From 5d52b82994c9dd327df10af9263c235c8c79670d Mon Sep 17 00:00:00 2001
From: Dominik Ermel <dominik.ermel@nordicsemi.no>
Date: Wed, 24 Jul 2024 17:00:04 +0000
Subject: [PATCH] [nrf noup] PSA configuration required changes

Set of changes to Kconfig, CMakeLists.txt and some of headers
that are required for the PSA support to compile.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
---
 boot/bootutil/zephyr/CMakeLists.txt           |  14 ++-
 boot/zephyr/CMakeLists.txt                    |  39 +++++--
 boot/zephyr/Kconfig                           | 109 +++++++++++++++++-
 boot/zephyr/include/mcuboot-mbedtls-cfg.h     |   2 +-
 .../include/mcuboot_config/mcuboot_config.h   |   2 +
 5 files changed, 150 insertions(+), 16 deletions(-)

diff --git a/boot/bootutil/zephyr/CMakeLists.txt b/boot/bootutil/zephyr/CMakeLists.txt
index 72a6a8638..d5364d025 100644
--- a/boot/bootutil/zephyr/CMakeLists.txt
+++ b/boot/bootutil/zephyr/CMakeLists.txt
@@ -29,12 +29,18 @@ zephyr_library_link_libraries(MCUBOOT_BOOTUTIL)
 target_link_libraries(MCUBOOT_BOOTUTIL INTERFACE zephyr_interface)
 
 if(CONFIG_BOOT_USE_TINYCRYPT)
-target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
-  ../../../ext/tinycrypt/lib/include
-)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
+    ../../../ext/tinycrypt/lib/include
+  )
+endif()
+
+if(CONFIG_BOOT_USE_PSA_CRYPTO)
+  target_include_directories(MCUBOOT_BOOTUTIL INTERFACE
+     ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
+  )
 endif()
 
-if(CONFIG_BOOT_USE_MBEDTLS)
+if(CONFIG_BOOT_USE_MBEDTLS OR CONFIG_BOOT_USE_PSA_CRYPTO AND NOT CONFIG_PSA_CORE_OBERON)
   zephyr_link_libraries(mbedTLS)
 endif()
 endif()
diff --git a/boot/zephyr/CMakeLists.txt b/boot/zephyr/CMakeLists.txt
index c26633d11..8a2c97ead 100644
--- a/boot/zephyr/CMakeLists.txt
+++ b/boot/zephyr/CMakeLists.txt
@@ -51,6 +51,12 @@ if(EXISTS targets/${BOARD}.h)
   zephyr_library_compile_definitions(MCUBOOT_TARGET_CONFIG="${BOARD}.h")
 endif()
 
+if(DEFINED CONFIG_MBEDTLS)
+  zephyr_library_include_directories(
+    ${ZEPHYR_MBEDTLS_MODULE_DIR}/include
+  )
+endif()
+
 # Zephyr port-specific sources.
 zephyr_library_sources(
   main.c
@@ -102,6 +108,10 @@ zephyr_library_sources(
   ${BOOT_DIR}/bootutil/src/fault_injection_hardening.c
   )
 
+if(DEFINED CONFIG_BOOT_ENCRYPT_X25519)
+  zephyr_library_sources(${BOOT_DIR}/bootutil/src/encrypted_psa.c)
+endif()
+
 if(DEFINED CONFIG_MEASURED_BOOT OR DEFINED CONFIG_BOOT_SHARE_DATA)
   zephyr_library_sources(
     ${BOOT_DIR}/bootutil/src/boot_record.c
@@ -230,19 +240,28 @@ elseif(CONFIG_BOOT_SIGNATURE_TYPE_ED25519 OR CONFIG_BOOT_ENCRYPT_X25519)
     ${FIAT_DIR}/include/
   )
 
-  zephyr_library_sources(
-    ${FIAT_DIR}/src/curve25519.c
-  )
+  if(NOT CONFIG_BOOT_ED25519_PSA)
+    zephyr_library_sources(
+      ${FIAT_DIR}/src/curve25519.c
+    )
+  else()
+    zephyr_library_sources(
+      ${MBEDTLS_ASN1_DIR}/src/asn1parse.c
+      ${BOOT_DIR}/bootutil/src/ed25519_psa.c
+    )
+  endif()
 endif()
 
-if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
-  zephyr_library_sources(
-    ${TINYCRYPT_DIR}/source/aes_encrypt.c
-    ${TINYCRYPT_DIR}/source/aes_decrypt.c
-    ${TINYCRYPT_DIR}/source/ctr_mode.c
-    ${TINYCRYPT_DIR}/source/hmac.c
-    ${TINYCRYPT_DIR}/source/ecc_dh.c
+if(NOT CONFIG_BOOT_ED25519_PSA)
+  if(CONFIG_BOOT_ENCRYPT_EC256 OR CONFIG_BOOT_ENCRYPT_X25519)
+    zephyr_library_sources(
+      ${TINYCRYPT_DIR}/source/aes_encrypt.c
+      ${TINYCRYPT_DIR}/source/aes_decrypt.c
+      ${TINYCRYPT_DIR}/source/ctr_mode.c
+      ${TINYCRYPT_DIR}/source/hmac.c
+      ${TINYCRYPT_DIR}/source/ecc_dh.c
     )
+  endif()
 endif()
 
 if(CONFIG_BOOT_ENCRYPT_EC256)
diff --git a/boot/zephyr/Kconfig b/boot/zephyr/Kconfig
index 28f40bf52..6810db812 100644
--- a/boot/zephyr/Kconfig
+++ b/boot/zephyr/Kconfig
@@ -27,6 +27,14 @@ config BOOT_USE_MBEDTLS
 	help
 	  Use mbedTLS for crypto primitives.
 
+config BOOT_USE_PSA_CRYPTO
+	bool
+	default y if NRF_SECURITY
+	# This is counter intuitive but that is how PSA heap is enabled.
+	select MBEDTLS_ENABLE_HEAP
+	help
+	  Hidden option set if using PSA crypt for cryptography functionality
+
 config BOOT_USE_TINYCRYPT
 	bool
 	# Hidden option
@@ -60,6 +68,55 @@ config NRF_CC310_BL
 	bool
 	default n
 
+if BOOT_USE_PSA_CRYPTO
+config BOOT_PSA_IMG_HASH_ALG_SHA256_DEPENDENCIES
+	bool
+	default y if BOOT_IMG_HASH_ALG_SHA256
+	select PSA_WANT_ALG_SHA_256
+	help
+	  Dependencies for hashing with SHA256
+
+config BOOT_ED25519_PSA_DEPENDENCIES
+	bool
+	select PSA_WANT_ALG_SHA_256
+	select PSA_WANT_ALG_SHA_512
+	select PSA_WANT_ALG_PURE_EDDSA
+	select PSA_WANT_ECC_TWISTED_EDWARDS_255
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	help
+	  Dependencies for ed25519 signature
+
+if BOOT_ENCRYPT_IMAGE
+config BOOT_X25519_PSA_DEPENDENCIES
+	bool
+	select PSA_WANT_ALG_ECDH
+	select PSA_WANT_ALG_HMAC
+	select PSA_WANT_ALG_HKDF
+	select PSA_WANT_ALG_CTR
+	select PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
+	select PSA_WANT_KEY_TYPE_DERIVE
+	select PSA_WANT_KEY_TYPE_AES
+	select PSA_WANT_ECC_MONTGOMERY_255
+	help
+	  Dependencies for x25519 shared-random key encryption and AES
+	  encryption. The PSA_WANT_ALG_CTR and PSA_WANT_KEY_TYPE_AES
+	  enable Counter based block cipher and AES key, and algorithm support,
+	  to use with it; the others are used for shared key decryption
+	  and derivation.
+endif
+
+if MBEDTLS_ENABLE_HEAP
+
+config MBEDTLS_HEAP_SIZE
+	default 2048 if BOOT_USE_PSA_CRYPTO
+	help
+	  The PSA internals need to be able to allocate memory for operation
+	  and it uses mbedTLS heap for that.
+
+endif # MBEDTLS_ENABLE_HEAP
+
+endif
+
 menu "MCUBoot settings"
 
 config SINGLE_APPLICATION_SLOT
@@ -70,13 +127,47 @@ config SINGLE_APPLICATION_SLOT
 	  uploading a new application overwrites the one that previously
 	  occupied the area.
 
+config BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	bool
+	help
+	  Hidden option set by configurations that allow SHA256
+
+config BOOT_IMG_HASH_ALG_SHA384_ALLOW
+	bool
+	help
+	  Hidden option set by configurations that allow SHA384
+
+choice BOOT_IMG_HASH_ALG
+	prompt "Selected image hash algorithm"
+	default BOOT_IMG_HASH_ALG_SHA256 if BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	default BOOT_IMG_HASH_ALG_SHA384 if BOOT_IMG_HASH_ALG_SHA384_ALLOW
+	help
+	  Hash algorithm used for image verification. Selection
+	  here may be limited by other configurations, like for
+	  example selected cryptographic signature.
+
+config BOOT_IMG_HASH_ALG_SHA256
+	bool "SHA256"
+	depends on BOOT_IMG_HASH_ALG_SHA256_ALLOW
+	help
+	  SHA256 algorithm
+
+config BOOT_IMG_HASH_ALG_SHA384
+	bool "SHA384"
+	depends on BOOT_IMG_HASH_ALG_SHA384_ALLOW
+	help
+	  SHA384 algorithm
+
+endchoice # BOOT_IMG_HASH_ALG
+
 choice BOOT_SIGNATURE_TYPE
 	prompt "Signature type"
+	default BOOT_SIGNATURE_TYPE_ED25519 if BOARD_NRF54L15PDK_NRF54L15_CPUAPP
 	default BOOT_SIGNATURE_TYPE_RSA
 
 config BOOT_SIGNATURE_TYPE_NONE
 	bool "No signature; use only hash check"
-	select BOOT_USE_TINYCRYPT
+	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 config BOOT_SIGNATURE_TYPE_RSA
 	bool "RSA signatures"
@@ -117,18 +208,30 @@ endif
 config BOOT_SIGNATURE_TYPE_ED25519
 	bool "Edwards curve digital signatures using ed25519"
 	select BOOT_ENCRYPTION_SUPPORT
+	select BOOT_IMG_HASH_ALG_SHA256_ALLOW
 
 if BOOT_SIGNATURE_TYPE_ED25519
 choice BOOT_ED25519_IMPLEMENTATION
 	prompt "Ecdsa implementation"
 	default BOOT_ED25519_TINYCRYPT
+
 config BOOT_ED25519_TINYCRYPT
 	bool "Use tinycrypt"
 	select BOOT_USE_TINYCRYPT
+	depends on !NRF_SECURITY
+
 config BOOT_ED25519_MBEDTLS
 	bool "Use mbedTLS"
 	select BOOT_USE_MBEDTLS
 	select MBEDTLS
+	depends on !NRF_SECURITY
+
+config BOOT_ED25519_PSA
+	bool "Use PSA crypto"
+	select BOOT_USE_PSA_CRYPTO
+	select BOOT_ED25519_PSA_DEPENDENCIES
+	select BOOT_X25519_PSA_DEPENDENCIES if BOOT_ENCRYPT_IMAGE
+
 endchoice
 endif
 
@@ -167,9 +270,13 @@ config MCUBOOT_CLEANUP_ARM_CORE
 	  start-up code which can cause a module fault and potentially make the
 	  module irrecoverable.
 
+if MBEDTLS
+
 config MBEDTLS_CFG_FILE
 	default "mcuboot-mbedtls-cfg.h"
 
+endif
+
 config BOOT_HW_KEY
 	bool "Use HW key for image verification"
 	default n
diff --git a/boot/zephyr/include/mcuboot-mbedtls-cfg.h b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
index 2bab537d7..a46fbb09f 100644
--- a/boot/zephyr/include/mcuboot-mbedtls-cfg.h
+++ b/boot/zephyr/include/mcuboot-mbedtls-cfg.h
@@ -23,7 +23,7 @@
 
 #if defined(CONFIG_BOOT_SIGNATURE_TYPE_RSA) || defined(CONFIG_BOOT_ENCRYPT_RSA)
 #include "config-rsa.h"
-#elif defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
+#elif defined(CONFIG_BOOT_USE_PSA_CRYPTO) || defined(CONFIG_BOOT_SIGNATURE_TYPE_ECDSA_P256) || \
       defined(CONFIG_BOOT_ENCRYPT_EC256) || \
       (defined(CONFIG_BOOT_ENCRYPT_X25519) && !defined(CONFIG_BOOT_SIGNATURE_TYPE_ED25519))
 #include "config-asn1.h"
diff --git a/boot/zephyr/include/mcuboot_config/mcuboot_config.h b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
index 824e83b75..b0f4e0cbd 100644
--- a/boot/zephyr/include/mcuboot_config/mcuboot_config.h
+++ b/boot/zephyr/include/mcuboot_config/mcuboot_config.h
@@ -40,6 +40,8 @@
 #define MCUBOOT_USE_TINYCRYPT
 #elif defined(CONFIG_BOOT_USE_CC310)
 #define MCUBOOT_USE_CC310
+#elif defined(CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT)
+#define MCUBOOT_USE_PSA_CRYPTO
 #elif defined(CONFIG_BOOT_USE_NRF_EXTERNAL_CRYPTO)
 #define MCUBOOT_USE_NRF_EXTERNAL_CRYPTO
 #endif