nrf_security: Remove redefined Kconfigs #20107
Conversation
github-actions
bot
added
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: 05d05459bcfd05b8cd75a8603e88dcb948075116 more detailssdk-nrf:
Github labels
List of changed files detected by CI (3)Outputs:ToolchainVersion: 342151af73 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
|
You can find the documentation preview for this PR at this link. Note: This comment is automatically posted by the Documentation Publish GitHub Action. |
| @@ -1852,12 +1852,14 @@ config PSA_NEED_CRACEN_KMU_ENCRYPTED_KEYS | |||
| PSA_NEED_CRACEN_KEY_DERIVATION_DRIVER && \ | |||
| PSA_NEED_CRACEN_KMU_DRIVER | |||
|
|
|||
| config SUPPORT_PSA_NEED_CRACEN_PLATFORM_KEYS | |||
There was a problem hiding this comment.
This file has only configurations which has the PSA_NEED prefix, please keep the prefix as is and use another name.
There was a problem hiding this comment.
psa need support? How does that make sense? This matches the global format we use in ncs:
./doc/nrf/app_dev/config_and_build/sysbuild/sysbuild_images.rst: config SUPPORT_NETCORE_ABC
./doc/nrf/app_dev/config_and_build/sysbuild/sysbuild_images.rst: config SUPPORT_NETCORE_ABC
./samples/cellular/http_update/modem_delta_update/Kconfig:config SUPPORTED_BASE_VERSION
./samples/wifi/radio_test/multi_domain/Kconfig.sysbuild:config SUPPORT_NETCORE_PERIPHERAL_RADIO_TEST
./subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig:config SUPPORT_PSA_NEED_CRACEN_PLATFORM_KEYS
./subsys/suit/mci/Kconfig:config SUPPORT_SUIT_MCI_IMPL_SDFW
./subsys/suit/storage/Kconfig:config SUPPORT_SUIT_STORAGE_LAYOUT_SOC
./subsys/suit/storage/Kconfig:config SUPPORT_SUIT_STORAGE_LAYOUT_TEST
./subsys/suit/validator/Kconfig:config SUPPORT_SUIT_VALIDATOR_IMPL_SDFW
./sysbuild/Kconfig.appcore:config SUPPORT_APPCORE
./sysbuild/Kconfig.appcore:config SUPPORT_APPCORE_EMPTY
./sysbuild/Kconfig.appcore:config SUPPORT_APPCORE_REMOTE_SHELL
./sysbuild/Kconfig.cracen:config SUPPORT_CRACEN
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE_EMPTY
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE_HCI_IPC
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE_RPC_HOST
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE_802154_RPMSG
./sysbuild/Kconfig.netcore:config SUPPORT_NETCORE_IPC_RADIO
./sysbuild/Kconfig.pprcore:config SUPPORT_PPRCORE
./sysbuild/Kconfig.xip:config SUPPORT_QSPI_XIP
./tests/subsys/suit/tests/sdfw/Kconfig:config SUPPORT_SUIT_STORAGE_LAYOUT_TEST
There was a problem hiding this comment.
Don't come up with a new naming convention in relation to Mbed TLS.
There is nothing in TF-M, Mbed TLS and/or Oberon-psa-crypto that has SUPPORT_
There was a problem hiding this comment.
yeah, the issue here is that the PSA_NEED is already a naming convention and we have too many of them already. Since the Oberon PSA core doesn't use the SUPPORT naming convention I am hesitant to accept that for this file.
There was a problem hiding this comment.
Don't come up with a new naming convention in relation to Mbed TLS.
There is nothing in TF-M, Mbed TLS and/or Oberon-psa-crypto that has
SUPPORT_
This is not to do with mbedtls, this is to do with Kconfig symbol support in build system
There was a problem hiding this comment.
One way to help solve some of these SOC-tie-ins is to create a HAS_HW_CRACEN configuration (as well as a HAS_HW_CRACEN_KMU for instance). This would only be available e.g. inside the H20 sec domain.
This is somewhat similar to how we signal that CC3XX is available:
HAS_HW_NRF_CC3XX
There was a problem hiding this comment.
The HAS will work but it will not allow you to differentiate between L15 and H20. If your goal is to just have that as conditionally set what you can do is to create a Kconfig symbol here:
https://github.com/nrfconnect/sdk-nrf/blob/main/subsys/nrf_security/src/drivers/Kconfig
You can add a promptless:
config PSA_WANT_PLATFORM_KEYS
Then you can use this both enable the:
MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
and the
PSA_NEED_CRACEN_PLATFORM_KEYS
If you need platform keys you need to have BOTH enabled.
There was a problem hiding this comment.
This is not to do with mbedtls, this is to do with Kconfig symbol support in build system
There are 480+ entries in this file and they are all following the pattern config PSA_NEED_
You are also touching MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS which is an Mbed TLS configuration
SUPPORT_ doesn't make sense in the context
nordicjm
force-pushed
the
fixcpusecleak
branch
from
962b847 to
5ef0426
Compare
|
ping @Vge0rge @robertstypa @ahasztag @kszromek-nordic @tomchy for reviews, this is holding other teams up, would like to get it merged today |
Removes Kconfigs that are redefined because they are defined in an out of tree repo to prevent hiding problems if these symbols are renamed or removed Signed-off-by: Jamie McCrae <[email protected]>
nordicjm
force-pushed
the
fixcpusecleak
branch
from
5ef0426 to
05d0545
Compare
Removes Kconfigs that are redefined because they are defined in an out of tree repo to prevent hiding problems if these symbols are renamed or removed