_status_t status;
 	psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
 
-	LOG_INF("Encrypting using AES CTR MODE...");
+	LOG_INF("Encrypting using the AES CTR mode...");
 
 	/* Setup the encryption operation */
 	status = psa_cipher_encrypt_setup(&operation, key_id, PSA_ALG_CTR);
@@ -174,7 +174,7 @@ int decrypt_ctr_aes(void)
 	psa_status_t status;
 	psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
 
-	LOG_INF("Decrypting using AES CTR MODE...");
+	LOG_INF("Decrypting using the AES CTR mode...");
 
 	/* Setup the decryption operation */
 	status = psa_cipher_decrypt_setup(&operation, key_id, PSA_ALG_CTR);

samples/crypto/aes_gcm/README.rst

@@ -7,7 +7,7 @@ Crypto: AES GCM
    :local:
    :depth: 2
 
-The AES GCM sample shows how to perform authenticated encryption and decryption operations using the GCM algorithm and a 128-bit key.
+The AES GCM sample demonstrates how to use the :ref:`PSA Crypto API <ug_psa_certified_api_overview_crypto>` to perform authenticated encryption and decryption operations using the GCM AEAD algorithm with a 128-bit AES key.
 
 Requirements
 ************
@@ -21,22 +21,36 @@ The sample supports the following development kits:
 Overview
 ********
 
-The sample performs the following operations:
+The sample :ref:`enables PSA Crypto API <psa_crypto_support_enable>` and configures the following Kconfig options for the cryptographic features:
+
+* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_AES` - Used to enable support for AES key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.
+* :kconfig:option:`CONFIG_PSA_WANT_ALG_GCM` - Used to enable support for the GCM AEAD algorithm from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_aead_algorithms`.
+* :kconfig:option:`CONFIG_PSA_WANT_GENERATE_RANDOM` - Used to enable random number generation for key and IV generation from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_rng_algorithms`.
+
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_overview_driver_selection_start
+   :end-before: crypto_sample_overview_driver_selection_end
+
+Once built and run, the sample performs the following operations:
 
 1. Initialization:
 
-   a. The Platform Security Architecture (PSA) API is initialized.
-   #. A random AES key is generated and imported into the PSA crypto keystore.
+   a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.
+   #. A random 128-bit AES key is generated using :c:func:`psa_generate_key` and stored in the PSA crypto keystore.
+      The key is configured with usage flags for both encryption and decryption.
 
-#. Encryption and decryption of a sample plaintext:
+#. Authenticated encryption and decryption of a sample plaintext:
 
-   a. A random initialization vector (IV) is generated.
-   #. Authenticated encryption is performed.
-   #. Authenticated decryption is performed.
+   a. A random initialization vector (IV) is generated using :c:func:`psa_generate_random`.
+   #. Authenticated encryption is performed using :c:func:`psa_aead_encrypt` with the ``PSA_ALG_GCM`` algorithm.
+      This function encrypts the plaintext with the provided IV and additional authenticated data, and appends an authentication tag to the ciphertext.
+   #. Authenticated decryption is performed using :c:func:`psa_aead_decrypt`.
+      This function decrypts the ciphertext, verifies the authentication tag, and authenticates the additional data.
+   #. The decrypted text is compared with the original plaintext to verify correctness.
 
 #. Cleanup:
 
-   a. The AES key is removed from the PSA crypto keystore.
+   a. The AES key is removed from the PSA crypto keystore using :c:func:`psa_destroy_key`.
 
 .. note::
    The CRACEN driver only supports a 96-bit IV for :ref:`AES GCM<ug_crypto_supported_features_key_size>`.
@@ -51,8 +65,43 @@ Building and running
 Testing
 =======
 
-After programming the sample to your development kit, complete the following steps to test it:
-
-1. |connect_terminal|
-#. Compile and program the application.
-#. Observe the logs from the application using a terminal emulator.
+.. include:: /samples/crypto/aes_cbc/README.rst
+   :start-after: crypto_sample_testing_start
+   :end-before: crypto_sample_testing_end
+
+.. code-block:: text
+
+   *** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
+   *** Using Zephyr OS v4.1.99-1612683d4010 ***
+   [00:00:00.251,159] <inf> aes_gcm: Starting AES GCM example...
+   [00:00:00.251,190] <inf> aes_gcm: Generating random AES key...
+   [00:00:00.251,342] <inf> aes_gcm: AES key generated successfully!
+   [00:00:00.251,373] <inf> aes_gcm: Encrypting using the AES GCM mode...
+   [00:00:00.251,708] <inf> aes_gcm: Encryption successful!
+   [00:00:00.251,708] <inf> aes_gcm: ---- IV (len: 12): ----
+   [00:00:00.251,739] <inf> aes_gcm: Content:
+                                    c3 1e 5b 35 97 25 ee a3  ef ba 66 c3 |..[5.%.. ..f.
+   [00:00:00.251,770] <inf> aes_gcm: ---- IV end  ----
+   [00:00:00.251,800] <inf> aes_gcm: ---- Additional data (len: 35): ----
+   [00:00:00.251,831] <inf> aes_gcm: Content:
+                                    Example string of additional data
+   [00:00:00.251,831] <inf> aes_gcm: ---- Additional data end  ----
+   [00:00:00.251,861] <inf> aes_gcm: ---- Plaintext (len: 100): ----
+   [00:00:00.251,892] <inf> aes_gcm: Content:
+                                    Example string to demonstrate basic usage of AES GCM mode.
+   [00:00:00.251,922] <inf> aes_gcm: ---- Plaintext end  ----
+   [00:00:00.251,953] <inf> aes_gcm: ---- Encrypted text (len: 116): ----
+   [00:00:00.251,984] <inf> aes_gcm: Content:
+                                    cc 7d c0 ed 63 5b df 28  08 2b 03 33 a4 3c dc 1d |.}..c[.( .+.3.<..
+                                    76 9d a9 cb 1c 49 4f 6d  ef b8 a2 aa 11 2c fc bd |v....IOm .....,..
+                                    39 56 54 b5 96 6e 13 e2  7d 22 26 1e 3c 7c 3e eb |9VT..n.. }"&.<|>.
+                                    15 60 31 d3 58 02 b6 85  98 63 2c e6 ad dc aa 19 |.`1.X... .c,.....
+                                    4a 2b 3c 1d 5e 6f 7a 8b  9c ad be cf d0 e1 f2 03 |J+<.^oz. ........
+   [00:00:00.252,014] <inf> aes_gcm: ---- Encrypted text end  ----
+   [00:00:00.252,045] <inf> aes_gcm: Decrypting using the AES GCM mode...
+   [00:00:00.252,166] <inf> aes_gcm: ---- Decrypted text (len: 100): ----
+   [00:00:00.252,197] <inf> aes_gcm: Content:
+                                    Example string to demonstrate basic usage of AES GCM mode.
+   [00:00:00.252,227] <inf> aes_gcm: ---- Decrypted text end  ----
+   [00:00:00.252,258] <inf> aes_gcm: Decryption and authentication successful!
+   [00:00:00.252,288] <inf> aes_gcm: Example finished successfully!

samples/crypto/aes_gcm/sample.yaml

@@ -1,8 +1,7 @@
 sample:
-  description: >
-    This app provides an example of performing authenticated
-    AES encryption and decryption using AES GCM mode
-  name: AES GCM example
+  description: |
+    This sample demonstrates AES encryption and decryption using the AES GCM mode.
+  name: AES GCM sample
 tests:
   sample.aes_gcm.cc312:
     sysbuild: true

samples/crypto/aes_gcm/src/main.c

@@ -124,7 +124,7 @@ int encrypt_aes_gcm(void)
 	uint32_t output_len;
 	psa_status_t status;
 
-	LOG_INF("Encrypting using AES GCM MODE...");
+	LOG_INF("Encrypting using the AES GCM mode...");
 
 	/* Generate a random IV */
 	status = psa_generate_random(m_iv, NRF_CRYPTO_EXAMPLE_AES_IV_SIZE);
@@ -164,7 +164,7 @@ int decrypt_aes_gcm(void)
 	uint32_t output_len;
 	psa_status_t status;
 
-	LOG_INF("Decrypting using AES GCM MODE...");
+	LOG_INF("Decrypting using the AES GCM mode...");
 
 	/* Decrypt and authenticate the encrypted data */
 	status = psa_aead_decrypt(key_id,
@@ -200,7 +200,7 @@ int main(void)
 {
 	int status;
 
-	LOG_INF("Starting AES-GCM example...");
+	LOG_INF("Starting AES GCM example...");
 
 	status = crypto_init();
 	if (status != APP_SUCCESS) {