nrf_security: Adjust the size of hash operation in Cracen

Vge0rge · rlubos · commit c087be84eec5 · 2025-04-08T15:16:50.000+02:00
This updates the hash operation size depending on the enabled
algorithms.

This is an optimization which will reduce stack usage for use
cases which only require a subset of the enabled algorithms.

Notice that the nrf-psa-crypto-user-config.h header is used
directly here instead of the psa/crypto.h. This is done
because including the psa/crypto.h creates circular dependencies
in the headers. The sxsymcrypt is in a lower layer than then PSA
crypto driver layer so it makes sense to avoid going from a lower
layer in the driver to a higher one. The PSA configuration is still
being used since this is the only way to do crypto configuration.
Since the nrf-psa-crypto-user-config.h is a static configuration
file without any dependencies it is reasonable to use it inside
the lower layers of the driver.

Signed-off-by: Georgios Vasilakis &lt;georgios.vasilakis@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/hashdefs.h b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/hashdefs.h
@@ -10,9 +10,37 @@
 #include <stddef.h>
 #include <stdint.h>
 #include "internal.h"
+#include "nrf-psa-crypto-user-config.h"
 
-#ifndef SX_HASH_PRIV_SZ
+/* These are not magic numbers, the number here is the size in bytes of the
+ * extramem field of sxhash. The extra memory holds the data for saving/resuming
+ * the state and should have the size of statesz + maxpadsz.
+ * The size here is the MAX of this sum from the enabled algorithms.
+ *
+ * !!! ORDER MATTERS !!!
+ */
+#if defined(PSA_NEED_CRACEN_SHA3_224)
 #define SX_HASH_PRIV_SZ 344
+#elif defined(PSA_NEED_CRACEN_SHA3_256)
+/* SHAKE256 has the same size but doesn't have a PSA_NEED yet */
+#define SX_HASH_PRIV_SZ 336
+#elif defined(PSA_NEED_CRACEN_SHA3_384)
+#define SX_HASH_PRIV_SZ 304
+#elif defined(PSA_NEED_CRACEN_SHA3_512)
+#define SX_HASH_PRIV_SZ 272
+#elif defined(PSA_NEED_CRACEN_SHA_512) || defined(PSA_NEED_CRACEN_SHA_384)
+#define SX_HASH_PRIV_SZ 208
+#elif defined(PSA_NEED_CRACEN_SHA_256) || defined(PSA_NEED_CRACEN_SHA_224)
+/* SM3 has the same size but doesn't have a PSA_NEED yet */
+#define SX_HASH_PRIV_SZ 104
+#elif defined(PSA_NEED_CRACEN_SHA_1)
+#define SX_HASH_PRIV_SZ 92
+#else
+/* A default value is needed to avoid building failures when no hash is
+ * enabled. A small number is used because it will enforce a runtime failure
+ * if the sx_hash APIs are called while no algorithm is enabled.
+ */
+#define SX_HASH_PRIV_SZ 1
 #endif
 
 struct sx_digesttags {
