entropy: Add PSA rng as the entropy provider for the nrf54h20 #17200
base: main
The following west manifest projects have changed revision in this Pull Request:
⛔ DNM label due to: 2 projects with PR revision
Note: This message is automatically posted and updated by the Manifest GitHub Action.
387c99f to 1a1154a
114059e to 6ed58b2
Again in this PR you have a commit that is later reverted (nrf_security: Enabled by default for nRF54H20)?
There are lots of complex additions in this PR that seem to be tailored towards a special case without PSA crypto, which is enabled and supported by default in nRF54H20 devices.
b8fb7cd to 7e9300c
Make all PSA drivers depend on the OBERON_PSA_CORE since we cannot use the drivers without it. Signed-off-by: Georgios Vasilakis <[email protected]>
Brings Zephyr changes which automatically enable the PSA crypto as the entropy generator for Zephyr. Signed-off-by: Georgios Vasilakis <[email protected]>
Add configuration to allow enabling the SSF PSA client when nrf_security is not enabled. This is particularly useful for the applications that only want to use the PSA rng and no other crypto. Enabling nrf_security in these applications will result in an increased application footprint and configuration complexity without any reason. This configuration provides the PSA implementation from the secure domain through the SSF client and it has no configurability yet. So there is no need to enforce NRF_SECURITY with this configuration. Signed-off-by: Georgios Vasilakis <[email protected]>
Add overlay to reduce the footprint of the matter_bridge application. Signed-off-by: Georgios Vasilakis <[email protected]>
Remove prng dts node since this is removed from the nrf54h20 board file. Signed-off-by: Georgios Vasilakis <[email protected]>
Remove the call to the ssf_psa_crypto_init since the psa_crypto is initialized in SDFW and it doesn't need to get initialized from the application. Signed-off-by: Georgios Vasilakis <[email protected]>
Disable the IPC and bellboard nodes since these tests don't use communication between domains. Signed-off-by: Georgios Vasilakis <[email protected]>
In a comment, tHe -> The Signed-off-by: Georgios Vasilakis <[email protected]>
Initialize the ssf_client earlier during the boot process during post kernel. ssf_client needs to be initialized before the CONFIG_NRF_802154_SER_RADIO_INIT_PRIO since it is used by the "nRF IEEE 802.15.4" protocol. It also needs to be initialized after the IPC IPC_SERVICE_REG_BACKEND_PRIORITY since the IPC expects the protocol to be initialized. Failing to do that will also trigger an assertion in Zephyr. Signed-off-by: Georgios Vasilakis <[email protected]>
Use nrf_rpc_init_group when ssf_client is being initialized since it will happen before other nrf_rpc groups are initialized. Signed-off-by: Georgios Vasilakis <[email protected]>
Disable the cpusec related nodes in the multicore benchmark since it increases power consumption and IPC communication with secure domain is not needed for this test. Signed-off-by: Georgios Vasilakis <[email protected]>
The cpuapp_ram0x_region has been changed in the global dtsi file in Zephyr and we need to align all dts overlay entries to that change. Signed-off-by: Arkadiusz Balys <[email protected]>
Updates the nrf_rpc library to allow initialization of single nrf_rpc groups. Signed-off-by: Georgios Vasilakis <[email protected]>
This sample requires entropy from Zephyr, in nRF54h20 this is provided by PSA RNG driver and from the secure domain. The PSA RNG driver brings IPC dependencies which increase the flash footprint of this sample and this was not an acceptable increase for the maintainers of the sample. It was concluded that as a temporary solution this sample will keep using the non cryptographically secure, deterministic software RNG. The dependency on the PRNG node needs to be removed later and it is tracked in NCSDK-30805. Signed-off-by: Georgios Vasilakis <[email protected]>
Enabling real entropy for the radio core through the ssf_client and the secure domain increased the stack requirements of the hci_ipc used in this sample. I couldn't run THREAD_ANALYZER in this application because of flash overflows and other issues. I did practical tests with 50 byte intervals and I know that 900 bytes is the least memory that could boot the radio core. I updated this to have the same configuration as the ipc_radio (2048 bytes) application since the usage of the hci_ipc here will be replaced with the ipc_radio later. Signed-off-by: Georgios Vasilakis <[email protected]>
Add function nrf_rpc_os_fatal_error to handle fatal_errors using Zephyr's fatal error handling. Signed-off-by: Georgios Vasilakis <[email protected]>
665bcc3 to b013a62
There are some reviews missing here from the codeowners, could you have a look on your relevant domains:
Since wifi relies on the mbedTLS legacy crypto functionality
we need to make sure that it continues to work as before.
This was broken a while back, on 54H20 Wi-Fi uses PSA only crypto (restricted to WPA2), so, we can go ahead and enable PSA RNG for Wi-Fi samples too.
That seems like my mistake then, sorry, I was not aware of that.
60d37c1 to c464501
There are two functions which are defined in the psa_crypto_core.h and are implemented in psa_crypto.c which are used by the TLS library. These functions are psa_can_do_hash and psa_can_do_cipher. These functions just check if the drivers are initialized before the relevant PSA crypto functions can be used. In the case of SSF there is no initialization needed because the PSA initialization happens inside the secure domain firmware before the application boots. These functions are added in a separate file since they only exist to maintain compatibility with the PSA core from Oberon/mbedTLS and they don't need to forward any call to the secure domain. Signed-off-by: Georgios Vasilakis <[email protected]>
c464501 to 7c7f4ee
OK, after removing Wi-Fi samples changes.
No description provided.