Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support NXP S32 HSE CRYPTO driver for S32Z270 #79351

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

haduongquang
Copy link
Contributor

@haduongquang haduongquang commented Oct 3, 2024

This PR introduces NXP S32 HSE CRYTO driver for SoC NXP S32Z27 and enables its usage for board s32z270dc2.
Supports cryptographic operations, including hashing and symmetric ciphers, with capabilities for ECB, CBC, and CTR modes using RAM-based key catalogs with 128-bit key lengths.

tests\crypto\crypto_hash:

SUITE PASS - 100.00% [crypto_hash]: pass = 1, fail = 0, skip = 0, total = 1 duration = 0.001 seconds
 PASS - [crypto_hash.test_hash] duration = 0.001 seconds

samples\drivers\crypto:

I: Cipher Sample
I: ECB Mode
I: Output length (encryption): 0
I: ECB mode ENCRYPT - Match
I: Output length (decryption): 0
I: ECB mode DECRYPT - Match
I: CBC Mode
I: Output length (encryption): 80
I: CBC mode ENCRYPT - Match
I: Output length (decryption): 0
I: CBC mode DECRYPT - Match
I: CTR Mode
I: Output length (encryption): 0
I: CTR mode ENCRYPT - Match
I: Output length (decryption): 0
I: CTR mode DECRYPT - Match

@zephyrbot
Copy link
Collaborator

zephyrbot commented Oct 3, 2024

The following west manifest projects have been modified in this Pull Request:

Name Old Revision New Revision Diff
hal_nxp zephyrproject-rtos/hal_nxp@4a4741f (master) zephyrproject-rtos/hal_nxp#443 zephyrproject-rtos/hal_nxp#443/files

Note: This message is automatically posted and updated by the Manifest GitHub Action.

@zephyrbot zephyrbot added manifest manifest-hal_nxp DNM This PR should not be merged (Do Not Merge) labels Oct 3, 2024
@haduongquang haduongquang changed the title Add support for NXP S32 HSE CRYPTO driver for S32Z270 Add support NXP S32 HSE CRYPTO driver for S32Z270 Oct 3, 2024
@decsny decsny removed their request for review October 3, 2024 05:26
@haduongquang haduongquang force-pushed the support-hse-driver-for-s32z270 branch 3 times, most recently from dc8d870 to 2ba0f4f Compare October 3, 2024 08:01
@haduongquang
Copy link
Contributor Author

Fixed compliance, clang and build fail.


config CRYPTO_NXP_HSE_FORMAT_KEY_CATALOG
bool "NXP HSE crypto driver supports formatting all key catalogs during initialization."
default n
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove this, already n by default

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed

@@ -0,0 +1,30 @@
menuconfig CRYPTO_NXP_HSE
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pls use nxp_s32 for Kconfig name and file (for consistent with the rest of driver specific for nxp s32 platform)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated kconfig, file name and driver also.

@@ -1116,5 +1116,53 @@
clock-frequency = <I2C_BITRATE_STANDARD>;
status = "disabled";
};

mu0_mua: mu@23258000 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be mub? mua is accessible from HSE only

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated


struct crypto_nxp_hse_data {
struct crypto_nxp_hse_session sessions[CONFIG_CRYPTO_NXP_HSE_MAX_SESSION];
uint8_t mu_instance;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The instance can be moved to config imo

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not using the config now, so I think we can keep it in data is better.

Copy link
Member

@manuargue manuargue Oct 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is read only, it must be moved to the device config

if (mu_channel != HSE_IP_INVALID_MU_CHANNEL_U8) {
session = &data->sessions[mu_channel - 1];
session->in_use = true;
session->channel = mu_channel;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems to me this can be done at build time

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated

}
default: {
return -ENOTSUP;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls fix indentation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not the wrong indentation, it is the correct format.


session = ctx->drv_sessn_state;
k_mutex_lock(&session->crypto_lock, K_FOREVER);
memset(&session->req_type, 0, sizeof(Hse_Ip_ReqType));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why you need to clear the whole descriptor? it seems to me this is not needed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To ensure the new description is correct, and unaffected by the old.

with 128-bit key lengths.

.. note::
Applications must format key catalogs before executing the first service.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see you have defined an Kconfig to format key catalog for testing, should we documented it here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I documented it.

.. note::
Applications must format key catalogs before executing the first service.

By default, MU0 is used, and other MUs are deactivated. If applications want to use other MUs,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you meant by default, MU0 is used? is used by who, the crypto driver?

If applications want to use other MUs, must activate them first: why don't active the MU inside crypto driver?

@haduongquang haduongquang force-pushed the support-hse-driver-for-s32z270 branch 2 times, most recently from 19dbc6b to f861b34 Compare October 9, 2024 01:44
Comment on lines 11 to 31
config CRYPTO_NXP_S32_HSE_FORMAT_KEY_CATALOG
bool "NXP S32 HSE crypto driver supports formatting all key catalogs during initialization."
depends on CRYPTO_NXP_S32_HSE
help
Enable supports formatting all key catalogs during initialization.
This feature is primarily used for testing purposes.

config CRYPTO_NXP_S32_HSE_OUTPUT_BUFFER_SIZE
int "The output buffer size for storing the output data of HSE crypto service"
default 128
depends on CRYPTO_NXP_S32_HSE
help
The output buffer size for storing the output data of HSE crypto service.

config CRYPTO_NXP_S32_HSE_AES_KEY_GROUP_ID
int "The AES 128-bits Key Group ID within RAM Key Catalog"
range 0 255
default 0
depends on CRYPTO_NXP_S32_HSE
help
The AES 128-bits Key Group ID within RAM Key Catalog.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

guard with CRYPTO_NXP_S32_HSE so all these options don't appear at toplevel and remove the depends on CRYPTO_NXP_S32_HSE

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated

@@ -3,4 +3,4 @@ CONFIG_CRYPTO_LOG_LEVEL_DBG=y
CONFIG_LOG=y
CONFIG_LOG_MODE_MINIMAL=y

CONFIG_MAIN_STACK_SIZE=4096
CONFIG_MAIN_STACK_SIZE=8192
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is only needed for a specific platform/board, then I'd suggest to add overlays

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reverted

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please run clang-format on this new file, to conform with the suggested changes annotated by the CI

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have run the clang-format at locally, but some points are different with upstream.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1f7c960

if it's not consistent, please report the version you are using in an issue


#define CRYPTO_NXP_S32_HSE_SESSION_CFG(indx, _) \
{ \
.channel = indx + 1, .out_buff = &crypto_out_buff[indx][0], \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a multiinstance driver, but the buffer crypto_out_buff is shared accross all instances (e.g. all instances channel 0 will get assigned the same buffer &crypto_out_buff[0][0]). There should be a buffer per instance and per channel.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated

#define CRYPTO_NXP_S32_HSE_MU_GET_INSTANCE(n) \
LISTIFY(__DEBRACKET HSE_IP_NUM_OF_MU_INSTANCES, CRYPTO_NXP_S32_HSE_MU_INSTANCE_CHECK, (|), n)

#define CRYPTO_NXP_S32_HSE_BLOCK_KEY_LEN_BYTES 16U
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of hardcoding it, it can be exposed as a dt property to use either 128 or 256 bits

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have added a Kconfig to do it

return -EIO;
}

/* Update crypto crypto description input */
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpicking

Suggested change
/* Update crypto crypto description input */
/* Update HSE descriptor */

maybe? and everywhere else where this is mentioned as "description" instead of "descriptor"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated

Hse_Ip_ReqType crypto_req_type;
hseFormatKeyCatalogsSrv_t *format_key_serv =
&(crypto_serv_desc.hseSrv.formatKeyCatalogsReq);
uint8_t channel = Hse_Ip_GetFreeChannel(data->mu_instance);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this channel is never released, see Hse_Ip_ReleaseChannel

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated


static inline void free_session(struct crypto_nxp_s32_hse_session *session)
{
session->in_use = false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MU channels are never released, see Hse_Ip_ReleaseChannel

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated

static struct crypto_nxp_s32_hse_session *crypto_nxp_s32_hse_get_session(const struct device *dev)
{
struct crypto_nxp_s32_hse_data *data = dev->data;
uint8_t mu_channel = Hse_Ip_GetFreeChannel(data->mu_instance);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this call seems not to be thread safe (ie. two threads could compete for the same MU channel with unknown results)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated.

depends on CRYPTO_NXP_S32_HSE
help
Enable supports formatting all key catalogs during initialization.
This feature is primarily used for testing purposes.
Copy link
Member

@manuargue manuargue Oct 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the board's doc you added:

Applications must format key catalogs before executing the first service.

From this kconfig:

Enable supports formatting all key catalogs during initialization.
This feature is primarily used for testing purposes.

I don't think having test code inside the driver is a good idea. If formatting the key catalog must be done in the application layer and you want to show how is possible to do this, then perhaps create a sample.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the samples/crypto to show how to do this.

Copy link
Member

@manuargue manuargue Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the samples/crypto to show how to do this.

IMO having NXP specific HAL calls in a generic sample is definetly not a good idea. If this sample is really necessary it should be at least in samples/boards/nxp.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, that is a generic sample and should not have Hal specific calls.

@manuargue
Copy link
Member

manuargue commented Oct 10, 2024

@haduongquang I'd suggest you to look at how the HSE was integrated into Linux in regards to devicetree. I think it's a cleaner approach than the current one proposed on this pr because it clearly shows that the MU's are coupled with the HSE, and there's also explicit description of the RAM reserved to communicate between the CPU host and the HSE.

@haduongquang haduongquang force-pushed the support-hse-driver-for-s32z270 branch from f861b34 to 8fd4348 Compare October 16, 2024 02:20
@haduongquang
Copy link
Contributor Author

@haduongquang I'd suggest you to look at how the HSE was integrated into Linux in regards to devicetree. I think it's a cleaner approach than the current one proposed on this pr because it clearly shows that the MU's are coupled with the HSE, and there's also explicit description of the RAM reserved to communicate between the CPU host and the HSE.

For the first point, I have updated the device tree.
For the second point, regarding RAM reserved. Some other platforms require the descriptor to be put in a dedicated RAM region in order to communicate with HSE, this is not the case for S32Z so a RAM reserved is not needed.

struct crypto_nxp_s32_hse_data *data = dev->data;
struct crypto_nxp_s32_hse_session *session;

if (Hse_Ip_Init(data->mu_instance, &data->mu_state) != HSE_IP_STATUS_SUCCESS) {
Copy link
Member

@manuargue manuargue Oct 17, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not enough to just call this initialiation but also the MUs that are not active by default must be activated through a request to HSE. As it is right now implemented, if the user tries to use the Zephyr Crypto API on a HSE-MU device that is not active, it will fail. In general, the device init function should ensure that all needed resources are allocated and ready in order for the driver to operate after exiting this function.

Add device tree node for MU instances that will be used by HSE and RTU
for s32z270.

Add support hash crypto for NXP S32 with Algo 2:
SHA224, SHA256, SHA384 and SHA512.

Add support cipher crypto with ECB, CBC and CTR mode by using ram key
catalog.

Signed-off-by: Ha Duong Quang <[email protected]>
Enable test for s32z270 hash crypto.

Enable samples for cipher cryptoEndable samples for EBC, CBC,
CTR mode of cipher crypto.

Signed-off-by: Ha Duong Quang <[email protected]>
@haduongquang haduongquang force-pushed the support-hse-driver-for-s32z270 branch from 8fd4348 to 949dba0 Compare October 28, 2024 02:30
Copy link

This pull request has been marked as stale because it has been open (more than) 60 days with no activity. Remove the stale label or add a comment saying that you would like to have the label removed otherwise this pull request will automatically be closed in 14 days. Note, that you can always re-open a closed pull request at any time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area: Crypto / RNG area: mbox area: Samples Samples DNM This PR should not be merged (Do Not Merge) manifest manifest-hal_nxp platform: NXP Drivers NXP Semiconductors, drivers platform: NXP S32 NXP Semiconductors, S32
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants