In an effort to shave off code size, remove out-of-the-box
enabling of crypto features (except SHA-256).
Configurations are adjusted to enable what they need.
Bonuses:
- When enabled, AES now defaults to using a smaller version
(`CONFIG_MBEDTLS_AES_ROM_TABLES` isn't default enabled anymore,
and if enabled, `CONFIG_MBEDTLS_AES_FEWER_TABLES` defaults to y).
- Conditions around Mbed TLS Kconfig options have been improved
to reflect the reality of the dependencies.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
With TF-M updated to 2.1.0 it now makes the signature type default
to EC-P256 for the mps2/an521/cpu0/ns board.
So far Zephyr had only supported and assumed that it was RSA-3072.
This brings support for other signature types, and changes the global
default to EC-P256.
The switch from RSA-3072 to EC-P256 reduces the flash usage by ~3.3KB
while having a negligible impact on RAM usage (increase of ~70 bytes)
when compiling the tfm_psa_test sample on mps2/an521/cpu0/ns and
nrf9160dk/nrf9160/ns without explicit optimizations.
The TFM_KEY_FILE_{S,NS} Kconfig options are moved inside an
`if TFM_BL2` as they are only used if MCUboot is included in TF-M.
The TF-M CMake variables MCUBOOT_KEY_{S,NS} are now set so that it's
possible to use signing keys located elsewhere than the default
location.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Restore the check that was introduced in
cd8d4ccad5 and removed in
cac7f4058f, rather than checking only
CONFIG_TFM_PSA_TEST_INITIAL_ATTESTATION in the tfm_psa_test sample.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Define and pass down PSA_ARCH_TESTS_PATH only in the sample that
needs it (tfm_psa_test).
Otherwise, it provokes a CMake warning because the variable does not
get used in TF-M.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This reverts commit 33786b55ab.
Reverting it because the upstream PR has been abandoned, and
this extra CMake variable is causing the warning
"Manually-specified variables were not used by the project".
As of now the version warning doesn't come up.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Permanently disable the revision checks made in the tf-m-tests
repository that were introduced with TF-M 2.1.0.
They fail because the expected upstream tags are not found in Zephyr's
tf-m-tests.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Remove the `_MAC` part because those Kconfig options enable only hash
algorithms, nothing MAC-related, and the `_ENABLED` part to align the
naming to the Mbed TLS defines (plus we don't need such a part).
As a bonus, enabling SHA-256 does not automatically enable SHA-224
anymore.
See the migration guide entries for more details on the practical
changes.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This commit aligns the GRTC driver to changes introduced in
hal_nordic. Some of the features regarding GRTC sleep/wakeup
functionality has been modified and moved out to the nrfx
driver's code.
Signed-off-by: Adam Kondraciuk <adam.kondraciuk@nordicsemi.no>
On SoC like nrf54h20 GPIOTE channels are split between cores. They
are reserved at compile time in devicetree. We need to ensure that
dynamically allocated channels are used only from pool assigned to
the given core. This is done using NRFX_GPIOTE130_CHANNELS_USED mask
which contains data from the device tree.
Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no>
https://github.com/zephyrproject-rtos/zephyr/pull/70541 has an
issue where if the screen has been rotated, values calculated if
invert-x or invert-y are set will be overwritten.
This breaks the adafruit_2_8_tft_touch_v2 touchscreen as the
display is rotated by 90 degrees but uses invert-x and invert-y.
This change makes the invert-x and invert-y options independent
of screen rotation.
Signed-off-by: Glenn Andrews <glenn.andrews.42@gmail.com>
Some Ambiq Apollox Blue SOC (e.g. Apollo3 Blue) uses internal designed
BLEIF module which is different from the general IOM module for SPI
transceiver. The called HAL API will also be independent. This driver is
implemented for the BLEIF module usage scenarios.
Signed-off-by: Aaron Ye <aye@ambiq.com>
Fixing a bug where wrong instance was enabled when SPIS137 was supposed
to be used.
Signed-off-by: Krzysztof Chruściński <krzysztof.chruscinski@nordicsemi.no>
Added NXP_FW_LOADER for NXP platforms.
Added NXP_RF_IMU for NXP platforms.
Added MONOLITHIC Flags for NXP platforms.
Signed-off-by: Axel Le Bourhis <axel.lebourhis@nxp.com>
- Add initial version of CYW920829M2EVK-02 board
- [drivers: clock_control] Make it possible to set up both iho and imo
clocks instead of just one or the other
Signed-off-by: Sreeram Tatapudi <sreeram.praveen@infineon.com>
This definition is no longer supported by the nrfx_gpiote driver (since
nrfx 3.2.0, reserved channels need to be defined per GPIOTE instance),
so remove it to not mislead users.
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
By default PSA crypto library copies all the buffers that are passed
in into the heap before further processing them. This is required
when the PSA crypto library is on the secure side and it accepts
buffers from a non-secure code. However this case in Zephyr
is already handled by TF-M, so when the PSA crypto library is
built (CONFIG_MBEDTLS_PSA_CRYPTO_C) then it will be on the
non-secure side. Therefore this malloc copy is useless and
it consumes heap memory. Setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
at Mbed TLS build time helps in removing this mechanism and
it saves heap memory.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Instead of selecting legacy MBEDTLS symbols, use corresponding
PSA_WANT ones when possible (note: some legacy symbols do not
have a PSA correspondance).
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add "sha3.c" source file that was previously missing from
CMakeLists.txt and that has been added in MbedTLS 3.6 release.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Using MBEDTLS_PSA_CRYPTO_CLIENT to guard all PSA_WANT symbols is
not completely correct because:
1. the prefix MBEDTLS suggests that it's something related to
MbedTLS, while actually PSA APIs can be provided also
by other implementations (ex: TFM)
2. there might applications which are willing to use PSA APIs
without using MbedTLS at all. For example computing an hash
can be as simple as writing psa_hash_compute() and, if the
PSA function is provided thorugh TFM, then MbedTLS is not
required at all
Therefore this commit:
- moves MBEDTLS_PSA_CRYPTO_CLIENT to Kconfig.tls-generic since
that symbol belongs to MbedTLS
- adds a new symbol named PSA_CRYPTO_CLIENT as a generic way
to state that there is "some" PSA crypto API provider
- let MBEDTLS_PSA_CRYPTO_CLIENT automatically select
PSA_CRYPTO_CLIENT, since the former is an implementation of
the latter.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Now that support for all PSA_WANT symbols is in place, we can
enable MBEDTLS_USE_PSA_CRYPTO when MBEDTLS_PSA_CRYPTO_C is
enabled as well.
Note: this commit also moves USE_PSA_CRYPTO out of CRYPTO_C
dependency in config-tls-generic.h because TLS/DTLS/X509 modules
of MbedTLS can rely on *any* implementation of PSA crypto APIs
not only the MbedTLS one. TFM is for example an alternative
to this.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Since PSA has several different symbols defined and since it's
better to keep them aligned with the current MbedTLS release,
a python script is used to generate both:
- Kconfig.psa
- config-psa-generic.h
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Adding a Kconfig and a header file to control which PSA features
are to be used from MbedTLS:
- new kconfig symbols are placed in a separate header file
(Kconfig.psa) and are guarded by MBEDTLS_PSA_CRYPTO_CLIENT. The
reason for this is that TLS/X509 can either rely on PSA functions
provided by MbedTLS (when MBEDTLS_PSA_CRYPTO_C is defined) or
TFM (when BUILD_WITH_TFM is selected). Therefore we could
not make these new Kconfigs depending on MBEDTLS_PSA_CRYPTO_C.
- by default all PSA symbols are enabled, but they can be
disabled by respective Kconfigs in order to reduce the image
size.
- the new header file (config-psa-generic.h) mimics what
config-tls-generic.h does for MbedTLS builtin symbols: it
enables a build symbol for every Kconfig one. The name is
kept identical in the 2 cases (a part from the initial CONFIG_
in order to simplify the mechanism).
- MBEDTLS_PSA_CRYPTO_CONFIG is finally enabled whenever there
is any PSA crypto provider (either MBEDTLS_PSA_CRYPTO_C or
TFM)
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
It made the build of
`samples/tfm_integration/tfm_psa_test/sample.tfm.psa_test_crypto`
break since the update of Mbed TLS to 3.6.0 (#71118), apparently because
`${ZEPHYR_BASE}` wasn't set, and the include doesn't seem to be needed.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Add new Microchip MEC chips using the new MEC5 HAL and
add a HAL version of a legacy chip named MECH172x.
Signed-off-by: Scott Worley <scott.worley@microchip.com>
Fix undefined reference to mbedtls_pk_ecc_xxx functions following update
to latest mbedtls version.
Signed-off-by: Joel Guittet <joelguittet@gmail.com>
The new kconfig options intend to represent a final
nRF54L product, let's handle them appropriately.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
- Do not set CONFIG_MBEDTLS_ZEPHYR_ENTROPY in
tests/crypto/mbedtls because this can cause test failure on
real devices in which test thread do not have access to
drivers.
- make MBEDTLS_PSA_CRYPTO_RND_SOURCE depending on
MBEDTLS_PSA_CRYPTO_C because it only makes sense when the
latter is defined
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Two Kconfig symbols were tied to a board-specific DT nodelabel - namely
the `NRFX_UARTE_CONFIG_RX_CACHE_ENABLED` and `UART_<n>_RX_CACHE_SIZE`
were tied to `shared_ram3x_region` - but this is not necessary.
That DT node is where the UARTE driver RX/TX cache buffers are placed
in the default nRF54H20 DK memory map, but on another board, they could
be located somewhere else.
The exact memory sub-regions used for this purpose are indicated using
the `memory-regions` property on each UARTE instance, which should be
generic enough already, so let's use that instead.
Signed-off-by: Grzegorz Swiderski <grzegorz.swiderski@nordicsemi.no>
It is meant specifically for configuration of the PSA crypto library.
The underlying PSA configuration items are guarded by the condition
that a PSA crypto provider must be present, which is the case when
either TF-M is in use or MbedTLS's PSA core is built as part of
the application image.
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
The HAS_MCUX_CSI (as well as all the HAS_MCUX_XXX) config was obsolete
and has been replaced by the DT_HAS_NXP_IMX_CSI_ENABLED (i.e.
DT_HAS_XXX_ENABLED). Drop it as well as all the dependencies on it.
Signed-off-by: Phi Bang Nguyen <phibang.nguyen@nxp.com>
The network CPU must be requested explicitly by the 802.15.4 driver for
the sharing mechanism to work correctly.
Signed-off-by: Jędrzej Ciupis <jedrzej.ciupis@nordicsemi.no>
MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO are 2 different
things and the former should not automatically enable the
latter. The reson is that the user might want the MbedTLS
PSA crypto toolbox to be built, but at the same time he/she
does not want TLS/DTLS (and other intermediate modules such
as PK, MD and Cipher) to use PSA APIs.
For this reason this commit introduces a new Kconfig option
named CONFIG_MBEDTLS_USE_PSA_CRYPTO to enable the corresponding
build symbol. By default USE_PSA_CRYPTO is disabled. It is
only explicilty enabled in tests/samples that were previously
setting CRYPTO_C (since in those cases USE_PSA was set).
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
PICOLIBC misses the dirent.h header which is required
to emulate ITS (internal trusted storage) in PSA APIs.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a choice to select between legacy modules
(i.e. ENTROPY + CTR_DRBG/HMAC_DRBG) and CSPRNG as random generators
for PSA_CRYPTO_C.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Create a new Kconfig named CONFIG_PSA_WANT_ALG_SHA_256 which allows to
enable PSA_WANT_ALG_SHA_256. This allows to use PSA functions to
compute SHA256 hashes. When PSA is provided by TFM this allows also
to remove legacy mbedtls_sha256() support and therefore reduce
footprint for the NS side.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Include `psa_crypto_ffdh.c` when compiling MbedTLS with PSA support, as
`MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY` references the included
functions.
Signed-off-by: Jordan Yates <jordan@embeint.com>
The wpas_to_wifi_mgmt_diconn_status() was missing "s" char,
so name it to wpas_to_wifi_mgmt_disconn_status() as that is
more descriptive.
Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
