Oberon AEAD drivers not enabled even though configs are set.

Hi,

I am trying to enable the oberon crypto aead drivers. I believe I have the Kconfigs set correctly, but I can confirm through print statements that the define `PSA_NEED_OBERON_AEAD_DRIVER` is not enabled. I can also confirm that the corresponding Kconfig `CONFIG_PSA_NEED_OBERON_AEAD_DRIVER` is enabled through menuconfig and print statements.

Below is the `psa_driver_wrapper_aead_decrypt` function with some print statements added.

psa_status_t psa_driver_wrapper_aead_decrypt(const psa_key_attributes_t *attributes,
					     const uint8_t *key_buffer, size_t key_buffer_size,
					     psa_algorithm_t alg, const uint8_t *nonce,
					     size_t nonce_length, const uint8_t *additional_data,
					     size_t additional_data_length,
					     const uint8_t *ciphertext, size_t ciphertext_length,
					     uint8_t *plaintext, size_t plaintext_size,
					     size_t *plaintext_length)
{
	printk("psa_driver_wrapper_aead_decrypt nrf_security\n");

	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
	psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(attributes->core.lifetime);

	switch (location) {
	case PSA_KEY_LOCATION_LOCAL_STORAGE:
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
	case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
#endif		/* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
		/* Key is stored in the slot in export representation, so
		 * cycle through all known transparent accelerators
		 */
#if defined(PSA_NEED_CRACEN_AEAD_DRIVER)
		printk("cracen_aead_decrypt\n");
		status = cracen_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					     nonce_length, additional_data, additional_data_length,
					     ciphertext, ciphertext_length, plaintext,
					     plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_CRACEN_AEAD_DRIVER */
#if defined(PSA_NEED_CC3XX_AEAD_DRIVER)
		printk("cc3xx_aead_decrypt\n");
		status = cc3xx_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					    nonce_length, additional_data, additional_data_length,
					    ciphertext, ciphertext_length, plaintext,
					    plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_CC3XX_AEAD_DRIVER */
		printk("config %d\n", CONFIG_PSA_NEED_OBERON_AEAD_DRIVER);
#if defined(PSA_NEED_OBERON_AEAD_DRIVER)
		printk("oberon_aead_decrypt\n");
		status = oberon_aead_decrypt(attributes, key_buffer, key_buffer_size, alg, nonce,
					     nonce_length, additional_data, additional_data_length,
					     ciphertext, ciphertext_length, plaintext,
					     plaintext_size, plaintext_length);

		if (status != PSA_ERROR_NOT_SUPPORTED) {
			return status;
		}
#endif /* PSA_NEED_OBERON_AEAD_DRIVER */

		(void)attributes;
		(void)attributes;
		(void)key_buffer;
		(void)key_buffer_size;
		(void)alg;
		(void)nonce;
		(void)nonce_length;
		(void)additional_data;
		(void)additional_data_length;
		(void)ciphertext;
		(void)ciphertext_length;
		(void)plaintext;
		(void)plaintext_size;
		(void)plaintext_length;
		printk("not supported\n");
		return PSA_ERROR_NOT_SUPPORTED;
	default:
		/* Key is declared with a lifetime not known to us */
		(void)status;
		return PSA_ERROR_INVALID_ARGUMENT;
	}
}


After running with these modification, the following gets printed:

psa_driver_wrapper_aead_decrypt nrf_security
config 1
not supported

As you can see, no drivers are ever called, including the oberon one, but the Kconfig is clearly enabled, since it's printed with a value of 1.

Looking at where `PSA_NEED_OBERON_AEAD_DRIVER` is defined, in `nrf/ext/oberon/psa/core/library/oberon_config.h`, All the conditions necessary for enabling it should be met (confirmed through menuconfig)

#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
#if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_CCM_AES_128)
#define PSA_NEED_OBERON_AEAD_DRIVER 2
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_CCM_AES_192)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_CCM_AES_256)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CCM_AES 1
#endif
#endif

#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
#if defined(PSA_WANT_AES_KEY_SIZE_128) && !defined(PSA_ACCEL_GCM_AES_128)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_192) && !defined(PSA_ACCEL_GCM_AES_192)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#if defined(PSA_WANT_AES_KEY_SIZE_256) && !defined(PSA_ACCEL_GCM_AES_256)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_GCM_AES 1
#endif
#endif

#if defined(PSA_WANT_ALG_CHACHA20_POLY1305) && !defined(PSA_ACCEL_CHACHA20_POLY1305)
#define PSA_NEED_OBERON_AEAD_DRIVER 1
#define PSA_NEED_OBERON_CHACHA20_POLY1305 1
#endif

It seems like it may also be defined in Cmake files, but I'm assuming it would just take the value of CONFIG_PSA_NEED_OBERON_AEAD_DRIVER`, which is also enabled.

Is there any other reason why this could not be working as expected?

Thanks,

Alex

Parents Reply
  • Hi Alex,

    I did a quick test with the Crypto: AES GCM sample running on the nRF52840 DK, and this runs out of the box, using Oberon AEAD, and oberon_aead_decrypt_setup() is called from psa_driver_wrapper_aead_decrypt_setup() in psa_crypto_driver_wrappers.c as it should. So I wonder if there is somethign else with your project.

    Have you tested the sample and verified that it works also on your end? If you don't make progress on getting it to work in your application as well, perhaps you can share a complete failing project that I can test on a DK on my end?

Children
Related