• State Not Answered
  • Replies 3 replies
  • Subscribers 87 subscribers
  • Views 376 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 349189
Options

[NCS v2.6.0 | nRF52840] Enable CC3XX Hardware Acceleration Only for RSA, Use Software for AES-256

sai varma datla

Hi Nordic team,

I'm currently working on a device onboarding flow using the nRF Connect SDK Toolchain v2.6.0 on an nRF52840 board. The onboarding process involves:

  • Generating RSA public/private key pairs

  • Performing AES-256 encryption

To improve performance, I have enabled the hardware crypto accelerator with:

CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

However, I discovered that the CC3XX does not support AES-256 key generation, so I need to fall back to software (e.g., Mbed TLS) for AES-256 operations.

The problem is, when I disable the hardware accelerator to make AES-256 work in software, the RSA key generation falls back to software as well, and takes more than 2 minutes, which is too slow for my use case.

What I'm Trying to Achieve:

I'd like to configure NCS v2.6.0 such that:

  • RSA key pair generation continues to use the CC3XX hardware accelerator

  • AES-256 encryption is performed using software fallback (Mbed TLS)

In short, I need selective hardware acceleration:

  • Use CC3XX only for RSA

  • Use software for AES-256

Questions:

  1. Is this type of configuration supported in NCS v2.6.0 for the nRF52840?

  2. If yes, what is the correct way to configure it (e.g., prj.conf or overlay settings)?

  3. Is there a way to confirm which crypto backend (hardware vs. software) is being used for each operation?

Any guidance, configuration examples, or best practices would be greatly appreciated.

Thanks in advance!

Parents Reply Children
  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thanks for the detailed explanation.

    I followed your suggestion and enabled both drivers in my configuration:

    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_WANT_AES_KEY_SIZE_256=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y  

    I'm working on an nRF52840 with NCS v2.6.0, and RSA key generation is now working properly via the CC3XX hardware accelerator.

    However, I'm running into an issue with AES-256. Specifically, I'm using the legacy Mbed TLS API:

    int err = mbedtls_aes_setkey_enc(&aes, key, 256); if (err) { printk("AES setkey_enc failed\n"); return HIFE_CRYPTO_INVALID_INPUT; }

    This call fails at runtime with the log message:
    AES setkey_enc failed

    From what I understand, the PSA driver configuration is meant to support AES-256 via Oberon, but this function doesn't go through the PSA API. Is this expected behavior?

    Questions:

    1. Do I need to migrate to the PSA Crypto API (e.g., psa_cipher_encrypt) to get AES-256 working via Oberon?

    2. Alternatively, is there a way to make mbedtls_aes_setkey_enc() work with AES-256 under this configuration?

    Any clarification or example would be really helpful.

    Thanks again for the support!

  • 0 in reply to sai varma datla

    Hi, 

    1. Yes, you need to migrate to PSA crypto APIs to get driver multiplexing to reach AES-256
    2. No. The mbedtls_aes_setkey_enc function will be removed when TF-PSA-Crypto is given out as 1.0.0 in the very near future. When this is done, then anything _ALT related will be removed (it is already flagged as deprecated)

    -Amanda H.

Related
Terms of service