nrf_security: cracen: Remove CRACEN_PLATFORM_KEYS

This code has bit rotted and it will be replaced.

Ref: NCSDK-33162
Signed-off-by: Grzegorz Swiderski <[email protected]>

Author: 57300

subsys/nrf_security/Kconfig

@@ -66,7 +66,6 @@ endchoice
 config MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 	bool
 	default y if HAS_HW_NRF_CRACEN && PSA_CRYPTO_DRIVER_CRACEN
-	default y if PSA_WANT_PLATFORM_KEYS
 	help
 	  Promptless option used to control if the PSA Crypto core should have support for builtin keys or not.
 

subsys/nrf_security/cmake/psa_crypto_config.cmake

@@ -239,7 +239,6 @@ kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KMU_ENCRYPTED_KEYS)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_KMU_DRIVER)
-kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_PLATFORM_KEYS)
 
 # MAC driver configurations
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_HMAC)

subsys/nrf_security/configs/psa_crypto_config.h.template

@@ -267,7 +267,6 @@
 #cmakedefine PSA_NEED_CRACEN_HASH_DRIVER                        @PSA_NEED_CRACEN_HASH_DRIVER@
 #cmakedefine PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER              @PSA_NEED_CRACEN_KEY_MANAGEMENT_DRIVER@
 #cmakedefine PSA_NEED_CRACEN_KMU_DRIVER                         @PSA_NEED_CRACEN_KMU_DRIVER@
-#cmakedefine PSA_NEED_CRACEN_PLATFORM_KEYS                      @PSA_NEED_CRACEN_PLATFORM_KEYS@
 #cmakedefine PSA_NEED_CRACEN_MAC_DRIVER                         @PSA_NEED_CRACEN_MAC_DRIVER@
 #cmakedefine PSA_NEED_CRACEN_PAKE_DRIVER                        @PSA_NEED_CRACEN_PAKE_DRIVER@
 #cmakedefine PSA_NEED_CRACEN_KEY_DERIVATION_DRIVER              @PSA_NEED_CRACEN_KEY_DERIVATION_DRIVER@

subsys/nrf_security/src/drivers/Kconfig

@@ -36,11 +36,6 @@ config PSA_CRYPTO_DRIVER_CRACEN
 	help
 	  PSA crypto driver for the CRACEN HW peripheral.
 
-config PSA_WANT_PLATFORM_KEYS
-	bool
-	help
-	  Hidden option if platform keys are supported.
-
 menu "Choose DRBG algorithm"
 config PSA_WANT_ALG_CTR_DRBG
 	prompt "CTR_DRBG"

subsys/nrf_security/src/drivers/cracen/cracenpsa/cracenpsa.cmake

@@ -161,9 +161,3 @@ if(CONFIG_PSA_NEED_CRACEN_KEY_AGREEMENT_DRIVER OR CONFIG_PSA_NEED_CRACEN_KEY_DER
     ${CMAKE_CURRENT_LIST_DIR}/src/key_derivation.c
   )
 endif()
-
-if(CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS)
-  list(APPEND cracen_driver_sources
-    ${CMAKE_CURRENT_LIST_DIR}/src/platform_keys/platform_keys.c
-  )
-endif()

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c

@@ -5,9 +5,6 @@
  */
 
 #include "common.h"
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-#include "platform_keys/platform_keys.h"
-#endif
 
 #include <hal/nrf_cracen.h>
 #include <cracen/lib_kmu.h>
@@ -30,19 +27,10 @@
 #include "rsa_key.h"
 
 LOG_MODULE_DECLARE(cracen, CONFIG_CRACEN_LOG_LEVEL);
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-#include "platform_keys/platform_keys.h"
-#endif
 
 #define NOT_ENABLED_CURVE    (0)
 #define NOT_ENABLED_HASH_ALG (0)
 
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-/* Address from the IPS. May come from the MDK in the future. */
-#define DEVICE_SECRET_LENGTH  4
-#define DEVICE_SECRET_ADDRESS ((uint32_t *)0x0E001620)
-#endif
-
 static const uint8_t RSA_ALGORITHM_IDENTIFIER[] = {0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
 						   0x0d, 0x01, 0x01, 0x01, 0x05, 0x00};
 
@@ -689,51 +677,6 @@ int cracen_prepare_ik_key(const uint8_t *user_data)
 
 	__attribute__((unused)) struct sx_pk_config_ik cfg = {};
 
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	cfg.device_secret = DEVICE_SECRET_ADDRESS;
-	cfg.device_secret_sz = DEVICE_SECRET_LENGTH;
-
-	switch (((uint32_t *)user_data)[0]) {
-		/* Helper macro to set up an array containing the personalization string.
-		 * The array is a multiple of 4, since the IKG takes a number of uint32_t
-		 * as personalization string.
-		 */
-#define SET_STR(x)                                                                                 \
-	{                                                                                          \
-		static const char lstr_##x[((sizeof(#x) + 3) / 4) * 4] = #x;                       \
-		cfg.key_bundle = (uint32_t *)lstr_##x;                                             \
-		cfg.key_bundle_sz = sizeof(lstr_##x) / sizeof(uint32_t);                           \
-	}
-	case DOMAIN_NONE:
-		SET_STR(NONE0);
-		break;
-	case DOMAIN_SECURE:
-		SET_STR(SECURE0);
-		break;
-	case DOMAIN_APPLICATION:
-		SET_STR(APPLICATION0);
-		break;
-	case DOMAIN_RADIO:
-		SET_STR(RADIOCORE0);
-		break;
-	case DOMAIN_CELL:
-		SET_STR(CELL0);
-		break;
-	case DOMAIN_ISIM:
-		SET_STR(ISIM0);
-		break;
-	case DOMAIN_WIFI:
-		SET_STR(WIFI0);
-		break;
-	case DOMAIN_SYSCTRL:
-		SET_STR(SYSCTRL0);
-		break;
-
-	default:
-		return SX_ERR_INVALID_KEYREF;
-	}
-#endif
-
 #ifdef CONFIG_CRACEN_IKG_PERSONALIZED_KEYS
 	cfg.key_bundle = (const uint32_t *)user_data;
 	cfg.key_bundle_sz = 1; /* size of the owner_id is one 32-bit word */
@@ -753,9 +696,6 @@ static int cracen_clean_ik_key(const uint8_t *user_data)
 
 static bool cracen_is_ikg_key(const psa_key_attributes_t *attributes)
 {
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	return cracen_platform_keys_is_ikg_key(attributes);
-#else
 	switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))) {
 	case CRACEN_BUILTIN_IDENTITY_KEY_ID:
 	case CRACEN_BUILTIN_MKEK_ID:
@@ -764,7 +704,6 @@ static bool cracen_is_ikg_key(const psa_key_attributes_t *attributes)
 	default:
 		return false;
 	}
-#endif
 };
 
 static psa_status_t cracen_load_ikg_keyref(const psa_key_attributes_t *attributes,
@@ -774,14 +713,6 @@ static psa_status_t cracen_load_ikg_keyref(const psa_key_attributes_t *attribute
 	k->prepare_key = cracen_prepare_ik_key;
 	k->clean_key = cracen_clean_ik_key;
 
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	if (key_buffer_size != sizeof(ikg_opaque_key)) {
-		return PSA_ERROR_INVALID_ARGUMENT;
-	}
-
-	k->cfg = ((ikg_opaque_key *)key_buffer)->slot_number;
-	k->owner_id = ((ikg_opaque_key *)key_buffer)->owner_id;
-#else
 	/* IKG keys are identified from the ID */
 	(void)key_buffer;
 	(void)key_buffer_size;
@@ -798,7 +729,6 @@ static psa_status_t cracen_load_ikg_keyref(const psa_key_attributes_t *attribute
 	};
 
 	k->owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(psa_get_key_id(attributes));
-#endif
 	k->user_data = (uint8_t *)&k->owner_id;
 	return PSA_SUCCESS;
 }
@@ -878,9 +808,6 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui
 static psa_status_t cracen_get_ikg_opaque_key_size(const psa_key_attributes_t *attributes,
 						   size_t *key_size)
 {
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	return cracen_platform_keys_get_size(attributes, key_size);
-#else
 	switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))) {
 	case CRACEN_BUILTIN_IDENTITY_KEY_ID:
 		if (psa_get_key_type(attributes) ==
@@ -899,7 +826,6 @@ static psa_status_t cracen_get_ikg_opaque_key_size(const psa_key_attributes_t *a
 	}
 
 	return PSA_ERROR_INVALID_ARGUMENT;
-#endif /* PSA_NEED_CRACEN_PLATFORM_KEYS */
 }
 
 psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size)

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -14,7 +14,6 @@
 #include <cracen_psa_montgomery.h>
 #include <cracen_psa_ikg.h>
 #include <cracen_psa_rsa_keygen.h>
-#include "platform_keys/platform_keys.h"
 #include <nrf_security_mutexes.h>
 #include "ecc.h"
 #include <silexpk/sxops/rsa.h>
@@ -989,35 +988,6 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin
 		return status;
 	}
 #endif
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	if (location == PSA_KEY_LOCATION_CRACEN) {
-		psa_key_lifetime_t lifetime;
-		psa_drv_slot_number_t slot_id;
-		psa_key_attributes_t stored_attributes;
-		psa_status_t status = cracen_platform_keys_provision(attributes, data, data_length);
-
-		if (status != PSA_SUCCESS) {
-			return status;
-		}
-		status = cracen_platform_get_key_slot(psa_get_key_id(attributes), &lifetime,
-						      &slot_id);
-
-		if (status != PSA_SUCCESS) {
-			return status;
-		}
-
-		status = cracen_platform_get_builtin_key(slot_id, &stored_attributes, key_buffer,
-							 key_buffer_size, key_buffer_length);
-
-		if (status != PSA_SUCCESS) {
-			return status;
-		}
-
-		*key_bits = psa_get_key_bits(&stored_attributes);
-
-		return status;
-	}
-#endif
 
 	if (location != PSA_KEY_LOCATION_LOCAL_STORAGE) {
 		return PSA_ERROR_NOT_SUPPORTED;
@@ -1374,9 +1344,6 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
 #ifdef PSA_NEED_CRACEN_KMU_DRIVER
 		return cracen_kmu_get_builtin_key(slot_number, attributes, key_buffer,
 						  key_buffer_size, key_buffer_length);
-#elif PSA_NEED_CRACEN_PLATFORM_KEYS
-		return cracen_platform_get_builtin_key(slot_number, attributes, key_buffer,
-						       key_buffer_size, key_buffer_length);
 #else
 		return PSA_ERROR_DOES_NOT_EXIST;
 #endif
@@ -1387,17 +1354,6 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(mbedtls_svc_key_id_t key_id,
 						  psa_key_lifetime_t *lifetime,
 						  psa_drv_slot_number_t *slot_number)
 {
-/* For nRF54H20 devices all the builtin keys are considered platform keys,
- * these include the IKG keys. The IKG keys in these devices don't directly
- * use the CRACEN_BUILTIN_ ids, they use the IDs defined in  the file
- * nrf_platform_key_ids.h.
- * The function cracen_platform_get_key_slot will do the matching between the
- * platform key ids and the Cracen bulitin ids.
- */
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	return cracen_platform_get_key_slot(key_id, lifetime, slot_number);
-#else
-
 	switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key_id)) {
 	case CRACEN_BUILTIN_IDENTITY_KEY_ID:
 		*slot_number = CRACEN_BUILTIN_IDENTITY_KEY_ID;
@@ -1420,7 +1376,6 @@ psa_status_t mbedtls_psa_platform_get_builtin_key(mbedtls_svc_key_id_t key_id,
 								   PSA_KEY_LOCATION_CRACEN);
 
 	return PSA_SUCCESS;
-#endif /* PSA_NEED_CRACEN_PLATFORM_KEYS */
 }
 
 psa_status_t cracen_export_key(const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
@@ -1537,9 +1492,6 @@ psa_status_t cracen_destroy_key(const psa_key_attributes_t *attributes)
 #ifdef PSA_NEED_CRACEN_KMU_DRIVER
 	return cracen_kmu_destroy_key(attributes);
 #endif
-#ifdef PSA_NEED_CRACEN_PLATFORM_KEYS
-	return cracen_platform_destroy_key(attributes);
-#endif
 
 	return PSA_ERROR_DOES_NOT_EXIST;
 }