[SL-UP] Bring PSA crypto changes

examples/platform/silabs/FreeRTOSConfig.h

@@ -203,7 +203,10 @@ See http://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html. */
 #define configENABLE_FPU 1
 #define configENABLE_MPU 0
 /* FreeRTOS Secure Side Only and TrustZone Security Extension */
+#ifndef configRUN_FREERTOS_SECURE_ONLY
+// prevent redefinition with Series 3
 #define configRUN_FREERTOS_SECURE_ONLY 1
+#endif
 #define configENABLE_TRUSTZONE 0
 /* FreeRTOS MPU specific definitions. */
 #define configINCLUDE_APPLICATION_DEFINED_PRIVILEGED_FUNCTIONS (0)

src/crypto/BUILD.gn

@@ -38,6 +38,18 @@ assert(
         chip_crypto == "platform",
     "Please select a valid crypto implementation: mbedtls, psa, openssl, boringssl, platform")
 
+if (chip_crypto_keystore == "") {
+  if (chip_crypto == "psa") {
+    chip_crypto_keystore = "psa"
+  } else {
+    chip_crypto_keystore = "raw"
+  }
+}
+
+assert(chip_crypto_keystore == "psa" || chip_crypto_keystore == "raw" ||
+           chip_crypto_keystore == "app",
+       "Please select a valid crypto keystore: psa, raw, app")
+
 buildconfig_header("crypto_buildconfig") {
   header = "CryptoBuildConfig.h"
   header_dir = "crypto"
@@ -47,11 +59,17 @@ buildconfig_header("crypto_buildconfig") {
   chip_crypto_openssl = chip_crypto == "openssl"
   chip_crypto_boringssl = chip_crypto == "boringssl"
   chip_crypto_platform = chip_crypto == "platform"
+  chip_crypto_keystore_psa = chip_crypto_keystore == "psa"
+  chip_crypto_keystore_raw = chip_crypto_keystore == "raw"
+  chip_crypto_keystore_app = chip_crypto_keystore == "app"
 
   defines = [
     "CHIP_CRYPTO_MBEDTLS=${chip_crypto_mbedtls}",
     "CHIP_CRYPTO_PSA=${chip_crypto_psa}",
     "CHIP_CRYPTO_PSA_SPAKE2P=${chip_crypto_psa_spake2p}",
+    "CHIP_CRYPTO_KEYSTORE_PSA=${chip_crypto_keystore_psa}",
+    "CHIP_CRYPTO_KEYSTORE_RAW=${chip_crypto_keystore_raw}",
+    "CHIP_CRYPTO_KEYSTORE_APP=${chip_crypto_keystore_app}",
     "CHIP_CRYPTO_OPENSSL=${chip_crypto_openssl}",
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
@@ -144,18 +162,20 @@ static_library("crypto") {
     "RandUtils.h",
   ]
 
-  if (chip_crypto == "psa") {
+  if (chip_crypto_keystore == "psa") {
     sources += [
       "PSAOperationalKeystore.cpp",
       "PSAOperationalKeystore.h",
       "PSASessionKeystore.cpp",
       "PSASessionKeystore.h",
     ]
-  } else {
+  } else if (chip_crypto_keystore == "raw") {
     sources += [
       "RawKeySessionKeystore.cpp",
       "RawKeySessionKeystore.h",
     ]
+  } else {
+    # Keystore provided by app
   }
 
   if (chip_crypto_psa_spake2p) {

src/crypto/DefaultSessionKeystore.h

@@ -21,9 +21,9 @@
 #include <crypto/CryptoBuildConfig.h>
 #endif
 
-#if CHIP_CRYPTO_PSA
+#if CHIP_CRYPTO_KEYSTORE_PSA
 #include <crypto/PSASessionKeystore.h>
-#else
+#elif CHIP_CRYPTO_KEYSTORE_RAW
 #include <crypto/RawKeySessionKeystore.h>
 #endif
 
@@ -34,9 +34,9 @@ namespace Crypto {
 // when the PSA crypto backend is used, AES encryption/decryption function assume that the input
 // key handle carries a key reference instead of raw key material, so PSASessionKeystore must be
 // used instead of RawKeySessionKeystore to initialize the key handle.
-#if CHIP_CRYPTO_PSA
+#if CHIP_CRYPTO_KEYSTORE_PSA
 using DefaultSessionKeystore = PSASessionKeystore;
-#else
+#elif CHIP_CRYPTO_KEYSTORE_RAW
 using DefaultSessionKeystore = RawKeySessionKeystore;
 #endif
 

src/crypto/crypto.gni

@@ -22,6 +22,10 @@ declare_args() {
 
   # Use PSA Spake2+ implementation. Only used if chip_crypto == "psa"
   chip_crypto_psa_spake2p = false
+
+  # Crypto storage: psa, raw, app.
+  #   app: includes zero new files and disables the unit tests for the keystore.
+  chip_crypto_keystore = ""
 }
 
 assert(

src/crypto/tests/TestChipCryptoPAL.cpp

@@ -210,6 +210,7 @@ const AesCtrTestEntry theAesCtrTestVector[] = {
     }
 };
 
+#if !(CHIP_CRYPTO_KEYSTORE_APP)
 struct TestAesKey
 {
 public:
@@ -245,6 +246,7 @@ struct TestHmacKey
     DefaultSessionKeystore keystore;
     Hmac128KeyHandle key;
 };
+#endif
 
 static void TestAES_CTR_128_Encrypt(const AesCtrTestEntry * vector)
 {
@@ -964,6 +966,7 @@ TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_RawKey)
     EXPECT_EQ(numOfTestsExecuted, numOfTestCases);
 }
 
+#if !(CHIP_CRYPTO_KEYSTORE_APP)
 TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_KeyHandle)
 {
     HeapChecker heapChecker;
@@ -994,6 +997,7 @@ TEST_F(TestChipCryptoPAL, TestHMAC_SHA256_KeyHandle)
     }
     EXPECT_EQ(numOfTestsExecuted, numOfTestCases);
 }
+#endif
 
 TEST_F(TestChipCryptoPAL, TestHKDF_SHA256)
 {
@@ -1870,7 +1874,6 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
     size_t Pverifier_len = sizeof(Pverifier);
     uint8_t Vverifier[kMAX_Hash_Length];
     size_t Vverifier_len = sizeof(Vverifier);
-    DefaultSessionKeystore keystore;
 
     int numOfTestVectors = ArraySize(rfc_tvs);
     int numOfTestsRan    = 0;
@@ -1967,7 +1970,9 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
         error = Verifier.KeyConfirm(Pverifier, Pverifier_len);
         EXPECT_EQ(error, CHIP_NO_ERROR);
 
+#if !(CHIP_CRYPTO_KEYSTORE_APP)
         // Import HKDF key from the test vector to the keystore
+        DefaultSessionKeystore keystore;
         HkdfKeyHandle vectorKe;
         error = keystore.CreateKey(ByteSpan(vector->Ke, vector->Ke_len), vectorKe);
         EXPECT_EQ(error, CHIP_NO_ERROR);
@@ -1988,7 +1993,7 @@ TEST_F(TestChipCryptoPAL, TestSPAKE2P_RFC)
         keystore.DestroyKey(vectorKe);
         keystore.DestroyKey(PKe);
         keystore.DestroyKey(VKe);
-
+#endif
         numOfTestsRan += 1;
     }
     EXPECT_GT(numOfTestsRan, 0);