[Silabs] Adds support for both PSA and TinyCrypt on SiWx917 SoC (#29776)

* Refactor SiWx917 for mbedtls usage * Refactor PlatformManagerImpl initialization * Remove experimental ECDSA support * Adds multithreaded safety in crypto operations * Adds changes for use of SL_MBEDTLS_USE_TINYCRYPT * Adds changes for use of SL_MBEDTLS_USE_TINYCRYPT * addressed comments * Updated as per comments --------- Co-authored-by: Rohan S <[email protected]>
project-chip · Jun 27, 2024 · 3fc8d67 · 3fc8d67
1 parent 6a72fd1
commit 3fc8d67
Show file tree

Hide file tree

Showing 7 changed files with 398 additions and 199 deletions.
diff --git a/examples/platform/silabs/SiWx917/SiWx917/sl_wifi_if.cpp b/examples/platform/silabs/SiWx917/SiWx917/sl_wifi_if.cpp
@@ -74,10 +74,10 @@ extern "C" {
 #include "sl_wifi.h"
 #include "sl_wifi_callback_framework.h"
 #include "wfx_host_events.h"
-#if SLI_SI91X_MCU_INTERFACE
+#if SL_MBEDTLS_USE_TINYCRYPT
+#include "sl_si91x_constants.h"
 #include "sl_si91x_trng.h"
-#define TRNGKEY_SIZE 4
-#endif // SLI_SI91X_MCU_INTERFACE
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 }
 
 WfxRsi_t wfx_rsi;
@@ -456,8 +456,8 @@ static sl_status_t wfx_rsi_init(void)
         return status;
     }
 
-#ifdef SLI_SI91X_MCU_INTERFACE
-    const uint32_t trngKey[TRNGKEY_SIZE] = { 0x16157E2B, 0xA6D2AE28, 0x8815F7AB, 0x3C4FCF09 };
+#ifdef SL_MBEDTLS_USE_TINYCRYPT
+    const uint32_t trngKey[TRNG_KEY_SIZE] = { 0x16157E2B, 0xA6D2AE28, 0x8815F7AB, 0x3C4FCF09 };
 
     // To check the Entropy of TRNG and verify TRNG functioning.
     status = sl_si91x_trng_entropy();
@@ -468,13 +468,13 @@ static sl_status_t wfx_rsi_init(void)
     }
 
     // Initiate and program the key required for TRNG hardware engine
-    status = sl_si91x_trng_program_key((uint32_t *) trngKey, TRNGKEY_SIZE);
+    status = sl_si91x_trng_program_key((uint32_t *) trngKey, TRNG_KEY_SIZE);
     if (status != SL_STATUS_OK)
     {
         SILABS_LOG("TRNG Key Programming Failed");
         return status;
     }
-#endif // SLI_SI91X_MCU_INTERFACE
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 
     wfx_rsi.events = xEventGroupCreateStatic(&rsiDriverEventGroup);
     wfx_rsi.dev_state |= WFX_RSI_ST_DEV_READY;

diff --git a/src/platform/silabs/PlatformManagerImpl.cpp b/src/platform/silabs/PlatformManagerImpl.cpp
@@ -31,9 +31,9 @@
 #include <platform/internal/GenericPlatformManagerImpl_FreeRTOS.ipp>
 #include <platform/silabs/DiagnosticDataProviderImpl.h>
 
-#if defined(TINYCRYPT_PRIMITIVES)
+#if defined(SL_MBEDTLS_USE_TINYCRYPT)
 #include "tinycrypt/ecc.h"
-#endif // TINYCRYPT_PRIMITIVES
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
 #include <lwip/tcpip.h>
@@ -46,7 +46,7 @@ namespace DeviceLayer {
 
 PlatformManagerImpl PlatformManagerImpl::sInstance;
 
-#if defined(TINYCRYPT_PRIMITIVES)
+#if defined(SL_MBEDTLS_USE_TINYCRYPT)
 sys_mutex_t PlatformManagerImpl::rngMutexHandle = NULL;
 
 int PlatformManagerImpl::uECC_RNG_Function(uint8_t * dest, unsigned int size)
@@ -76,12 +76,10 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s
     return 0;
 }
 #endif // !SLI_SI91X_MCU_INTERFACE
-#endif // TINYCRYPT_PRIMITIVES
-
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 {
     CHIP_ERROR err;
-
     // Initialize the configuration system.
     err = chip::DeviceLayer::PersistedStorage::KeyValueStoreMgrImpl().Init();
     SuccessOrExit(err);
@@ -93,14 +91,15 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void)
 
     ReturnErrorOnFailure(System::Clock::InitClock_RealTime());
 
-#if defined(TINYCRYPT_PRIMITIVES)
+#if defined(SL_MBEDTLS_USE_TINYCRYPT)
 #if !(SLI_SI91X_MCU_INTERFACE)
-    ReturnErrorOnFailure(chip::Crypto::add_entropy_source(app_entropy_source, NULL, 16 /*Threshold value*/));
+    // 16 : Threshold value
+    ReturnErrorOnFailure(chip::Crypto::add_entropy_source(app_entropy_source, NULL, 16));
 #endif // !SLI_SI91X_MCU_INTERFACE
     /* Set RNG function for tinycrypt operations. */
     VerifyOrExit(sys_mutex_new(&rngMutexHandle) == ERR_OK, err = CHIP_ERROR_NO_MEMORY);
     uECC_set_rng(PlatformManagerImpl::uECC_RNG_Function);
-#endif // TINYCRYPT_PRIMITIVES
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 
     // Call _InitChipStack() on the generic implementation base class
     // to finish the initialization process.

diff --git a/src/platform/silabs/PlatformManagerImpl.h b/src/platform/silabs/PlatformManagerImpl.h
@@ -41,7 +41,7 @@ class PlatformManagerImpl final : public PlatformManager, public Internal::Gener
     // the implementation methods provided by this class.
     friend PlatformManager;
 
-#if defined(TINYCRYPT_PRIMITIVES)
+#if defined(SL_MBEDTLS_USE_TINYCRYPT)
     // Since the RNG callback will be called from multiple threads,
     // use this mutex to lock/unlock the call to Matter RNG API, which
     // uses some global variables.
@@ -51,7 +51,7 @@ class PlatformManagerImpl final : public PlatformManager, public Internal::Gener
     // It must be set before calling any sign operations,
     // which are used in both Matter and OT threads.
     static int uECC_RNG_Function(uint8_t * dest, unsigned int size);
-#endif
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 
     // Allow the generic implementation base class to call helper methods on
     // this class.

diff --git a/src/platform/silabs/SiWx917/BUILD.gn b/src/platform/silabs/SiWx917/BUILD.gn
@@ -18,11 +18,14 @@ import("${chip_root}/src/platform/device.gni")
 
 import("${chip_root}/build/chip/buildconfig_header.gni")
 import("${chip_root}/src/crypto/crypto.gni")
+import("${chip_root}/src/platform/silabs/wifi_args.gni")
+import("${chip_root}/third_party/silabs/SiWx917_sdk.gni")
 import("${chip_root}/third_party/silabs/silabs_board.gni")
 
 silabs_platform_dir = "${chip_root}/src/platform/silabs"
 
 assert(chip_device_platform == "SiWx917")
+
 if (chip_crypto == "platform") {
   import("//build_overrides/mbedtls.gni")
 }
@@ -80,7 +83,14 @@ static_library("SiWx917") {
 
   # Add platform crypto implementation
   if (chip_crypto == "platform") {
-    sources += [ "CHIPCryptoPALTinyCrypt.cpp" ]
+    if (sl_si91x_crypto_flavor == "tinycrypt") {
+      sources += [ "CHIPCryptoPALTinyCrypt.cpp" ]
+    }
+
+    if (sl_si91x_crypto_flavor == "psa") {
+      sources += [ "${silabs_platform_dir}/efr32/CHIPCryptoPALPsaEfr32.cpp" ]
+    }
+
     public_deps += [
       "${chip_root}/src/crypto",
       "${mbedtls_root}:mbedtls",

diff --git a/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h b/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
@@ -1,111 +1,86 @@
 /*
- *  Copyright (c) 2021, The OpenThread Authors.
- *  All rights reserved.
  *
- *  Redistribution and use in source and binary forms, with or without
- *  modification, are permitted provided that the following conditions are met:
- *  1. Redistributions of source code must retain the above copyright
- *     notice, this list of conditions and the following disclaimer.
- *  2. Redistributions in binary form must reproduce the above copyright
- *     notice, this list of conditions and the following disclaimer in the
- *     documentation and/or other materials provided with the distribution.
- *  3. Neither the name of the copyright holder nor the
- *     names of its contributors may be used to endorse or promote products
- *     derived from this software without specific prior written permission.
+ *    Copyright (c) 2024 Project CHIP Authors
+ *    All rights reserved.
  *
- *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- *  POSSIBILITY OF SUCH DAMAGE.
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
  */
 
 #pragma once
 
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-/**
- * Enable FreeRTOS threading support
- */
-#define MBEDTLS_FREERTOS
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_VERSION_C
+#define MBEDTLS_VERSION_FEATURES
 
-/**
- * Enable H Crypto and Entropy modules
- */
-#define MBEDTLS_AES_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECDH_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_CIPHER_MODE_CTR
-#define MBEDTLS_TRNG_C
+#define MBEDTLS_HKDF_C
+#define MBEDTLS_PKCS5_C
 
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+// DIC Specific Configurations
+#ifdef DIC_ENABLE
 
-#if defined(MBEDTLS_ECP_ALT) && !defined(MBEDTLS_ECP_RESTARTABLE)
-typedef void mbedtls_ecp_restart_ctx;
-#endif
+#define MBEDTLS_MPI_MAX_SIZE 512
 
-#ifdef DIC_ENABLE
-#define MBEDTLS_PKCS1_V15
-#define MBEDTLS_RSA_NO_CRT
 #define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_CIPHER_MODE_WITH_PADDING
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_PKCS1_V15
 #define MBEDTLS_RSA_C
+#define MBEDTLS_RSA_NO_CRT
 #define MBEDTLS_SHA1_C
 #define MBEDTLS_SSL_IN_CONTENT_LEN 5120
+#define MBEDTLS_SSL_MAX_CONTENT_LEN 5120
 #define MBEDTLS_SSL_OUT_CONTENT_LEN 1560
-#define MBEDTLS_DEBUG_C
-#define MBEDTLS_CIPHER_MODE_WITH_PADDING
-#endif
+
+#endif // DIC_ENABLE
+
+#ifdef SL_MBEDTLS_USE_TINYCRYPT
+#define TINYCRYPT_PRIMITIVES
+#define OPTIMIZE_TINYCRYPT_ASM
+
+#define MBEDTLS_FREERTOS
+
+#if (!(DIC_ENABLE) || !defined(DIC_ENABLE))
+/**< Maximum windows size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE 1
+
+/**< Maximum number of bytes for usable MPIs. */
+#define MBEDTLS_MPI_MAX_SIZE 32
+/**< Maxium fragment length in bytes */
+#define MBEDTLS_SSL_MAX_CONTENT_LEN 768
+#endif // !(DIC_ENABLE)
+
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
 
 #define MBEDTLS_AES_ROM_TABLES
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
 #define MBEDTLS_CCM_C
-#define MBEDTLS_CIPHER_C
 #define MBEDTLS_CIPHER_MODE_CBC
 #define MBEDTLS_CIPHER_MODE_CFB
-#define MBEDTLS_CMAC_C
-#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_CIPHER_MODE_CTR
+#define MBEDTLS_ECDH_C
 #define MBEDTLS_ECDH_LEGACY_CONTEXT
-#define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_DETERMINISTIC
 #define MBEDTLS_ECJPAKE_C
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
 #define MBEDTLS_ECP_NIST_OPTIM
-#define MBEDTLS_ENTROPY_FORCE_SHA256
-// TODO: 3R
-// #define MBEDTLS_ENTROPY_HARDWARE_ALT
-
+#define MBEDTLS_ECP_WINDOW_SIZE 2
 #define MBEDTLS_ERROR_STRERROR_DUMMY
 #define MBEDTLS_HAVE_ASM
-#define MBEDTLS_HKDF_C
 #define MBEDTLS_HMAC_DRBG_C
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-#define MBEDTLS_MD_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PEM_WRITE_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-#define MBEDTLS_PKCS5_C
-#define MBEDTLS_PLATFORM_C
-#define MBEDTLS_PLATFORM_MEMORY
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SSL_CLI_C
@@ -115,38 +90,17 @@ typedef void mbedtls_ecp_restart_ctx;
 #define MBEDTLS_SSL_EXPORT_KEYS
 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
-#define MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TLS_C
-#define MBEDTLS_X509_CREATE_C
-#define MBEDTLS_X509_CSR_WRITE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_X509_CSR_PARSE_C
-#define MBEDTLS_X509_USE_C
-
-#define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum windows size used. */
-#ifdef DIC_ENABLE
-#define MBEDTLS_MPI_MAX_SIZE 512 /**< Maximum number of bytes for usable MPIs. */
-#else
-#define MBEDTLS_MPI_MAX_SIZE 32 /**< Maximum number of bytes for usable MPIs. */
-#endif
-#define MBEDTLS_ECP_MAX_BITS 256        /**< Maximum bit size of groups */
-#define MBEDTLS_ECP_WINDOW_SIZE 2       /**< Maximum window size used */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Enable fixed-point speed-up */
-#define MBEDTLS_ENTROPY_MAX_SOURCES 2   /**< Maximum number of sources supported */
-
-#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE
-#define MBEDTLS_SSL_MAX_CONTENT_LEN 900 /**< Maxium fragment length in bytes */
-#else
-#ifdef DIC_ENABLE
-#define MBEDTLS_SSL_MAX_CONTENT_LEN 5120 /**< Maxium fragment length in bytes */
-#else
-#define MBEDTLS_SSL_MAX_CONTENT_LEN 768 /**< Maxium fragment length in bytes */
-#endif                                  // DIC
+#define MBEDTLS_TRNG_C
+
+#if defined(MBEDTLS_ECP_ALT) && !defined(MBEDTLS_ECP_RESTARTABLE)
+typedef void mbedtls_ecp_restart_ctx;
 #endif
 
-#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
+#endif // SL_MBEDTLS_USE_TINYCRYPT
 
-#include "mbedtls/check_config.h"
+// SLC GENERATED
+#include "sl_mbedtls_config.h"
diff --git a/src/platform/silabs/SiWx917/siwx917-chip-psa-config.h b/src/platform/silabs/SiWx917/siwx917-chip-psa-config.h
@@ -0,0 +1,32 @@
+/*
+ *
+ *    Copyright (c) 2024 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#pragma once
+
+// DIC Specific Configurations
+#ifdef DIC_ENABLE
+#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF
+
+#define PSA_WANT_ALG_CBC_NO_PADDING
+#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN
+#define PSA_WANT_ALG_SOME_PAKE
+#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
+#endif // DIC_ENABLE
+
+// SLC GENERATED
+#include "psa_crypto_config.h"