nrf_security: cracen: Add IK support directly to cracen_psa

Add support for signing with identity key to cracen_psa
Remove support for using identity key through sicrypto
Remove sitask usage from ecc sign and verify

Signed-off-by: Dag Erik Gjørvad <[email protected]>

Author: degjorva

subsys/nrf_security/src/drivers/cracen/cracenpsa/cracenpsa.cmake

@@ -17,6 +17,7 @@ list(APPEND cracen_driver_sources
   ${CMAKE_CURRENT_LIST_DIR}/src/ec_helpers.c
   ${CMAKE_CURRENT_LIST_DIR}/src/ecc.c
   ${CMAKE_CURRENT_LIST_DIR}/src/rndinrange.c
+  ${CMAKE_CURRENT_LIST_DIR}/src/ikg_signature.c
 
   # Note: We always need to have blkcipher.c and ctr_drbg.c since it
   # is used directly by many Cracen drivers.

subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_ikg.h

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#ifndef CRACEN_PSA_IKG_H
+#define CRACEN_PSA_IKG_H
+
+#include <stddef.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+int cracen_ikg_sign_message(int identity_key_index, const struct sxhashalg *hashalg,
+			    const struct sx_pk_ecurve *curve, const uint8_t *message,
+			    size_t message_length, uint8_t *signature);
+
+int cracen_ikg_sign_digest(int identity_key_index, const struct sxhashalg *hashalg,
+			   const struct sx_pk_ecurve *curve, const uint8_t *digest,
+			   size_t digest_length, uint8_t *signature);
+
+int cracen_ikg_create_pub_key(int identity_key_index, uint8_t *pub_key);
+
+#endif /* CRACEN_PSA_IKG_H */

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ikg_signature.c

@@ -0,0 +1,185 @@
+/* Isolated key operations (signature generation, ...)
+ *
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ *
+ * Workmem layout for the sign operation:
+ *      1. Hash digest of the message to be signed (size: digestsz).
+ *
+ * Workmem layout for the sign digest operation:
+ *      1. Hash digest of the message to be signed (size: digestsz).
+ *
+ * Other IKG tasks don't need workmem memory.
+ */
+
+#include <stdint.h>
+#include <string.h>
+#include <silexpk/core.h>
+#include <silexpk/iomem.h>
+#include <sxsymcrypt/hash.h>
+#include <sxsymcrypt/hashdefs.h>
+#include <silexpk/ik.h>
+#include <cracen/statuscodes.h>
+#include <cracen_psa_ikg.h>
+#include <cracen_psa_primitives.h>
+#include "common.h"
+
+#define MAX_ECDSA_ATTEMPTS 255
+
+/** Convert a digest into an operand for ECDSA
+ *
+ * The raw digest may need to be padded or truncated to fit the curve
+ * operand used for ECDSA.
+ *
+ * Conversion could also imply byte order inversion, but that is not
+ * implemented here. It's expected that SilexPK takes big endian
+ * operands here.
+ *
+ * As the digest size is expressed in bytes, this procedure does not
+ * work for curves which have sizes not multiples of 8 bits.
+ */
+static void digest2op(const uint8_t *digest, size_t sz, uint8_t *dst, size_t opsz)
+{
+	if (opsz > sz) {
+		sx_clrpkmem(dst, opsz - sz);
+		dst += opsz - sz;
+	}
+	sx_wrpkmem(dst, digest, opsz);
+}
+
+static void ecdsa_read_sig(struct ecdsa_signature *sig, const uint8_t *r, const uint8_t *s,
+			   size_t opsz)
+{
+	sx_rdpkmem(sig->r, r, opsz);
+	if (!sig->s) {
+		sig->s = sig->r + opsz;
+	}
+	sx_rdpkmem(sig->s, s, opsz);
+}
+
+static int exit_ikg(struct sx_pk_acq_req *pkreq)
+{
+
+	int status;
+
+	sx_pk_release_req(pkreq->req);
+	*pkreq = sx_pk_acquire_req(SX_PK_CMD_IK_EXIT);
+	pkreq->status = sx_pk_list_ik_inslots(pkreq->req, 0, NULL);
+	if (pkreq->status) {
+		return pkreq->status;
+	}
+	sx_pk_run(pkreq->req);
+	status = sx_pk_wait(pkreq->req);
+	if (status != SX_OK) {
+		return status;
+	}
+	sx_pk_release_req(pkreq->req);
+	return SX_OK;
+}
+
+int cracen_ikg_sign_message(int identity_key_index, const struct sxhashalg *hashalg,
+			    const struct sx_pk_ecurve *curve, const uint8_t *message,
+			    size_t message_length, uint8_t *signature)
+{
+	int status;
+	size_t digestsz = sx_hash_get_alg_digestsz(hashalg);
+	uint8_t digest[digestsz];
+
+	status = hash_input(message, message_length, hashalg, digest);
+	if (status != SX_OK) {
+		return status;
+	}
+
+	return cracen_ikg_sign_digest(identity_key_index, hashalg, curve, digest, digestsz,
+				      signature);
+}
+
+int cracen_ikg_sign_digest(int identity_key_index, const struct sxhashalg *hashalg,
+			   const struct sx_pk_ecurve *curve, const uint8_t *digest,
+			   size_t digest_length, uint8_t *signature)
+{
+	int status;
+	size_t opsz = sx_pk_curve_opsize(curve);
+	struct sx_pk_acq_req pkreq;
+	struct sx_pk_inops_ik_ecdsa_sign inputs;
+	size_t digestsz = sx_hash_get_alg_digestsz(hashalg);
+	const uint8_t *curve_n;
+	uint8_t workmem[digestsz];
+	struct ecdsa_signature internal_signature = {0};
+
+	memcpy(workmem, digest, digest_length);
+	curve_n = sx_pk_curve_order(curve);
+
+	internal_signature.r = signature;
+	internal_signature.s = signature + opsz;
+
+	for (int i = 0; i <= MAX_ECDSA_ATTEMPTS; i++) {
+
+		pkreq = sx_pk_acquire_req(SX_PK_CMD_IK_ECDSA_SIGN);
+		if (pkreq.status) {
+			return pkreq.status;
+		}
+		pkreq.status = sx_pk_list_ik_inslots(pkreq.req, identity_key_index,
+						     (struct sx_pk_slot *)&inputs);
+		if (pkreq.status) {
+			return pkreq.status;
+		}
+
+		digest2op(workmem, digestsz, inputs.h.addr, opsz);
+		sx_pk_run(pkreq.req);
+		status = sx_pk_wait(pkreq.req);
+		if (status != SX_OK) {
+			return status;
+		}
+
+		/* SX_ERR_NOT_INVERTIBLE may be due to silexpk countermeasures. */
+		if ((status == SX_ERR_INVALID_SIGNATURE) || (status == SX_ERR_NOT_INVERTIBLE)) {
+			sx_pk_release_req(pkreq.req);
+			if (i == MAX_ECDSA_ATTEMPTS) {
+				return SX_ERR_TOO_MANY_ATTEMPTS;
+			}
+		} else {
+			break;
+		}
+	}
+	if (status != SX_OK) {
+		sx_pk_release_req(pkreq.req);
+		return status;
+	}
+
+	const uint8_t **outputs = (const uint8_t **)sx_pk_get_output_ops(pkreq.req);
+
+	ecdsa_read_sig(&internal_signature, outputs[0], outputs[1], opsz);
+	safe_memzero(workmem, digestsz);
+
+	return exit_ikg(&pkreq);
+}
+
+int cracen_ikg_create_pub_key(int identity_key_index, uint8_t *pub_key)
+{
+	int status;
+	struct sx_pk_acq_req pkreq;
+
+	pkreq = sx_pk_acquire_req(SX_PK_CMD_IK_PUBKEY_GEN);
+	if (pkreq.status) {
+		return pkreq.status;
+	}
+	pkreq.status = sx_pk_list_ik_inslots(pkreq.req, identity_key_index, NULL);
+	if (pkreq.status) {
+		return pkreq.status;
+	}
+
+	sx_pk_run(pkreq.req);
+	status = sx_pk_wait(pkreq.req);
+	if (status != SX_OK) {
+		return status;
+	}
+	const uint8_t **outputs = (const uint8_t **)sx_pk_get_output_ops(pkreq.req);
+	const int opsz = sx_pk_get_opsize(pkreq.req);
+
+	sx_rdpkmem(pub_key, outputs[0], opsz);
+	sx_rdpkmem(pub_key + opsz, outputs[1], opsz);
+
+	return exit_ikg(&pkreq);
+}

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -8,16 +8,16 @@
 #include <cracen/ec_helpers.h>
 #include <cracen/mem_helpers.h>
 #include "cracen_psa.h"
+#include "cracen_psa_ecdsa.h"
 #include "cracen_psa_eddsa.h"
 #include "cracen_psa_montgomery.h"
 #include "platform_keys/platform_keys.h"
 #include <nrf_security_mutexes.h>
 #include <sicrypto/drbghash.h>
 #include "ecc.h"
-#include <sicrypto/ed448.h>
+#include <cracen_psa_ikg.h>
 #include <sicrypto/rsa_keygen.h>
 #include <sicrypto/util.h>
-#include <silexpk/ed448.h>
 #include <silexpk/sxops/rsa.h>
 #include <sicrypto/ik.h>
 #include <silexpk/ik.h>
@@ -569,30 +569,22 @@ static size_t get_expected_pub_key_size(psa_ecc_family_t psa_curve, size_t key_b
 }
 
 static psa_status_t handle_identity_key(const uint8_t *key_buffer, size_t key_buffer_size,
-					       const struct sx_pk_ecurve *sx_curve, uint8_t *data,
-					       struct si_sig_privkey *priv_key,
-					       struct si_sig_pubkey *pub_key)
+					       const struct sx_pk_ecurve *sx_curve, uint8_t *data)
 {
 	if (key_buffer_size != sizeof(ikg_opaque_key)) {
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {
-		*priv_key = si_sig_fetch_ikprivkey(sx_curve, *key_buffer);
 		data[0] = SI_ECC_PUBKEY_UNCOMPRESSED;
-		pub_key->key.eckey.qx = &data[1];
-		pub_key->key.eckey.qy = &data[1 + sx_pk_curve_opsize(sx_curve)];
-	} else {
-		return PSA_ERROR_NOT_SUPPORTED;
+		return silex_statuscodes_to_psa(cracen_ikg_create_pub_key(key_buffer[0], data + 1));
 	}
-	return PSA_SUCCESS;
+	return PSA_ERROR_NOT_SUPPORTED;
 }
 
 static psa_status_t handle_curve_family(psa_ecc_family_t psa_curve, size_t key_bits_attr,
 					const uint8_t *key_buffer, uint8_t *data,
-					const struct sx_pk_ecurve *sx_curve,
-					struct si_sig_privkey *priv_key,
-					struct si_sig_pubkey *pub_key)
+					const struct sx_pk_ecurve *sx_curve)
 {
 
 	switch (psa_curve) {
@@ -629,9 +621,10 @@ static psa_status_t handle_curve_family(psa_ecc_family_t psa_curve, size_t key_b
 				cracen_ed25519_create_pubkey(key_buffer, data));
 		} else if (key_bits_attr == 448 &&
 			   IS_ENABLED(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_448)) {
-			priv_key->def = si_sig_def_ed448;
-			priv_key->key.ed448 = (struct sx_ed448_v *)key_buffer;
-			pub_key->key.ed448 = (struct sx_ed448_pt *)data;
+			/* This if-statement is kept to make it easier to add ed448 in the future
+			 * even though it does nothing.
+			 */
+			return PSA_ERROR_NOT_SUPPORTED;
 		} else {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
@@ -644,22 +637,11 @@ static psa_status_t handle_curve_family(psa_ecc_family_t psa_curve, size_t key_b
 	return PSA_SUCCESS;
 }
 
-static bool requires_sitask(const psa_key_attributes_t *attributes, psa_ecc_family_t curve)
-{
-	if (!IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1_256)) {
-		return false;
-	}
-	return PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
-	       PSA_KEY_LOCATION_CRACEN;
-}
-
 static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_t *attributes,
 						       const uint8_t *key_buffer,
 						       size_t key_buffer_size, uint8_t *data,
 						       size_t data_size, size_t *data_length)
 {
-	struct si_sig_privkey priv_key;
-	struct si_sig_pubkey pub_key;
 	psa_status_t status;
 
 	size_t key_bits_attr = psa_get_key_bits(attributes);
@@ -679,31 +661,14 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_
 
 	if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
 	    PSA_KEY_LOCATION_CRACEN) {
-		status = handle_identity_key(key_buffer, key_buffer_size, sx_curve, data, &priv_key,
-					     &pub_key);
+		status = handle_identity_key(key_buffer, key_buffer_size, sx_curve, data);
 	} else {
-		status = handle_curve_family(psa_curve, key_bits_attr, key_buffer, data, sx_curve,
-					     &priv_key, &pub_key);
+		status = handle_curve_family(psa_curve, key_bits_attr, key_buffer, data, sx_curve);
 	}
 	if (status != PSA_SUCCESS) {
 		return status;
 	}
-	bool is_sitask = requires_sitask(attributes, psa_curve);
-
-	if (is_sitask) {
-		char workmem[SX_ED448_DGST_SZ] = {};
-		struct sitask t;
-
-		si_task_init(&t, workmem, sizeof(workmem));
-		si_sig_create_pubkey(&t, &priv_key, &pub_key);
-		si_task_run(&t);
 
-		status = silex_statuscodes_to_psa(si_task_wait(&t));
-		safe_memzero(workmem, sizeof(workmem));
-		if (status != PSA_SUCCESS) {
-			return status;
-		}
-	}
 	*data_length = expected_pub_key_size;
 	return PSA_SUCCESS;
 }