Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

entropy: Add PSA rng as the entropy provider for the nrf54h20 #17200

Open
wants to merge 19 commits into
base: main
Choose a base branch
from

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented Sep 5, 2024

No description provided.

@github-actions github-actions bot added manifest changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Sep 5, 2024
@NordicBuilder
Copy link
Contributor

NordicBuilder commented Sep 5, 2024

The following west manifest projects have changed revision in this Pull Request:

Name Old Revision New Revision Diff
nrfxlib nrfconnect/sdk-nrfxlib@de671be nrfconnect/sdk-nrfxlib#1593 nrfconnect/sdk-nrfxlib#1593/files
zephyr nrfconnect/sdk-zephyr@3098bb2 nrfconnect/sdk-zephyr#2420 nrfconnect/sdk-zephyr#2420/files

DNM label due to: 2 projects with PR revision

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@NordicBuilder
Copy link
Contributor

NordicBuilder commented Sep 5, 2024

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 105

Inputs:

Sources:

sdk-nrf: PR head: 665bcc37443425aacbc7f3236ac97b4042dc7499
nrfxlib: PR head: d72722719f1407152b5e27e713875068f468050c
zephyr: PR head: 271164f635a8b56ce3d4e097653495fe030e65b0

more details

sdk-nrf:

PR head: 665bcc37443425aacbc7f3236ac97b4042dc7499
merge base: b65f69a952107a821e23c0a222a1d2545db8b437
target head (main): d899e22404f40e028cc7c1cbf71930e06e321cd3
Diff

nrfxlib:

PR head: d72722719f1407152b5e27e713875068f468050c
merge base: de671be0d84ffd92a7643b18a4dd64b735a4e028
target head (main): 666064133f8dac62ee7ecbc797ede2d0c8635b7e
Diff

zephyr:

PR head: 271164f635a8b56ce3d4e097653495fe030e65b0
merge base: 3098bb289f1050f5984e9fefdb1d12ea450234a4
target head (main): 52a1ceee359c93ecf0cfeee835b60e7b4c8c78a5
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (86)
applications
│  ├── matter_bridge
│  │  ├── sysbuild
│  │  │  ├── ipc_radio
│  │  │  │  ├── boards
│  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.conf
nrfxlib
│  ├── nrf_rpc
│  │  ├── include
│  │  │  │ nrf_rpc.h
│  │  │ nrf_rpc.c
samples
│  ├── matter
│  │  ├── common
│  │  │  ├── dts
│  │  │  │  ├── nrf54h20
│  │  │  │  │  │ nrf54h20_ram_allocation.dtsi
│  ├── suit
│  │  ├── flash_companion
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── smp_transfer
│  │  │  ├── sysbuild
│  │  │  │  ├── hci_ipc.conf
│  │  │  │  │ recovery_hci_ipc.overlay
│  ├── wifi
│  │  ├── ble_coex
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── monitor
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── offloaded_raw_tx
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── promiscuous
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── provisioning
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── radio_test
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── raw_tx_packet
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── scan
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── shell
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── shutdown
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── softap
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── sta
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── thread_coex
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── throughput
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── twt
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── wfa_qt_app
│  │  │  ├── boards
│  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
subsys
│  ├── CMakeLists.txt
│  ├── nrf_rpc
│  │  ├── include
│  │  │  │ nrf_rpc_os.h
│  ├── nrf_security
│  │  ├── CMakeLists.txt
│  │  ├── Kconfig
│  │  ├── Kconfig.psa
│  │  ├── include
│  │  │  │ ssf_crypto_config_empty.h
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  │ Kconfig
│  │  │  ├── ssf_secdom
│  │  │  │  │ Kconfig
│  ├── sdfw_services
│  │  ├── Kconfig
│  │  ├── os
│  │  │  │ ssf_client_zephyr.c
│  │  ├── services
│  │  │  ├── echo
│  │  │  │  ├── zcbor_generated
│  │  │  │  │  ├── CMakeLists.txt
│  │  │  │  │  ├── echo_service_decode.c
│  │  │  │  │  ├── echo_service_decode.h
│  │  │  │  │  ├── echo_service_encode.c
│  │  │  │  │  ├── echo_service_encode.h
│  │  │  │  │  │ echo_service_types.h
│  │  │  ├── psa_crypto
│  │  │  │  ├── Kconfig
│  │  │  │  ├── psa_crypto_service.c
│  │  │  │  ├── psa_crypto_service.cddl
│  │  │  │  ├── zcbor_generated
│  │  │  │  │  ├── CMakeLists.txt
│  │  │  │  │  ├── psa_crypto_service_decode.c
│  │  │  │  │  ├── psa_crypto_service_decode.h
│  │  │  │  │  ├── psa_crypto_service_encode.c
│  │  │  │  │  ├── psa_crypto_service_encode.h
│  │  │  │  │  │ psa_crypto_service_types.h
│  │  │  ├── reset_evt
│  │  │  │  ├── zcbor_generated
│  │  │  │  │  ├── CMakeLists.txt
│  │  │  │  │  ├── reset_evt_service_decode.c
│  │  │  │  │  ├── reset_evt_service_decode.h
│  │  │  │  │  ├── reset_evt_service_encode.c
│  │  │  │  │  ├── reset_evt_service_encode.h
│  │  │  │  │  │ reset_evt_service_types.h
│  │  │  ├── sdfw_update
│  │  │  │  ├── zcbor_generated
│  │  │  │  │  ├── CMakeLists.txt
│  │  │  │  │  ├── sdfw_update_service_decode.c
│  │  │  │  │  ├── sdfw_update_service_decode.h
│  │  │  │  │  ├── sdfw_update_service_encode.c
│  │  │  │  │  ├── sdfw_update_service_encode.h
│  │  │  │  │  │ sdfw_update_service_types.h
│  │  ├── transport
│  │  │  ├── nrf_rpc
│  │  │  │  │ ssf_client_nrf_rpc.c
tests
│  ├── benchmarks
│  │  ├── multicore
│  │  │  ├── idle
│  │  │  │  ├── boards
│  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp_ram_high_usage.overlay
│  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp_ram_low_usage.overlay
│  │  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.overlay
│  ├── subsys
│  │  ├── dfu
│  │  │  ├── dfu_target
│  │  │  │  ├── suit
│  │  │  │  │  ├── boards
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
west.yml
zephyr
│  ├── boards
│  │  ├── nordic
│  │  │  ├── nrf54h20dk
│  │  │  │  ├── Kconfig.defconfig
│  │  │  │  ├── nrf54h20dk_nrf54h20-memory_map.dtsi
│  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.dts
│  │  │  │  │ nrf54h20dk_nrf54h20_cpurad.dts
│  ├── drivers
│  │  ├── entropy
│  │  │  │ Kconfig.psa_crypto
│  ├── soc
│  │  ├── nordic
│  │  │  ├── nrf54h
│  │  │  │  │ Kconfig
│  ├── tests
│  │  ├── arch
│  │  │  ├── arm
│  │  │  │  ├── arm_irq_vector_table
│  │  │  │  │  ├── boards
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  │  │  │  │  ├── nrf54h20dk_nrf54h20_cpurad.overlay
│  │  │  │  │  │  ├── nrf9280pdk_nrf9280_cpuapp.overlay
│  │  │  │  │  │  │ nrf9280pdk_nrf9280_cpurad.overlay
│  │  │  │  ├── arm_thread_swap
│  │  │  │  │  ├── boards
│  │  │  │  │  │  │ nrf54h20dk_nrf54h20_cpuapp.overlay
│  │  ├── crypto
│  │  │  ├── mbedtls
│  │  │  │  │ testcase.yaml
│  │  │  ├── mbedtls_psa
│  │  │  │  │ testcase.yaml
│  │  │  ├── secp256r1
│  │  │  │  │ testcase.yaml
│  │  ├── kernel
│  │  │  ├── sched
│  │  │  │  ├── schedule_api
│  │  │  │  │  ├── prj.conf
│  │  │  │  │  ├── prj_dumb.conf
│  │  │  │  │  │ prj_multiq.conf
│  │  │  ├── threads
│  │  │  │  ├── dynamic_thread_stack
│  │  │  │  │  │ prj.conf
│  │  ├── net
│  │  │  ├── socket
│  │  │  │  ├── tls_configurations
│  │  │  │  │  │ overlay-ec.conf
│  │  ├── subsys
│  │  │  ├── portability
│  │  │  │  ├── cmsis_rtos_v2
│  │  │  │  │  │ prj.conf

Outputs:

Toolchain

Version: 342151af73
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:342151af73_912848a074

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
  • ❌ Integration tests
    • ✅ test-sdk-audio
    • ✅ desktop52_verification
    • ✅ test-fw-nrfconnect-boot
    • ❌ test-fw-nrfconnect-apps
    • ✅ test_ble_nrf_config
    • ✅ test-fw-nrfconnect-ble_mesh
    • ✅ test-fw-nrfconnect-ble_samples
    • ✅ test-fw-nrfconnect-chip
    • ✅ test-fw-nrfconnect-nfc
    • ✅ test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • ✅ test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • ✅ test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • ✅ test-fw-nrfconnect-nrf-iot_samples
    • ✅ test-fw-nrfconnect-nrf-iot_lwm2m
    • ✅ doc-internal
    • ✅ test-fw-nrfconnect-nrf-iot_thingy91
    • ✅ test-fw-nrfconnect-nrf_crypto
    • ✅ test-fw-nrfconnect-rpc
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-fem
    • ✅ test-fw-nrfconnect-tfm
    • ✅ test-fw-nrfconnect-thread
    • ✅ test-fw-nrfconnect-zigbee
    • ✅ test-sdk-find-my
    • ✅ test-fw-nrfconnect-nrf-iot_mosh
    • ✅ test-fw-nrfconnect-nrf-iot_positioning
    • ✅ test-sdk-sidewalk
    • ✅ test-sdk-wifi
    • ❌ test-low-level
    • ✅ test-fw-nrfconnect-nrf-iot_nrf_provisioning
    • ✅ test-sdk-pmic-samples
    • ✅ test-sdk-mcuboot
    • ✅ test-sdk-dfu
    • ✅ test-fw-nrfconnect-ps
    • ✅ test-secdom-samples-public
    • ⚠️ test-fw-nrfconnect-fw-update
    • ⚠️ test-fw-nrfconnect-nrf-iot_cloud
    • ⚠️ test-sdk-dfu

Note: This message is automatically posted and updated by the CI

@Vge0rge Vge0rge marked this pull request as ready for review September 24, 2024 10:48
@Vge0rge Vge0rge requested review from a team as code owners September 24, 2024 10:48
@NordicBuilder
Copy link
Contributor

You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds.

Note: This comment is automatically posted by the Documentation Publishing GitHub Action.

@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 7 times, most recently from 114059e to 6ed58b2 Compare September 27, 2024 12:24
@Vge0rge Vge0rge requested a review from a team as a code owner October 1, 2024 07:43
@Vge0rge Vge0rge requested a review from a team as a code owner October 1, 2024 12:40
Copy link
Contributor

@tomi-font tomi-font left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again in this PR you have a commit that is later reverted (nrf_security: Enabled by default for nRF54H20)?

subsys/nrf_security/Kconfig Show resolved Hide resolved
subsys/nrf_security/Kconfig Outdated Show resolved Hide resolved
subsys/nrf_security/CMakeLists.txt Outdated Show resolved Hide resolved
@endre-nordic endre-nordic added this to the 2.8.0 milestone Oct 18, 2024
@frkv frkv self-requested a review October 18, 2024 08:08
Copy link
Contributor

@frkv frkv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are lots of complex additions in this PR that seem to be tailored towards a special case without PSA crypto which is the default enabled and default supported in nRF54H20 devices

@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 4 times, most recently from b8fb7cd to 7e9300c Compare October 21, 2024 10:32
@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 2 times, most recently from 2a6c56a to d88d0dc Compare January 13, 2025 13:10
Vge0rge and others added 17 commits January 14, 2025 16:13
Make all PSA drivers depend on the OBERON_PSA_CORE
since we cannot use the drivers without it.

Signed-off-by: Georgios Vasilakis <[email protected]>
Brings Zephyr changes which automatically enable
the PSA crypto as the entropy generator for Zephyr.

Signed-off-by: Georgios Vasilakis <[email protected]>
Add configuration to allow enabling the SSF PSA client
when nrf_security is not enabled.
This is particularly useful for the applications that only
want to use the PSA rng and no other crypto. Enabling
nrf_security in these applications will result to an
increased application footprint and configuration complexity
without any reason.

This configuration provides the PSA implementation
from the secure domain through the SSF client and
it has no configurability yet. So there is no need
to enforce NRF_SECURITY with this configuration.

Signed-off-by: Georgios Vasilakis <[email protected]>
Add overlay to reduce the footprint of the matter_bridge
application.

Signed-off-by: Georgios Vasilakis <[email protected]>
Remove prng dts node since this is removed from the
nrf54h20 board file.

Signed-off-by: Georgios Vasilakis <[email protected]>
Remove the call to the ssf_psa_crypto_init since the
psa_crypto is initialiazed in SDFW and it doesn't need
to get initialized from the application.

Signed-off-by: Georgios Vasilakis <[email protected]>
Disable the IPC and bellboard nodes since these
tests don't use communication between domains.

Signed-off-by: Georgios Vasilakis <[email protected]>
In a comment, tHe -> The

Signed-off-by: Georgios Vasilakis <[email protected]>
Initialize the ssf_client earlier during the boot
process during post kernel.

ssf_client needs to be initialized before the
CONFIG_NRF_802154_SER_RADIO_INIT_PRIO since it is
used by the "nRF IEEE 802.15.4" protocol.

It also needs to be initialied after the IPC
IPC_SERVICE_REG_BACKEND_PRIORITY since the
IPC expects the protocol to be initialized.
Failing to do that will also trigger an assertion
in Zephyr.

Signed-off-by: Georgios Vasilakis <[email protected]>
Use nrf_rpc_init_group when ssf_client is being initalized
since it will happen before other nrf_rpc groups are initialized.

Signed-off-by: Georgios Vasilakis <[email protected]>
Disable the cpusec related nodes in the multicore benchmark
since it increases power consumption and IPC communication
with secure domain is not needed for this test.

Signed-off-by: Georgios Vasilakis <[email protected]>
The cpuapp_ram0x_region has been changed in the global dtsi file in
Zephyr and we need to align all dts overlay entries to that change.

Signed-off-by: Arkadiusz Balys <[email protected]>
Updates the nrf_rpc library to allow initialization
of single nrf_rpc groups.

Signed-off-by: Georgios Vasilakis <[email protected]>
This sample require entropy from Zephyr, in nRF54h20
this is provided by PSA RNG driver and from the secure domain.

The PSA RNG driver brings IPC dependencies which increase the
flash footprint of this sample and this was not an acceptable
increase for the mainttainers of the sample.

It was concluded that as a temporary solution this sample  will keep
using the non cryptographically secure, deterministic software RNG.

The dependency on the PRNG node needs to be removed later and it is
tracked in NCSDK-30805.

Signed-off-by: Georgios Vasilakis <[email protected]>
Enabling real entropy for the radio core through the ssf_client and
the secure domain increased the stack requirements of the hci_ipc
used in this sample.

I couldn't run THREAD_ANALYZER in this application because of flash
overflows and other issues. I did practical tests with 50 byte intervals
and I know that 900 bytes is the least memory that could boot the radio
core.

I updated this to have the same configuration as the ipc_radio (2048
bytes)
application since the usage of the hci_ipc here will be replaced
with the ipc_radio later.

Signed-off-by: Georgios Vasilakis <[email protected]>
Add function nrf_rpc_os_fatal_error function to
handle fatal_errors using the Zephyr's fatal error hanlding.

Signed-off-by: Georgios Vasilakis <[email protected]>
The PSA RNG will be the default entropy provider for
nrf54h20. This change affects the crypto functionality
in general since it makes the secure domain the sole provider
of crypto through the PSA APIs. This has the sideffect that the
legacy mbecrypto APIs are not currently supported.

Since wifi relies on the mbedTLS legacy crypto functionality
we need to make sure that it continues to work as before.

In this change we disable the PSA RNG as the entropy provider and
we explicitely set it to be the PRNG. This makes sure that the crypto
funcionality is provided by the software implementation which supports
the legacy APIs and not from the secure domain.

This should not change anything functionaly. It only makes sure that the
wifi samples do not inherit enabling the PSA RNG as the entropy provider
by default.

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge force-pushed the 54h20_psa_rng branch 2 times, most recently from 4d80edd to 5b7b39a Compare January 15, 2025 11:59
Revert "sdfw_services: psa_crypto: use new tags for pointer-to-const members"

This reverts commit 4825324.

Signed-off-by: Georgios Vasilakis <[email protected]>
Revert "sdfw_services: regenerate zcbor encoders/decoders with current version"

This reverts commit 48d68a3.

Signed-off-by: Georgios Vasilakis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. CI-all-test Run All integration tests DNM manifest manifest-nrfxlib manifest-zephyr
Projects
None yet
Development

Successfully merging this pull request may close these issues.