Oberon AEAD drivers not enabled even though configs are set.

Hi,

I am trying to enable the oberon crypto aead drivers. I believe I have the Kconfigs set correctly, but I can confirm through print statements that the define `PSA_NEED_OBERON_AEAD_DRIVER` is not enabled. I can also confirm that the corresponding Kconfig `CONFIG_PSA_NEED_OBERON_AEAD_DRIVER` is enabled through menuconfig and print statements.

Below is the `psa_driver_wrapper_aead_decrypt` function with some print statements added.

psa_status_t psa_driver_wrapper_aead_decrypt(const psa_key_attributes_t *attributes,
					     const uint8_t *key_buffer, size_t key_buffer_size,
					     psa_algorithm_t alg, const uint8_t *nonce,
					     size_t nonce_length, const uint8_t *additional_data,
					     size_t additional_data_length,
					     const uint8_t *ciphertext, size_t ciphertext_length,
					     uint8_t *plaintext, size_t plaintext_size,
					     size_t *plaintext_length)
{
	printk("psa_driver_wrapper_aead_decrypt nrf_security\n");

	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
	psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);

	switch (location) {
	case PSA_KEY_LOCATION_LOCAL_STORAGE:
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
	case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
#endif		/* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
		/* Key is stored in the slot in export representation, so
		 * cycle through all known transparent accelerators
		 */
#if defined(PSA_NEED_CRACEN_AEAD_DRIVER)
		printk("cracen_aead_decrypt\n");
		status = cracen_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					     nonce_length, additional_data, additional_data_length,
					     ciphertext, ciphertext_length, plaintext,
					     plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_CRACEN_AEAD_DRIVER */
#if defined(PSA_NEED_CC3XX_AEAD_DRIVER)
		printk("cc3xx_aead_decrypt\n");
		status = cc3xx_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					    nonce_length, additional_data, additional_data_length,
					    ciphertext, ciphertext_length, plaintext,
					    plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_CC3XX_AEAD_DRIVER */
		printk("config %d\n", CONFIG_PSA_NEED_OBERON_AEAD_DRIVER);
#if defined(PSA_NEED_OBERON_AEAD_DRIVER)
		printk("oberon_aead_decrypt\n");
		status = oberon_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					     nonce_length, additional_data, additional_data_length,
					     ciphertext, ciphertext_length, plaintext,
					     plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_OBERON_AEAD_DRIVER */

		(void)attributes;
		(void)attributes;
		(void)key_buffer;
		(void)key_buffer_size;
		(void)alg;
		(void)nonce;
		(void)nonce_length;
		(void)additional_data;
		(void)additional_data_length;
		(void)ciphertext;
		(void)ciphertext_length;
		(void)plaintext;
		(void)plaintext_size;
		(void)plaintext_length;
		printk("not supported\n");
		return PSA_ERROR_NOT_SUPPORTED;
	default:
		/* Key is declared with a lifetime not known to us */
		(void)status;
		return PSA_ERROR_INVALID_ARGUMENT;
	}
}


After running with these modification, the following gets printed:

psa_driver_wrapper_aead_decrypt nrf_security
config 1
not supported

As you can see, no drivers are ever called, including the oberon one, but the Kconfig is clearly enabled, since it's printed with a value of 1.

Looking at where `PSA_NEED_OBERON_AEAD_DRIVER` is defined, in `nrf/ext/oberon/psa/core/library/oberon_config.h`, All the conditions necessary for enabling it should be met (confirmed through menuconfig)

#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
#if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_CCM_AES_128)
#define PSA_NEED_OBERON_AEAD_DRIVER 2
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_CCM_AES_192)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_CCM_AES_256)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#endif

#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_GCM_AES_128)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_GCM_AES_192)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_GCM_AES_256)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#endif

#if defined(PSA_WANT_ALG_CHACHA20_POLY1305) && !defined(PSA_ACCEL_CHACHA20_POLY1305)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CHACHA20_POLY1305 1
#endif

It seems like it may also be defined in Cmake files, but I'm assuming it would just take the value of CONFIG_PSA_NEED_OBERON_AEAD_DRIVER`, which is also enabled.

Is there any other reason why this could not be working as expected?

Thanks,

Alex

Related