Skip to content

Commit

Permalink
[SL-UP] Bring PSA crypto changes (#152)
Browse files Browse the repository at this point in the history
Co-authored-by: Ricardo Casallas <[email protected]>
  • Loading branch information
jmartinez-silabs and rcasallas-silabs authored Dec 6, 2024
1 parent 7f377ac commit 85bf162
Show file tree
Hide file tree
Showing 9 changed files with 500 additions and 1,652 deletions.
3 changes: 3 additions & 0 deletions examples/platform/silabs/FreeRTOSConfig.h
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,10 @@ See http://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html. */
#define configENABLE_FPU 1
#define configENABLE_MPU 0
/* FreeRTOS Secure Side Only and TrustZone Security Extension */
#ifndef configRUN_FREERTOS_SECURE_ONLY
// prevent redefinition with Series 3
#define configRUN_FREERTOS_SECURE_ONLY 1
#endif
#define configENABLE_TRUSTZONE 0
/* FreeRTOS MPU specific definitions. */
#define configINCLUDE_APPLICATION_DEFINED_PRIVILEGED_FUNCTIONS (0)
Expand Down
24 changes: 22 additions & 2 deletions src/crypto/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,18 @@ assert(
chip_crypto == "platform",
"Please select a valid crypto implementation: mbedtls, psa, openssl, boringssl, platform")

if (chip_crypto_keystore == "") {
if (chip_crypto == "psa") {
chip_crypto_keystore = "psa"
} else {
chip_crypto_keystore = "raw"
}
}

assert(chip_crypto_keystore == "psa" || chip_crypto_keystore == "raw" ||
chip_crypto_keystore == "app",
"Please select a valid crypto keystore: psa, raw, app")

buildconfig_header("crypto_buildconfig") {
header = "CryptoBuildConfig.h"
header_dir = "crypto"
Expand All @@ -47,11 +59,17 @@ buildconfig_header("crypto_buildconfig") {
chip_crypto_openssl = chip_crypto == "openssl"
chip_crypto_boringssl = chip_crypto == "boringssl"
chip_crypto_platform = chip_crypto == "platform"
chip_crypto_keystore_psa = chip_crypto_keystore == "psa"
chip_crypto_keystore_raw = chip_crypto_keystore == "raw"
chip_crypto_keystore_app = chip_crypto_keystore == "app"

defines = [
"CHIP_CRYPTO_MBEDTLS=${chip_crypto_mbedtls}",
"CHIP_CRYPTO_PSA=${chip_crypto_psa}",
"CHIP_CRYPTO_PSA_SPAKE2P=${chip_crypto_psa_spake2p}",
"CHIP_CRYPTO_KEYSTORE_PSA=${chip_crypto_keystore_psa}",
"CHIP_CRYPTO_KEYSTORE_RAW=${chip_crypto_keystore_raw}",
"CHIP_CRYPTO_KEYSTORE_APP=${chip_crypto_keystore_app}",
"CHIP_CRYPTO_OPENSSL=${chip_crypto_openssl}",
"CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
"CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
Expand Down Expand Up @@ -144,18 +162,20 @@ static_library("crypto") {
"RandUtils.h",
]

if (chip_crypto == "psa") {
if (chip_crypto_keystore == "psa") {
sources += [
"PSAOperationalKeystore.cpp",
"PSAOperationalKeystore.h",
"PSASessionKeystore.cpp",
"PSASessionKeystore.h",
]
} else {
} else if (chip_crypto_keystore == "raw") {
sources += [
"RawKeySessionKeystore.cpp",
"RawKeySessionKeystore.h",
]
} else {
# Keystore provided by app
}

if (chip_crypto_psa_spake2p) {
Expand Down
8 changes: 4 additions & 4 deletions src/crypto/DefaultSessionKeystore.h
Original file line number Diff line number Diff line change
Expand Up @@ -21,9 +21,9 @@
#include <crypto/CryptoBuildConfig.h>
#endif

#if CHIP_CRYPTO_PSA
#if CHIP_CRYPTO_KEYSTORE_PSA
#include <crypto/PSASessionKeystore.h>
#else
#elif CHIP_CRYPTO_KEYSTORE_RAW
#include <crypto/RawKeySessionKeystore.h>
#endif

Expand All @@ -34,9 +34,9 @@ namespace Crypto {
// when the PSA crypto backend is used, AES encryption/decryption function assume that the input
// key handle carries a key reference instead of raw key material, so PSASessionKeystore must be
// used instead of RawKeySessionKeystore to initialize the key handle.
#if CHIP_CRYPTO_PSA
#if CHIP_CRYPTO_KEYSTORE_PSA
using DefaultSessionKeystore = PSASessionKeystore;
#else
#elif CHIP_CRYPTO_KEYSTORE_RAW
using DefaultSessionKeystore = RawKeySessionKeystore;
#endif

Expand Down
4 changes: 4 additions & 0 deletions src/crypto/crypto.gni
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,10 @@ declare_args() {

# Use PSA Spake2+ implementation. Only used if chip_crypto == "psa"
chip_crypto_psa_spake2p = false

# Crypto storage: psa, raw, app.
# app: includes zero new files and disables the unit tests for the keystore.
chip_crypto_keystore = ""
}

assert(
Expand Down
9 changes: 7 additions & 2 deletions src/crypto/tests/TestChipCryptoPAL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -210,6 +210,7 @@ const AesCtrTestEntry theAesCtrTestVector[] = {
}
};

#if !(CHIP_CRYPTO_KEYSTORE_APP)
struct TestAesKey
{
public:
Expand Down Expand Up @@ -245,6 +246,7 @@ struct TestHmacKey
DefaultSessionKeystore keystore;
Hmac128KeyHandle key;
};
#endif

static void TestAES_CTR_128_Encrypt(const AesCtrTestEntry * vector)
{
Expand Down Expand Up @@ -964,6 +966,7 @@ TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_RawKey)
EXPECT_EQ(numOfTestsExecuted, numOfTestCases);
}

#if !(CHIP_CRYPTO_KEYSTORE_APP)
TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_KeyHandle)
{
HeapChecker heapChecker;
Expand Down Expand Up @@ -994,6 +997,7 @@ TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_KeyHandle)
}
EXPECT_EQ(numOfTestsExecuted, numOfTestCases);
}
#endif

TEST_F(TestChipCryptoPAL, TestHKDF_SHA256)
{
Expand Down Expand Up @@ -1870,7 +1874,6 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
size_t Pverifier_len = sizeof(Pverifier);
uint8_t Vverifier[kMAX_Hash_Length];
size_t Vverifier_len = sizeof(Vverifier);
DefaultSessionKeystore keystore;

int numOfTestVectors = ArraySize(rfc_tvs);
int numOfTestsRan = 0;
Expand Down Expand Up @@ -1967,7 +1970,9 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
error = Verifier.KeyConfirm(Pverifier, Pverifier_len);
EXPECT_EQ(error, CHIP_NO_ERROR);

#if !(CHIP_CRYPTO_KEYSTORE_APP)
// Import HKDF key from the test vector to the keystore
DefaultSessionKeystore keystore;
HkdfKeyHandle vectorKe;
error = keystore.CreateKey(ByteSpan(vector->Ke, vector->Ke_len), vectorKe);
EXPECT_EQ(error, CHIP_NO_ERROR);
Expand All @@ -1988,7 +1993,7 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
keystore.DestroyKey(vectorKe);
keystore.DestroyKey(PKe);
keystore.DestroyKey(VKe);

#endif
numOfTestsRan += 1;
}
EXPECT_GT(numOfTestsRan, 0);
Expand Down
Loading

0 comments on commit 85bf162

Please sign in to comment.