modules: openthread: use PSA Crypto API as default choice for crypto #98088
Conversation
valeriosetti
force-pushed
the
openthread-use-psa
branch
2 times, most recently
from
5cdcab8 to
0086bd8
Compare
zephyrbot
added
area: Samples
zephyrbot
requested review from
canisLupus1313,
ceolin,
cfriedt,
d3zd3z,
edmont,
ithinuel,
jhedberg,
jukkar,
maciejbaczmanski,
mariuszpos,
pdgendt,
rlubos,
ssharks,
tomi-font and
wearyzen
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
0086bd8 to
2ea6432
Compare
valeriosetti
force-pushed
the
openthread-use-psa
branch
3 times, most recently
from
3f04640 to
481eed1
Compare
samples/net/openthread/coap/prj.conf
Outdated
| CONFIG_OPENTHREAD_NETWORK_NAME="OpenThreadDemo" | ||
|
|
||
| # Use ZMS as storage backend for Secure Storage | ||
| CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS=y |
There was a problem hiding this comment.
Wouldn't we need this in other samples as well? And those generic networking samples that have overlay-ot.conf?
There was a problem hiding this comment.
This is still no clear to me, do we need thsoe configs in other samples/OT overlays as well?
There was a problem hiding this comment.
I'm still working on making other samples building properly :). I think the CI is not even testing them and they need fixes for sure.
I just pushed the PR to let @tomi-font and other reviewers see requested changes in place ;)
There was a problem hiding this comment.
I added the DNM label to ensure that this PR is not merged accidentally before we're happy with test coverage
There was a problem hiding this comment.
I'd say just enable the Settings backend instead, it's the simplest to enable, just a Kconfig option, no DT overlay.
There was a problem hiding this comment.
Even with CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS you need to select the backend for Settings, otherwise CONFIG_SETTINGS_NONE would be used.
Then if I enable Settings to use ZMS as backend, why not using ZMS directly from Secure Storage and save some footprint?
There was a problem hiding this comment.
This is still no clear to me, do we need thsoe configs in other samples/OT overlays as well?
@rlubos I finally had the time to check this question.
Apparently samples/net/openthread/border_router already enables NVS so we don't need ZMS in this case. The same holds also for samples/net/openthread/coprocessor and for samples/net/openthread/shell.
For sake of uniformity I think it's better to enable NVS also in the samples/net/openthread/border_router instead of ZMS as I did previously.
|
Hi @valeriosetti. I have been debugging more in OpenThread border router application from |
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
5d37bbe to
b710852
Compare
This is an amazing feedback, thanks! I added a new commit in the series which hopefully should enable what was missing. Can you please give it another try? |
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
b710852 to
f709285
Compare
Meanwhile I have managed to have a working joiner-commissioner scenario on OpenThread Border Router sample. I will compare my changes with yours and let you know. Thanks for the new commit! |
Hi @valeriosetti, Related to your commit from yesterday, Related to TREL initialization, I made use of PSA switch proposal from OpenThread, openthread/openthread@3a6573f#diff-8d6dc63e1ec9adacf9f4215b293513b17f39a8127ea4b89100db42976adace44, |
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
f709285 to
fe92598
Compare
Thanks for the suggestion. I updated the commit with the information you provided.
I updated the companion PR to entirely cherry-pick the commit from the PR on the official OT repo. Previously I only took some part of it.
Done. Thanks. |
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
fe92598 to
f602249
Compare
|
@Cristib05 did you have a chance to retest this PR after I applied all the changes you proposed in your last message? |
Hi @valeriosetti, I managed to re-test using your latest changes. I have tested the following:
Thanks for your updates! |
OpenThread needs a PSA ITS provider when using PSA Crypto API, therefore we enable Secure Storage in builds without TF-M. Signed-off-by: Valerio Setti <[email protected]>
Make CONFIG_OPENTHREAD_CRYPTO_PSA as enabled by default in order to use PSA Crypto API instead of legacy Mbed TLS' crypto. This is done with the final goal to deprecate and remove usage of legacy crypto support in the near future from Zephyr codebase. Signed-off-by: Valerio Setti <[email protected]>
Secure Storage is used as PSA ITS in builds where TF-M is not enabled, but it needs a storage backend where to physically save data. If CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_ZMS is used then its "depends on" guarantee that there is a partition to use as physical storage. If CONFIG_SECURE_STORAGE_ITS_STORE_IMPLEMENTATION_SETTINGS is used instead we want to ensure that CONFIG_SETTINGS_NONE doesn't gets selected which would result in Settings not being able to store data anywhere. This commit add a depends_on for this last case. Signed-off-by: Valerio Setti <[email protected]>
Allow MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED to work with either legacy crypto (i.e. MBEDTLS_ECJPAKE_C) or PSA Crypto API (i.e. PSA_WANT_ALG_JPAKE). Signed-off-by: Valerio Setti <[email protected]>
When PSA Crypto API are used they need a PSA ITS implementation and this is provided by Secure Storage if TF-M is not enabled in the build. Secure Storage can use Settings as backend and Settings, on its turn, can use several other backends to store data (ex: ZMS, NVS, etc). Since NVS is already enabled in other OpenThread Zephyr samples, let's enable NVS also for this sample. While at it, also slightly re-organize "sample.yaml" to share more data between tests and allow building and testing also on the nrf52840dk board. Signed-off-by: Valerio Setti <[email protected]>
crypto_psa.c was missing an implementation for the following functions: - otPlatCryptoHkdfInit - otPlatCryptoHkdfExtract - otPlatCryptoHkdfExpand - otPlatCryptoHkdfDeinit which provide support for HKDF using PSA Crypto API. This commit fill this gap by copying the implementation from upstream PR 11445. Signed-off-by: Valerio Setti <[email protected]>
Select proper PSA_WANT requirements in CONFIG_OPENTHREAD_CRYPTO_PSA_CONFIG in order to enable KDF algorithms. Signed-off-by: Valerio Setti <[email protected]>
Increase heap memory when OpenThread is enabled and either "commissioner" or "joiner" roles are used. Signed-off-by: Valerio Setti <[email protected]>
Simply move the definition of OPENTHREAD_CRYPTO_PSA Konfig before crypto configuration related Kconfigs. Signed-off-by: Valerio Setti <[email protected]>
Include new definitions in crypto.h in order support HKDF algorithm. Signed-off-by: Valerio Setti <[email protected]>
valeriosetti
force-pushed
the
openthread-use-psa
branch
from
f602249 to
307ff11
Compare
|
9 participants
Modify OpenThread's Kconfig options in order to always use PSA Crypto API by default instead of legacy Mbed TLS crypto.
Please check commits messages for details.
These changes were tested with
zephyr/samples/net/openthread/coap/on 2xnrf52840dkboards .