Hi,
I am trying to enable the oberon crypto aead drivers. I believe I have the Kconfigs set correctly, but I can confirm through print statements that the define `PSA_NEED_OBERON_AEAD_DRIVER` is not enabled. I can also confirm that the corresponding Kconfig `CONFIG_PSA_NEED_OBERON_AEAD_DRIVER` is enabled through menuconfig and print statements.
Below is the `psa_driver_wrapper_aead_decrypt` function with some print statements added.
psa_status_t psa_driver_wrapper_aead_decrypt(const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
psa_algorithm_t alg, const uint8_t *nonce,
size_t nonce_length, const uint8_t *additional_data,
size_t additional_data_length,
const uint8_t *ciphertext, size_t ciphertext_length,
uint8_t *plaintext, size_t plaintext_size,
size_t *plaintext_length)
{
printk("psa_driver_wrapper_aead_decrypt nrf_security\n");
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);
switch (location) {
case PSA_KEY_LOCATION_LOCAL_STORAGE:
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators
*/
#if defined(PSA_NEED_CRACEN_AEAD_DRIVER)
printk("cracen_aead_decrypt\n");
status = cracen_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
nonce_length, additional_data, additional_data_length,
ciphertext, ciphertext_length, plaintext,
plaintext_size, plaintext_length);
if (status != PSA_ERROR_NOT_SUPPORTED) {
return status;
}
#endif /* PSA_NEED_CRACEN_AEAD_DRIVER */
#if defined(PSA_NEED_CC3XX_AEAD_DRIVER)
printk("cc3xx_aead_decrypt\n");
status = cc3xx_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
nonce_length, additional_data, additional_data_length,
ciphertext, ciphertext_length, plaintext,
plaintext_size, plaintext_length);
if (status != PSA_ERROR_NOT_SUPPORTED) {
return status;
}
#endif /* PSA_NEED_CC3XX_AEAD_DRIVER */
printk("config %d\n", CONFIG_PSA_NEED_OBERON_AEAD_DRIVER);
#if defined(PSA_NEED_OBERON_AEAD_DRIVER)
printk("oberon_aead_decrypt\n");
status = oberon_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
nonce_length, additional_data, additional_data_length,
ciphertext, ciphertext_length, plaintext,
plaintext_size, plaintext_length);
if (status != PSA_ERROR_NOT_SUPPORTED) {
return status;
}
#endif /* PSA_NEED_OBERON_AEAD_DRIVER */
(void)attributes;
(void)attributes;
(void)key_buffer;
(void)key_buffer_size;
(void)alg;
(void)nonce;
(void)nonce_length;
(void)additional_data;
(void)additional_data_length;
(void)ciphertext;
(void)ciphertext_length;
(void)plaintext;
(void)plaintext_size;
(void)plaintext_length;
printk("not supported\n");
return PSA_ERROR_NOT_SUPPORTED;
default:
/* Key is declared with a lifetime not known to us */
(void)status;
return PSA_ERROR_INVALID_ARGUMENT;
}
}After running with these modification, the following gets printed:
psa_driver_wrapper_aead_decrypt nrf_security config 1 not supported
As you can see, no drivers are ever called, including the oberon one, but the Kconfig is clearly enabled, since it's printed with a value of 1.
Looking at where `PSA_NEED_OBERON_AEAD_DRIVER` is defined, in `nrf/ext/oberon/psa/core/library/oberon_config.h`, All the conditions necessary for enabling it should be met (confirmed through menuconfig)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM) #if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_CCM_AES_128) #define PSA_NEED_OBERON_AEAD_DRIVER 2 #define PSA_NEED_OBERON_CCM_AES 1 #endif #if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_CCM_AES_192) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_CCM_AES 1 #endif #if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_CCM_AES_256) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_CCM_AES 1 #endif #endif #if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM) #if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_GCM_AES_128) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_GCM_AES 1 #endif #if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_GCM_AES_192) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_GCM_AES 1 #endif #if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_GCM_AES_256) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_GCM_AES 1 #endif #endif #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) && !defined(PSA_ACCEL_CHACHA20_POLY1305) #define PSA_NEED_OBERON_AEAD_DRIVER 1 #define PSA_NEED_OBERON_CHACHA20_POLY1305 1 #endif
It seems like it may also be defined in Cmake files, but I'm assuming it would just take the value of CONFIG_PSA_NEED_OBERON_AEAD_DRIVER`, which is also enabled.
Is there any other reason why this could not be working as expected?
Thanks,
Alex
