Tests: Crypto: Added tests for kmu and ikg functionality

Added tests for writing to and using keys from the kmu.
Added tests for using the ikg to derive a key and signing.

Signed-off-by: Dag Erik Gjørvad <[email protected]>

CODEOWNERS

@@ -824,6 +824,7 @@
 /tests/modules/mcuboot/direct_xip/        @nrfconnect/ncs-pluto
 /tests/modules/mcuboot/external_flash/    @nrfconnect/ncs-pluto
 /tests/nrf5340_audio/                     @nrfconnect/ncs-audio @nordic-auko
+/tests/psa_crypto/                        @nrfconnect/ncs-aegir
 /tests/subsys/app_event_manager/          @nrfconnect/ncs-si-muffin @nrfconnect/ncs-si-bluebagel
 /tests/subsys/audio/audio_module_template/ @nrfconnect/ncs-audio
 /tests/subsys/audio_module/               @nrfconnect/ncs-audio

tests/psa_crypto/CMakeLists.txt

@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+cmake_minimum_required(VERSION 3.13.1)
+
+find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
+project(NONE)
+
+FILE(GLOB app_sources src/*.c)
+target_sources(app PRIVATE ${app_sources})
+target_include_directories(app PRIVATE src)
+
+add_subdirectory(tests)

tests/psa_crypto/prj.conf

@@ -0,0 +1,41 @@
+#
+# Copyright (c) 2021-2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+CONFIG_ZTEST=y
+CONFIG_ZTEST_STACK_SIZE=15360
+
+CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000
+CONFIG_MAIN_STACK_SIZE=8192
+CONFIG_HEAP_MEM_POOL_SIZE=8192
+
+# Enable logging
+CONFIG_CONSOLE=y
+CONFIG_LOG=n
+
+# Enable nordic security backend and PSA APIs
+CONFIG_NRF_SECURITY=y
+CONFIG_MBEDTLS_PSA_CRYPTO_C=y
+CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
+
+CONFIG_HW_UNIQUE_KEY=y
+CONFIG_HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT=y
+
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=8192
+
+CONFIG_PSA_WANT_ECC_TWISTED_EDWARDS_255=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+
+CONFIG_PSA_WANT_ALG_ECDSA=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_ECC_SECP_R1_256=y
+CONFIG_PSA_WANT_ALG_SHA_256=y
+CONFIG_PSA_WANT_ALG_SHA_512=y
+CONFIG_PSA_WANT_KEY_TYPE_AES=y
+CONFIG_PSA_WANT_ALG_PURE_EDDSA=y
+
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_GENERATE_RANDOM=y

tests/psa_crypto/src/psa_tests_common.c

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <stdarg.h>
+#include <string.h>
+#include <stdint.h>
+#include <stddef.h>
+#include <zephyr/sys/printk.h>
+
+#include <psa/crypto.h>
+#include <psa/crypto_values.h>
+#include <psa/crypto_extra.h>
+
+#include <zephyr/sys/util.h>
+#include <zephyr/sys_clock.h>
+#include <zephyr/logging/log.h>
+#include <zephyr/ztest.h>
+#include <pm_config.h>
+#include "psa_tests_common.h"
+#include <hw_unique_key.h>
+
+#ifdef CONFIG_BUILD_WITH_TFM
+#include <tfm_ns_interface.h>
+#include <tfm_builtin_key_ids.h>
+#include "cracen_psa_kmu.h"
+#include <tfm_crypto_defs.h>
+#else
+#include <cracen_psa.h>
+#endif
+
+LOG_MODULE_REGISTER(ikg, LOG_LEVEL_INF);
+
+ZTEST_SUITE(test_suite_ikg, NULL, NULL, NULL, NULL, NULL);
+
+static psa_key_id_t key_id;
+
+int crypto_init(void)
+{
+	psa_status_t status;
+
+#if !defined(CONFIG_BUILD_WITH_TFM)
+	if (!hw_unique_key_are_any_written()) {
+		status = hw_unique_key_write_random();
+		if (status != HW_UNIQUE_KEY_SUCCESS) {
+			return status;
+		}
+	}
+#endif
+	status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+	return APP_SUCCESS;
+}
+
+int crypto_finish(void)
+{
+	psa_status_t status;
+
+	status = psa_destroy_key(key_id);
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	return APP_SUCCESS;
+}

tests/psa_crypto/src/psa_tests_common.h

@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include "common.h"
+#include <zephyr/toolchain.h>
+#include <zephyr/sys/util.h>
+#include <zephyr/drivers/entropy.h>
+
+#if defined(CONFIG_ZTEST)
+#include <zephyr/ztest.h>
+#endif
+
+#define APP_SUCCESS		(0)
+#define APP_ERROR		(-1)
+#define APP_SUCCESS_MESSAGE "Example finished successfully!"
+#define APP_ERROR_MESSAGE "Example exited with error!"
+
+#ifndef TEST_MEMCMP
+#define TEST_MEMCMP(x, y, size) ((memcmp(x, y, size) == 0) ? 0 : 1)
+#endif
+
+/**@brief Macro asserting equality.
+ */
+#ifndef TEST_VECTOR_ASSERT_EQUAL
+#define TEST_VECTOR_ASSERT_EQUAL(expected, actual)                             \
+	zassert_equal((expected), (actual),                                    \
+			  "\tAssert values: 0x%04X != -0x%04X", (expected),        \
+			  (-actual))
+#endif
+
+/**@brief Macro asserting inequality.
+ */
+#ifndef TEST_VECTOR_ASSERT_NOT_EQUAL
+#define TEST_VECTOR_ASSERT_NOT_EQUAL(expected, actual)                         \
+	zassert_not_equal((expected), (actual),                                \
+			  "\tAssert values: 0x%04X == -0x%04X", (expected),    \
+			  (-actual))
+#endif
+
+int crypto_finish(void);
+int crypto_init(void);

tests/psa_crypto/testcase.yaml

@@ -0,0 +1,11 @@
+tests:
+  crypto.cracen:
+    sysbuild: true
+    platform_allow:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+
+    tags: tfm psa_crypto sysbuild ci_tests_tfm
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns

tests/psa_crypto/tests/CMakeLists.txt

@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+zephyr_include_directories(
+    ${CMAKE_CURRENT_SOURCE_DIR}/../src
+)
+zephyr_sources(test_ikg_identity_key_sign_verify.c)
+zephyr_sources(test_ikg_key_derivation.c)
+zephyr_sources(test_kmu_write.c)
+zephyr_sources(test_kmu_use.c)

tests/psa_crypto/tests/test_ikg_identity_key_sign_verify.c

@@ -0,0 +1,163 @@
+/*
+ * Copyright (c) 2024 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+ */
+
+#include <zephyr/ztest.h>
+#include <pm_config.h>
+#include <zephyr/kernel.h>
+#include <zephyr/sys/printk.h>
+#include <zephyr/logging/log.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <psa/crypto.h>
+#include <psa/crypto_values.h>
+#include <psa/crypto_extra.h>
+#include <zephyr/sys/printk.h>
+#include "psa_tests_common.h"
+
+#ifdef CONFIG_BUILD_WITH_TFM
+#include <tfm_ns_interface.h>
+#include <tfm_builtin_key_ids.h>
+#include "cracen_psa_kmu.h"
+static psa_key_id_t identity_key_id = TFM_BUILTIN_KEY_ID_IAK;
+#else
+#include <cracen_psa.h>
+static psa_key_id_t identity_key_id = CRACEN_BUILTIN_IDENTITY_KEY_ID;
+#endif
+
+/* ====================================================================== */
+/*			Global variables/defines for the IKG signing tests		  */
+
+#define NRF_CRYPTO_TEST_IKG_TEXT_SIZE (68)
+#define NRF_CRYPTO_TEST_IKG_SIGNATURE_SIZE (64)
+#define NRF_CRYPTO_EXAMPLE_ECDSA_PUBLIC_KEY_SIZE (65)
+
+
+/* Below text is used as plaintext for signing/verification */
+static uint8_t m_plain_text[NRF_CRYPTO_TEST_IKG_TEXT_SIZE] = {
+	"Example string to demonstrate basic usage of the IKG identity key."
+};
+
+static uint8_t m_pub_key[NRF_CRYPTO_EXAMPLE_ECDSA_PUBLIC_KEY_SIZE];
+static uint8_t m_signature[NRF_CRYPTO_TEST_IKG_SIGNATURE_SIZE];
+static psa_key_handle_t key_handle;
+static psa_key_id_t key_id;
+/* ====================================================================== */
+
+LOG_MODULE_DECLARE(app, LOG_LEVEL_DBG);
+
+int get_identity_key(void)
+{
+	psa_status_t status;
+	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+	size_t data_length;
+
+	key_handle = mbedtls_svc_key_id_make(0, identity_key_id);
+	psa_key_attributes_t attr = key_attributes;
+
+	status = psa_get_key_attributes(key_handle, &attr);
+	if (status != APP_SUCCESS) {
+		return status;
+	}
+
+	status = psa_export_public_key(key_handle,
+		m_pub_key,
+		sizeof(m_pub_key),
+		&data_length);
+
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+	return APP_SUCCESS;
+}
+
+int import_ecdsa_pub_key(void)
+{
+	psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+	psa_status_t status;
+
+	psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_MESSAGE);
+	psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
+	psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+	psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+	psa_set_key_bits(&key_attributes, 256);
+
+	status = psa_import_key(&key_attributes, m_pub_key, sizeof(m_pub_key), &key_id);
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	psa_reset_key_attributes(&key_attributes);
+
+	return APP_SUCCESS;
+}
+
+int sign_message(void)
+{
+	uint32_t output_len;
+	psa_status_t status;
+
+	status = psa_sign_message(identity_key_id,
+		PSA_ALG_ECDSA(PSA_ALG_SHA_256),
+		m_plain_text,
+		sizeof(m_plain_text),
+		m_signature,
+		sizeof(m_signature),
+		&output_len);
+
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	return APP_SUCCESS;
+}
+
+int verify_message(void)
+{
+	psa_status_t status;
+
+	status = psa_verify_message(key_id,
+		PSA_ALG_ECDSA(PSA_ALG_SHA_256),
+		m_plain_text,
+		sizeof(m_plain_text),
+		m_signature,
+		NRF_CRYPTO_TEST_IKG_SIGNATURE_SIZE);
+
+	if (status != PSA_SUCCESS) {
+		return status;
+	}
+
+	return APP_SUCCESS;
+}
+
+int ikg_identity_key_test(void)
+{
+	int status;
+
+	status = crypto_init();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	status = get_identity_key();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	status = import_ecdsa_pub_key();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	status = sign_message();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	status = verify_message();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	status = crypto_finish();
+	TEST_VECTOR_ASSERT_EQUAL(APP_SUCCESS, status);
+
+	return status;
+}
+
+ZTEST(test_suite_ikg, ikg_identity_key_test)
+{
+	ikg_identity_key_test();
+}