manifest: crypto: nsib: Ensure nrf_cc310_bl is only used in bootloaders

-NOTE: Manifest combined with code change for bisectability. This pulls in items dependent items from nrfxlib. -This ensures that nrf_cc310_bl library is only used for bootloaders and is not linked into main application. ref: NCSDK-25144 Signed-off-by: Frank Audun Kvamtrø <[email protected]>
D-Triveni · Dec 18, 2023 · 7a6ee9a · 7a6ee9a
1 parent a8a0be4
commit 7a6ee9a
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 33 deletions.
diff --git a/drivers/entropy/Kconfig b/drivers/entropy/Kconfig
@@ -8,6 +8,7 @@ config ENTROPY_CC3XX
 	bool "Arm CC3XX RNG driver for Nordic devices"
 	depends on (CRYPTOCELL_USABLE && !BUILD_WITH_TFM)
 	depends on ENTROPY_GENERATOR
+	depends on !IS_SECURE_BOOTLOADER
 	select ENTROPY_HAS_DRIVER
 	default y
 	help

diff --git a/drivers/hw_cc310/Kconfig b/drivers/hw_cc310/Kconfig
@@ -24,6 +24,7 @@ config HW_CC3XX
 	depends on HAS_HW_NRF_CC310 || HAS_HW_NRF_CC312
 	depends on !TRUSTED_EXECUTION_NONSECURE
 	select NRF_CC3XX_PLATFORM
+	depends on !IS_SECURE_BOOTLOADER
 	default y
 	help
 	  This option enables the Arm CC3xx hw devices in nRF52840, nRF53, and nRF9160 devices.

diff --git a/subsys/bootloader/bl_crypto/CMakeLists.txt b/subsys/bootloader/bl_crypto/CMakeLists.txt
@@ -4,37 +4,39 @@
 # SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
 #
 
-zephyr_library()
-zephyr_library_sources(bl_crypto.c)
-zephyr_library_link_libraries(nrfxlib_crypto)
-zephyr_link_libraries(nrfxlib_crypto)
+if(CONFIG_IS_SECURE_BOOTLOADER OR CONFIG_ZTEST)
+  zephyr_library()
+  zephyr_library_sources(bl_crypto.c)
+  zephyr_library_link_libraries(nrfxlib_crypto)
+  zephyr_link_libraries(nrfxlib_crypto)
 
-if (CONFIG_SB_CRYPTO_OBERON_ECDSA_SECP256R1)
-  zephyr_library_sources(bl_crypto_oberon_ecdsa.c)
-elseif (CONFIG_SB_CRYPTO_CC310_ECDSA_SECP256R1)
-  zephyr_library_sources(
-    bl_crypto_cc310_ecdsa.c
-    bl_crypto_cc310_common.c
-    )
-elseif (CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1)
-  zephyr_library_sources(../bl_crypto_client/bl_crypto_client.c)
-elseif (CONFIG_SB_CRYPTO_NO_ECDSA_SECP256R1)
-  # Do nothing
-else()
-  message(FATAL_ERROR "No signature implementation chosen for bootloader.")
-endif()
+  if (CONFIG_SB_CRYPTO_OBERON_ECDSA_SECP256R1)
+    zephyr_library_sources(bl_crypto_oberon_ecdsa.c)
+  elseif (CONFIG_SB_CRYPTO_CC310_ECDSA_SECP256R1)
+    zephyr_library_sources(
+      bl_crypto_cc310_ecdsa.c
+      bl_crypto_cc310_common.c
+      )
+  elseif (CONFIG_SB_CRYPTO_CLIENT_ECDSA_SECP256R1)
+    zephyr_library_sources(../bl_crypto_client/bl_crypto_client.c)
+  elseif (CONFIG_SB_CRYPTO_NO_ECDSA_SECP256R1)
+    # Do nothing
+  else()
+    message(FATAL_ERROR "No signature implementation chosen for bootloader.")
+  endif()
 
-if (CONFIG_SB_CRYPTO_OBERON_SHA256)
-  zephyr_library_sources(bl_crypto_oberon_hash.c)
-elseif (CONFIG_SB_CRYPTO_CC310_SHA256)
-  zephyr_library_sources(
-    bl_crypto_cc310_hash.c
-    bl_crypto_cc310_common.c
-    )
-elseif (CONFIG_SB_CRYPTO_CLIENT_SHA256)
-  zephyr_library_sources(../bl_crypto_client/bl_crypto_client.c)
-elseif (CONFIG_SB_CRYPTO_NO_SHA256)
-  # Do nothing
-else()
-  message(FATAL_ERROR "No hash implementation chosen for bootloader.")
+  if (CONFIG_SB_CRYPTO_OBERON_SHA256)
+    zephyr_library_sources(bl_crypto_oberon_hash.c)
+  elseif (CONFIG_SB_CRYPTO_CC310_SHA256)
+    zephyr_library_sources(
+      bl_crypto_cc310_hash.c
+      bl_crypto_cc310_common.c
+      )
+  elseif (CONFIG_SB_CRYPTO_CLIENT_SHA256)
+    zephyr_library_sources(../bl_crypto_client/bl_crypto_client.c)
+  elseif (CONFIG_SB_CRYPTO_NO_SHA256)
+    # Do nothing
+  else()
+    message(FATAL_ERROR "No hash implementation chosen for bootloader.")
+  endif()
 endif()
diff --git a/subsys/bootloader/bl_crypto/Kconfig b/subsys/bootloader/bl_crypto/Kconfig
@@ -47,7 +47,8 @@ choice SB_CRYPTO_SIG
 
 	config SB_CRYPTO_CC310_ECDSA_SECP256R1
 		bool "Hardware ECDSA secp256r1" if HAS_HW_NRF_CC310
-		select NRF_CC310_BL
+		select NRF_CC310_BL if (IS_SECURE_BOOTLOADER || MCUBOOT) && \
+				       !(NORDIC_SECURITY_BACKEND || NRF_SECURITY)
 		select SB_ECDSA_SECP256R1
 		help
 		  Hardware implementation of ECDSA with NIST curve secp256r1.

diff --git a/west.yml b/west.yml
@@ -141,7 +141,7 @@ manifest:
     - name: nrfxlib
       repo-path: sdk-nrfxlib
       path: nrfxlib
-      revision: v2.5.1-rc1
+      revision: ab72f33c86db7252dbf9a3ffec86c6b7fc6a9da7
     - name: trusted-firmware-m
       repo-path: sdk-trusted-firmware-m
       path: modules/tee/tf-m/trusted-firmware-m