@Vge0rge Vge0rge commented Dec 30, 2025

No description provided.

cpfister and others added 27 commits September 19, 2025 15:15
Clean up as a preparation for PSA arch tests v1.9.
This commit message is changed by Vge0rge to avoid confusion in our
public repository. There was a typo in the release here which wrongly
set the release to 1.5.3 instead of 1.5.4.

Signed-off-by: Georgios Vasilakis <[email protected]>
-Remove legacy header files from oberon-psa-crypto that are duplicates
 of files from standard Mbed TLS distribution (modules/crypto/)

Signed-off-by: Sebastian Bøe <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
GCC supports _Static_assert from version 4.6 as a builtin feature
even when you compile with std=99.

Use this _Static_assert for the implementation of
MBEDTLS_STATIC_ASSERT if there is no defined static_assert.

I opened a PR in the MbedTLS PSA core to include that:
Mbed-TLS/TF-PSA-Crypto#190

Hopefully they will accept that and then we can remove
this commit in the next release.

Signed-off-by: Georgios Vasilakis <[email protected]>
-This removes the redefinition of the define
 PSA_VENDOR_ECC_MAX_CURVE_BITS which we allow to
 be set in our configuration file from nrf security.

Signed-off-by: Georgios Vasilakis <[email protected]>
The core doesn't include some brainpool key
sizes, this change adds these bit sizes:
160
192
224
320

Signed-off-by: Georgios Vasilakis <[email protected]>
We don't use the file in our system, we use the
generated headers (nrf-config.h and nrf-config-user.h)
from nrf_security.

Signed-off-by: Georgios Vasilakis <[email protected]>
Turn the repo into a Zephyr module so we can use the
ZEPHYR_bla_bla_MODULE_DIR CMake variable.

Signed-off-by: Sebastian Bøe <[email protected]>
Patch to enable more key types for KDF.

Signed-off-by: Vidar Lillebø <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Add checks for the key attributes, key sizes and a zero check
for ecc keys for importing keys.

Also an attribute check for psa_generate_key.

This was [nrf fromlist] and is now [nrf noup]

Upstream PR: oberon-psa-crypto-nrf/pull/15 (closed)

Ref: NCSDK-24820

Signed-off-by: Markus Swarowsky <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
The psa_crypto_storage_store returns DATA_INVALID for
all the error codes coming from psa_its_set.
This causes some issues for our testing infrastructure
since it doesn't follow the PSA spec recommendation
for return codes.

This was a [nrf fromlist] but it has become a [nrf noup]

Upstream PR: pull/14 (Closed)

Signed-off-by: Georgios Vasilakis <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Run crypto and TF-M tests on sdk-nrf downstream

Signed-off-by: Stephen Kingston <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Opens the full range of vendor keys to be used via builtin key
mechanism.

This change makes the version of the Oberon PSA core 1.3.4 incompatible
with the volatile keys when MBEDTLS_PSA_STATIC_KEY_SLOTS is NOT enabled.

Since we decided to set the starting range of the builtin keys to
be the first section of the vendor key id range (PSA_KEY_ID_VENDOR_*)
these now overlapped with the volatile keys. So to fix this we
move the volatile key ids after the builtin key ids.

Signed-off-by: Vidar Lillebø <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
Adds the capability of importing and destroying persistent keys
that are "builtin" i.e. handled fully by PSA driver implementation.

Signed-off-by: Vidar Lillebø <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Signed-off-by: Anton Zyma <[email protected]>
Patch to make server and client attributes compatible.
Oberon will support this in the future.

Reworked from commit 5bfe42c
Reworded due to psa_core_key_attributes_t being removed in Mbed TLS 3.6.0

The psa_core_key_attributes_t declaration is now integrated into
psa_key_attributes_s and the macro PSA_CORE_KEY_ATTRIBUTES_INIT
has been replaced with PSA_KEY_ATTRIBUTES_INIT.

Signed-off-by: Vidar Lillebø <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This simplifies PSA crypto operation struct initialization to
 better tailor to the SSF use-case. This simplifies the initializers
 to only be empty brackets, assuming zero-initialized structs
 without the added complexities of writing every sub-type out.
 This is done to prevent compilation warnings for PSA crypto builds.

Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Zephyr has a global list of include directories that is applicable for
all modules unless specifically excluded by using "targets", and using a
generic named header can cause issues if there are duplicate headers
files and depending on the inclusion order.

So, rename the header with module prefix to avoid naming collision.

Signed-off-by: Chaitanya Tata <[email protected]>
Added tests in the EDDSA sign_message and verify_message
to return non supported if the prehashed version was chosen.

Signed-off-by: Georgios Vasilakis <[email protected]>
RFC8032 mentions the length of a key for ed448 and ed448ph to be 57 bytes (456 bits).

Using 448 bits as a max length creates a buffer overflow warning when building with ED448 enabled.

Signed-off-by: Georgios Vasilakis <[email protected]>
This updates the oberon_check_unsupported.h
file:

1) The inclusion of the crypto_driver_config.h is removed
   since we don't use that with nrf_security
2) All the PSA_ACCEL and PSA_WANT symbols are prefixed
   with CONFIG_ so that we can use them directly from
   the Zephyr autoconf.

Signed-off-by: Georgios Vasilakis <[email protected]>
The Oberon PSA v1.3.4 removed the inclusion of the MbedTLS headers
which do adjustments when building the SSL library in build_info.h

Add these headers back since they are required when nrf_security
is built with PSA and SSL enabled.

Signed-off-by: Georgios Vasilakis <[email protected]>
Fix an unused variable warning that happens when building with the LLVM
toolchain.
Adding the `unused` attribute to the variable to mark it as potentially
unused is the simplest as it's used in different `#ifdef` scenarios.

This should be communicated to Oberon and fixed upstream.

Signed-off-by: Tomi Fontanilles <[email protected]>
* The intention is to catch yaml files that are not parsable
* [yamllint action with all the rules definition](https://github.com/nrfconnect/action-yamllint/blob/main/action.yml)

Signed-off-by: Sebastian Wezel <[email protected]>
Signed-off-by: Georgios Vasilakis <[email protected]>
When not finding a given key in memory, the implementation would try
to find it from the persistent keys regardless of the actual key type
(volatile/builtin/persistent).

Don't try to find inexistent volatile/builtin keys from persistent
ones.

In addition to the calls being superfluous, the problem that was
happening here is that the ITS implementation (Secure Storage
subsystem) returns `PSA_ERROR_INVALID_ARGUMENT` because the ID is not
in the persistent key range, and because it doesn't return
`PSA_ERROR_DOES_NOT_EXIST` then the wrong error code is propagated
back to the caller.

`toup` as the issue has been communicated to Mbed TLS and should be
fixed there.
See:
- Mbed-TLS/TF-PSA-Crypto#488
- Mbed-TLS/TF-PSA-Crypto#492

Signed-off-by: Tomi Fontanilles <[email protected]>
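
A simplified model of the lookup problem described in the commit message above, added here as an illustration; it is not code from this pull request or from Mbed TLS/Oberon. The `model_*` functions, the single stored key and the choice of `PSA_ERROR_DOES_NOT_EXIST` as the corrected status are assumptions; the status codes and ID ranges are the PSA Crypto API values.

```c
#include <stddef.h>
#include <stdint.h>

/* Types, status codes and key ID ranges as defined by the PSA Crypto API. */
typedef int32_t psa_status_t;
typedef uint32_t psa_key_id_t;
#define PSA_SUCCESS                ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
#define PSA_ERROR_DOES_NOT_EXIST   ((psa_status_t)-140)
#define PSA_KEY_ID_USER_MIN        ((psa_key_id_t)0x00000001)
#define PSA_KEY_ID_USER_MAX        ((psa_key_id_t)0x3fffffff)
#define PSA_KEY_ID_VENDOR_MIN      ((psa_key_id_t)0x40000000)

static int is_persistent_id(psa_key_id_t id)
{
    return id >= PSA_KEY_ID_USER_MIN && id <= PSA_KEY_ID_USER_MAX;
}

/* Hypothetical storage backend holding one constructed key (ID 0x10). Like the
 * ITS behaviour the commit describes, it rejects out-of-range IDs outright. */
static psa_status_t model_storage_load(psa_key_id_t id)
{
    if (!is_persistent_id(id))
        return PSA_ERROR_INVALID_ARGUMENT;
    return id == 0x10 ? PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST;
}

/* Before: every in-memory miss falls through to persistent storage. */
psa_status_t model_lookup_before(psa_key_id_t id)
{
    return model_storage_load(id); /* in-memory slot table assumed empty */
}

/* After: only IDs in the persistent range are looked up in storage. */
psa_status_t model_lookup_after(psa_key_id_t id)
{
    if (!is_persistent_id(id))
        return PSA_ERROR_DOES_NOT_EXIST; /* assumed status for a missing key */
    return model_storage_load(id);
}

int main(void)
{
    /* A missing vendor-range (volatile/builtin) ID: wrong status before, right one after. */
    int ok = model_lookup_before(PSA_KEY_ID_VENDOR_MIN) == PSA_ERROR_INVALID_ARGUMENT
          && model_lookup_after(PSA_KEY_ID_VENDOR_MIN) == PSA_ERROR_DOES_NOT_EXIST
          && model_lookup_after(0x10) == PSA_SUCCESS;
    return ok ? 0 : 1;
}
```
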
If the target key ID is in the built-in range, then creation of the key
should be handled by a driver. Otherwise, there's no way for the key to
be persisted.

I don't know if this is acceptable upstream, since Mbed TLS and Oberon
openly state that they don't support creating built-in keys through the
PSA Crypto API, even though there are ways around this limitation.

At first, out of an abundance of caution, this change will only be applied
for a single platform: Haltium (nRF54H, nRF92).

Signed-off-by: Grzegorz Swiderski <[email protected]>