Hi,
We are migrating from SDK 2.1.1 to SDK 2.5.0 on nrf5340.
The below is our crypto configuration when using SDK 2.1.1. We use both both PSA and mbedtls API(reason in the link below).
>>>>>>>>>
# Enable nordic security backend
CONFIG_NRF_SECURITY=y
# Select the Nordic Security Backend, as the default backednd does not support RSA OAEP 3072 [b],
# Refer (+) RSA example fails on psa_sign_hash returning -133 - Nordic Q&A - Nordic DevZone - Nordic DevZone (nordicsemi.com) Sigurd Hellesvik
# Refer (+) RSA example fails on psa_sign_hash returning -133 - Nordic Q&A - Nordic DevZone - Nordic DevZone (nordicsemi.com) Sigurd Hellesvik
CONFIG_NORDIC_SECURITY_BACKEND=y
# Enable PSA CryptoCell support.
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
# Enable base64 API.
CONFIG_BASE64=y
# Mbedtls configuration.
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384
# Enable cipers accessed through the mbed_tsl API.
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_PK_PARSE_C=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
>>>>>>>>>
Now, Iam able to build our application with the above configuration using SDK 2.5.0, but when trying to run the application (with above crypto configuration)
psa_driver_wrapper_cipher_decrypt_setup(blockDecrypt, blockDecryptKeyHandle, PSA_ALG_CBC_PKCS7) returns PSA_ERROR_NOT_SUPPORTED.
psa_driver_wrapper_cipher_decrypt_setup(blockDecrypt, blockDecryptKeyHandle, PSA_ALG_CBC_PKCS7) returns PSA_ERROR_NOT_SUPPORTED.
The release notes of 2.4 and 2.5 describes significant changes to the crypto support.
Iam trying to solve the following scenarios:
(a) Existing configuration(mbedtls API plus PSA API):
Is there a way to get the above configuration to work with SDK 2.5.0? I don't know if CONFIG_MBEDTLS_LEGACY_CRYPTO_C is relevant anymore. I did try to make configuration changes based on the release note and documentation, but can't resolve the above error.
Surprisingly there are no build errors while running with the above configuration on 2.5.0. I would have then expected the mbedTLS API to not work, but it's the PSA API that's failing.
Please suggest changes to the configuration that are needed to make the above work.
(b) New PSA only configuration, in future:
We would ideally like to stick to only PSA APIs and secure key storage, for our use case. And the choice of cryptocell/oberon for security and efficiency reasons.
Do the PSA APIs support the below cases?:
Please suggest changes to the configuration that are needed to make the above work.
(b) New PSA only configuration, in future:
We would ideally like to stick to only PSA APIs and secure key storage, for our use case. And the choice of cryptocell/oberon for security and efficiency reasons.
Do the PSA APIs support the below cases?:
RSAES-OAEP - Key length 3072
AES-CBC, key length 128
ECDSA, NIST-P256
Note: Our application is built as SECURE.
Thanks,
Mathi.
