nrf_security: cracen: Add support for ED25519PH

Adding ED25519PH to the supported algorithms for cracen
Updated logic for selecting which algorithm to use cracen
key_management.c to handle different algorithms using
same curve and key_bits

Signed-off-by: Dag Erik Gjørvad <[email protected]>

subsys/nrf_security/cmake/psa_crypto_config.cmake

@@ -60,6 +60,7 @@ kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_255
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_448)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RSA_PKCS1V15_SIGN)
+kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ED25519PH)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RSA_PSS)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_RSA)

subsys/nrf_security/configs/psa_crypto_config.h.template

@@ -272,6 +272,7 @@
 #cmakedefine PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_255     @PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_255@
 #cmakedefine PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_448     @PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_448@
 #cmakedefine PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS         @PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS@
+#cmakedefine PSA_NEED_CRACEN_ED25519PH                          @PSA_NEED_CRACEN_ED25519PH@
 #cmakedefine PSA_NEED_CRACEN_RSA_PKCS1V15_SIGN                  @PSA_NEED_CRACEN_RSA_PKCS1V15_SIGN@
 #cmakedefine PSA_NEED_CRACEN_RSA_PSS                            @PSA_NEED_CRACEN_RSA_PSS@
 #cmakedefine PSA_NEED_CRACEN_RSA_OAEP                           @PSA_NEED_CRACEN_RSA_OAEP@

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/key_management.c

@@ -15,6 +15,7 @@
 #include <sicrypto/ecc.h>
 #include <sicrypto/ecdsa.h>
 #include <sicrypto/ed25519.h>
+#include <sicrypto/ed25519ph.h>
 #include <sicrypto/ed448.h>
 #include <sicrypto/montgomery.h>
 #include <sicrypto/rsa_keygen.h>
@@ -602,6 +603,7 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_
 	psa_status_t psa_status;
 	size_t expected_pub_key_size = 0;
 	int si_status = 0;
+	psa_algorithm_t key_alg = psa_get_key_algorithm(attributes);
 	const struct sx_pk_ecurve *sx_curve;
 	struct sitask t;
 
@@ -672,7 +674,11 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_
 			}
 			break;
 		case PSA_ECC_FAMILY_TWISTED_EDWARDS:
-			if (key_bits_attr == 255) {
+			if (key_alg == PSA_ALG_ED25519PH) {
+				priv_key.def = si_sig_def_ed25519ph;
+				priv_key.key.ed25519 = (struct sx_ed25519_v *)key_buffer;
+				pub_key.key.ed25519 = (struct sx_ed25519_pt *)data;
+			} else if (key_alg == PSA_ALG_PURE_EDDSA) {
 				priv_key.def = si_sig_def_ed25519;
 				priv_key.key.ed25519 = (struct sx_ed25519_v *)key_buffer;
 				pub_key.key.ed25519 = (struct sx_ed25519_pt *)data;
@@ -700,6 +706,7 @@ static psa_status_t export_ecc_public_key_from_keypair(const psa_key_attributes_
 	*data_length = expected_pub_key_size;
 	return PSA_SUCCESS;
 }
+
 static psa_status_t export_rsa_public_key_from_keypair(const psa_key_attributes_t *attributes,
 						       const uint8_t *key_buffer,
 						       size_t key_buffer_size, uint8_t *data,

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c

@@ -13,6 +13,7 @@
 #include <sicrypto/drbghash.h>
 #include <sicrypto/ecdsa.h>
 #include <sicrypto/ed25519.h>
+#include <sicrypto/ed25519ph.h>
 #include <sicrypto/ik.h>
 #include <sicrypto/internal.h>
 #include <sicrypto/rsapss.h>
@@ -127,6 +128,19 @@ static int cracen_signature_prepare_ec_prvkey(struct si_sig_privkey *privkey, ch
 		}
 	}
 
+	if (IS_ENABLED(PSA_NEED_CRACEN_ED25519PH)) {
+		if (alg == PSA_ALG_ED25519PH) {
+			privkey->def = si_sig_def_ed25519ph;
+			privkey->key.ed25519 = (struct sx_ed25519_v *)key_buffer;
+			if (message) {
+				return cracen_signature_set_hashalgo(&privkey->hashalg, alg);
+			} else {
+				return cracen_signature_set_hashalgo_from_digestsz(
+					&privkey->hashalg, alg, digestsz);
+			}
+		}
+	}
+
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1) ||
 	    IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_K1) ||
 	    IS_ENABLED(PSA_NEED_CRACEN_ECDSA_BRAINPOOL_P_R1)) {
@@ -197,10 +211,17 @@ static int cracen_signature_prepare_ec_pubkey(struct sitask *t, struct si_sig_pu
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS)) {
 		if (alg == PSA_ALG_PURE_EDDSA) {
-			pubkey->def = si_sig_def_ed25519;
+			pubkey->def = si_sig_def_ed25519ph;
 
 			if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(psa_get_key_type(attributes))) {
 				pubkey->key.ed25519 = (struct sx_ed25519_pt *)key_buffer;
+				if (message) {
+					status = cracen_signature_set_hashalgo(&pubkey->hashalg,
+									       alg);
+				} else {
+					status = cracen_signature_set_hashalgo_from_digestsz(
+						&pubkey->hashalg, alg, digestsz);
+				}
 				return SX_OK;
 			}
 			if (curvesz != key_buffer_size) {
@@ -209,6 +230,19 @@ static int cracen_signature_prepare_ec_pubkey(struct sitask *t, struct si_sig_pu
 			pubkey->key.ed25519 = (struct sx_ed25519_pt *)pubkey_buffer;
 		}
 	}
+	if (alg == PSA_ALG_ED25519PH) {
+		pubkey->def = si_sig_def_ed25519ph;
+		if (PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(psa_get_key_type(attributes))) {
+			pubkey->key.ed25519 = (struct sx_ed25519_pt *)key_buffer;
+			status = cracen_signature_set_hashalgo_from_digestsz(&pubkey->hashalg, alg,
+									     digestsz);
+			return SX_OK;
+		}
+		if (curvesz != key_buffer_size) {
+			return SX_ERR_INVALID_KEY_SZ;
+		}
+		pubkey->key.ed25519 = (struct sx_ed25519_pt *)pubkey_buffer;
+	}
 
 	if (IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_R1) ||
 	    IS_ENABLED(PSA_NEED_CRACEN_ECDSA_SECP_K1) ||
@@ -280,7 +314,7 @@ static psa_status_t cracen_signature_ecc_sign(int message, const psa_key_attribu
 		return silex_statuscodes_to_psa(SX_ERR_INCOMPATIBLE_HW);
 	}
 
-	if (!PSA_ALG_IS_ECDSA(alg) && alg != PSA_ALG_PURE_EDDSA) {
+	if (!PSA_ALG_IS_ECDSA(alg) && alg != PSA_ALG_PURE_EDDSA && alg != PSA_ALG_ED25519PH) {
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 
@@ -289,6 +323,10 @@ static psa_status_t cracen_signature_ecc_sign(int message, const psa_key_attribu
 		return PSA_ERROR_INVALID_ARGUMENT;
 	}
 
+	/* Hashed eddsa only supports prehashed messages. psa calls for it suppporting sign message
+	 * so hash is called on message
+	 */
+
 	si_status =
 		cracen_signature_prepare_ec_prvkey(&privkey, (char *)key_buffer, key_buffer_size,
 						   &curve, alg, attributes, message, input_length);
@@ -306,14 +344,33 @@ static psa_status_t cracen_signature_ecc_sign(int message, const psa_key_attribu
 	sign.r = (char *)signature;
 	sign.s = (char *)signature + *signature_length / 2;
 
-	if (message) {
+	/* ED25519PH requires prehashing and supports sign and verify message
+	 * the message is therefore hashed here before si_sig_verify is called
+	 */
+	if (alg == PSA_ALG_ED25519PH && message) {
+		uint8_t status;
+		uint8_t hash[64];
+		size_t output_len;
+
+		status = psa_hash_compute(PSA_ALG_SHA_512,
+				input,
+				input_length,
+				hash,
+				64,
+				&output_len);
+
 		si_sig_create_sign(&t, &privkey, &sign);
-		si_task_consume(&t, (char *)input, input_length);
+		si_task_consume(&t, (char *)hash, 64);
 	} else {
-		si_sig_create_sign_digest(&t, &privkey, &sign);
-		si_task_consume(&t, (char *)input, sx_hash_get_alg_digestsz(privkey.hashalg));
+		if (message) {
+			si_sig_create_sign(&t, &privkey, &sign);
+			si_task_consume(&t, (char *)input, input_length);
+		} else {
+			si_sig_create_sign_digest(&t, &privkey, &sign);
+			si_task_consume(&t, (char *)input,
+					sx_hash_get_alg_digestsz(privkey.hashalg));
+		}
 	}
-
 	si_task_run(&t);
 	si_status = si_task_wait(&t);
 	safe_memzero(workmem, sizeof(workmem));
@@ -333,6 +390,8 @@ static psa_status_t cracen_signature_ecc_verify(int message, const psa_key_attri
 	struct si_sig_signature sign = {0};
 	char pubkey_buffer[132] = {0}; /* 521 bits * 2 */
 
+
+
 	/* Workmem for sicrypto ecc verify task is digest size. */
 	char workmem[PSA_HASH_MAX_SIZE];
 	struct sitask t;
@@ -342,7 +401,7 @@ static psa_status_t cracen_signature_ecc_verify(int message, const psa_key_attri
 		return silex_statuscodes_to_psa(SX_ERR_INCOMPATIBLE_HW);
 	}
 
-	if (!PSA_ALG_IS_ECDSA(alg) && alg != PSA_ALG_PURE_EDDSA) {
+	if (!PSA_ALG_IS_ECDSA(alg) && alg != PSA_ALG_PURE_EDDSA && !PSA_ALG_IS_HASH_EDDSA(alg)) {
 		return PSA_ERROR_NOT_SUPPORTED;
 	}
 
@@ -366,20 +425,37 @@ static psa_status_t cracen_signature_ecc_verify(int message, const psa_key_attri
 	sign.sz = signature_length;
 	sign.r = (char *)signature;
 	sign.s = (char *)signature + signature_length / 2;
+	/* ED25519PH requires prehashing and supports sign and verify message
+	 * the message is therefore hashed here before si_sig_verify is called
+	 */
+	if (alg == PSA_ALG_ED25519PH && message) {
+		psa_status_t status;
+		uint8_t hash[64];
+		uint32_t output_len;
+
+		status = psa_hash_compute(PSA_ALG_SHA_512,
+				input,
+				input_length,
+				hash,
+				64,
+				&output_len);
 
-	if (message) {
 		si_sig_create_verify(&t, &pubkey, &sign);
+		si_task_consume(&t, (char *)hash, 64);
 	} else {
-		if (sx_hash_get_alg_digestsz(pubkey.hashalg) != input_length) {
-			return PSA_ERROR_INVALID_ARGUMENT;
-		}
-		si_sig_create_verify_digest(&t, &pubkey, &sign);
+		if (message) {
+			si_sig_create_verify(&t, &pubkey, &sign);
+		} else {
+			if (sx_hash_get_alg_digestsz(pubkey.hashalg) != input_length) {
+				return PSA_ERROR_INVALID_ARGUMENT;
+			}
+			si_sig_create_verify_digest(&t, &pubkey, &sign);
 	}
 
 	si_task_consume(&t, (char *)input, input_length);
+	}
 	si_task_run(&t);
 	si_status = si_task_wait(&t);
-
 	safe_memzero(workmem, sizeof(workmem));
 	return silex_statuscodes_to_psa(si_status);
 }

subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig

@@ -364,6 +364,14 @@ config PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS_448
 	depends on PSA_WANT_ECC_TWISTED_EDWARDS_448
 	depends on PSA_USE_CRACEN_ASYMMETRIC_DRIVER
 
+config PSA_NEED_CRACEN_ED25519PH
+	bool
+	default y
+	select PSA_ACCEL_ED25519PH
+	depends on PSA_WANT_ALG_ED25519PH
+	depends on PSA_WANT_ECC_TWISTED_EDWARDS_255
+	depends on PSA_USE_CRACEN_ASYMMETRIC_DRIVER
+
 config PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS
 	bool
 	default y
@@ -376,6 +384,7 @@ config PSA_NEED_CRACEN_ASYMMETRIC_SIGNATURE_ANY_ECC
 	depends on PSA_NEED_CRACEN_ECDSA_BRAINPOOL_P_R1           || \
 		   PSA_NEED_CRACEN_ECDSA_SECP_R1                  || \
 		   PSA_NEED_CRACEN_ECDSA_SECP_K1                  || \
+		   PSA_NEED_CRACEN_ED25519PH			  || \
 		   PSA_NEED_CRACEN_PURE_EDDSA_TWISTED_EDWARDS
 
 config PSA_NEED_CRACEN_RSA_PKCS1V15_SIGN