nRF5340 CryptoCell-312 SHA-1 Support via PSA Crypto API

Hi,

According to CryptoCell-312 documentation, it supports the SHA-1 algorithm. I was able to successfully run the SHA-256 cryptography sample application in the nRF Connect SDK (v2.0.0/nrf/samples/crypto/sha256).  I made a copy of this app, and converted it to use SHA-1 instead of SHA-256, but am seeing a PSA_ERROR_NOT_SUPPORTED (-134) error being returned from psa_hash_compute() when using PSA_ALG_SHA_1.

Is CryptoCell-312 SHA-1 support exposed through the PSA Crypto API?

Thanks,

Chris

  • Hi Sigurd,

    Thanks for the suggestion!  Adding that to my prj.conf doesn't seem to change the behavior I'm seeing.

    My prj.conf looks like this:

    # The Zephyr CMSIS emulation assumes that ticks are ms, currently
    CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

    CONFIG_MAIN_STACK_SIZE=4096
    CONFIG_HEAP_MEM_POOL_SIZE=4096

    # Enable logging using RTT and UART
    CONFIG_CONSOLE=y
    CONFIG_LOG=y
    CONFIG_USE_SEGGER_RTT=y
    CONFIG_LOG_BACKEND_RTT=y
    CONFIG_LOG_BACKEND_UART=y
    CONFIG_LOG_BUFFER_SIZE=15360
    CONFIG_SEGGER_RTT_BUFFER_SIZE_UP=15360

    # Enable nordic security backend and PSA APIs
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y

    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=8192
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
    CONFIG_PSA_WANT_ALG_SHA_1=y
    CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_1_CC3XX=y

    With my boards/nrf5340dk_nrf5340_cpuapp_ns.conf currently the same as the default sha256 sample:

    CONFIG_BUILD_WITH_TFM=y
    CONFIG_TFM_PROFILE_TYPE_NOT_SET=y

    Curiously, I did notice that when I comment out the following two code blocks inside "v2.0.0/nrfxlib/nrf_security/src/psa_crypto_driver_wrappers.c", the SHA-1 hash operation succeeds, and another SHA-1 test I am doing with hash_setup() succeeds as expected:

    1. Inside psa_driver_wrapper_hash_compute():

    /*#if defined(MBEDTLS_PSA_CRYPTO_SPM)
        if (alg == PSA_ALG_SHA_1) {
            return PSA_ERROR_NOT_SUPPORTED;
        }
    #endif*/

    2. Inside psa_driver_wrapper_hash_setup():

    /*#if defined(MBEDTLS_PSA_CRYPTO_SPM)
        if (alg == PSA_ALG_SHA_1) {
            return PSA_ERROR_NOT_SUPPORTED;
        }
    #endif*/

    I'm not sure this is the correct approach, but an observation on what is working.

    Thanks,
    Chris

  • Hi

    It turns out that SHA_1 is not allowed in Trusted Firmware-M.
    psa_unsupported_hash_test(PSA_ALG_SHA_1, ret);

    So either do not use SHA_1, or turn off TF-M.
    I would recommend using another hash algorithm.

    Regards,
    Sigurd Hellesvik
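
The behaviour found in this thread, as an added example (not code from the posts or from nrf_security): a small C model of the `MBEDTLS_PSA_CRYPTO_SPM` guard quoted above, with an application-side probe that falls back to an allowed hash instead of patching the wrapper. `demo_hash_compute`, `select_hash_alg` and the `tfm_build` flag are hypothetical names, and the stand-in assumes the driver succeeds whenever the guard does not fire; the constants carry the PSA Crypto API values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Values as defined by the PSA Crypto API; -134 is the code quoted in the thread. */
#define ALG_SHA_1            ((uint32_t)0x02000005)
#define ALG_SHA_256          ((uint32_t)0x02000009)
#define STATUS_SUCCESS       ((int32_t)0)
#define STATUS_NOT_SUPPORTED ((int32_t)-134)

/* Hypothetical stand-in for psa_hash_compute(): models only the guard shown in
 * the post. tfm_build plays the role of MBEDTLS_PSA_CRYPTO_SPM being defined. */
static int32_t demo_hash_compute(uint32_t alg, int tfm_build)
{
    if (tfm_build && alg == ALG_SHA_1) {
        return STATUS_NOT_SUPPORTED;   /* rejected before any driver is tried */
    }
    return STATUS_SUCCESS;             /* constructed: driver assumed to succeed */
}

/* Probe candidates in preference order and return the first accepted algorithm,
 * or 0 if none is. *err is NOT_SUPPORTED when every candidate was refused and
 * carries any other error unchanged, so a real fault is not mistaken for policy. */
static uint32_t select_hash_alg(const uint32_t *prefs, size_t n,
                                int tfm_build, int32_t *err)
{
    *err = STATUS_SUCCESS;
    for (size_t i = 0; i < n; i++) {
        int32_t st = demo_hash_compute(prefs[i], tfm_build);
        if (st == STATUS_SUCCESS) return prefs[i];
        if (st != STATUS_NOT_SUPPORTED) { *err = st; return 0; }
    }
    *err = STATUS_NOT_SUPPORTED;
    return 0;
}

int main(void)
{
    /* Constructed preference list: legacy SHA-1 first, SHA-256 as fallback. */
    const uint32_t legacy_first[] = { ALG_SHA_1, ALG_SHA_256 };
    int32_t err;
    printf("TF-M build picks     0x%08x\n",
           (unsigned)select_hash_alg(legacy_first, 2, 1, &err));
    printf("non-TF-M build picks 0x%08x\n",
           (unsigned)select_hash_alg(legacy_first, 2, 0, &err));
    return 0;
}
```
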
