diff --git a/subsys/nrf_security/Kconfig.psa b/subsys/nrf_security/Kconfig.psa
index 264f5fd08f01..31ef7d6c249c 100644
--- a/subsys/nrf_security/Kconfig.psa
+++ b/subsys/nrf_security/Kconfig.psa
@@ -12,6 +12,17 @@ config MBEDTLS_PSA_CRYPTO_C Enable the Platform Security Architecture cryptography API. Corresponds to setting in mbed TLS config file.
+config MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY
+ bool
+ prompt "Disable PSA crypto thread safety"
+ help
+ Setting this configuration disables thread-safety for front-end PSA crypto APIs.
+ This disables the three mutexes that was added in Mbed TLS 3.6.0 that is built
+ into the PSA core without disabling mutexes used by the legacy Mbed TLS APIs or
+ in HW accelerators.
+ The addition of mutexes for legacy APIs and HW accelerators is still controlled
+ by enabling the Kconfig MBEDTLS_TREADING_C in the build.
+
 if MBEDTLS_PSA_CRYPTO_C config MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
diff --git a/subsys/nrf_security/cmake/psa_crypto_want_config.cmake b/subsys/nrf_security/cmake/psa_crypto_want_config.cmake
index 6a4439db0b9c..4f5ab5a93d4a 100644
--- a/subsys/nrf_security/cmake/psa_crypto_want_config.cmake
+++ b/subsys/nrf_security/cmake/psa_crypto_want_config.cmake
@@ -139,6 +139,12 @@ kconfig_check_and_set_base_to_one(PSA_WANT_ALG_SP800_108_COUNTER_HMAC) kconfig_check_and_set_base_int(PSA_MAX_RSA_KEY_BITS)
+# Enable PSA crypto (core) thread safety based on checking that MBEDTLS_THREADING_C
+# is set but not MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY
+if(CONFIG_MBEDTLS_THREADING_C AND NOT CONFIG_MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY)
+ set(PSA_CRYPTO_THREAD_SAFE True)
+endif()
+
 # Create the Mbed TLS PSA crypto config file (Contains all the PSA_WANT definitions) configure_file(${NRF_SECURITY_ROOT}/configs/psa_crypto_want_config.h.template ${generated_include_path}/${CONFIG_MBEDTLS_PSA_CRYPTO_CONFIG_FILE}
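Review bot: The help text of `MBEDTLS_PSA_CRYPTO_DISABLE_THREAD_SAFETY` names the controlling symbol as `MBEDTLS_TREADING_C`; it should read `MBEDTLS_THREADING_C`, otherwise a search for the real symbol never lands on this option. The option sits outside the `if MBEDTLS_PSA_CRYPTO_C` block and has no `depends on`, although the CMake hunk in this commit only consults it when `CONFIG_MBEDTLS_THREADING_C` is set; `depends on MBEDTLS_PSA_CRYPTO_C && MBEDTLS_THREADING_C` would stop it from being selectable where it has no effect. Since it removes locking from the PSA core, the help should also state the precondition for enabling it, for example `Only enable this when all PSA crypto API calls are made from one thread or are serialized by the caller.`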
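Review bot: `PSA_CRYPTO_THREAD_SAFE` is set in the true branch of the new `if()` but never given a value otherwise, so the `#cmakedefine PSA_CRYPTO_THREAD_SAFE` added to psa_crypto_want_config.h.template relies on no enclosing scope or cache entry already holding a truthy variable of that name. For a switch that appears to decide whether the PSA core takes its locks, an explicit false branch makes the unlocked build deliberate: `else()` followed by `set(PSA_CRYPTO_THREAD_SAFE False)`. The comment could also spell out the consequence of the other half of the condition, e.g. `# With MBEDTLS_THREADING_C off, PSA_CRYPTO_THREAD_SAFE is left undefined as well.`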
diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
index 91866f9958dc..6a6fe7cb791d 100644
--- a/subsys/nrf_security/configs/psa_crypto_config.h.template
+++ b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -446,6 +446,7 @@ #cmakedefine MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG #cmakedefine MBEDTLS_PSA_KEY_SLOT_COUNT @MBEDTLS_PSA_KEY_SLOT_COUNT@
+
 #include #include
diff --git a/subsys/nrf_security/configs/psa_crypto_want_config.h.template b/subsys/nrf_security/configs/psa_crypto_want_config.h.template
index e4c74944ec89..eb749a782bd5 100644
--- a/subsys/nrf_security/configs/psa_crypto_want_config.h.template
+++ b/subsys/nrf_security/configs/psa_crypto_want_config.h.template
@@ -145,4 +145,7 @@ /* The Adjusting is done in this file */ #define PSA_CRYPTO_ADJUST_KEYPAIR_TYPES_H
+/* Configuration for PSA crypto front-end APIs being thread safe */
+#cmakedefine PSA_CRYPTO_THREAD_SAFE
+
 #endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c
index cb6f136f52cc..bc716e498f2f 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cracen.c
@@ -14,7 +14,7 @@ #include "common.h" #include "microcode_binary.h"
-#include
+#include
 #if !defined(CONFIG_BUILD_WITH_TFM) #define LOG_ERR_MSG(msg) LOG_ERR(msg)
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c
index 763053dfc115..fc0ab0fa637d 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/ctr_drbg.c
@@ -22,7 +22,7 @@ #include #include
-#include
+#include
 #define MAX_BITS_PER_REQUEST (1 << 19) /* NIST.SP.800-90Ar1:Table 3 */ #define RESEED_INTERVAL ((uint64_t)1 << 48) /* 2^48 as per NIST spec */
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
index c73bc288f0b0..727538ce1552 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c
@@ -9,7 +9,7 @@ #include #include "cracen_psa.h" #include "platform_keys/platform_keys.h"
-#include
+#include
 #include #include
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
index e96ba58f3322..b26efa496ab3 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
@@ -7,7 +7,7 @@ #include #include #include
-#include
+#include
 #include #include #include
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c
index 50712e8e2137..1f267a23cd46 100644
--- a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c
+++ b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/prng_pool.c
@@ -10,7 +10,7 @@ #include #include #include
-#include
+#include
 /* We want to avoid reserving excessive RAM and invoking * the PRNG too often. 32 was arbitrarily chosen here
diff --git a/subsys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c b/subsys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c
index 9f7d381bcfa0..3b5c6b960d03 100644
--- a/subsys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c
+++ b/subsys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c
@@ -21,7 +21,7 @@ #include #include
-#include
+#include
 #ifndef ADDR_BA414EP_REGS_BASE #define ADDR_BA414EP_REGS_BASE CRACEN_ADDR_BA414EP_REGS_BASE
diff --git a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c
index 9092a3422b5f..7f7d0c7bf289 100644
--- a/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c
+++ b/subsys/nrf_security/src/drivers/cracen/sxsymcrypt/src/platform/baremetal/cmdma_hw.c
@@ -12,7 +12,7 @@ #include #include
-#include
+#include
 #include /* Enable interrupts showing that an operation finished or aborted.
diff --git a/subsys/nrf_security/src/threading/include/threading_alt.h b/subsys/nrf_security/src/threading/include/threading_alt.h
index 006db566af48..79c9bea4a27b 100644
--- a/subsys/nrf_security/src/threading/include/threading_alt.h
+++ b/subsys/nrf_security/src/threading/include/threading_alt.h
@@ -10,4 +10,10 @@ #include "mbedtls/build_info.h" #include "nrf_security_mutexes.h"
+/* Give access to the threading function-pointer prototypes (always used) */
+extern void (*mbedtls_mutex_init)(mbedtls_threading_mutex_t *mutex);
+extern void (*mbedtls_mutex_free)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_lock)(mbedtls_threading_mutex_t *mutex);
+extern int (*mbedtls_mutex_unlock)(mbedtls_threading_mutex_t *mutex);
+
 #endif /* MBEDTLS_THREADING_ALT_H */
diff --git a/subsys/nrf_security/src/threading/threading.cmake b/subsys/nrf_security/src/threading/threading.cmake
index 9bad488ad062..bbf0d34f05f6 100644
--- a/subsys/nrf_security/src/threading/threading.cmake
+++ b/subsys/nrf_security/src/threading/threading.cmake
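Review bot: The four `extern` mutex function-pointer declarations added to threading_alt.h are unconditional, but the comment does not say which translation unit defines them. Going by the threading.cmake hunk in this commit, threading_alt.c is only added when neither `CONFIG_PSA_CRYPTO_DRIVER_CC3XX` nor `CONFIG_CC3XX_BACKEND` is set, so on CC3XX builds the definitions presumably have to come from elsewhere; that is worth confirming so a caller does not end up with an unresolved or never-assigned lock pointer. Mbed TLS declares the same pointers in mbedtls/threading.h when `MBEDTLS_THREADING_C` is enabled, so these copies have to stay type-identical to that header. A fuller comment would record both points, e.g. `/* Mutex function pointers, used even when MBEDTLS_THREADING_C is off; defined in <defining-source-file>; must match mbedtls/threading.h */` (the file name is a placeholder to fill in).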
@@ -7,7 +7,7 @@ # This file includes threading support required by the PSA crypto core # Which was added in Mbed TLS 3.6.0.
-if(CONFIG_MBEDTLS_THREADING_C AND NOT (CONFIG_PSA_CRYPTO_DRIVER_CC3XX OR CONFIG_CC3XX_BACKEND))
+if(NOT (CONFIG_PSA_CRYPTO_DRIVER_CC3XX OR CONFIG_CC3XX_BACKEND))
 append_with_prefix(src_crypto_base ${CMAKE_CURRENT_LIST_DIR} threading_alt.c
diff --git a/west.yml b/west.yml
index 999ce886f57e..40dcb5c7facd 100644
--- a/west.yml
+++ b/west.yml
@@ -145,7 +145,7 @@ manifest: - name: oberon-psa-crypto path: modules/crypto/oberon-psa-crypto repo-path: sdk-oberon-psa-crypto
- revision: b41e899e7302462eb952b0b6a7c6903e368fb395
+ revision: pull/16/head
 - name: nrfxlib repo-path: sdk-nrfxlib path: nrfxlib
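Review bot: The new `if()` no longer tests `CONFIG_MBEDTLS_THREADING_C`, but the file comment just above it still describes this as threading support required by the PSA crypto core, which does not explain why threading_alt.c is now built with threading disabled. A comment on the condition would record the reason, for example `# Built even without MBEDTLS_THREADING_C: the mutex function pointers are always used` (wording inferred from the "always used" remark added to threading_alt.h; confirm). The `append_with_prefix(` call continues outside the hunk, so whether threading_alt.c compiles cleanly with `MBEDTLS_THREADING_C` off cannot be checked from here.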
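Review bot: `revision: pull/16/head` replaces a full commit SHA with a pull-request ref, which moves every time that PR branch is pushed. For the module that supplies the PSA crypto core, this makes builds from the manifest non-reproducible and lets them pick up code that was never reviewed in this repository. Before merge the entry should return to an immutable commit, `revision: <full-commit-sha-of-the-merged-change>` (placeholder; the actual SHA is not on this page). If the PR ref is only meant for CI during review, the commit message should say so.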