[nrf noup] boards: nordic: Enable PSA RNG for secdom devices #2135
+25,492
−7,716
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-This commit is a [nrf noup] because it removes configuration options for cryptographic algortihms available in Mbed TLS but which is not actively supported in nRF Connect SDK. The list of algorithms removed: - AES CFB - Cipher Feedback block cipher - AES OFB - Output Feedback block cipher - FFDH - RIPEMD160 - Aria - Camellia - DES The removal of these algorithms is based both on a wish to remove weaker cryptography and unsupported features in the products we have today. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This is a [nrf noup] as this the upstream version of PSA crypto configs is generated by tooling, and there is no mechanisms to qualify that dependent configurations are enabled (by depends or select). -This adds dependency-mapping between configurations in the Kconfigs added for PSA crypto in upstream. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This commit is a [nrf noup] because PSA crypto configs in upstream Zephyr doesn't have help-text in their configurations and we don't want to duplicate configurations to control the value -This adds warning for SHA-1 and MD5 usage Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This is a [nrf noup] because the upstream Zephyr is generated using a script and is not committed as-is as source-code. The relevant responsible person for this feature has received information about the missing configuration and this will be resolved upstream in Mbed TLS and will propagate down to zephyr. Once this has happened, this [nrf noup] can be dropped. -Add missing PSA_WANT_KEY_TYPE_RSA_KEY_DERIVE Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This commit contains all Nordic-specific configurations for PSA crypto These have been separated from Kconfig.psa, as this file is now auto-generated in the upstream project. This commit may be reworked later, in case more features are supported in Kconfig.psa -Add Kconfig.psa.nordic containing Nordics PSA crypto addition -Add reading this file from modules/mbedtls/Kconfig Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This commit is a [nrf noup] as Kconfig.psa is an auto-generated file. The changes reflected here has been reported to maintainers in upstream Zephyr. Change: Mbed TLS resolves PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC and PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT internally from the other types. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC is internally resolved by Mbed TLS. It has been made promptless in a previous commit. Keeping this change separated since the Kconfig.psa is auto-generated and it would likely be a bit more complex to handle this in a single commit. Upstream maintainers have been notified about this mismatch in configurations. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Update path for autoconf.h which is now in zephyr/autoconf.h Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Add board support for the nrf7002eb shield. This shield uses the nordic edge-connector to be compatible with multiple boards. Signed-off-by: Bjarki Arge Andreasen <[email protected]> Upstream PR: zephyrproject-rtos/zephyr#78330
Add build for nrf7002eb shield on thingy53 board. Signed-off-by: Bjarki Arge Andreasen <[email protected]> Upstream PR: zephyrproject-rtos/zephyr#78330
Makes the boot banner function weak, this resolves an issue when building with llext enabled which uses different build options than a normal zephyr build Signed-off-by: Jamie McCrae <[email protected]>
…ken from dt Currently a user, or a shield definition, must select a Kconfig to signal that the iovdd_ctrl and bucken GPIOs are connected to the same pin. We can instead check this in the driver by simply checking if the iovdd_ctrl_spec and bucken_spec are the same pin. Update the nrfwifi driver and remove the redundant NRF_WIFI_COMBINED_BUCKEN_IOVDD_GPIO config. Signed-off-by: Bjarki Arge Andreasen <[email protected]> Upstream PR: zephyrproject-rtos/zephyr#78485
In NCS to leverage HW acceleration, use nRF security. Also, fix Kconfig warnings in NCS compliance for CRYPTO_ALT. Signed-off-by: Chaitanya Tata <[email protected]>
External flash support is still WIP, so, to get sysbuild working add dummy Kconfig options. Signed-off-by: Chaitanya Tata <[email protected]>
fixup! [nrf noup] mbedtls: Add dependency logic for PSA crypto configurations -Selecting CHACHA20 key type if PSA_WANT_ALG_STREAM_CIPHER is enabled (fixup of commit 47a1e03) Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Although ZVFS is experimental, the warning is annoying the matter team. Therefore, remove the experimental selection. This may be reverted once upstream unselects experimental. Signed-off-by: Bjarki Arge Andreasen <[email protected]>
External projects building the documentation may not clone all modules, as they have manifest filtering. Therefore, not having access to a module should not produce a fatal documentation build error. Convert the error to a debug log, so it is at least traced. Upstream PR: zephyrproject-rtos/zephyr#78876 Signed-off-by: Gerard Marull-Paretas <[email protected]> Signed-off-by: Bjarki Arge Andreasen <[email protected]>
-Enabling MBEDTLS_ECP_DP_SECP256R1_ENABLED curve type to ensure we don't get error-warnings about MBEDTLS_ECP_C dependencies not being met for WIFI samples. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
[SHEL-2054] Adding a kconfig option for WMM. By default it will be enabled. If user needs to disable it, set it as n. Tagged as "noup" because I had to fix a conflict because of another "noup". Upstream PR: zephyrproject-rtos/zephyr#76754 Signed-off-by: Kapil Bhatt <[email protected]>
…d FAE table Adds HCI support for: - LE CS Read Remote Supported Capabilities - LE CS Read Remote FAE Table Callbacks have been added to the conn object to allow upper layers to make use of the cache commands, with which it will be possible to store this information and provide it again in the case of a disconnect and reconnect to the same device. (cherry picked from commit 947a294) Signed-off-by: Olivier Lesage <[email protected]>
Adds HCI support for the LE CS Test command. (cherry picked from commit fb9a8eb) Signed-off-by: Olivier Lesage <[email protected]>
Some of the http_server tests suites were missing netif dependency. (cherry picked from commit 1dca822) Signed-off-by: Robert Lubos <[email protected]>
- We don't use this mechanism in nRF Connect SDK Signed-off-by: Frank Audun Kvamtrø <[email protected]>
…nload -We handle legacy Crypto API support specially (favoring PSA crypto) the tests here require MD interface to build, which needs the config MBEDTLS_LEGACY_CRYPTO_C to be enable to get access to Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-This adds crypto support for ipv6 tests by enabling CONFIG_MBEDTLS_LEGACY_CRYPTO_C Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Reorder functions in order to remove forward function defitions. No functional changes. Signed-off-by: Tomasz Moń <[email protected]> (cherry picked from commit 2c78a4d)
When the queue is full, all messages posted inside interrupt handlers are simply dropped. This problem can be remedied by having the message queue large enough, but determining the maximum number of messages that can ever be posted in the system is really complex task. Hopefully in DWC2 driver there is finite number of events that have to be processed inside thread handler. Therefore it is unnecessary to determine the maximum queue size for the events if the events are posted to k_event object instead of send to k_msgq object. Use combination of three k_event structures to handle all possible event sources. This not only guarantees by design that no event will be lost, but also slightly reduces the memory usage. Signed-off-by: Tomasz Moń <[email protected]> (cherry picked from commit c2f2d8c)
UDC API handlers and DWC2 driver thread share not only software constructs, but also the underlying hardware. Ensure that any UDC API call is not preempted by DWC2 driver thread (and vice versa) by acquiring the lock in thread handler. Signed-off-by: Tomasz Moń <[email protected]> (cherry picked from commit 5fc0405)
Enter hibernation in thread context with the lock held to make sure to not queue any transfers when the core is hibernated. Signed-off-by: Tomasz Moń <[email protected]> (cherry picked from commit f765026)
The PMU is not reset by core reset and therefore it is necessary to exit hibernation on DWC2 disable to prevent endless PMU interrupt loop when the driver is enabled again. Signed-off-by: Tomasz Moń <[email protected]> (cherry picked from commit b89b7ed)
Adds HCI support for LE CS subevent result continue event and the reassembly logic for the partial results. When subevent results are completed or the subevent is aborted, the user callback is invoked with a buffer pointing to the HCI event buffer, so no copy is done. When subevent results are incomplete, then a reassembly buffer is allocated from a fixed sized pool. This buffer is used for the reassembling of the subevent result containing all of the step data, which is then passed to the user via the callback. kconfigs have been added to set the size and the count of the reassembly buffer. Signed-off-by: Burak Gorduk <[email protected]> (cherry picked from commit c5a126c)
… types Modifies the CS bitfields that are used for accessing HCI event data to take platform endiannes into consideration. Signed-off-by: Burak Gorduk <[email protected]> (cherry picked from commit bfe3c43)
…TX power The values were swapped, leading to the opposite of the intended behavior Signed-off-by: Olivier Lesage <[email protected]> (cherry picked from commit 51a0e94)
These options are in microseconds but not fully configurable, document what options are allowed in 6.0 Signed-off-by: Olivier Lesage <[email protected]> (cherry picked from commit 5d03664)
These are signed 16-bit integers by spec Signed-off-by: Olivier Lesage <[email protected]> (cherry picked from commit b1f34a1)
… and RSSI Add some defines for packet quality and rssi for RTT, these are useful for filtering out steps where the RTT exchange was unsuccessful Signed-off-by: Olivier Lesage <[email protected]> (cherry picked from commit 6c95478)
…p_data_parse() This function can be used to parse HCI-formatted subevent results regardless of whether they come from CS Test or not Signed-off-by: Olivier Lesage <[email protected]> (cherry picked from commit 60a2d7d)
Adds HCI support for: - LE CS Security Enable - LE CS Procedure Enable - LE CS Set Procedure Parameters - LE CS Set Channel Classification - LE CS Read Local Supported Capabilities - LE CS Write Cached Remote Supported Capabilities - LE CS Write Cached Remote FAE Table Signed-off-by: Adam Cavender <[email protected]> (cherry picked from commit 18f5081)
Add runtime PM to the driver. Signed-off-by: Krzysztof Chruściński <[email protected]> (cherry picked from commit b773306)
… nrf54l Add common overlay for nrf54l15pdk targets. Signed-off-by: Krzysztof Chruściński <[email protected]> (cherry picked from commit 7fc7361)
…uration Add configuration to the test which is using runtime PM on qdec. Signed-off-by: Krzysztof Chruściński <[email protected]> (cherry picked from commit 5371eff)
…dec.pm_runtime Test was failing because after re-enabling QDEC there is an interrupt REPORTRDY coming after some time. Test had k_msleep(100) added to accomodate for that but it was added after sensor_sample_fetch and should be added before so that sample with data from REPORTRDY event is fetched so that next read is empty as expected. Upstream PR: zephyrproject-rtos/zephyr#80051 Signed-off-by: Krzysztof Chruściński <[email protected]>
Noup since secdom is not available upstream. This enables the PSA RNG as the default Zephyr entropy provider for the following secdom enabled targets: nrf54h20_cpuapp and cpurad nrf9280_cpuapp Signed-off-by: Georgios Vasilakis <[email protected]> Signed-off-by: Frank Audun Kvamtrø <[email protected]>
-Disabling some configurations for OSDP (mgmt subsys): -CRYPTO -CRYPTO_MBEDTLS_SHIM -Filter enablement of MBEDTLS_CIPHER_AES_ENABLED on MBEDTLS_BUILTIN -Filter enablement of MBEDTLS_CIPHER_CCM_ENABLED on MBEDTLS_BUILTIN Signed-off-by: Frank Audun Kvamtrø <[email protected]>
Vge0rge
approved these changes
Oct 23, 2024
| @@ -28,7 +28,7 @@ | |||
| zephyr,bt-hci = &bt_hci_ipc0; | |||
| nordic,802154-spinel-ipc = &ipc0; | |||
| zephyr,canbus = &can120; | |||
| zephyr,entropy = &prng; | |||
| zephyr,entropy = &psa_rng; | |||
There was a problem hiding this comment.
Just a suggestion and not a blocker but you can even just leave that as it was with the prng. I removed that before because I was trying to remove the prng all together. But now the prng cannot be removed since there are more platforms using it, so this can stay as it was before if you want.
Noup since secdom is not available upstream and it is required for PSA RNG. Enable the cpusec ipc and the bellboard nodes for the nrf54h20dk cpuapp and cpurad targets. These are required for the PSA crypto service to work. Signed-off-by: Georgios Vasilakis <[email protected]>
Noup since secdom is not available upstream and it is required for PSA RNG. This adds the Kconfig requirements for the PSA RNG service. This affects the nrf54h20dk cpuapp and cpurad targets. Signed-off-by: Georgios Vasilakis <[email protected]>
When the secure domain services are enabled. Noup since the symbol SDFW_SERVICES_ENABLED is not available upstream. This is required specifically for the PSA crypto secure service but I cannot use SSF_PSA_CRYPTO_SERVICE_ENABLED here so I used the SDFW_SERVICES_ENABLED option. This is temporary since we expect to add support for data cache later. This affects the nrf54h20dk cpuapp and cpurad targets. Signed-off-by: Georgios Vasilakis <[email protected]>
rlubos
requested review from
carlescufi,
de-nordic,
nordic-krch and
a team
as code owners
|
removed 2.8.0 milestone as it was tagged already |
|
Needs rebase if still valid. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Noup since secdom is not available upstream.
This enables the PSA RNG as the default Zephyr entropy provider for the following secdom enabled targets:
nrf54h20_cpuapp and cpurad
nrf9280_cpuapp