Utilizing hardware-accelerated or software-based PSA Crypto API

Hi Nordic team,

I would like to compare the differences between hardware-accelerated and software-based encryption to encrypt a small message. When I tried the crypto example, I was unsure whether I was using the hardware crypto engine. When I looked at the library documentation, I got confused about the different components and layers of implementation. Before moving into my main question, I would like to clarify my understanding of Crypto Library and CryptoCell.

As far as I understand, the PSA API comes from the TF-M side. It requires underlying drivers to support crypto operations, namely the Arm CryptoCell cc3xx binary and the nrf_oberon binary.

My questions are:

  1. Only the CryptoCell cc3xx driver utilizes CC310 to perform crypto operations, while the Oberon driver performs the operations by the MCU Core?
  2. Do all crypto samples by default utilize CC310?
  3. It is mentioned in the documentation that [CONFIG_HW_CC3XX] has a default value of y. In my project, this value is n due to TRUSTED_EXECUTION_NONSECURE=n. What is the implication of this?
  4. What is the difference between [CONFIG_PSA_CRYPTO_DRIVER_CC3XX], [CONFIG_HW_CC3XX] and [CONFIG_CC3XX_BACKEND]?
  5. How can I correctly configure to use either hardware-accelerated or software-based implementation?
  6. Does the current PSA API support use along with the KMU?



Best Regards,
Anthony

  • Hi,

    Which board do you use?

    Which NRF Connect SDK version do you use?

    > In my project,

    Is your project based on any of the crypto samples?

    > When I tried the crypto example, I was unsure whether I was using the hardware crypto engine.

    Which sample did you try?

    Best regards,
    Dejan

  • Hello Dejan,

    I am currently testing on NCS 2.4.2 with a Thingy:91. I mainly tried the AES series samples. My project is based on the AES CCM sample. Thank you.


    Best regards,

    Anthony

  • Hi Anthony,

    > Only the CryptoCell cc3xx driver utilizes CC310 to perform crypto operations, while the Oberon driver performs the operations by the MCU Core?

    There are 2 types of drivers: the ARM CryptoCell cc3xx driver (more information is available in the documentation), which enables/disables specific PSA APIs, and the nrf_oberon driver (more information is available in the documentation), which is more granular and can enable/disable individual algorithms as well.
    The ARM CryptoCell CC3XX driver provides hardware-accelerated cryptography using ARM CryptoCell cc310/cc312 hardware.
    The nrf_oberon driver provides support for different cryptographic algorithms.

    > Do all crypto samples by default utilize CC310?

    It depends on the board you use and sample support for a specific board. You can read in hardware unique key functionality that nrf9160 and nrf52840 use cc310, but nrf5340 uses cc312.

    > It is mentioned in the documentation that [CONFIG_HW_CC3XX] has a default value of y. In my project, this value is n due to TRUSTED_EXECUTION_NONSECURE=n. What is the implication of this?

    TRUSTED_EXECUTION_NONSECURE=n means the non-secure image will not be built. If this option is enabled, it enables building a non-secure image for a platform which supports Trusted Execution. If TF-M is supported for a specific board, then this option should be enabled (TRUSTED_EXECUTION_NONSECURE=y). You can enable TF-M support for a board using CONFIG_BUILD_WITH_TFM.

    > What is the difference between [CONFIG_PSA_CRYPTO_DRIVER_CC3XX], [CONFIG_HW_CC3XX] and [CONFIG_CC3XX_BACKEND]?

    CONFIG_HW_CC3XX enables the ARM CC3XX hardware device in nrf52840, nrf53 and nrf9160 devices.
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX enables the usage of CryptoCell for supported operations. If disabled, all operations go through Oberon PSA driver.
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX is config option for nrf_cc3xx PSA driver.
    CONFIG_PSA_CRYPTO_DRIVER_OBERON is config option for nrf_oberon PSA driver.
    You can read more about driver configuration in the documentation.
    CONFIG_CC3XX_BACKEND is the config option used to enable CryptoCell CC3XX for legacy mbed TLS APIs.
    You can find more information about backend configuration in the documentation.

    > How can I correctly configure to use either hardware-accelerated or software-based implementation?

    Hardware-accelerated implementation uses CryptoCell. Therefore, you would need to enable hardware-accelerated cryptography using ARM CryptoCell CC3xx driver. Software implementation can be done using nrf_oberon driver.

    > Does the current PSA API support use along with the KMU?

    You can read more about KMU in the documentation.

    Best regards,
    Dejan
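
Added example, not part of the thread and not Nordic's code: a shell check for the "was I using the hardware crypto engine?" question, which reads the Kconfig options named in the reply above from a build's merged configuration. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Zephyr/NCS merged Kconfig
# file by the PSA crypto driver options discussed above.

# kconfig_value FILE SYMBOL -> y | n | unset
kconfig_value() {
    if grep -q "^$2=y\$" "$1"; then
        echo y
    elif grep -q "^# $2 is not set\$" "$1"; then
        echo n          # Kconfig writes disabled bools as a comment line
    else
        echo unset      # symbol not visible in this build
    fi
}

# psa_driver_summary FILE
#   -> "driver=<cryptocell|oberon-only|none> hw_cc3xx=<y|n|unset>"
psa_driver_summary() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 1
    fi
    cc3xx=$(kconfig_value "$cfg" CONFIG_PSA_CRYPTO_DRIVER_CC3XX)
    oberon=$(kconfig_value "$cfg" CONFIG_PSA_CRYPTO_DRIVER_OBERON)
    hw=$(kconfig_value "$cfg" CONFIG_HW_CC3XX)
    # Per the reply above: with the CC3XX driver enabled, CryptoCell handles
    # the supported operations; with it disabled, all go through Oberon.
    if [ "$cc3xx" = y ]; then
        driver=cryptocell
    elif [ "$oberon" = y ]; then
        driver=oberon-only
    else
        driver=none
    fi
    echo "driver=$driver hw_cc3xx=$hw"
}

# Constructed sample: a build with the CryptoCell PSA driver switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_HW_CC3XX=y
# CONFIG_PSA_CRYPTO_DRIVER_CC3XX is not set
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
EOF
psa_driver_summary "$sample"
rm -f "$sample"
```

Run `psa_driver_summary` against the merged configuration of your own build (assumed here to be `build/zephyr/.config`) to see what a given `prj.conf` actually resolved to before comparing timings.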
