• State Not Answered
  • Replies 3 replies
  • Subscribers 87 subscribers
  • Views 376 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 349189
Options

[NCS v2.6.0 | nRF52840] Enable CC3XX Hardware Acceleration Only for RSA, Use Software for AES-256

sai varma datla

Hi Nordic team,

I'm currently working on a device onboarding flow using the nRF Connect SDK Toolchain v2.6.0 on an nRF52840 board. The onboarding process involves:

  • Generating RSA public/private key pairs

  • Performing AES-256 encryption

To improve performance, I have enabled the hardware crypto accelerator with:

CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

However, I discovered that the CC3XX does not support AES-256 key generation, so I need to fall back to software (e.g., Mbed TLS) for AES-256 operations.

The problem is, when I disable the hardware accelerator to make AES-256 work in software, the RSA key generation falls back to software as well, and takes more than 2 minutes, which is too slow for my use case.

What I'm Trying to Achieve:

I'd like to configure NCS v2.6.0 such that:

  • RSA key pair generation continues to use the CC3XX hardware accelerator

  • AES-256 encryption is performed using software fallback (Mbed TLS)

In short, I need selective hardware acceleration:

  • Use CC3XX only for RSA

  • Use software for AES-256

Questions:

  1. Is this type of configuration supported in NCS v2.6.0 for the nRF52840?

  2. If yes, what is the correct way to configure it (e.g., prj.conf or overlay settings)?

  3. Is there a way to confirm which crypto backend (hardware vs. software) is being used for each operation?

Any guidance, configuration examples, or best practices would be greatly appreciated.

Thanks in advance!

Parents
  • 0

    Hi, 

    It is required to enable both CryptoCell and Oberon drivers, like the psa_tls sample is doing (here it is done in an overlay file, but the configuration can be given on board-level, or prj.conf if more convenient. https://github.com/nrfconnect/sdk-nrf/blob/main/samples/crypto/psa_tls/overlays/cc3xx-oberon-psa.conf

    Note that the support for 256-bit keys is controlled by enabled driver features. As you have pointed out, AES-256 is not supported in CryptoCell on nRF52840 devices

    Configuring the specific key size is done in a Nordic/Oberon PSA crypto specific configuration CONFIG_PSA_WANT_AES_KEY_SIZE_256.

    When this configuration is set, the system will try to allow for this to be used based on the drivers that are enabled. If only CryptoCell is enabled, then it will not have support. If CryptoCell and Oberon are enabled, then any enabled AES cipher will resolve to enable Oberon. 

    Regards,
    Amanda H.

  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thanks for the detailed explanation.

    I followed your suggestion and enabled both drivers in my configuration:

    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_WANT_AES_KEY_SIZE_256=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y  

    I'm working on an nRF52840 with NCS v2.6.0, and RSA key generation is now working properly via the CC3XX hardware accelerator.

    However, I'm running into an issue with AES-256. Specifically, I'm using the legacy Mbed TLS API:

    int err = mbedtls_aes_setkey_enc(&aes, key, 256); if (err) { printk("AES setkey_enc failed\n"); return HIFE_CRYPTO_INVALID_INPUT; }

    This call fails at runtime with the log message:
    AES setkey_enc failed

    From what I understand, the PSA driver configuration is meant to support AES-256 via Oberon, but this function doesn't go through the PSA API. Is this expected behavior?

    Questions:

    1. Do I need to migrate to the PSA Crypto API (e.g., psa_cipher_encrypt) to get AES-256 working via Oberon?

    2. Alternatively, is there a way to make mbedtls_aes_setkey_enc() work with AES-256 under this configuration?

    Any clarification or example would be really helpful.

    Thanks again for the support!

Reply
  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thanks for the detailed explanation.

    I followed your suggestion and enabled both drivers in my configuration:

    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_WANT_AES_KEY_SIZE_256=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y  

    I'm working on an nRF52840 with NCS v2.6.0, and RSA key generation is now working properly via the CC3XX hardware accelerator.

    However, I'm running into an issue with AES-256. Specifically, I'm using the legacy Mbed TLS API:

    int err = mbedtls_aes_setkey_enc(&aes, key, 256); if (err) { printk("AES setkey_enc failed\n"); return HIFE_CRYPTO_INVALID_INPUT; }

    This call fails at runtime with the log message:
    AES setkey_enc failed

    From what I understand, the PSA driver configuration is meant to support AES-256 via Oberon, but this function doesn't go through the PSA API. Is this expected behavior?

    Questions:

    1. Do I need to migrate to the PSA Crypto API (e.g., psa_cipher_encrypt) to get AES-256 working via Oberon?

    2. Alternatively, is there a way to make mbedtls_aes_setkey_enc() work with AES-256 under this configuration?

    Any clarification or example would be really helpful.

    Thanks again for the support!

Children
Related
Terms of service