nrf_security: Added support for PSA Crypto service

Added support for PSA Crypto service

-Adding configuration PSA_SSF_CRYPTO_CLIENT for a local domain build
 which enables PSA core-less build where ssf_crypto provides the
 PSA crypto APIs directly.
-Adding Kconfig in PSA_CORE choice: PSA_CORE_DISABLED when  SSF_CLIENT
 is enabled which provides PSA crypto built into the SDFW image.
-Enabling MBEDTLS_PSA_CRYPTO_SPM for builds when SSF_SERVER is enabled
 (zephyr based build with no TF-M in SDFW).
-Add MBEDTLS_USE_PSA_CRYPTO for legacy build to ensure it is using
 PSA APIs based on SSF_CLIENT enabled.
-Add logic to give SSF_CLIENT access to the psa/crypto.h from Oberon
 without building the PSA core locally.
-Add logic to consider both BUILD_WITH_TFM or SSF_CLIENT as something
 that provides PSA crypto services as a client.

Ref: NCSDK-15632

Signed-off-by: Ole Sæther <[email protected]>
Signed-off-by: Frank Audun Kvamtrø <[email protected]>

subsys/nrf_security/CMakeLists.txt

@@ -27,15 +27,17 @@ set(ARM_MBEDTLS_PATH ${ZEPHYR_MBEDTLS_MODULE_DIR})
 set(CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER     False)
 
 if(CONFIG_BUILD_WITH_TFM)
-  # TF-M is enabled and we are not inside the TF-M build system.
-  # Thus, do not build regular `mbedcrypto` library, instead export
-  # needed settings to the TF-M build system using TFM_CMAKE_OPTIONS.
-
-  # NS-build: PSA APIs are already compiled in TF-M image
-  set(COMPILE_PSA_APIS                          False)
-
   # Execute Cmake logic to forward configurations to TF-M build
   include(${NRF_SECURITY_ROOT}/cmake/config_to_tf-m.cmake)
+endif()
+
+if(CONFIG_BUILD_WITH_TFM OR CONFIG_PSA_SSF_CRYPTO_CLIENT)
+  # We enable either TF-M or the SSF client PSA crypto interface but we are
+  # not in the secure image build
+
+  # NS-build: PSA APIs are already compiled in the secure image and is
+  # exposed as a service
+  set(COMPILE_PSA_APIS                          False)
 
   # Add replacement platform.c for NS build
   list(APPEND src_zephyr
@@ -49,7 +51,7 @@ if(CONFIG_BUILD_WITH_TFM)
 
   get_cmake_property(all_vars VARIABLES)
 
-  # 1. Non-secure should not build anything PSA related
+  # 1. Non-secure should not build the PSA core or drivers
   set(CONFIG_MBEDTLS_PSA_CRYPTO_C               False)
 
   # 2. Enable OBERON_BACKEND, disable CC3XX_BACKEND

subsys/nrf_security/Kconfig.psa

@@ -25,6 +25,8 @@ config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 
 rsource "src/core/Kconfig"
 
+rsource "src/ssf_secdom/Kconfig"
+
 comment "PSA Driver Support"
 
 config MBEDTLS_PSA_CRYPTO_DRIVERS
@@ -46,9 +48,12 @@ menu "PSA API support"
 
 config MBEDTLS_PSA_CRYPTO_SPM
 	bool
+	default y if SSF_SERVER
 	help
 	  Configation that enables alternate naming of mbedcrypto symbols in
 	  scope of TF-M build (Prefixes with mbedcrypto__)
+	  This is default-enabled for the SSF server to ensure that
+	  TLS and DTLS is not built by the SDFW.
 
 config MBEDTLS_PSA_CRYPTO_STORAGE_C
 	bool "PSA storage for persistent keys" if !BUILD_WITH_TFM

subsys/nrf_security/cmake/legacy_crypto_config.cmake

@@ -102,6 +102,8 @@ kconfig_check_and_set_base(MBEDTLS_MEMORY_DEBUG)
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_SPM)
 
 kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_C)
+kconfig_check_and_set_base(MBEDTLS_USE_PSA_CRYPTO)
+kconfig_check_and_set_base(MBEDTLS_PSA_CRYPTO_CLIENT)
 
 kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_EXIT_ALT)
 kconfig_check_and_set_base_to_one(MBEDTLS_PLATFORM_FPRINTF_ALT)

subsys/nrf_security/src/CMakeLists.txt

@@ -110,6 +110,10 @@ add_library(${mbedcrypto_target}
     ${src_crypto}
 )
 
+if(CONFIG_PSA_SSF_CRYPTO_CLIENT)
+  add_subdirectory(ssf_secdom)
+endif()
+
 nrf_security_add_zephyr_options(${mbedcrypto_target})
 
 # Base mbed TLS files (not in drivers or builtin's)

subsys/nrf_security/src/core/Kconfig

@@ -6,10 +6,15 @@
 
 choice PSA_CORE
 	prompt "PSA Core implementation"
-	default PSA_CORE_OBERON
+
+config PSA_CORE_DISABLED
+	bool
+	prompt "PSA core-less for SSF crypto client support"
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED
 
 config PSA_CORE_OBERON
-	bool "PSA Core implementation - Oberon"
+	bool
+	prompt "PSA Core implementation - Oberon"
 	select PSA_WANT_AES_KEY_SIZE_128
 	select PSA_WANT_AES_KEY_SIZE_192
 	select PSA_WANT_AES_KEY_SIZE_256

subsys/nrf_security/src/ssf_secdom/CMakeLists.txt

@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+# NOTE that this is added as a duplication to ensure that SSF client gets
+# access to the relevant include folders, without PSA core or PSA drivers
+# being built.
+
+
+# Add generated path first in list (order dependent)
+target_include_directories(mbedcrypto_common
+    INTERFACE
+      ${generated_include_path}
+)
+
+# Add regular includes
+# Note, the order of include matters
+target_include_directories(mbedcrypto_common
+  INTERFACE
+    # Nordic PSA headers
+    ${NRF_SECURITY_ROOT}/include
+    # Oberon PSA headers
+    ${OBERON_PSA_PATH}/include
+    ${OBERON_PSA_PATH}/library
+    # Mbed TLS (mbedcrypto) PSA headers
+    ${ARM_MBEDTLS_PATH}/include
+    ${ARM_MBEDTLS_PATH}/library
+)
+
+target_sources(${mbedcrypto_target}
+  PRIVATE
+    ${CMAKE_CURRENT_LIST_DIR}/ssf_crypto.c
+)

subsys/nrf_security/src/ssf_secdom/Kconfig

@@ -0,0 +1,11 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+
+config PSA_SSF_CRYPTO_CLIENT
+	bool
+	prompt "PSA crypto provided through SSF"
+	default y
+	depends on SSF_CLIENT && SSF_PSA_CRYPTO_SERVICE_ENABLED