From cb8ffcc8372cb7d8e1cb9ac40f56b03e4e41aa8f Mon Sep 17 00:00:00 2001
From: Georgios Vasilakis
Date: Tue, 12 Nov 2024 14:53:01 +0100
Subject: [PATCH 1/2] sdfw_services: Init ssf_client earlier

Initialize the ssf_client earlier during the boot process during post kernel. ssf_client needs to be initialized before the CONFIG_NRF_802154_SER_RADIO_INIT_PRIO since it is used by the "nRF IEEE 802.15.4" protocol. It also needs to be initialied after the IPC IPC_SERVICE_REG_BACKEND_PRIORITY since the IPC expects the protocol to be initialized. Failing to do that will also trigger an assertion in Zephyr.

Signed-off-by: Georgios Vasilakis
---
 subsys/sdfw_services/Kconfig | 5 +++++
 subsys/sdfw_services/os/ssf_client_zephyr.c | 17 ++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/subsys/sdfw_services/Kconfig b/subsys/sdfw_services/Kconfig
index 8247209ddec8..57b3982c80a7 100644
--- a/subsys/sdfw_services/Kconfig
+++ b/subsys/sdfw_services/Kconfig
@@ -38,6 +38,11 @@ config SSF_CLIENT_SYS_INIT
 bool "Start SDFW Service Framework client on boot"
 default y
+config SSF_CLIENT_SYS_INIT_PRIORITY
+ int
+ default 47
+ depends on SSF_CLIENT_SYS_INIT
+
 config SSF_CLIENT_REGISTERED_LISTENERS_MAX
 int "Maximum number of simultaneous registered listeners"
 default 1
diff --git a/subsys/sdfw_services/os/ssf_client_zephyr.c b/subsys/sdfw_services/os/ssf_client_zephyr.c
index 4d1f30cc7e32..10bd8627fa29 100644
--- a/subsys/sdfw_services/os/ssf_client_zephyr.c
+++ b/subsys/sdfw_services/os/ssf_client_zephyr.c
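Review bot: `SSF_CLIENT_SYS_INIT_PRIORITY` is added as a bare `int` with no prompt and no `help`, so nothing at the definition explains why the default is 47. The ordering constraint is only visible in the commit message and in the BUILD_ASSERTs in ssf_client_zephyr.c. I would add a help text along the lines of `Init priority of the SSF client at POST_KERNEL. Must be numerically greater than IPC_SERVICE_REG_BACKEND_PRIORITY and smaller than NRF_802154_SER_RADIO_INIT_PRIO.` Because the symbol has no prompt it cannot be assigned from a .conf file, so if a board changes one of the neighbouring priorities the only remedy is editing this default; if that is intended, the help text should say so.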
@@ -45,10 +45,25 @@ void ssf_client_sem_give(struct ssf_client_sem *sem)
 }
 #if CONFIG_SSF_CLIENT_SYS_INIT
+
+#ifdef CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_IPC_SERVICE_REG_BACKEND_PRIORITY,
+ "SSF_CLIENT_SYS_INIT_PRIORITY must be higher than IPC_SERVICE_REG_BACKEND_PRIORITY");
+#endif
+
+#ifdef CONFIG_NRF_802154_SER_RADIO_INIT_PRIO
+BUILD_ASSERT(CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY < CONFIG_NRF_802154_SER_RADIO_INIT_PRIO,
+ "SSF_CLIENT_SYS_INIT_PRIORITY must be lower than NRF_802154_SER_RADIO_INIT_PRIO");
+#endif
+
+BUILD_ASSERT(
+ CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY > CONFIG_KERNEL_INIT_PRIORITY_DEFAULT,
+ "SSF_CLIENT_SYS_INIT_PRIORITY must be higher than the IPC ICMSG initialization priority");
+
 static int client_init(void)
 {
 return ssf_client_init();
 }
-SYS_INIT(client_init, POST_KERNEL, CONFIG_APPLICATION_INIT_PRIORITY);
+SYS_INIT(client_init, POST_KERNEL, CONFIG_SSF_CLIENT_SYS_INIT_PRIORITY);
 #endif

From 9819aeec0deb0dd22ce7266fc215d8dadc78bd3b Mon Sep 17 00:00:00 2001
From: Georgios Vasilakis
Date: Fri, 17 Jan 2025 10:52:42 +0100
Subject: [PATCH 2/2] nrf_security: Add PSA compatibility layer for SSF

There are two functions which are defined in the psa_crypto_core.h and are implemented in psa_crypto.c which are used by the TLS library. These functions are: psa_can_do_hash psa_can_do_cipher These functions just check if the drivers are initialized before the relevant PSA crypto functions can be used. In the case of SSF there is no initialization needed because the PSA initialization happens inside the secure domain firmware before the application boots. These functions are added in a separate file since they only exist to maintain compatibility with the PSA core from Oberon/mbedTLS and they don't need to forward any call to the secure domain.
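Review bot: The last BUILD_ASSERT tests `CONFIG_KERNEL_INIT_PRIORITY_DEFAULT`, but its message talks about "the IPC ICMSG initialization priority", so a failing build names something that does not appear in the condition. I would name the compared symbol, e.g. `"SSF_CLIENT_SYS_INIT_PRIORITY must be numerically greater than KERNEL_INIT_PRIORITY_DEFAULT (used by IPC ICMSG init)"`. The same "higher"/"lower" wording in the two guarded asserts is ambiguous, because the conditions compare numbers while a larger init priority number runs later; "numerically greater"/"numerically smaller" removes the doubt. All three checks compare priority values only, so they presumably hold only while the IPC backend and the 802.15.4 serialization also register at POST_KERNEL; a one-line comment above the asserts stating that assumption would help whoever moves one of them to another init level.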
Signed-off-by: Georgios Vasilakis
---
 .../src/ssf_secdom/CMakeLists.txt | 1 +
 .../ssf_secdom/ssf_psa_core_compatibility.c | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 subsys/nrf_security/src/ssf_secdom/ssf_psa_core_compatibility.c

diff --git a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt
index d26957d88b2b..d13ee5b0c99c 100644
--- a/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt
+++ b/subsys/nrf_security/src/ssf_secdom/CMakeLists.txt
@@ -7,4 +7,5 @@
 target_sources(${mbedcrypto_target} PRIVATE ${CMAKE_CURRENT_LIST_DIR}/ssf_crypto.c
+ ${CMAKE_CURRENT_LIST_DIR}/ssf_psa_core_compatibility.c
 )
diff --git a/subsys/nrf_security/src/ssf_secdom/ssf_psa_core_compatibility.c b/subsys/nrf_security/src/ssf_secdom/ssf_psa_core_compatibility.c
new file mode 100644
index 000000000000..1f5c314a2cac
--- /dev/null
+++ b/subsys/nrf_security/src/ssf_secdom/ssf_psa_core_compatibility.c
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2025 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include
+
+/* This define exists in the psa_crypto.c file, I kept the same
+ * name here so that it can be searched the same way.
+ * In the psa_crypto.c file this define is the concatenation of
+ * PSA_CRYPTO_SUBSYSTEM_DRIVER_WRAPPERS_INITIALIZED (=0x1)|
+ * PSA_CRYPTO_SUBSYSTEM_KEY_SLOTS_INITIALIZED (=0x2)|
+ * PSA_CRYPTO_SUBSYSTEM_TRANSACTION_INITIALIZED (=0x4)
+ * Just for conformity I kept the same value here.
+ */
+#define PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED (0x7)
+
+/* This function is declared in psa_crypto_core.h */
+int psa_can_do_hash(psa_algorithm_t hash_alg)
+{
+ (void)hash_alg;
+ /* No initialization is needed when SSF is used, so just return the
+ * expected value here.
+ */
+ return PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED;
+}
+
+/* This function is declared in psa_crypto_core.h */
+int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg)
+{
+ (void)key_type;
+ (void)cipher_alg;
+ /* No initialization is needed when SSF is used, so just return the
+ * expected value here.
+ */
+ return PSA_CRYPTO_SUBSYSTEM_ALL_INITIALISED;
+}
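Review bot: Both stubs report the PSA core as ready unconditionally, and the comment "No initialization is needed when SSF is used" only covers the secure-domain side. The first patch in this series shows that the SSF client transport is itself brought up by a SYS_INIT at POST_KERNEL, so a caller that consults `psa_can_do_hash()` or `psa_can_do_cipher()` before that point would presumably be told crypto is usable before any request can reach the secure domain. I would state the assumption in the comment, e.g. `/* Always ready: PSA is initialised inside the secure domain; callers must run after ssf_client_init(). */`. The functions also discard `hash_alg`, `key_type` and `cipher_alg`, so the return value says nothing about whether the secure domain supports the requested algorithm; a sentence saying this is a readiness flag and not a capability check would keep TLS-side code from relying on it for algorithm selection.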