manifest: crypto: Adding a way to disable thread-safety for PSA core

-This commit adds PSA_CRYPTO_THREAD_SAFE as a configuration that filters thread-safety enablement for PSA crypto APIs (front-end). -This commit adds a version of oberon-psa-crypto which supports PSA_CRYPTO_THREAD_SAFE (by updating the manifest) -This commit adds the Kconfig MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY which is used to ensure PSA_CRYPTO_THREAD_SAFE can be disabled if there is a wish to not enable thread-safety for the PSA crypto front-end APIs (separated from thread-safety for legacy Mbed TLS APIs and HW accelerated drivers. -This update includes a manifest-update to ensure that this change is bisectable. -Enable Mbed TLS threading APIs in nrf_security regardless if MBEDTLS_THREADING_C is enabled so they can be shared with cracen. -Add external prototypes for mbedtls_mutex_xxxx APIs that is used regardless if threading is actually enabled Note: This commit is done to try to resolve an ABI compliance issue with pre-compiled OpenThread libraries. Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
nrfconnect · Oct 24, 2024 · 71dd95f · 71dd95f
1 parent 2ad6175
commit 71dd95f
Show file tree

Hide file tree

Showing 14 changed files with 36 additions and 9 deletions.
diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
@@ -12,6 +12,17 @@ config MBEDTLS_PSA_CRYPTO_C
 	  Enable the Platform Security Architecture cryptography API.
 	  Corresponds to setting in mbed TLS config file.
 
+config MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY
+	bool
+	prompt "Disable PSA crypto thread safety"
+	help
+	  Setting this configuration disables thread-safety for front-end PSA crypto APIs.
+	  This disables the three mutexes that was added in Mbed TLS 3.6.0 that is built
+	  into the PSA core without disabling mutexes used by the legacy Mbed TLS APIs or
+	  in HW accelerators.
+	  The addition of mutexes for legacy APIs and HW accelerators is still controlled
+	  by enabling the Kconfig MBEDTLS_TREADING_C in the build.
+
 if MBEDTLS_PSA_CRYPTO_C
 
 config MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER

diff --git a/subsys/nrf_security/cmake/psa_crypto_want_config.cmake b/subsys/nrf_security/cmake/psa_crypto_want_config.cmake
@@ -139,6 +139,12 @@ kconfig_check_and_set_base_to_one(PSA_WANT_ALG_SP800_108_COUNTER_HMAC)
 
 kconfig_check_and_set_base_int(PSA_MAX_RSA_KEY_BITS)
 
+# Enable PSA crypto (core) thread safety based on checking that MBEDTLS_THREADING_C
+# is set but not MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY
+if(CONFIG_MBEDTLS_THREADING_C AND NOT CONFIG_MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY)
+  set(PSA_CRYPTO_THREAD_SAFE True)
+endif()
+
 # Create the Mbed TLS PSA crypto config file (Contains all the PSA_WANT definitions)
 configure_file(${NRF_SECURITY_ROOT}/configs/psa_crypto_want_config.h.template
   ${generated_include_path}/${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}

diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -446,6 +446,7 @@
 #cmakedefine MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 #cmakedefine MBEDTLS_PSA_KEY_SLOT_COUNT                         @MBEDTLS_PSA_KEY_SLOT_COUNT@
 
+
 #include <psa/core_unsupported_ciphers_check.h>
 
 #include <check_crypto_config.h>

diff --git a/subsys/nrf_security/configs/psa_crypto_want_config.h.template b/subsys/nrf_security/configs/psa_crypto_want_config.h.template
@@ -145,4 +145,7 @@
 /* The Adjusting is done in this file */
 #define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
 
+/* Configuration for PSA crypto front-end APIs being thread safe */
+#cmakedefine PSA_CRYPTO_THREAD_SAFE
+
 #endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c
@@ -14,7 +14,7 @@
 
 #include "common.h"
 #include "microcode_binary.h"
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 #if !defined(CONFIG_BUILD_WITH_TFM)
 #define LOG_ERR_MSG(msg) LOG_ERR(msg)

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c
@@ -22,7 +22,7 @@
 #include <sxsymcrypt/keyref.h>
 
 #include <zephyr/kernel.h>
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 #define MAX_BITS_PER_REQUEST (1 << 19)		 /* NIST.SP.800-90Ar1:Table 3 */
 #define RESEED_INTERVAL	     ((uint64_t)1 << 48) /* 2^48 as per NIST spec */

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -9,7 +9,7 @@
 #include <cracen/mem_helpers.h>
 #include "cracen_psa.h"
 #include "platform_keys/platform_keys.h"
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 #include <sicrypto/drbghash.h>
 #include <sicrypto/ecc.h>

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -7,7 +7,7 @@
 #include <cracen/mem_helpers.h>
 #include <cracen/statuscodes.h>
 #include <cracen/lib_kmu.h>
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 #include <nrfx.h>
 #include <psa/crypto.h>
 #include <stdint.h>

diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c
@@ -10,7 +10,7 @@
 #include <cracen/statuscodes.h>
 #include <security/cracen.h>
 #include <zephyr/kernel.h>
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 /* We want to avoid reserving excessive RAM and invoking
  * the PRNG too often. 32 was arbitrarily chosen here

diff --git a/...ys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c b/...ys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c
@@ -21,7 +21,7 @@
 
 #include <hal/nrf_cracen.h>
 #include <security/cracen.h>
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 #ifndef ADDR_BA414EP_REGS_BASE
 #define ADDR_BA414EP_REGS_BASE CRACEN_ADDR_BA414EP_REGS_BASE

diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c
@@ -12,7 +12,7 @@
 #include <security/cracen.h>
 #include <cracen/statuscodes.h>
 
-#include <nrf_security_mutexes.h>
+#include <threading_alt.h>
 
 #include <zephyr/kernel.h>
 /* Enable interrupts showing that an operation finished or aborted.

diff --git a/subsys/nrf_security/src/threading/include/threading_alt.h b/subsys/nrf_security/src/threading/include/threading_alt.h
@@ -10,4 +10,10 @@
 #include "mbedtls/build_info.h"
 #include "nrf_security_mutexes.h"
 
+/* Give access to the threading function-pointer prototypes (always used) */
+extern void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *mutex);
+extern void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *mutex);
+
 #endif /* MBEDTLS_THREADING_ALT_H */
diff --git a/subsys/nrf_security/src/threading/threading.cmake b/subsys/nrf_security/src/threading/threading.cmake
@@ -7,7 +7,7 @@
 # This file includes threading support required by the PSA crypto core
 # Which was added in Mbed TLS 3.6.0.
 
-if(CONFIG_MBEDTLS_THREADING_C AND NOT (CONFIG_PSA_CRYPTO_DRIVER_CC3XX OR CONFIG_CC3XX_BACKEND))
+if(NOT (CONFIG_PSA_CRYPTO_DRIVER_CC3XX OR CONFIG_CC3XX_BACKEND))
 
   append_with_prefix(src_crypto_base ${CMAKE_CURRENT_LIST_DIR}
     threading_alt.c

diff --git a/west.yml b/west.yml
@@ -145,7 +145,7 @@ manifest:
     - name: oberon-psa-crypto
       path: modules/crypto/oberon-psa-crypto
       repo-path: sdk-oberon-psa-crypto
-      revision: b41e899e7302462eb952b0b6a7c6903e368fb395
+      revision: pull/16/head
     - name: nrfxlib
       repo-path: sdk-nrfxlib
       path: nrfxlib