Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

entropy: Add PSA rng as the entropy provider for the nrf54h20 #17200

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

entropy: Add PSA rng as the entropy provider for the nrf54h20 #17200

wants to merge 17 commits into from

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Sep 5, 2024
edited
Loading

No description provided.

@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Sep 5, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Sep 5, 2024
edited
Loading

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
nrfxlib nrfconnect/sdk-nrfxlib@3189339 (main) nrfconnect/sdk-nrfxlib#1593 nrfconnect/sdk-nrfxlib#1593/files
zephyr nrfconnect/sdk-zephyr@09b87e9 nrfconnect/sdk-zephyr#2420 nrfconnect/sdk-zephyr#2420/files

DNM label due to: 2 projects with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Sep 5, 2024
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 101

Inputs:

Sources:

sdk-nrf: PR head: d88d0dcbaf663aae16ad0cb9ca6a6f24e3f01de4
nrfxlib: PR head: 905cc1ab59c339ba521d5ae4d9d00727ce89c969
zephyr: PR head: bdc2c6ff356f3cc9b3245e0db322a7f501b94370

more details

sdk-nrf:

PR head: d88d0dcbaf663aae16ad0cb9ca6a6f24e3f01de4
merge base: 296fa39d3256542decafb1cd53d0f50beda2b5d9
target head (main): 01afac7220d75197122b87a78b00971867b019c3
Diff

nrfxlib:

PR head: 905cc1ab59c339ba521d5ae4d9d00727ce89c969
merge base: 3189339e38f52a92098945a3c7f070810a067390
target head (main): 3189339e38f52a92098945a3c7f070810a067390
Diff

zephyr:

PR head: bdc2c6ff356f3cc9b3245e0db322a7f501b94370
merge base: 09b87e9262d6bc87206114dc14d1d10c585fbc0f
target head (main): 2c7f6efa7220ef2fbdd70e8597aedf1a07e86067
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (61) 
applications
│  ├── matter_bridge
│  │  ├── sysbuild
│  │  │  ├── ipc_radio
│  │  │  │  ├── boards
│  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf
nrfxlib
│  ├── nrf_rpc
│  │  ├── include
│  │  │  │ nrf_rpc.h
│  │  │ nrf_rpc.c
samples
│  ├── matter
│  │  ├── common
│  │  │  ├── dts
│  │  │  │  ├── nrf54h20
│  │  │  │  │  │ nrf54h20_ram_allocation.dtsi
│  ├── suit
│  │  ├── flash_companion
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── smp_transfer
│  │  │  ├── sysbuild
│  │  │  │  ├── hci_ipc.conf
│  │  │  │  │ recovery_hci_ipc.overlay
│  ├── wifi
│  │  ├── ble_coex
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── monitor
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── offloaded_raw_tx
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── promiscuous
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── provisioning
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── radio_test
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── raw_tx_packet
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── scan
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── shell
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── shutdown
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── softap
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── sta
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── thread_coex
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── throughput
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── twt
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── wfa_qt_app
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
subsys
│  ├── CMakeLists.txt
│  ├── nrf_rpc
│  │  ├── include
│  │  │  │ nrf_rpc_os.h
│  ├── nrf_security
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── Kconfig.psa
│  │  ├── include
│  │  │  │ ssf_crypto_config_empty.h
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  │ Kconfig
│  │  │  ├── ssf_secdom
│  │  │  │  │ Kconfig
│  ├── sdfw_services
│  │  ├── Kconfig
│  │  ├── os
│  │  │  │ ssf_client_zephyr.c
│  │  ├── services
│  │  │  ├── psa_crypto
│  │  │  │  │ psa_crypto_service.c
│  │  ├── transport
│  │  │  ├── nrf_rpc
│  │  │  │  │ ssf_client_nrf_rpc.c
tests
│  ├── benchmarks
│  │  ├── multicore
│  │  │  ├── idle
│  │  │  │  ├── boards
│  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp_ram_high_usage.overlay
│  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp_ram_low_usage.overlay
│  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.overlay
│  ├── subsys
│  │  ├── dfu
│  │  │  ├── dfu_target
│  │  │  │  ├── suit
│  │  │  │  │  ├── boards
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── Kconfig.defconfig
│  │  │  │  ├── nrf54h20dk_nrf54h20-memory_map.dtsi
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── drivers
│  │  ├── entropy
│  │  │  │ Kconfig.psa_crypto
│  ├── include
│  │  ├── zephyr
│  │  │  ├── drivers
│  │  │  │  ├── clock_control
│  │  │  │  │  │ nrf_clock_control.h
│  ├── soc
│  │  ├── nordic
│  │  │  ├── nrf54h
│  │  │  │  │ Kconfig
│  ├── tests
│  │  ├── arch
│  │  │  ├── arm
│  │  │  │  ├── arm_irq_vector_table
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpurad.overlay
│  │  │  │  │  │  ├── nrf9280pdk_nrf9280_cpuapp.overlay
│  │  │  │  │  │  │ nrf9280pdk_nrf9280_cpurad.overlay
│  │  │  │  ├── arm_thread_swap
│  │  │  │  │  ├── boards
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── crypto
│  │  │  ├── mbedtls
│  │  │  │  │ testcase.yaml
│  │  │  ├── mbedtls_psa
│  │  │  │  │ testcase.yaml
│  │  │  ├── secp256r1
│  │  │  │  │ testcase.yaml
│  │  ├── kernel
│  │  │  ├── sched
│  │  │  │  ├── schedule_api
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.conf
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf
│  │  │  ├── threads
│  │  │  │  ├── dynamic_thread_stack
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.conf
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf
│  │  ├── net
│  │  │  ├── socket
│  │  │  │  ├── tls_configurations
│  │  │  │  │  │ overlay-ec.conf
│  │  ├── subsys
│  │  │  ├── portability
│  │  │  │  ├── cmsis_rtos_v2
│  │  │  │  │  │ prj.conf

Outputs:

Toolchain

Version:
Build docker image:

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • 🟠 Toolchain
  • 🟠 Build twister
  • 🟠 Integration tests
    • 🟠 test-sdk-audio
    • 🟠 desktop52_verification
    • 🟠 test-fw-nrfconnect-boot
    • 🟠 test-fw-nrfconnect-apps
    • 🟠 test_ble_nrf_config
    • 🟠 test-fw-nrfconnect-ble_mesh
    • 🟠 test-fw-nrfconnect-ble_samples
    • 🟠 test-fw-nrfconnect-chip
    • 🟠 test-fw-nrfconnect-nfc
    • 🟠 test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • 🟠 test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • 🟠 test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • 🟠 test-fw-nrfconnect-nrf-iot_samples
    • 🟠 doc-internal
    • 🟠 test-fw-nrfconnect-nrf-iot_thingy91
    • 🟠 test-fw-nrfconnect-nrf_crypto
    • 🟠 test-fw-nrfconnect-rpc
    • 🟠 test-fw-nrfconnect-rs
    • 🟠 test-fw-nrfconnect-fem
    • 🟠 test-fw-nrfconnect-tfm
    • 🟠 test-fw-nrfconnect-thread
    • 🟠 test-fw-nrfconnect-zigbee
    • 🟠 test-sdk-find-my
    • 🟠 test-fw-nrfconnect-nrf-iot_mosh
    • 🟠 test-fw-nrfconnect-nrf-iot_positioning
    • 🟠 test-sdk-sidewalk
    • 🟠 test-sdk-wifi
    • 🟠 test-low-level
    • 🟠 test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • 🟠 test-sdk-pmic-samples
    • 🟠 test-sdk-mcuboot
    • 🟠 test-sdk-dfu
    • 🟠 test-fw-nrfconnect-ps
    • 🟠 test-secdom-samples-public
    • ⚠️ test-fw-nrfconnect-fw-update
    • ⚠️ test-fw-nrfconnect-nrf-iot_cloud
    • ⚠️ test-sdk-dfu

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge marked this pull request as ready for review September 24, 2024 10:48
@Vge0rge Vge0rge requested review from a team as code owners September 24, 2024 10:48
@NordicBuilder
Copy link
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publishing GitHub Action.

@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 7 times, most recently from 114059e to 6ed58b2 Compare September 27, 2024 12:24
@Vge0rge Vge0rge requested a review from a team as a code owner October 1, 2024 07:43
@Vge0rge Vge0rge requested a review from a team as a code owner October 1, 2024 12:40
tomi-font
tomi-font previously requested changes Oct 3, 2024
View reviewed changes
Copy link
Contributor

@tomi-font tomi-font left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again in this PR you have a commit that is later reverted (nrf_security: Enabled by default for nRF54H20)?

subsys/nrf_security/Kconfig Show resolved Hide resolved
subsys/nrf_security/Kconfig Outdated Show resolved Hide resolved
subsys/nrf_security/CMakeLists.txt Outdated Show resolved Hide resolved
@endre-nordic endre-nordic added this to the 2.8.0 milestone Oct 18, 2024
@frkv frkv self-requested a review October 18, 2024 08:08
frkv
frkv requested changes Oct 18, 2024
View reviewed changes
Copy link
Contributor

@frkv frkv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are lots of complex additions in this PR that seem to be tailored towards a special case without PSA crypto which is the default enabled and default supported in nRF54H20 devices

@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 4 times, most recently from b8fb7cd to 7e9300c Compare October 21, 2024 10:32
@NordicBuilder
Copy link
Contributor

Memory footprint analysis revealed the following potential issues

sample.matter.template.release[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 820770[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)
sample.matter.template.debug[nrf7002dk/nrf5340/cpuapp]: High ROM usage: 911938[B] - link (cc: @kkasperczyk-no @ArekBalysNordic @markaj-nordic)

Note: This message is automatically posted and updated by the CI (latest/sdk-nrf/PR-17200/96)

@Vge0rge Vge0rge mentioned this pull request Jan 13, 2025
Merged
@Vge0rge
nrf_security: Make PSA drivers depend on PSA core
a5f5e2b 
Make all PSA drivers depend on the OBERON_PSA_CORE
since we cannot use the drivers without it.

Signed-off-by: Georgios Vasilakis <[email protected]>
Vge0rge and others added 15 commits January 13, 2025 14:09
@Vge0rge
manifest: Bring Zephyr with PSA RNG for NRF54H20
ad330cc 
Brings Zephyr changes which automatically enable
the PSA crypto as the entropy generator for Zephyr.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Make PSA SSF client independent
6bd0a2c 
Add configuration to allow enabling the SSF PSA client
when nrf_security is not enabled.
This is particularly useful for the applications that only
want to use the PSA rng and no other crypto. Enabling
nrf_security in these applications will result to an
increased application footprint and configuration complexity
without any reason.

This configuration provides the PSA implementation
from the secure domain through the SSF client and
it has no configurability yet. So there is no need
to enforce NRF_SECURITY with this configuration.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
application: matter_bridge: Add overlay for 54h20
b1fab54 
Add overlay to reduce the footprint of the matter_bridge
application.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
samples: suit: flash_compantion: Remove prng
a4224e3 
Remove prng dts node since this is removed from the
nrf54h20 board file.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
sdfw_services: Remove call to psa_crypto_init from ssf
d90de9f 
Remove the call to the ssf_psa_crypto_init since the
psa_crypto is initialiazed in SDFW and it doesn't need
to get initialized from the application.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
tests: suit: Disable cpusec IPC and bellboard
c4a993b 
Disable the IPC and bellboard nodes since these
tests don't use communication between domains.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
manifest: Fix capitalization
9c36abc 
In a comment, tHe -> The

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
sdfw_services: Init ssf_client earlier
6832373 
Initialize the ssf_client earlier during the boot
process during post kernel.

ssf_client needs to be initialized before the
CONFIG_NRF_802154_SER_RADIO_INIT_PRIO since it is
used by the "nRF IEEE 802.15.4" protocol.

It also needs to be initialied after the IPC
IPC_SERVICE_REG_BACKEND_PRIORITY since the
IPC expects the protocol to be initialized.
Failing to do that will also trigger an assertion
in Zephyr.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
sdfw_services: Use nrf_rpc_init_group in ssf_client init
25afe1c 
Use nrf_rpc_init_group when ssf_client is being initalized
since it will happen before other nrf_rpc groups are initialized.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
test: benchmarks: Disable cpusec nodes for multicore test
afe7caa 
Disable the cpusec related nodes in the multicore benchmark
since it increases power consumption and IPC communication
with secure domain is not needed for this test.

Signed-off-by: Georgios Vasilakis <[email protected]>
@ArekBalysNordic @Vge0rge
samples: Aligned ram0x overlays in Multicore Tests/Matter samples
ba24d3e 
The cpuapp_ram0x_region has been changed in the global dtsi file in
Zephyr and we need to align all dts overlay entries to that change.

Signed-off-by: Arkadiusz Balys <[email protected]>
@Vge0rge
manifest: Update nrfxlib
f7fd9d5 
Updates the nrf_rpc library to allow initialization
of single nrf_rpc groups.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
samples: suit: smp_transfer: Use PRNG entropy
254f283 
This sample require entropy from Zephyr, in nRF54h20
this is provided by PSA RNG driver and from the secure domain.

The PSA RNG driver brings IPC dependencies which increase the
flash footprint of this sample and this was not an acceptable
increase for the mainttainers of the sample.

It was concluded that as a temporary solution this sample  will keep
using the non cryptographically secure, deterministic software RNG.

The dependency on the PRNG node needs to be removed later and it is
tracked in NCSDK-30805.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
samples: suit: smp_transfer: Change hci_ipc stack defaults
f7e6e1a 
Enabling real entropy for the radio core through the ssf_client and
the secure domain increased the stack requirements of the hci_ipc
used in this sample.

I couldn't run THREAD_ANALYZER in this application because of flash
overflows and other issues. I did practical tests with 50 byte intervals
and I know that 900 bytes is the least memory that could boot the radio
core.

I updated this to have the same configuration as the ipc_radio (2048
bytes)
application since the usage of the hci_ipc here will be replaced
with the ipc_radio later.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_rpc: Add nrf_rpc_os_fatal_error
ceb2112 
Add function nrf_rpc_os_fatal_error function to
handle fatal_errors using the Zephyr's fatal error hanlding.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
samples: wifi: Disable PSA RNG for all samples
d88d0dc 
The PSA RNG will be the default entropy provider for
nrf54h20. This change affects the crypto functionality
in general since it makes the secure domain the sole provider
of crypto through the PSA APIs. This has the sideffect that the
legacy mbecrypto APIs are not currently supported.

Since wifi relies on the mbedTLS legacy crypto functionality
we need to make sure that it continues to work as before.

In this change we disable the PSA RNG as the entropy provider and
we explicitely set it to be the PRNG. This makes sure that the crypto
funcionality is provided by the software implementation which supports
the legacy APIs and not from the secure domain.

This should not change anything functionaly. It only makes sure that the
wifi samples do not inherit enabling the PSA RNG as the entropy provider
by default.

Signed-off-by: Georgios Vasilakis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomi-font tomi-font tomi-font left review comments

@nordic-piks nordic-piks nordic-piks left review comments

@nordicjm nordicjm nordicjm left review comments

@endre-nordic endre-nordic endre-nordic approved these changes

@ArekBalysNordic ArekBalysNordic ArekBalysNordic approved these changes

@ahasztag ahasztag ahasztag approved these changes

@anhmolt anhmolt anhmolt approved these changes

@dchat-nordic dchat-nordic dchat-nordic approved these changes

@adamkondraciuk adamkondraciuk adamkondraciuk approved these changes

@jonathannilsen jonathannilsen jonathannilsen approved these changes

@frkv frkv frkv approved these changes

@tomchy tomchy tomchy approved these changes

@kapbh kapbh Awaiting requested review from kapbh kapbh is a code owner

@sachinthegreen sachinthegreen Awaiting requested review from sachinthegreen sachinthegreen is a code owner

@D-Triveni D-Triveni Awaiting requested review from D-Triveni D-Triveni is a code owner

@krish2718 krish2718 Awaiting requested review from krish2718 krish2718 is a code owner

@muraliThokala muraliThokala Awaiting requested review from muraliThokala muraliThokala is a code owner

@bama-nordic bama-nordic Awaiting requested review from bama-nordic bama-nordic is a code owner

@rado17 rado17 Awaiting requested review from rado17 rado17 is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. CI-all-test Run All integration tests DNM manifest manifest-nrfxlib manifest-zephyr
Projects
None yet
Milestone
2.9.0-nRF54H20-2
Development

Successfully merging this pull request may close these issues.