sys/psa_crypto: Fix build problems

examples/psa_crypto/Makefile

@@ -48,6 +48,8 @@ else
     CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=1
     USEMODULE += psa_secure_element
     USEMODULE += psa_secure_element_ateccx08a
+    USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128
+    USEMODULE += psa_secure_element_ateccx08a_hmac_sha256
     USEMODULE += psa_secure_element_ateccx08a_ecc_p256
   else ifeq (2, $(SECURE_ELEMENT))
     CFLAGS += -DSECURE_ELEMENT # Application specific (not needed by PSA)
@@ -60,6 +62,8 @@ else
     USEMODULE += psa_secure_element
     USEMODULE += psa_secure_element_multiple
     USEMODULE += psa_secure_element_ateccx08a
+    USEMODULE += psa_secure_element_ateccx08a_cipher_aes_128
+    USEMODULE += psa_secure_element_ateccx08a_hmac_sha256
     USEMODULE += psa_secure_element_ateccx08a_ecc_p256
   else ifdef CUSTOM_BACKEND
     # Necessary configuration when using Make dependency resolution

examples/psa_crypto/app.config.test.multi_se

@@ -2,6 +2,8 @@
 CONFIG_MODULE_PSA_SECURE_ELEMENT=y
 CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A=y
 CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256=y
+CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_CIPHER_AES_128=y
+CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_HMAC_SHA256=y
 CONFIG_MODULE_PSA_SECURE_ELEMENT_MULTIPLE=y
 
 CONFIG_PSA_MAX_SE_COUNT=2

examples/psa_crypto/app.config.test.se

@@ -1,6 +1,8 @@
 CONFIG_MODULE_PSA_SECURE_ELEMENT=y
 CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A=y
 CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256=y
+CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_CIPHER_AES_128=y
+CONFIG_MODULE_PSA_SECURE_ELEMENT_ATECCX08A_HMAC_SHA256=y
 
 CONFIG_PSA_PROTECTED_KEY_COUNT=4
 CONFIG_PSA_SINGLE_KEY_COUNT=1

examples/psa_crypto/main.c

@@ -21,83 +21,125 @@
 #include "psa/crypto.h"
 #include "ztimer.h"
 
+#if IS_USED(MODULE_PSA_CIPHER)
 extern psa_status_t example_cipher_aes_128(void);
+#endif
+#if IS_USED(MODULE_PSA_MAC)
 extern psa_status_t example_hmac_sha256(void);
+#endif
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P256R1)
 extern psa_status_t example_ecdsa_p256(void);
-
+#endif
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_ED25519)
 #ifndef SECURE_ELEMENT
 extern psa_status_t example_eddsa(void);
 #endif
+#endif
 
 #ifdef MULTIPLE_SE
+#if IS_USED(MODULE_PSA_CIPHER)
 extern psa_status_t example_cipher_aes_128_sec_se(void);
+#endif /* MODULE_PSA_CIPHER */
+#if IS_USED(MODULE_PSA_MAC)
 extern psa_status_t example_hmac_sha256_sec_se(void);
+#endif /* MODULE_PSA_MAC */
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P256R1)
 extern psa_status_t example_ecdsa_p256_sec_se(void);
-#endif
+#endif /* MODULE_PSA_ASYMMETRIC_ECC_P256R1 */
+#endif /* MULTIPLE_SE */
 
 int main(void)
 {
+    bool failed = false;
     psa_status_t status;
 
     psa_crypto_init();
 
     ztimer_acquire(ZTIMER_USEC);
     ztimer_now_t start = ztimer_now(ZTIMER_USEC);
 
+    /* Needed in case only hashes are tested */
+    (void)status;
+    (void)start;
+
+#if IS_USED(MODULE_PSA_MAC)
     status = example_hmac_sha256();
     printf("HMAC SHA256 took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("HMAC SHA256 failed: %s\n", psa_status_to_humanly_readable(status));
     }
+#endif
 
+#if IS_USED(MODULE_PSA_CIPHER)
     start = ztimer_now(ZTIMER_USEC);
     status = example_cipher_aes_128();
     printf("Cipher AES 128 took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("Cipher AES 128 failed: %s\n", psa_status_to_humanly_readable(status));
     }
+#endif
 
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P256R1)
     start = ztimer_now(ZTIMER_USEC);
     status = example_ecdsa_p256();
     printf("ECDSA took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("ECDSA failed: %s\n", psa_status_to_humanly_readable(status));
     }
+#endif
 
-#ifndef SECURE_ELEMENT
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_ED25519)
     start = ztimer_now(ZTIMER_USEC);
     status = example_eddsa();
     printf("EdDSA took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("EdDSA failed: %s\n", psa_status_to_humanly_readable(status));
     }
 #endif
 
 #ifdef MULTIPLE_SE
+#if IS_USED(MODULE_PSA_MAC)
     puts("Running Examples with secondary SE:");
     status = example_hmac_sha256_sec_se();
     printf("HMAC SHA256 took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("HMAC SHA256 failed: %s\n", psa_status_to_humanly_readable(status));
     }
+#endif /* MODULE_PSA_MAC */
 
+#if IS_USED(MODULE_PSA_CIPHER)
     start = ztimer_now(ZTIMER_USEC);
     status = example_cipher_aes_128_sec_se();
     printf("Cipher AES 128 took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("Cipher AES 128 failed: %s\n", psa_status_to_humanly_readable(status));
     }
+#endif /* MODULE_PSA_CIPHER */
 
+#if IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P256R1)
     start = ztimer_now(ZTIMER_USEC);
     status = example_ecdsa_p256_sec_se();
     printf("ECDSA took %d us\n", (int)(ztimer_now(ZTIMER_USEC) - start));
     if (status != PSA_SUCCESS) {
+        failed = true;
         printf("ECDSA failed: %s\n", psa_status_to_humanly_readable(status));
     }
-#endif
+#endif /* MODULE_PSA_ASYMMETRIC_ECC_P256R1 */
+#endif /* MULTIPLE_SE */
 
     ztimer_release(ZTIMER_USEC);
 
-    puts("All Done");
+    if (failed) {
+        puts("Tests failed...");
+    }
+    else {
+        puts("All Done");
+    }
     return 0;
 }

pkg/cryptoauthlib/Makefile.dep

@@ -25,5 +25,13 @@ ifneq (,$(filter psa_crypto,$(USEMODULE)))
 endif
 
 ifneq (,$(filter psa_secure_element_ateccx08a_ecc_p256, $(USEMODULE)))
-  USEMODULE += psa_secure_element_asymmetric
+  USEMODULE += psa_asymmetric
+endif
+
+ifneq (,$(filter psa_secure_element_ateccx08a_cipher_aes_128, $(USEMODULE)))
+  USEMODULE += psa_cipher
+endif
+
+ifneq (,$(filter psa_secure_element_ateccx08a_hmac_sha256, $(USEMODULE)))
+  USEMODULE += psa_mac
 endif

pkg/cryptoauthlib/Makefile.include

@@ -27,7 +27,7 @@ ifneq (,$(filter cryptoauthlib_test,$(USEMODULE)))
   INCLUDES += -I$(PKG_SOURCE_DIR)/third_party/unity
 endif
 
-ifneq (,$(filter psa_crypto,$(USEMODULE)))
-  PSEUDOMODULES += psa_secure_element_ateccx08a
-  PSEUDOMODULES += psa_secure_element_ateccx08a_ecc_p256
-endif
+PSEUDOMODULES += psa_secure_element_ateccx08a
+PSEUDOMODULES += psa_secure_element_ateccx08a_cipher_aes_128
+PSEUDOMODULES += psa_secure_element_ateccx08a_ecc_p256
+PSEUDOMODULES += psa_secure_element_ateccx08a_hmac_sha256

pkg/micro-ecc/Makefile.include

@@ -8,8 +8,9 @@ CFLAGS += -Wno-unused-variable
 TOOLCHAINS_BLACKLIST += llvm
 
 ifneq (,$(filter psa_uecc_%, $(USEMODULE)))
-  PSEUDOMODULES += psa_uecc_p192
-  PSEUDOMODULES += psa_uecc_p256
   DIRS += $(RIOTPKG)/micro-ecc/psa_uecc
   INCLUDES += -I$(RIOTBASE)/sys/psa_crypto/include
 endif
+
+PSEUDOMODULES += psa_uecc_p192
+PSEUDOMODULES += psa_uecc_p256

sys/auto_init/security/auto_init_atca.c

@@ -50,7 +50,7 @@
         }
         atca_devs_ptr[i] = &atca_devs[i];
 
-        DEBUG("[auto_init_atca] Registering Driver with address: %x and location: %lx\n", atca_params[i].cfg.atcai2c.address, atca_params[i].atca_loc);
+        DEBUG("[auto_init_atca] Registering Driver with address: %x and location: %lx\n", atca_params[i].cfg.atcai2c.address, (unsigned long) atca_params[i].atca_loc);
         status = psa_register_secure_element(atca_params[i].atca_loc,
                                             &atca_methods,
                                             &atca_config_list[i],
@@ -58,7 +58,7 @@
         if (status != PSA_SUCCESS) {
             LOG_ERROR(
                 "[auto_init_atca] PSA Crypto – error registering cryptoauth PSA driver\
                 for device #%u, status: %s\n", i, psa_status_to_humanly_readable(status));
             continue;
         }
     }

sys/include/psa_crypto/psa/crypto.h

@@ -83,6 +83,7 @@
  */
 psa_status_t psa_crypto_init(void);
 
+#if IS_USED(MODULE_PSA_AEAD) || defined(DOXYGEN)
 /**
  * @brief   Process an authenticated encryption operation.
  *
@@ -767,7 +768,9 @@
  *                                                  initialize results in this error code.
  */
 psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
+#endif /* MODULE_PSA_AEAD */
 
+#if IS_USED(MODULE_PSA_ASYMMETRIC) || defined(DOXYGEN)
 /**
  * @brief   Encrypt a short message with a public key.
  *
@@ -890,7 +893,10 @@
                                     uint8_t *output,
                                     size_t output_size,
                                     size_t *output_length);
+#endif /* MODULE_PSA_ASYMMETRIC */
 
+
+#if IS_USED(MODULE_PSA_CIPHER) || defined(DOXYGEN)
 /**
  * @brief   Abort a cipher operation.
  *
@@ -1385,7 +1391,9 @@
                                uint8_t *output,
                                size_t output_size,
                                size_t *output_length);
+#endif /* MODULE_PSA_CIPHER */
 
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN)
 /**
  * @brief   Make a copy of a key.
  *
@@ -1799,6 +1807,7 @@
  */
 psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
                               psa_key_id_t *key);
+#endif /* MODULE_PSA_KEY_MANAGEMENT */
 
 /**
  * @brief   Built-in function for random number generation.
@@ -1840,6 +1849,7 @@
 psa_status_t psa_generate_random(uint8_t *output,
                                  size_t output_size);
 
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN)
 /**
  * @brief   Declare the permitted algorithm policy for a key.
  *
@@ -2070,7 +2080,9 @@
  */
 psa_status_t psa_get_key_attributes(psa_key_id_t key,
                                     psa_key_attributes_t *attributes);
+#endif /* MODULE_PSA_KEY_MANAGEMENT */
 
+#if IS_USED(MODULE_PSA_HASH) || defined(DOXYGEN)
 /**
  * @brief   Abort a hash operation.
  *
@@ -2476,7 +2488,9 @@
 psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
                              const uint8_t *hash,
                              size_t hash_length);
+#endif /* MODULE_PSA_HASH */
 
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN)
 /**
  * @brief   Built-in key import function.
  *
@@ -2619,7 +2633,9 @@
                             const uint8_t *data,
                             size_t data_length,
                             psa_key_id_t *key);
+#endif /* MODULE_PSA_KEY_MANAGEMENT */
 
+#if IS_USED(MODULE_PSA_KEY_DERIVATION) || defined(DOXYGEN)
 /**
  * @brief   Abort a key derivation operation.
  *
@@ -3309,7 +3325,9 @@
  */
 psa_status_t psa_key_derivation_verify_key(psa_key_derivation_operation_t *operation,
                                            psa_key_id_t expected);
+#endif /* PSA_CRYPTO_KEY_DERIVATION */
 
+#if IS_USED(MODULE_PSA_MAC) || defined(DOXYGEN)
 /**
  * @brief   Abort a MAC operation.
  *
@@ -3679,7 +3697,9 @@
 psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
                                   psa_key_id_t key,
                                   psa_algorithm_t alg);
+#endif /* MODULE_PSA_MAC */
 
+#if IS_USED(MODULE_PSA_KEY_MANAGEMENT) || defined(DOXYGEN)
 /**
  * @brief   Remove non-essential copies of key material from memory.
  *
@@ -3707,7 +3727,9 @@
  * @return  @ref PSA_ERROR_DATA_INVALID
  */
 psa_status_t psa_purge_key(psa_key_id_t key);
+#endif /* MODULE_PSA_KEY_MANAGEMENT */
 
+#if IS_USED(MODULE_PSA_KEY_AGREEMENT) || defined(DOXYGEN)
 /**
  * @brief   Perform a key agreement and return the raw shared secret.
  *
@@ -3778,7 +3800,9 @@
                                    uint8_t *output,
                                    size_t output_size,
                                    size_t *output_length);
+#endif /* MODULE_PSA_KEY_AGREEMENT */
 
+#if IS_USED(MODULE_PSA_ASYMMETRIC) || defined(DOXYGEN)
 /**
  * @brief   Sign an already-calculated hash with a private key.
  *
@@ -4044,10 +4068,11 @@
                                 size_t input_length,
                                 const uint8_t *signature,
                                 size_t signature_length);
+#endif /* MODULE_PSA_ASYMMETRIC */
 
 #ifdef __cplusplus
 }
 #endif
 
 #endif /* PSA_CRYPTO_PSA_CRYPTO_H */
 /** @} */

sys/include/psa_crypto/psa/crypto_sizes.h

@@ -79,29 +79,21 @@
  * @brief   Number of required allocated asymmetric key pair slots.
  *
  * @details These should be defined by the developer to
- *          fit their requirements. The default number is 5.
+ *          fit their requirements. The default number is 0.
  */
 #ifndef CONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT
-#if (IS_USED(MODULE_PSA_ASYMMETRIC))
-#define CONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT  5
-#else
 #define CONFIG_PSA_ASYMMETRIC_KEYPAIR_COUNT  0
 #endif
-#endif
 
 /**
  * @brief   Number of required allocated single key slots.
  *
  * @details These should be defined by the developer to
- *          fit their requirements. The default number is 5.
+ *          fit their requirements. The default number is 0.
  */
 #ifndef CONFIG_PSA_SINGLE_KEY_COUNT
-#if (IS_USED(MODULE_PSA_KEY_SLOT_MGMT))
-#define CONFIG_PSA_SINGLE_KEY_COUNT  5
-#else
 #define CONFIG_PSA_SINGLE_KEY_COUNT  0
 #endif
-#endif
 
 /**
  * @brief   Number of required allocated protected key slots.
@@ -110,8 +102,8 @@
  *          fit their requirements. The default number is 5.
  */
 #ifndef CONFIG_PSA_PROTECTED_KEY_COUNT
-#if (IS_USED(MODULE_PSA_SE_MGMT))
-#define CONFIG_PSA_PROTECTED_KEY_COUNT  5
+#if (IS_USED(MODULE_PSA_SECURE_ELEMENT))
+#define CONFIG_PSA_PROTECTED_KEY_COUNT 5
 #else
 #define CONFIG_PSA_PROTECTED_KEY_COUNT  0
 #endif
@@ -991,7 +983,7 @@
 /**
  * @brief   The maximum size of the used key data.
  */
-#if IS_USED(MODULE_PSA_SECURE_ELEMENT_ASYMMETRIC) || IS_USED(MODULE_PSA_ASYMMETRIC)
+#if IS_USED(MODULE_PSA_ASYMMETRIC)
 #define PSA_MAX_KEY_DATA_SIZE  (PSA_EXPORT_PUBLIC_KEY_MAX_SIZE)
 #else
 #define PSA_MAX_KEY_DATA_SIZE  (CONFIG_PSA_MAX_KEY_SIZE)
@@ -1033,7 +1025,7 @@
  *          If the parameters are not valid, the return value is unspecified.
  */
 #define PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg)        \
     (PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_ECDSA_SIGNATURE_SIZE(PSA_ECC_KEY_GET_CURVE(key_type, key_bits)) : \
      ((void)alg, 0))
 
 #ifdef __cplusplus