bt-crypto: add option to use PSA APIs instead of TinyCrypt
This commit adds CONFIG_BT_USE_PSA_API to allow the end user to prefer PSA APIs over TinyCrypt for crypto operations in bluetooth. Of course, this is possible only if a PSA provider is available on the system, i.e. CONFIG_PSA_CRYPTO_CLIENT is set. This commit also extends tests/bluetooth/bt_crypto adding a test case for PSA. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
parent
a9f7788f9f
commit
9032f8d791
8 changed files with 123 additions and 25 deletions
|
@ -192,6 +192,13 @@ rsource "crypto/Kconfig"
|
|||
rsource "lib/Kconfig"
|
||||
rsource "Kconfig.logging"
|
||||
|
||||
config BT_USE_PSA_API
|
||||
bool "Use PSA APIs instead of TinyCrypt for crypto operations"
|
||||
depends on BT_CRYPTO || BT_HOST_CRYPTO
|
||||
depends on PSA_CRYPTO_CLIENT
|
||||
help
|
||||
Use PSA APIs instead of TinyCrypt for crypto operations
|
||||
|
||||
endif # BT_HCI
|
||||
|
||||
config BT_COMPANY_ID
|
||||
|
|
|
@ -4,6 +4,16 @@ zephyr_library()
|
|||
|
||||
zephyr_library_sources(bt_crypto.c)
|
||||
|
||||
if(CONFIG_BT_USE_PSA_API)
|
||||
zephyr_library_sources(bt_crypto_psa.c)
|
||||
zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS)
|
||||
zephyr_library_include_directories_ifdef(CONFIG_BUILD_WITH_TFM
|
||||
$<TARGET_PROPERTY:tfm,TFM_BINARY_DIR>/api_ns/interface/include
|
||||
)
|
||||
else()
|
||||
zephyr_library_sources(bt_crypto_tc.c)
|
||||
endif()
|
||||
|
||||
if(CONFIG_BT_CRYPTO_LOG_LEVEL_DBG)
|
||||
message(WARNING "CONFIG_BT_CRYPTO_LOG_LEVEL_DBG is enabled.
|
||||
Private security keys such as the Long Term Key will be printed out.
|
||||
|
|
|
@ -3,8 +3,10 @@
|
|||
|
||||
config BT_CRYPTO
|
||||
bool
|
||||
select TINYCRYPT
|
||||
select TINYCRYPT_AES
|
||||
select TINYCRYPT_AES_CMAC
|
||||
select TINYCRYPT if !BT_USE_PSA_API
|
||||
select TINYCRYPT_AES if !BT_USE_PSA_API
|
||||
select TINYCRYPT_AES_CMAC if !BT_USE_PSA_API
|
||||
select PSA_WANT_KEY_TYPE_AES if BT_USE_PSA_API
|
||||
select PSA_WANT_ALG_CMAC if BT_USE_PSA_API
|
||||
help
|
||||
This option enables the Bluetooth Cryptographic Toolbox.
|
||||
|
|
|
@ -7,8 +7,12 @@
|
|||
|
||||
#include <zephyr/sys/byteorder.h>
|
||||
|
||||
#if defined(CONFIG_BT_USE_PSA_API)
|
||||
#include "psa/crypto.h"
|
||||
#else
|
||||
#include <tinycrypt/cmac_mode.h>
|
||||
#include <tinycrypt/constants.h>
|
||||
#endif
|
||||
|
||||
#include "common/bt_str.h"
|
||||
#include "bt_crypto.h"
|
||||
|
@ -17,27 +21,6 @@
|
|||
#include <zephyr/logging/log.h>
|
||||
LOG_MODULE_REGISTER(bt_crypto);
|
||||
|
||||
|
||||
int bt_crypto_aes_cmac(const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out)
|
||||
{
|
||||
struct tc_aes_key_sched_struct sched;
|
||||
struct tc_cmac_struct state;
|
||||
|
||||
if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
if (tc_cmac_update(&state, in, len) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
if (tc_cmac_final(out, &state) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int bt_crypto_f4(const uint8_t *u, const uint8_t *v, const uint8_t *x, uint8_t z, uint8_t res[16])
|
||||
{
|
||||
uint8_t xs[16];
|
||||
|
|
46
subsys/bluetooth/crypto/bt_crypto_psa.c
Normal file
46
subsys/bluetooth/crypto/bt_crypto_psa.c
Normal file
|
@ -0,0 +1,46 @@
|
|||
/* Copyright (c) 2022 Nordic Semiconductor ASA
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <zephyr/sys/byteorder.h>
|
||||
|
||||
#include "psa/crypto.h"
|
||||
|
||||
#include "common/bt_str.h"
|
||||
#include "bt_crypto.h"
|
||||
|
||||
#define LOG_LEVEL CONFIG_BT_CRYPTO_LOG_LEVEL
|
||||
#include <zephyr/logging/log.h>
|
||||
LOG_MODULE_DECLARE(bt_crypto);
|
||||
|
||||
int bt_crypto_aes_cmac(const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out)
|
||||
{
|
||||
psa_key_id_t key_id;
|
||||
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
|
||||
size_t out_size;
|
||||
psa_status_t status, destroy_status;
|
||||
|
||||
psa_set_key_type(&key_attr, PSA_KEY_TYPE_AES);
|
||||
psa_set_key_bits(&key_attr, 128);
|
||||
psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE |
|
||||
PSA_KEY_USAGE_VERIFY_MESSAGE);
|
||||
psa_set_key_algorithm(&key_attr, PSA_ALG_CMAC);
|
||||
|
||||
status = psa_import_key(&key_attr, key, 16, &key_id);
|
||||
if (status != PSA_SUCCESS) {
|
||||
LOG_ERR("Failed to import AES key %d", status);
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
status = psa_mac_compute(key_id, PSA_ALG_CMAC, in, len, out, 16, &out_size);
|
||||
destroy_status = psa_destroy_key(key_id);
|
||||
if ((status != PSA_SUCCESS) || (destroy_status != PSA_SUCCESS)) {
|
||||
LOG_ERR("Failed to compute MAC %d", status);
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
34
subsys/bluetooth/crypto/bt_crypto_tc.c
Normal file
34
subsys/bluetooth/crypto/bt_crypto_tc.c
Normal file
|
@ -0,0 +1,34 @@
|
|||
/* Copyright (c) 2022 Nordic Semiconductor ASA
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
|
||||
#include <zephyr/sys/byteorder.h>
|
||||
|
||||
#include <tinycrypt/cmac_mode.h>
|
||||
#include <tinycrypt/constants.h>
|
||||
|
||||
#include "common/bt_str.h"
|
||||
#include "bt_crypto.h"
|
||||
|
||||
int bt_crypto_aes_cmac(const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out)
|
||||
{
|
||||
struct tc_aes_key_sched_struct sched;
|
||||
struct tc_cmac_struct state;
|
||||
|
||||
if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
if (tc_cmac_update(&state, in, len) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
if (tc_cmac_final(out, &state) == TC_CRYPTO_FAIL) {
|
||||
return -EIO;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
|
@ -12,3 +12,19 @@ tests:
|
|||
integration_platforms:
|
||||
- native_sim
|
||||
tags: bluetooth
|
||||
bluetooth.bt_crypto.psa:
|
||||
filter: CONFIG_PSA_CRYPTO_CLIENT
|
||||
extra_args:
|
||||
- EXTRA_DTC_OVERLAY_FILE="test.overlay"
|
||||
platform_allow:
|
||||
- native_posix
|
||||
- native_posix/native/64
|
||||
- native_sim
|
||||
- native_sim/native/64
|
||||
- qemu_x86
|
||||
- qemu_cortex_m3
|
||||
- nrf5340dk/nrf5340/cpuapp/ns
|
||||
- nrf52840dk/nrf52840
|
||||
integration_platforms:
|
||||
- native_sim
|
||||
tags: bluetooth
|
||||
|
|
|
@ -12,7 +12,7 @@ add_library(mocks STATIC
|
|||
mocks/hmac_prng_expects.c
|
||||
mocks/crypto_help_utils.c
|
||||
|
||||
${ZEPHYR_BASE}/subsys/bluetooth/host/crypto.c
|
||||
${ZEPHYR_BASE}/subsys/bluetooth/host/crypto_tc.c
|
||||
${ZEPHYR_BASE}/subsys/logging/log_minimal.c
|
||||
${ZEPHYR_BASE}/subsys/bluetooth/common/bt_str.c
|
||||
${ZEPHYR_BASE}/subsys/bluetooth/host/uuid.c
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue