From 6cc205111be2d622ea19f41620564f2cbe3105b9 Mon Sep 17 00:00:00 2001 From: Chaitanya Tata Date: Thu, 17 Oct 2024 17:42:19 +0530 Subject: [PATCH] [nrf noup] modules: hostap: Add NCS PSA for hostap crypto ALT This brings in PSA Kconfig and CMakelist.txt changes to NCS. Currently, it contains known PSA configurations and source files that are needed or will be needed in the future. WPA3 and Enterprise is currently disabled with this setting. Signed-off-by: Vivekananda Uppunda Signed-off-by: Chaitanya Tata
---
modules/hostap/CMakeLists.txt | 38 ++++++++++++++++++++++++++++++++ modules/hostap/Kconfig | 41 +++++++++++++++++++++++++++++++++-- 2 files changed, 77 insertions(+), 2 deletions(-)
diff --git a/modules/hostap/CMakeLists.txt b/modules/hostap/CMakeLists.txt
index cdada314d3e..ada63d65290 100644
--- a/modules/hostap/CMakeLists.txt
+++ b/modules/hostap/CMakeLists.txt
@@ -603,6 +603,44 @@ zephyr_library_sources_ifdef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_TEST
 )
 endif()
+if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA)
+zephyr_include_directories(
+ ${HOSTAP_BASE}/port/mbedtls
+)
+
+zephyr_library_sources(
+ ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+ ${HOSTAP_SRC_BASE}/crypto/rc4.c
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+ ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+)
+endif()
+
+if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA)
+zephyr_include_directories(
+ ${HOSTAP_BASE}/port/mbedtls
+)
+
+zephyr_library_sources(
+ ${HOSTAP_SRC_BASE}/crypto/aes-wrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-unwrap.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-dec.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal.c
+ ${HOSTAP_SRC_BASE}/crypto/aes-internal-enc.c
+ ${HOSTAP_SRC_BASE}/crypto/rc4.c
+ ${HOSTAP_SRC_BASE}/crypto/crypto_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/tls_mbedtls_alt.c
+ ${HOSTAP_SRC_BASE}/crypto/sha256-kdf.c
+ ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
+)
+endif()
+
 zephyr_library_link_libraries_ifndef(CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE mbedTLS)
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index 3b229f3feb2..683eeba0cfa 100644
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
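Review bot: The `if(DEFINED CONFIG_WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA)` block is added twice, verbatim, so `port/mbedtls` goes onto the include path twice and all ten sources are listed twice for the library; the second copy should be dropped. The include is added with `zephyr_include_directories`, which is not scoped to this library; if only hostap needs that directory, `zephyr_library_include_directories(${HOSTAP_BASE}/port/mbedtls)` keeps the port headers from becoming visible to unrelated code. The list also compiles hostap's own `rc4.c` and `aes-internal*.c` next to the PSA wrapper; if those paths do stay outside the PSA backend, a comment above them such as `# software RC4/AES from hostap, not routed through PSA` would tell an auditor which primitives are not covered by it.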
@@ -228,6 +228,42 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_LEGACY_NCS
 select MBEDTLS_PK_WRITE_C
 select MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
+ bool "PSA Crypto support for WiFi WPA2 using nRF security"
+ select MBEDTLS
+ select NRF_SECURITY
+ select PSA_WANT_GENERATE_RANDOM
+ select MBEDTLS_TLS_LIBRARY
+ select MBEDTLS_PK_C
+ select MBEDTLS_PK_WRITE_C
+ select MBEDTLS_X509_LIBRARY
+ select MBEDTLS_X509_CRT_PARSE_C
+ select MBEDTLS_SSL_TLS_C
+ select MBEDTLS_ENABLE_HEAP
+ select MBEDTLS_PSA_CRYPTO_C
+ select MBEDTLS_USE_PSA_CRYPTO
+ select PSA_WANT_ALG_HMAC
+ select PSA_WANT_ALG_CMAC
+ select PSA_WANT_ALG_ECB_NO_PADDING
+ select PSA_WANT_ALG_CBC_PKCS7
+ select PSA_ACCEL_CBC_MAC_AES_128
+ select PSA_ACCEL_CBC_MAC_AES_192
+ select PSA_ACCEL_CBC_MAC_AES_256
+ select PSA_WANT_ALG_CCM
+ select PSA_WANT_ALG_GCM
+ select PSA_WANT_ALG_CTR
+ select PSA_WANT_ALG_MD5
+ select PSA_ACCEL_MD5
+ select PSA_WANT_ALG_SHA_1
+ select PSA_WANT_ALG_SHA_256
+ select PSA_WANT_ALG_SHA_224
+ select PSA_WANT_ALG_SHA_384
+ select PSA_WANT_ALG_SHA_512
+ select PSA_WANT_ALG_PBKDF2_HMAC
+ select PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
+ select PSA_WANT_KEY_TYPE_AES
+ select PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
+
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
 bool "No Crypto support for WiFi"
@@ -235,13 +271,14 @@ endchoice
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_MBEDTLS_PSA
 bool "Crypto Platform Secure Architecture support for WiFi"
+ default y if WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
 help
 Support Mbedtls 3.x to use PSA apis instead of legacy apis.
 config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
 bool "Enterprise Crypto support for WiFi"
 select MBEDTLS_PEM_CERTIFICATE_FORMAT
- depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
+ depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
 config EAP_TLS
 bool "EAP-TLS support"
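Review bot: `WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA` in the `@@ -228,6 +228,42 @@` hunk is added without a `help` section, so menuconfig gives no description of the backend or of what it leaves out. A `help` entry reading `Use the PSA crypto API through nRF Security for WPA2. WPA3 and Enterprise are not available with this backend.` would carry over what the commit message already states. The entry also selects `PSA_WANT_ALG_MD5`, `PSA_WANT_ALG_SHA_1` and `PSA_WANT_ALG_ECB_NO_PADDING`; a short comment naming what needs each legacy primitive would make later pruning safer. Because `select` does not honour the dependencies of the selected symbol, it is worth confirming that `NRF_SECURITY` and the `PSA_ACCEL_*` symbols are meant to be forced on from here rather than derived from the crypto driver configuration.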
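Review bot: The added `&& !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA` on `WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE` in the `@@ -235,13 +271,14 @@` hunk switches the feature off with no explanation in the file. The same applies to `WIFI_NM_WPA_SUPPLICANT_WPA3` in the `@@ -295,7 +332,7 @@` hunk, which is `default y` and therefore drops to `n` as soon as the PSA backend is chosen. A configuration that changes backend would then build as WPA2-only, and Kconfig normally only warns when an assignment has unmet dependencies, so the downgrade is easy to miss. A comment above each changed line, for example `# Not yet supported with the NCS PSA crypto backend`, records the intent and gives a marker for removing the restriction later.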
@@ -295,7 +332,7 @@ config EAP_ALL
 config WIFI_NM_WPA_SUPPLICANT_WPA3
 bool "WPA3 support"
- depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE
+ depends on !WIFI_NM_WPA_SUPPLICANT_CRYPTO_NONE && !WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT_NCS_PSA
 default y
 config WIFI_NM_WPA_SUPPLICANT_AP