nrf_security: CRACEN: Changed PSA_WANT_ to PSA_NEED_CRACEN_ for KMU

AntonZma · nordicjm · commit d4e4d8ac0d3c · 2025-10-28T11:19:07.000Z
All CONFIG_PSA_WANT_ALG_ use cases exchanged
with PSA_NEED_CRACEN_ configs.
Added new config: PSA_NEED_CRACEN_ECDH.

Signed-off-by: Anton Zyma &lt;anton.zyma@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -67,6 +67,7 @@ kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RSA_PSS)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_RSA)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_DRIVER)
+kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ECDH)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RSA_OAEP)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RSA_PKCS1V15_CRYPT)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_ENCRYPTION_DRIVER)
diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -301,6 +301,7 @@
 #cmakedefine PSA_NEED_CRACEN_ECDH_SECP_K1_192                   @PSA_NEED_CRACEN_ECDH_SECP_K1_192@
 #cmakedefine PSA_NEED_CRACEN_ECDH_SECP_K1_256                   @PSA_NEED_CRACEN_ECDH_SECP_K1_256@
 #cmakedefine PSA_NEED_CRACEN_ECDH_SECP_K1                       @PSA_NEED_CRACEN_ECDH_SECP_K1@
+#cmakedefine PSA_NEED_CRACEN_ECDH                               @PSA_NEED_CRACEN_ECDH@
 #cmakedefine PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_RSA       @PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_RSA@
 #cmakedefine PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC       @PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC@
 #cmakedefine PSA_NEED_CRACEN_ECDSA_BRAINPOOL_P_R1_192           @PSA_NEED_CRACEN_ECDSA_BRAINPOOL_P_R1_192@
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -364,21 +364,23 @@ static psa_status_t get_kmu_slot_id_and_metadata(mbedtls_svc_key_id_t key_id,
 	return read_primary_slot_metadata(*slot_id, metadata);
 }
 
-#if defined(CONFIG_PSA_WANT_ALG_PURE_EDDSA) || defined(CONFIG_PSA_WANT_ALG_ED25519PH) || \
-	defined CONFIG_PSA_WANT_ALG_ECDSA || defined(CONFIG_PSA_WANT_ALG_HMAC)
+#if	defined(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS) || \
+	defined(PSA_NEED_CRACEN_ED25519PH)		    || \
+	defined(PSA_NEED_CRACEN_ECDSA)			    || \
+	defined(PSA_NEED_CRACEN_HMAC)
 static bool can_sign(const psa_key_attributes_t *key_attr)
 {
 	return (psa_get_key_usage_flags(key_attr) & PSA_KEY_USAGE_SIGN_MESSAGE) ||
 	       (psa_get_key_usage_flags(key_attr) & PSA_KEY_USAGE_SIGN_HASH);
 }
-#endif /* defined(CONFIG_PSA_WANT_ALG_PURE_EDDSA) || define(CONFIG_PSA_WANT_ALG_ED25519PH) */
+#endif
 
-#if defined(CONFIG_PSA_WANT_ALG_ECDH)
+#if defined(PSA_NEED_CRACEN_ECDH)
 static bool can_derive(const psa_key_attributes_t *key_attr)
 {
 	return psa_get_key_usage_flags(key_attr) & PSA_KEY_USAGE_DERIVE;
 }
-#endif
+#endif /* PSA_NEED_CRACEN_ECDH */
 
 /**
  * @brief Check provisioning state, and delete slots that were not completely provisioned.
@@ -598,61 +600,61 @@ static psa_status_t convert_to_psa_attributes(kmu_metadata *metadata,
 	psa_set_key_usage_flags(key_attr, usage_flags);
 
 	switch (metadata->algorithm) {
-#ifdef CONFIG_PSA_WANT_ALG_STREAM_CIPHER
+#ifdef PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20
 	case METADATA_ALG_CHACHA20:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_CHACHA20);
 		psa_set_key_algorithm(key_attr, PSA_ALG_STREAM_CIPHER);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305
+#endif /* PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20 */
+#ifdef PSA_NEED_CRACEN_CHACHA20_POLY1305
 	case METADATA_ALG_CHACHA20_POLY1305:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_CHACHA20);
 		psa_set_key_algorithm(key_attr, PSA_ALG_CHACHA20_POLY1305);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_GCM
+#endif /* PSA_NEED_CRACEN_CHACHA20_POLY1305 */
+#ifdef PSA_NEED_CRACEN_GCM_AES
 	case METADATA_ALG_AES_GCM:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_GCM);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CCM
+#endif /* PSA_NEED_CRACEN_GCM_AES */
+#ifdef PSA_NEED_CRACEN_CCM_AES
 	case METADATA_ALG_AES_CCM:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_CCM);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECB_NO_PADDING
+#endif /* PSA_NEED_CRACEN_CCM_AES */
+#ifdef PSA_NEED_CRACEN_ECB_NO_PADDING_AES
 	case METADATA_ALG_AES_ECB:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_ECB_NO_PADDING);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CTR
+#endif /* PSA_NEED_CRACEN_ECB_NO_PADDING_AES */
+#ifdef PSA_NEED_CRACEN_CTR_AES
 	case METADATA_ALG_AES_CTR:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_CTR);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CBC_NO_PADDING
+#endif /* PSA_NEED_CRACEN_CTR_AES */
+#ifdef PSA_NEED_CRACEN_CBC_NO_PADDING_AES
 	case METADATA_ALG_AES_CBC:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_CBC_NO_PADDING);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_SP800_108_COUNTER_CMAC
+#endif /* PSA_NEED_CRACEN_CBC_NO_PADDING_AES */
+#ifdef PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC
 	case METADATA_ALG_SP800_108_COUNTER_CMAC:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_SP800_108_COUNTER_CMAC);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CMAC
+#endif /* PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
+#ifdef PSA_NEED_CRACEN_CMAC
 	case METADATA_ALG_CMAC:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_AES);
 		psa_set_key_algorithm(key_attr, PSA_ALG_CMAC);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_PURE_EDDSA
+#endif /* PSA_NEED_CRACEN_CMAC */
+#ifdef PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS
 	case METADATA_ALG_ED25519:
 		/* If the key can sign it is assumed it is a private key */
 		psa_set_key_type(
@@ -662,8 +664,8 @@ static psa_status_t convert_to_psa_attributes(kmu_metadata *metadata,
 				: PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS));
 		psa_set_key_algorithm(key_attr, PSA_ALG_PURE_EDDSA);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ED25519PH
+#endif /* PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS */
+#ifdef PSA_NEED_CRACEN_ED25519PH
 	case METADATA_ALG_ED25519PH:
 		/* If the key can sign it is assumed it is a private key */
 		psa_set_key_type(
@@ -673,23 +675,23 @@ static psa_status_t convert_to_psa_attributes(kmu_metadata *metadata,
 				: PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS));
 		psa_set_key_algorithm(key_attr, PSA_ALG_ED25519PH);
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECDSA
+#endif /* PSA_NEED_CRACEN_ED25519PH */
+#ifdef PSA_NEED_CRACEN_ECDSA
 	case METADATA_ALG_ECDSA:
 		psa_set_key_type(key_attr,
 				 can_sign(key_attr)
 					 ? PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)
 					 : PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
 		psa_set_key_algorithm(key_attr, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH));
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_HMAC
+#endif /* PSA_NEED_CRACEN_ECDSA */
+#ifdef PSA_NEED_CRACEN_HMAC
 	case METADATA_ALG_HMAC:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_HMAC);
 		psa_set_key_algorithm(key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECDH
+#endif /* PSA_NEED_CRACEN_HMAC */
+#ifdef PSA_NEED_CRACEN_ECDH
 	case METADATA_ALG_ECDH:
 		psa_set_key_type(key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
 		psa_set_key_algorithm(key_attr, PSA_ALG_ECDH);
@@ -770,80 +772,80 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
 	}
 
 	switch (psa_get_key_algorithm(key_attr)) {
-#ifdef CONFIG_PSA_WANT_ALG_STREAM_CIPHER
+#ifdef PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20
 	case PSA_ALG_STREAM_CIPHER:
 		metadata->algorithm = METADATA_ALG_CHACHA20;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_CHACHA20) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305
+#endif /* PSA_NEED_CRACEN_STREAM_CIPHER_CHACHA20 */
+#ifdef PSA_NEED_CRACEN_CHACHA20_POLY1305
 	case PSA_ALG_CHACHA20_POLY1305:
 		metadata->algorithm = METADATA_ALG_CHACHA20_POLY1305;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_CHACHA20) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_GCM
+#endif /* PSA_NEED_CRACEN_CHACHA20_POLY1305 */
+#ifdef PSA_NEED_CRACEN_GCM_AES
 	case PSA_ALG_GCM:
 		metadata->algorithm = METADATA_ALG_AES_GCM;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CCM
+#endif /* PSA_NEED_CRACEN_GCM_AES */
+#ifdef PSA_NEED_CRACEN_CCM_AES
 	case PSA_ALG_CCM:
 		metadata->algorithm = METADATA_ALG_AES_CCM;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECB_NO_PADDING
+#endif /* PSA_NEED_CRACEN_CCM_AES */
+#ifdef PSA_NEED_CRACEN_ECB_NO_PADDING_AES
 	case PSA_ALG_ECB_NO_PADDING:
 		metadata->algorithm = METADATA_ALG_AES_ECB;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CTR
+#endif /* PSA_NEED_CRACEN_ECB_NO_PADDING_AES */
+#ifdef PSA_NEED_CRACEN_CTR_AES
 	case PSA_ALG_CTR:
 		metadata->algorithm = METADATA_ALG_AES_CTR;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CBC_NO_PADDING
+#endif /* PSA_NEED_CRACEN_CTR_AES */
+#ifdef PSA_NEED_CRACEN_CBC_NO_PADDING_AES
 	case PSA_ALG_CBC_NO_PADDING:
 		metadata->algorithm = METADATA_ALG_AES_CBC;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_SP800_108_COUNTER_CMAC
+#endif /* PSA_NEED_CRACEN_CBC_NO_PADDING_AES */
+#ifdef PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC
 	case PSA_ALG_SP800_108_COUNTER_CMAC:
 		metadata->algorithm = METADATA_ALG_SP800_108_COUNTER_CMAC;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_CMAC
+#endif /* PSA_NEED_CRACEN_SP800_108_COUNTER_CMAC */
+#ifdef PSA_NEED_CRACEN_CMAC
 	case PSA_ALG_CMAC:
 		metadata->algorithm = METADATA_ALG_CMAC;
 		if (psa_get_key_type(key_attr) != PSA_KEY_TYPE_AES) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		break;
 
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ED25519PH
+#endif /* PSA_NEED_CRACEN_CMAC */
+#ifdef PSA_NEED_CRACEN_ED25519PH
 	case PSA_ALG_ED25519PH:
 		if (PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(key_attr)) !=
 		    PSA_ECC_FAMILY_TWISTED_EDWARDS) {
@@ -856,8 +858,8 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
 		}
 		metadata->algorithm = METADATA_ALG_ED25519PH;
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_PURE_EDDSA
+#endif /* PSA_NEED_CRACEN_ED25519PH */
+#ifdef PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS
 	case PSA_ALG_PURE_EDDSA:
 		if (PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(key_attr)) !=
 		    PSA_ECC_FAMILY_TWISTED_EDWARDS) {
@@ -870,8 +872,8 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
 		}
 		metadata->algorithm = METADATA_ALG_ED25519;
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECDSA
+#endif /* PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS */
+#ifdef PSA_NEED_CRACEN_ECDSA
 	case PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):
 	case PSA_ALG_ECDSA(PSA_ALG_SHA_256):
 		if (PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(key_attr)) !=
@@ -886,24 +888,24 @@ static psa_status_t convert_from_psa_attributes(const psa_key_attributes_t *key_
 		}
 		metadata->algorithm = METADATA_ALG_ECDSA;
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_HMAC
+#endif /* PSA_NEED_CRACEN_ECDSA */
+#ifdef PSA_NEED_CRACEN_HMAC
 	case PSA_ALG_HMAC(PSA_ALG_SHA_256):
 		if (!can_sign(key_attr) && PSA_ALG_IS_HMAC(psa_get_key_type(key_attr))) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		metadata->algorithm = METADATA_ALG_HMAC;
 		break;
-#endif
-#ifdef CONFIG_PSA_WANT_ALG_ECDH
+#endif /* PSA_NEED_CRACEN_HMAC */
+#ifdef PSA_NEED_CRACEN_ECDH
 	case PSA_ALG_ECDH:
 		if (!can_derive(key_attr) || PSA_KEY_TYPE_ECC_GET_FAMILY(psa_get_key_type(
 						     key_attr)) != PSA_ECC_FAMILY_SECP_R1) {
 			return PSA_ERROR_NOT_SUPPORTED;
 		}
 		metadata->algorithm = METADATA_ALG_ECDH;
 		break;
-#endif
+#endif /* PSA_NEED_CRACEN_ECDH */
 	default:
 		/* Ignore the algorithm for the protected ram invalidation kmu slot because
 		 * it will never be used for crypto operations.
diff --git a/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig b/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig
@@ -460,6 +460,14 @@ config PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_DRIVER
 	depends on PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC || \
 		   PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_RSA
 
+config PSA_NEED_CRACEN_ECDH
+	bool
+	default y
+	depends on PSA_NEED_CRACEN_ECDH_BRAINPOOL_P_R1 || \
+		   PSA_NEED_CRACEN_ECDH_SECP_R1        || \
+		   PSA_NEED_CRACEN_ECDH_MONTGOMERY     || \
+		   PSA_NEED_CRACEN_ECDH_SECP_K1
+
 # CRACEN Asymmetric Encryption Driver
 
 config PSA_NEED_CRACEN_RSA_OAEP
