nrf_security: Move PSA_WANTS from drivers Kconfig

Move some PSA_WANTs from the drivers Kconfig in nrf_security
to the Kconfig file which contains the rest of the PSA_WANT
configurations.

During the upmerge support for OFB and CFB modes of AES
was removed so here we remove the relevant code in the drivers
as well.

Signed-off-by: Georgios Vasilakis <[email protected]>

Author: Vge0rge

doc/nrf/libraries/security/nrf_security/doc/driver_config.rst

@@ -122,12 +122,8 @@ To enable cipher modes, set one or more of the Kconfig options in the following
 +-----------------------+------------------------------------------------------+
 | CBC PKCS#7 padding    | :kconfig:option:`CONFIG_PSA_WANT_ALG_CBC_PKCS7`      |
 +-----------------------+------------------------------------------------------+
-| CFB                   | :kconfig:option:`CONFIG_PSA_WANT_ALG_CFB`            |
-+-----------------------+------------------------------------------------------+
 | CTR                   | :kconfig:option:`CONFIG_PSA_WANT_ALG_CTR`            |
 +-----------------------+------------------------------------------------------+
-| OFB                   | :kconfig:option:`CONFIG_PSA_WANT_ALG_OFB`            |
-+-----------------------+------------------------------------------------------+
 | CCM* no tag           | :kconfig:option:`CONFIG_PSA_WANT_ALG_CCM_STAR_NO_TAG`|
 +-----------------------+------------------------------------------------------+
 | XTS                   | :kconfig:option:`CONFIG_PSA_WANT_ALG_XTS`            |
@@ -149,12 +145,8 @@ The following table shows cipher algorithm support for each driver:
 +-----------------------+---------------------------+----------------------------+---------------------------+
 | CBC PKCS#7 padding    | Supported                 | Supported                  | Supported                 |
 +-----------------------+---------------------------+----------------------------+---------------------------+
-| CFB                   | Not supported             | Not supported              | Not supported             |
-+-----------------------+---------------------------+----------------------------+---------------------------+
 | CTR                   | Supported                 | Supported                  | Supported                 |
 +-----------------------+---------------------------+----------------------------+---------------------------+
-| OFB                   | Supported                 | Not supported              | Supported                 |
-+-----------------------+---------------------------+----------------------------+---------------------------+
 | CCM* no tag           | Not supported             | Supported                  | Not supported             |
 +-----------------------+---------------------------+----------------------------+---------------------------+
 | XTS                   | Not supported             | Not supported              | Not supported             |

subsys/nrf_security/Kconfig

@@ -193,9 +193,7 @@ config MBEDTLS_CIPHER_ALL_ENABLED
 	select PSA_WANT_ALG_ECB_NO_PADDING
 	select PSA_WANT_ALG_CBC_NO_PADDING
 	select PSA_WANT_ALG_CBC_PKCS7
-	select PSA_WANT_ALG_CFB
 	select PSA_WANT_ALG_CTR
-	select PSA_WANT_ALG_OFB
 	select PSA_WANT_ALG_CCM
 	select PSA_WANT_ALG_GCM
 	select PSA_WANT_KEY_TYPE_CHACHA20

subsys/nrf_security/Kconfig.psa.nordic

@@ -296,6 +296,14 @@ config PSA_WANT_ECC_SECT_R2_163
 config PSA_WANT_ECC_FRP_V1_256
 	bool "PSA ECC FRP256v1 support" if !PSA_PROMPTLESS
 
+config PSA_WANT_ALG_CHACHA20
+	bool "PSA CHACHA20 stream cipher support" if !PSA_PROMPTLESS
+	default y if PSA_CRYPTO_ENABLE_ALL
+
+config PSA_WANT_ALG_SHAKE256_512
+	bool "PSA SHAKE256 512 bits support" if !PSA_PROMPTLESS
+	default y if PSA_CRYPTO_ENABLE_ALL
+
 comment "Nordic addded RNG configuration"
 
 config PSA_WANT_GENERATE_RANDOM

subsys/nrf_security/src/drivers/Kconfig

@@ -59,18 +59,6 @@ config PSA_USE_HMAC_DRBG_DRIVER
 
 endmenu
 
-config PSA_WANT_ALG_CFB
-	bool "PSA stream cipher using CFB block cipher mode support"
-
-config PSA_WANT_ALG_OFB
-	bool "PSA stream cipher using OFB block cipher mode support"
-
-config PSA_WANT_ALG_CHACHA20
-	bool "PSA stream cipher using CHACHA20 support"
-
-config PSA_WANT_ALG_SHAKE256_512
-	bool "PSA SHAKE256 512 bits support"
-
 menu "CryptoCell PSA Driver Configuration"
 if PSA_CRYPTO_DRIVER_CC3XX
 

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/blkcipher.c

@@ -228,10 +228,6 @@ static bool is_alg_supported(psa_algorithm_t alg, const psa_key_attributes_t *at
 		IF_ENABLED(PSA_NEED_CRACEN_ECB_NO_PADDING_AES,
 			   (is_supported = psa_get_key_type(attributes) == PSA_KEY_TYPE_AES));
 		break;
-	case PSA_ALG_OFB:
-		IF_ENABLED(PSA_NEED_CRACEN_OFB_AES,
-			   (is_supported = psa_get_key_type(attributes) == PSA_KEY_TYPE_AES));
-		break;
 	default:
 		is_supported = false;
 		break;
@@ -267,17 +263,6 @@ static psa_status_t initialize_cipher(cracen_cipher_operation_t *operation)
 									     operation->iv);
 		}
 		break;
-	case PSA_ALG_OFB:
-		if (IS_ENABLED(PSA_NEED_CRACEN_OFB_AES)) {
-			sx_status = operation->dir == CRACEN_DECRYPT
-					    ? sx_blkcipher_create_aesofb_dec(&operation->cipher,
-									     &operation->keyref,
-									     operation->iv)
-					    : sx_blkcipher_create_aesofb_enc(&operation->cipher,
-									     &operation->keyref,
-									     operation->iv);
-		}
-		break;
 	case PSA_ALG_CTR:
 		if (IS_ENABLED(PSA_NEED_CRACEN_CTR_AES)) {
 			sx_status = operation->dir == CRACEN_DECRYPT

subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig

@@ -89,17 +89,6 @@ config PSA_NEED_CRACEN_ECB_NO_PADDING_AES
 	depends on PSA_WANT_KEY_TYPE_AES
 	depends on PSA_USE_CRACEN_CIPHER_DRIVER
 
-config PSA_NEED_CRACEN_OFB_AES
-	bool
-	default y
-	select PSA_ACCEL_OFB_AES_128
-	select PSA_ACCEL_OFB_AES_192
-	select PSA_ACCEL_OFB_AES_256
-	depends on PSA_WANT_AES_KEY_SIZE_128 || PSA_WANT_AES_KEY_SIZE_192 || PSA_WANT_AES_KEY_SIZE_256
-	depends on PSA_WANT_ALG_OFB
-	depends on PSA_WANT_KEY_TYPE_AES
-	depends on PSA_USE_CRACEN_CIPHER_DRIVER
-
 config PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20
 	bool
 	default y
@@ -116,7 +105,6 @@ config PSA_NEED_CRACEN_CIPHER_DRIVER
 		   PSA_NEED_CRACEN_CBC_PKCS7_AES      || \
 		   PSA_NEED_CRACEN_CBC_NO_PADDING_AES || \
 		   PSA_NEED_CRACEN_ECB_NO_PADDING_AES || \
-		   PSA_NEED_CRACEN_OFB_AES            || \
 		   PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20
 
 # CRACEN Key Agreement Driver

subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/aes.h

@@ -232,106 +232,6 @@ int sx_blkcipher_create_aescbc_enc(struct sxblkcipher *c, const struct sxkeyref
 int sx_blkcipher_create_aescbc_dec(struct sxblkcipher *c, const struct sxkeyref *key,
 				   const char *iv);
 
-/** Prepares an AES CFB block cipher encryption.
- *
- * This function initializes the user allocated object \p c with a new block
- * cipher operation context needed to run the AES CFB encryption and reserves
- * the HW resource.
- *
- * After successful execution of this function, the context \p c can be passed
- * to any of the block cipher functions.
- *
- * @param[out] c block cipher operation context
- * @param[in] key key used for the block cipher operation, expected size
- *                16, 24 or 32 bytes
- * @param[in] iv initialization vector, size must be 16 bytes
- * @return ::SX_OK
- * @return ::SX_ERR_INVALID_KEYREF
- * @return ::SX_ERR_INVALID_KEY_SZ
- * @return ::SX_ERR_INCOMPATIBLE_HW
- * @return ::SX_ERR_RETRY
- *
- * @pre - key reference provided by \p key must be initialized using
- *        sx_keyref_load_material() or sx_keyref_load_by_id()
- */
-int sx_blkcipher_create_aescfb_enc(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv);
-
-/** Prepares an AES CFB block cipher decryption
- *
- * This function initializes the user allocated object \p c with a new block
- * cipher operation context needed to run the AES CFB decryption and reserves
- * the HW resource.
- *
- * After successful execution of this function, the context \p c can be passed
- * to any of the block cipher functions.
- *
- * @param[out] c block cipher operation context
- * @param[in] key key used for the block cipher operation, expected size
- *                16, 24 or 32 bytes
- * @param[in] iv initialization vector, size must be 16 bytes
- * @return ::SX_OK
- * @return ::SX_ERR_INVALID_KEYREF
- * @return ::SX_ERR_INVALID_KEY_SZ
- * @return ::SX_ERR_INCOMPATIBLE_HW
- * @return ::SX_ERR_RETRY
- *
- * @pre - key reference provided by \p key must be initialized using
- *        sx_keyref_load_material() or sx_keyref_load_by_id()
- */
-int sx_blkcipher_create_aescfb_dec(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv);
-
-/** Prepares an AES OFB block cipher encryption.
- *
- * This function initializes the user allocated object \p c with a new block
- * cipher operation context needed to run the AES OFB encryption and reserves
- * the HW resource.
- *
- * After successful execution of this function, the context \p c can be passed
- * to any of the block cipher functions.
- *
- * @param[out] c block cipher operation context
- * @param[in] key key used for the block cipher operation, expected size
- *                16, 24 or 32 bytes
- * @param[in] iv initialization vector, size must be 16 bytes
- * @return ::SX_OK
- * @return ::SX_ERR_INVALID_KEYREF
- * @return ::SX_ERR_INVALID_KEY_SZ
- * @return ::SX_ERR_INCOMPATIBLE_HW
- * @return ::SX_ERR_RETRY
- *
- * @pre - key reference provided by \p key must be initialized using
- *        sx_keyref_load_material() or sx_keyref_load_by_id()
- */
-int sx_blkcipher_create_aesofb_enc(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv);
-
-/** Prepares an AES OFB block cipher decryption
- *
- * This function initializes the user allocated object \p c with a new block
- * cipher operation context needed to run the AES OFB decryption and reserves
- * the HW resource.
- *
- * After successful execution of this function, the context \p c can be passed
- * to any of the block cipher functions.
- *
- * @param[out] c block cipher operation context
- * @param[in] key key used for the block cipher operation, expected size
- *                16, 24 or 32 bytes
- * @param[in] iv initialization vector, size must be 16 bytes
- * @return ::SX_OK
- * @return ::SX_ERR_INVALID_KEYREF
- * @return ::SX_ERR_INVALID_KEY_SZ
- * @return ::SX_ERR_INCOMPATIBLE_HW
- * @return ::SX_ERR_RETRY
- *
- * @pre - key reference provided by \p key must be initialized using
- *        sx_keyref_load_material() or sx_keyref_load_by_id()
- */
-int sx_blkcipher_create_aesofb_dec(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv);
-
 /** Prepares an AES GCM AEAD encryption operation.
  *
  * This function initializes the user allocated object \p c with a new AEAD

subsys/nrf_security/src/drivers/cracen/sxsymcrypt/include/sxsymcrypt/blkcipher.h

@@ -81,8 +81,6 @@ struct sxblkcipher;
  *  --------: | :----------: | :-----------
  *        ECB | N * 16 bytes | N > 0
  *        CBC | N * 16 bytes | N > 0
- *        CFB | N * 16 bytes | N > 0
- *        OFB | N * 16 bytes | N > 0
  *        XTS | >= 16 bytes  | none
  *        CTR | > 0 bytes    | none
  *

subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipher.c

@@ -252,38 +252,6 @@ int sx_blkcipher_create_aescbc_dec(struct sxblkcipher *c, const struct sxkeyref
 	return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CBC, ba411cfg.decr);
 }
 
-int sx_blkcipher_create_aescfb_enc(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv)
-{
-	c->inminsz = 16;
-	c->granularity = 16;
-	return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CFB, ba411cfg.encr);
-}
-
-int sx_blkcipher_create_aescfb_dec(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv)
-{
-	c->inminsz = 16;
-	c->granularity = 16;
-	return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_CFB, ba411cfg.decr);
-}
-
-int sx_blkcipher_create_aesofb_enc(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv)
-{
-	c->inminsz = 1;
-	c->granularity = 1;
-	return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_OFB, ba411cfg.encr);
-}
-
-int sx_blkcipher_create_aesofb_dec(struct sxblkcipher *c, const struct sxkeyref *key,
-				   const char *iv)
-{
-	c->inminsz = 1;
-	c->granularity = 1;
-	return sx_blkcipher_create_aes_ba411(c, key, iv, BLKCIPHER_MODEID_OFB, ba411cfg.decr);
-}
-
 int sx_blkcipher_crypt(struct sxblkcipher *c, const char *datain, size_t sz, char *dataout)
 {
 	if (!c->dma.hw_acquired) {

subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/blkcipherdefs.h

@@ -14,8 +14,6 @@
 #define BLKCIPHER_MODEID_ECB	 0
 #define BLKCIPHER_MODEID_CBC	 1
 #define BLKCIPHER_MODEID_CTR	 2
-#define BLKCIPHER_MODEID_CFB	 3
-#define BLKCIPHER_MODEID_OFB	 4
 #define BLKCIPHER_MODEID_XTS	 7
 #define BLKCIPHER_MODEID_CHACH20 8