diff --git a/examples/psa_crypto/Makefile b/examples/psa_crypto/Makefile index 9c38666bff..1ea1d07937 100644 --- a/examples/psa_crypto/Makefile +++ b/examples/psa_crypto/Makefile @@ -5,121 +5,115 @@ APPLICATION = example_psa_crypto BOARD ?= native -# Necessary configurations when using Kconfig dependency resolution -# The file `app.config.test` is always used for the build configuration. -# The config files below are only added if needed. -ifeq (1, $(TEST_KCONFIG)) - ifeq (1, $(SECURE_ELEMENT)) - CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) - CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) - INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) - KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.test.se - else ifeq (2, $(SECURE_ELEMENT)) - CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) - CFLAGS += -DMULTIPLE_SE # Application specific (not needed by PSA) - CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) - INCLUDES += -I$(APPDIR) - KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.test.multi_se - else ifdef CUSTOM_BACKEND - KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.test.base - KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.test.custom - else - KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.test.base - endif +ifeq (2, $(SECURE_ELEMENT)) + CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) + CFLAGS += -DMULTIPLE_SE # Application specific (not needed by PSA) + CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) + INCLUDES += -I$(APPDIR) + KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.multi_se else - USEMODULE += ztimer - USEMODULE += ztimer_usec + KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.base +endif - USEMODULE += psa_crypto +USEMODULE += ztimer +USEMODULE += ztimer_usec - # Hashes are needed for ECDSA operations (including secure elements), which - # is why we always build them - USEMODULE += psa_hash - USEMODULE += psa_hash_sha_256 +USEMODULE += psa_crypto - ifeq (1, $(SECURE_ELEMENT)) - # When using a secure element, the type is required. - # Also you can specify the number of key slots required to store keys. - CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) - CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) - INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) +# Hashes are needed for ECDSA operations (including secure elements), which +# is why we always build them +USEMODULE += psa_hash +USEMODULE += psa_hash_sha_256 +ifeq (1, $(SECURE_ELEMENT)) + # When using a secure element, the type is required. + # Also you can specify the number of key slots required to store keys. + CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) + CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) + INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) + ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=4 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 - USEMODULE += psa_secure_element - USEMODULE += psa_secure_element_ateccx08a - USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 - USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 - USEMODULE += psa_secure_element_ateccx08a_ecc_p256 - else ifeq (2, $(SECURE_ELEMENT)) - CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) - CFLAGS += -DMULTIPLE_SE # Application specific (not needed by PSA) - CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) - INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) + else + KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.se + endif + USEMODULE += psa_secure_element + USEMODULE += psa_secure_element_ateccx08a + USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 + USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 + USEMODULE += psa_secure_element_ateccx08a_ecc_p256 +else ifeq (2, $(SECURE_ELEMENT)) + CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA) + CFLAGS += -DMULTIPLE_SE # Application specific (not needed by PSA) + CFLAGS += -DCUSTOM_ATCA_PARAMS # Application specific (not needed by PSA) + INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) + ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_MAX_SE_COUNT=2 CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=8 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=2 - USEMODULE += psa_secure_element - USEMODULE += psa_secure_element_multiple - USEMODULE += psa_secure_element_ateccx08a - USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 - USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 - USEMODULE += psa_secure_element_ateccx08a_ecc_p256 - else ifdef CUSTOM_BACKEND - # Necessary configuration when using Make dependency resolution - # This first part chooses the operation. If nothing else is specified, - # a default backend is built depending on the platform capabilities. - USEMODULE += psa_cipher - USEMODULE += psa_cipher_aes_128_cbc - - USEMODULE += psa_mac - USEMODULE += psa_mac_hmac_sha_256 - - USEMODULE += psa_asymmetric - USEMODULE += psa_asymmetric_ecc_p256r1 - USEMODULE += psa_asymmetric_ecc_ed25519 - - # If you want to use a custom backend, you need to do it this way. - USEMODULE += psa_cipher_aes_128_cbc_custom_backend - USEMODULE += psa_cipher_aes_128_cbc_backend_riot # force custom backend - - USEMODULE += psa_mac_hmac_sha_256_custom_backend - USEMODULE += psa_mac_hmac_sha_256_backend_riot # force custom backend - - USEMODULE += psa_hash_sha_256_custom_backend - USEMODULE += psa_hash_sha_256_backend_riot - - USEMODULE += psa_asymmetric_ecc_p256r1_custom_backend - USEMODULE += psa_asymmetric_ecc_p256r1_backend_microecc # force custom backend - - USEMODULE += psa_asymmetric_ecc_ed25519_custom_backend - USEMODULE += psa_asymmetric_ecc_ed25519_backend_c25519 # force custom backend else - # Necessary configuration when using Make dependency resolution - # This part only chooses the operation. If nothing else es specified, - # a default backend is built depending on the platform capabilities. - USEMODULE += psa_cipher - USEMODULE += psa_cipher_aes_128_cbc - - USEMODULE += psa_mac - USEMODULE += psa_mac_hmac_sha_256 - - USEMODULE += psa_asymmetric - USEMODULE += psa_asymmetric_ecc_p256r1 - USEMODULE += psa_asymmetric_ecc_ed25519 + KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.multi_se endif + USEMODULE += psa_secure_element + USEMODULE += psa_secure_element_multiple + USEMODULE += psa_secure_element_ateccx08a + USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 + USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 + USEMODULE += psa_secure_element_ateccx08a_ecc_p256 +else ifdef CUSTOM_BACKEND + # Necessary configuration when using Make dependency resolution + # This first part chooses the operation. If nothing else is specified, + # a default backend is built depending on the platform capabilities. + USEMODULE += psa_cipher + USEMODULE += psa_cipher_aes_128_cbc + + USEMODULE += psa_mac + USEMODULE += psa_mac_hmac_sha_256 + + USEMODULE += psa_asymmetric + USEMODULE += psa_asymmetric_ecc_p256r1 + USEMODULE += psa_asymmetric_ecc_ed25519 + + # If you want to use a custom backend, you need to do it this way. + USEMODULE += psa_cipher_aes_128_cbc_custom_backend + USEMODULE += psa_cipher_aes_128_cbc_backend_riot # force custom backend + + USEMODULE += psa_mac_hmac_sha_256_custom_backend + USEMODULE += psa_mac_hmac_sha_256_backend_riot # force custom backend + + USEMODULE += psa_hash_sha_256_custom_backend + USEMODULE += psa_hash_sha_256_backend_riot + + USEMODULE += psa_asymmetric_ecc_p256r1_custom_backend + USEMODULE += psa_asymmetric_ecc_p256r1_backend_microecc # force custom backend + + USEMODULE += psa_asymmetric_ecc_ed25519_custom_backend + USEMODULE += psa_asymmetric_ecc_ed25519_backend_c25519 # force custom backend +else + # Necessary configuration when using Make dependency resolution + # This part only chooses the operation. If nothing else es specified, + # a default backend is built depending on the platform capabilities. + USEMODULE += psa_cipher + USEMODULE += psa_cipher_aes_128_cbc + + USEMODULE += psa_mac + USEMODULE += psa_mac_hmac_sha_256 + + USEMODULE += psa_asymmetric + USEMODULE += psa_asymmetric_ecc_p256r1 + USEMODULE += psa_asymmetric_ecc_ed25519 - ifndef SECURE_ELEMENT - CFLAGS += -DCONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT=2 - CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=4 - endif endif ifndef SECURE_ELEMENT # The software implementations need a larger stack, so we increase the stack size. CFLAGS += -DTHREAD_STACKSIZE_MAIN=\(12*THREAD_STACKSIZE_DEFAULT\) + ifneq (1, $(SHOULD_RUN_KCONFIG)) + CFLAGS += -DCONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT=2 + CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=4 + else + KCONFIG_ADD_CONFIG += $(APPDIR)/app.config.base + endif endif -SHOULD_RUN_KCONFIG := - include $(RIOTBASE)/Makefile.include diff --git a/examples/psa_crypto/README.md b/examples/psa_crypto/README.md index 28263ecbc6..76b1698eb0 100644 --- a/examples/psa_crypto/README.md +++ b/examples/psa_crypto/README.md @@ -29,48 +29,23 @@ for software and hardware backends as well as secure elements, measured on the n ## Configuration of the API -There are two ways to configure the API: module selection via Kconfig and module selection -via Makefiles. +The module selection must be done with Make but the compile-time configuration +settings can be done with Kconfig and `menuconfig`. -To see which modules should be chosen for each configuration, please read the Makefile and -the `app.config.test.*` files. - -### Kconfig -> **NOTE:** In this application all the configurations are in separate app.config files -> for demonstration purposes. You can also write all configs into one file or choose them -> via `menuconfig`. -> To access the GUI, run `TEST_KCONFIG=1 BOARD= make menuconfig`. - -When building the application with the `TEST_KCONFIG=1` option, the first config file parsed by the build system is `app.config.test`. This selects the PSA Crypto module and other modules our application needs (e.g. ztimer). If you need cryptographic keys, you can specify the number of key slots needed for key storage (the default is set to 5). -The graph below shows how the `app.config` files in this application are included. -Selections in `app.config.test` are always applied. -The others are only added, if you specify the corresponding build option. - -```mermaid - flowchart TD; - app.config.test -- default --> app.config.test.base; - app.config.test.base -- CUSTOM_BACKEND=1 --> app.config.test.custom; - app.config.test -- SECURE_ELEMENT=1 --> app.config.test.se; - app.config.test -- SECURE_ELEMENT=2 --> app.config.test.multi_se; -``` -If you build this without specifying anything else, the symbols in `app.config.test.base` -are added and PSA Crypto will automatically choose a default crypto backend depending on the platform you're building for. +If you build this without specifying anything, PSA Crypto will automatically +choose a default crypto backend depending on the platform you're building for. For example when your platform is `native`, software implementations are built. -When you specify `BOARD=nrf52840dk`, the hardware accelerator of the board will be built. +When you specify `BOARD=nrf52840dk`, the hardware accelerator of the board will +be built. -If you want to force a custom backend, you can specify that in the Kconfig file. This application already contains the configuration for a custom backend (see `app.config.test.custom`), which will be added to the application build when you define `CUSTOM_BACKEND=1`. - -Instead of or in addition to the default and custom implementations you can use a secure element as a backend (see Section [Using Secure Elements](#using-secure-elements]). +Instead of or in addition to the default and custom implementations you can use +a secure element as a backend (see Section [Using Secure Elements](#using-secure-elements]). Secure elements are independent of the other backends. In this application, when you choose secure elements, they are built instead of the other backends. -Please note that the build options `CUSTOM_BACKEND` and `SECURE_ELEMENT` only apply to this specific application and have nothing to do with the PSA implementation. - -### Make -All the configurations in the Kconfig files can also be applied using Make dependency resolution. The Makefile contains all the modules that must be selected when building the different configurations. -They can all be built as described above, but *without* defining TEST_KCONFIG. - -To prevent conflicts when building this application multiple times with different backends, it is best to remove the `bin` directory in between builds. +Please note that the build options `CUSTOM_BACKEND` and `SECURE_ELEMENT` only +apply to this specific application and have nothing to do with the PSA +implementation. ## Using Secure Elements > **NOTE:** diff --git a/examples/psa_crypto/app.config.base b/examples/psa_crypto/app.config.base new file mode 100644 index 0000000000..147037b108 --- /dev/null +++ b/examples/psa_crypto/app.config.base @@ -0,0 +1,2 @@ +CONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT=2 +CONFIG_PSA_SINGLE_KEY_COUNT=4 diff --git a/examples/psa_crypto/app.config.multi_se b/examples/psa_crypto/app.config.multi_se new file mode 100644 index 0000000000..c430f6d05e --- /dev/null +++ b/examples/psa_crypto/app.config.multi_se @@ -0,0 +1,3 @@ +CONFIG_PSA_MAX_SE_COUNT=2 +CONFIG_PSA_PROTECTED_KEY_COUNT=8 +CONFIG_PSA_SINGLE_KEY_COUNT=2 diff --git a/examples/psa_crypto/app.config.se b/examples/psa_crypto/app.config.se new file mode 100644 index 0000000000..762dc2300b --- /dev/null +++ b/examples/psa_crypto/app.config.se @@ -0,0 +1,2 @@ +CONFIG_PSA_PROTECTED_KEY_COUNT=4 +CONFIG_PSA_SINGLE_KEY_COUNT=1 diff --git a/tests/sys/psa_crypto_cipher/Makefile b/tests/sys/psa_crypto_cipher/Makefile index 44b4b8f059..2e8dd0ae2b 100644 --- a/tests/sys/psa_crypto_cipher/Makefile +++ b/tests/sys/psa_crypto_cipher/Makefile @@ -8,10 +8,8 @@ USEMODULE += psa_crypto USEMODULE += psa_cipher USEMODULE += psa_cipher_aes_128_cbc -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 endif -SHOULD_RUN_KCONFIG := - include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_ecdsa/Makefile b/tests/sys/psa_crypto_ecdsa/Makefile index 1ffb6ed268..8b529ac266 100644 --- a/tests/sys/psa_crypto_ecdsa/Makefile +++ b/tests/sys/psa_crypto_ecdsa/Makefile @@ -10,13 +10,11 @@ USEMODULE += psa_hash_sha_256 USEMODULE += psa_asymmetric USEMODULE += psa_asymmetric_ecc_p256r1 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT=1 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 endif -SHOULD_RUN_KCONFIG := - CFLAGS += -DTHREAD_STACKSIZE_MAIN=4096 include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_eddsa/Makefile b/tests/sys/psa_crypto_eddsa/Makefile index f8cd240318..578eeaf747 100644 --- a/tests/sys/psa_crypto_eddsa/Makefile +++ b/tests/sys/psa_crypto_eddsa/Makefile @@ -8,13 +8,11 @@ USEMODULE += psa_crypto USEMODULE += psa_asymmetric USEMODULE += psa_asymmetric_ecc_ed25519 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT=1 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 endif -SHOULD_RUN_KCONFIG := - CFLAGS += -DTHREAD_STACKSIZE_MAIN=4096 include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_mac/Makefile b/tests/sys/psa_crypto_mac/Makefile index ee2bd15508..126d573540 100644 --- a/tests/sys/psa_crypto_mac/Makefile +++ b/tests/sys/psa_crypto_mac/Makefile @@ -8,10 +8,8 @@ USEMODULE += psa_crypto USEMODULE += psa_mac USEMODULE += psa_mac_hmac_sha_256 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 endif -SHOULD_RUN_KCONFIG := - include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_se/Makefile b/tests/sys/psa_crypto_se/Makefile index 4e1286028a..9186bbff11 100644 --- a/tests/sys/psa_crypto_se/Makefile +++ b/tests/sys/psa_crypto_se/Makefile @@ -15,7 +15,7 @@ USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 USEMODULE += psa_secure_element_ateccx08a_ecc_p256 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=3 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 endif @@ -25,6 +25,4 @@ CFLAGS += -DCUSTOM_ATCA_PARAMS INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) -SHOULD_RUN_KCONFIG := - include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_se_cipher/Makefile b/tests/sys/psa_crypto_se_cipher/Makefile index 61e4949d5b..f0eca74b1c 100644 --- a/tests/sys/psa_crypto_se_cipher/Makefile +++ b/tests/sys/psa_crypto_se_cipher/Makefile @@ -11,8 +11,7 @@ USEMODULE += psa_secure_element USEMODULE += psa_secure_element_ateccx08a USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128 - -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=1 endif @@ -21,6 +20,4 @@ CFLAGS += -DCUSTOM_ATCA_PARAMS INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) -SHOULD_RUN_KCONFIG := - include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_se_ecdsa/Makefile b/tests/sys/psa_crypto_se_ecdsa/Makefile index d0f6cadc62..afba066b1d 100644 --- a/tests/sys/psa_crypto_se_ecdsa/Makefile +++ b/tests/sys/psa_crypto_se_ecdsa/Makefile @@ -13,7 +13,7 @@ USEMODULE += psa_secure_element USEMODULE += psa_secure_element_ateccx08a USEMODULE += psa_secure_element_ateccx08a_ecc_p256 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1 CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=1 endif @@ -23,6 +23,5 @@ CFLAGS += -DCUSTOM_ATCA_PARAMS INCLUDES += -I$(APPDIR) # Application specific (not needed by PSA) -SHOULD_RUN_KCONFIG := include $(RIOTBASE)/Makefile.include diff --git a/tests/sys/psa_crypto_se_mac/Makefile b/tests/sys/psa_crypto_se_mac/Makefile index 5130e9acad..3783b8062f 100644 --- a/tests/sys/psa_crypto_se_mac/Makefile +++ b/tests/sys/psa_crypto_se_mac/Makefile @@ -11,7 +11,7 @@ USEMODULE += psa_secure_element USEMODULE += psa_secure_element_ateccx08a USEMODULE += psa_secure_element_ateccx08a_hmac_sha256 -ifneq (1, $(TEST_KCONFIG)) +ifneq (1, $(SHOULD_RUN_KCONFIG)) CFLAGS += -DCONFIG_PSA_PROTECTED_KEY_COUNT=1 endif