Cracen drivers preventing some ciphers from being compiled in

Hello,

I am trying to upgrade my project from ncs 2.1.0 to ncs 2.6.1. I am running into some strange issues with mbedtls and I suspect it's because the same ciphers enabled when we were using ncs 2.1.0 are no longer enabled now that we have upgraded.

One such cipher is CFB AES 128. I have set `CONFIG_PSA_WANT_ALG_CFB=y` and I am getting the error `error: #error "No software implementation for 128 bit AES-CFB"`. This is because the config `PSA_ACCEL_CFB_AES_128` is not defined.

The direct dependencies for this are:

     MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
  || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)

This config seems to be defined in two places `nrf/subsys/nrf_security/src/drivers/Kconfig.psa` and `nrf/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig`. The requirements are met for the former but not the latter which seems to be taking precedence and not allowing me to enable this config. Below is the full Kconfig definition for this config.

At /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/nrf_security/src/drivers/Kconfig.psa_accel:86
Included via /home/alex/mesomat/p100_development/new-gateway/p100_gateway/Kconfig:23 -> Kconfig.zephyr:41 -> modules/Kconfig:13 -> /home/alex/mesomat/p100_development/new-gateway/p100_gateway/build/Kconfig/Kconfig.modules:2 -> /home/alex/mesomat/p100_development/new-gateway/nrf/Kconfig.nrf:115 -> /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/
Menu path: (Top) -> Modules -> nrf (/home/alex/mesomat/p100_development/new-gateway/nrf) -> Nordic nRF Connect -> Subsystems -> nRF Security -> Enable PSA crypto APIs -> PSA ACCEL - invisible

config PSA_ACCEL_CFB_AES_128
bool
depends on MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)

At /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig:550
Included via /home/alex/mesomat/p100_development/new-gateway/p100_gateway/Kconfig:23 -> Kconfig.zephyr:41 -> modules/Kconfig:13 -> /home/alex/mesomat/p100_development/new-gateway/p100_gateway/build/Kconfig/Kconfig.modules:2 -> /home/alex/mesomat/p100_development/new-gateway/nrf/Kconfig.nrf:115 -> /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/
Menu path: (Top) -> Modules -> nrf (/home/alex/mesomat/p100_development/new-gateway/nrf) -> Nordic nRF Connect -> Subsystems -> nRF Security -> Enable PSA crypto APIs -> PSA NEED CRACEN - invisible

config PSA_ACCEL_CFB_AES_128
bool
default y
depends on PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)

Is there a way to simply remove the cracen drivers from my project? I don't believe I have the hardware for it and I was able to enable this cipher in this same project in ncs 2.1.0.

Thanks

Alex

Parents
  • Hi, 

    Is there a way to simply remove the cracen drivers from my project?

    nRF Security drivers documentation webpage specifies how to disable cracen driver. Kconfig option CONFIG_PSA_CRYPTO_DRIVER_CRACEN is used to enable/disable CRACEN driver.

    Best regards,
    Dejan

  • Hi Dejan,

    That is already disabled, you can see that one in the dependencies

         MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
      || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)



    The first term in the OR is true ` MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=y)`

    But the second term is false `PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=n)`

     And for some reason that is causing the value of `PSA_ACCEL_CFB_AES_128` to be set to no, even though it is OR'd, so it should be set to yes. Is that correct?

  •                                                                                                 Symbol information
    Name: PSA_ACCEL_CFB_AES_128
    Type: bool
    Value: n
    
    Direct dependencies (=y):
         MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
      || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)
    
    Default:
      - y

    Here's the menuconfig symbol info. The dependencies are met, the default value is `y`, yet the value is no. I cannot set this symbol to yes manually cause it's not user configurable. So why is it being set to no?

  • For some context. The issue is when connecting to our CoAP server over DTLS. Every time I try I get the error

    [00:00:36.675,292] <err> net_sock_tls: TLS handshake error: -0x6e00
    [00:00:36.685,180] <err> mm_file_transfer: Failed to send block request (-1, -113)
    [00:00:36.699,493] <err> mm_file_transfer: Failed to send block request -1

    Looking at the exchange on wireshark, it seems normal, but then they exchange encrypted alerts and no more traffic follows. Here's a screenshot of the exchange:

    So I suspect some ciphers/curves are enabled in the old version but not in the new version. One that I can see is PSA_WANT_ALG_CFB is enabled in the old version but setting that  same config in the new version gives the error in the OP:

    `error: #error "No software implementation for 128 bit AES-CFB"` among others

Reply
  • For some context. The issue is when connecting to our CoAP server over DTLS. Every time I try I get the error

    [00:00:36.675,292] <err> net_sock_tls: TLS handshake error: -0x6e00
    [00:00:36.685,180] <err> mm_file_transfer: Failed to send block request (-1, -113)
    [00:00:36.699,493] <err> mm_file_transfer: Failed to send block request -1

    Looking at the exchange on wireshark, it seems normal, but then they exchange encrypted alerts and no more traffic follows. Here's a screenshot of the exchange:

    So I suspect some ciphers/curves are enabled in the old version but not in the new version. One that I can see is PSA_WANT_ALG_CFB is enabled in the old version but setting that  same config in the new version gives the error in the OP:

    `error: #error "No software implementation for 128 bit AES-CFB"` among others

Children
Related