Skip to content

nrf_security: Refactor builtin key handling #17973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 22, 2024
Merged

nrf_security: Refactor builtin key handling #17973

merged 3 commits into from
Oct 22, 2024

Conversation

@Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Oct 17, 2024

This updates the way that we handle the configuration MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS so that it follows the same logic as all the other PSA core configurations. Also does minor cleanups for this option.

It also renames the configuration option
MBEDTLS_ENABLE_BUILTIN_KEYS->MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.

This is a promptless option so need to update any sample/application because of this.

Ref: NCSDK-29543

@Vge0rge Vge0rge requested review from a team as code owners October 17, 2024 11:55
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 17, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 17, 2024
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 8

Inputs:

Sources:

sdk-nrf: PR head: dd3a5f855346ab4e3ce5805712d44a0130ad2648

more details

sdk-nrf:

PR head: dd3a5f855346ab4e3ce5805712d44a0130ad2648
merge base: 5d044fd32e7c9849fba4399156f7eda69be5a91c
target head (main): 5d044fd32e7c9849fba4399156f7eda69be5a91c
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (7) 
modules
│  ├── trusted-firmware-m
│  │  ├── tfm_boards
│  │  │  │ external_core.cmake
subsys
│  ├── nrf_security
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── cmake
│  │  │  │ nrf_config.cmake
│  │  ├── configs
│  │  │  ├── legacy_crypto_config.h.template
│  │  │  │ nrf-config.h.template
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  ├── cracen
│  │  │  │  │  ├── cracenpsa
│  │  │  │  │  │  │ cracenpsa.cmake

Outputs:

Toolchain

Version: 3dd8985b56
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:3dd8985b56_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 1460
  • ✅ Integration tests
    • ✅ test-fw-nrfconnect-chip
    • ✅ test-fw-nrfconnect-nrf-iot_cloud
    • ✅ test-fw-nrfconnect-nrf_crypto
    • ✅ test-fw-nrfconnect-tfm
    • ✅ test-sdk-find-my
    • ✅ test-sdk-sidewalk
    • ✅ test-sdk-dfu
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test_ble_nrf_config
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-boot
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_mosh
    • test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • test-fw-nrfconnect-nrf-iot_positioning
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-rs
    • test-fw-nrfconnect-thread
    • test-fw-nrfconnect-zigbee
    • test-low-level
    • test-sdk-audio
    • test-sdk-mcuboot
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

tomi-font
tomi-font approved these changes Oct 17, 2024
View reviewed changes
Copy link
Contributor

@tomi-font tomi-font left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nits in the commit message:

This updates the way that we handle the configuration

same logic as all the other PSA Crypto core configurations.

This is a promptless option so no need to update any sample/application

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Oct 17, 2024

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publishing GitHub Action.

@Vge0rge Vge0rge force-pushed the builtin_keys branch 2 times, most recently from cc4ccee to 813d61d Compare October 20, 2024 19:35
@Vge0rge Vge0rge mentioned this pull request Oct 20, 2024
Closed
Vge0rge and others added 3 commits October 21, 2024 09:41
@Vge0rge @tomi-font
nrf_security: Refactor builtin key handling
2f35117 
This updates the way we handle the configuration
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS so that it follows the
same logic as all the other PSA Crypto core configurations.
Also does minor cleanups for this option.

It also renames the configuration option
MBEDTLS_ENABLE_BUILTIN_KEYS->MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS.

This is a promptless option so no need to update any
sample/application because of this.

Ref: NCSDK-29543

Signed-off-by: Georgios Vasilakis <[email protected]>

Update subsys/nrf_security/Kconfig

Co-authored-by: Tomi Fontanilles <[email protected]>
@Vge0rge
tfm: Fix licence issue
7bbb88e 
Licence was BSD which is not correct in the
external_core.cmake file.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Always enable builtin keys for 54L
dd3a5f8 
Enable the builtin keys for the nRF54L series when
nrf_security is being used. This option for
builtin keys is needed for the KMU keys which
don't always have dependencies on the hardware unique key
or the identity key.

We guard this option on the PSA Cracen driver because the
driver implements the necessary builtin key functions.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge added this to the 2.8.0 milestone Oct 21, 2024
@Vge0rge Vge0rge removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Oct 21, 2024
frkv
frkv approved these changes Oct 21, 2024
View reviewed changes
Copy link
Contributor

@frkv frkv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

nvlsianpu
nvlsianpu approved these changes Oct 21, 2024
View reviewed changes
Copy link
Contributor

@nvlsianpu nvlsianpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works for Dominik's provisioning sample and allow testing nrfconnect/sdk-mcuboot#335 successfully.

@nvlsianpu nvlsianpu mentioned this pull request Oct 21, 2024
Merged
1 task
@nordicjm nordicjm merged commit c248288 into nrfconnect:main Oct 22, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nvlsianpu nvlsianpu nvlsianpu approved these changes

@frkv frkv frkv approved these changes

@nordicjm nordicjm nordicjm approved these changes

@tomi-font tomi-font tomi-font approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

2.8.0

Development

Successfully merging this pull request may close these issues.

6 participants

@Vge0rge @NordicBuilder @nvlsianpu @frkv @nordicjm @tomi-font