diff --git a/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf deleted file mode 100644 index ee6d1210e8df79..00000000000000 --- a/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Enable PSA as a crypto backend in host -CONFIG_BT_USE_PSA_API=y diff --git a/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf deleted file mode 100644 index ee6d1210e8df79..00000000000000 --- a/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Enable PSA as a crypto backend in host -CONFIG_BT_USE_PSA_API=y diff --git a/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf deleted file mode 100644 index ee6d1210e8df79..00000000000000 --- a/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Enable PSA as a crypto backend in host -CONFIG_BT_USE_PSA_API=y diff --git a/subsys/bluetooth/Kconfig b/subsys/bluetooth/Kconfig index d5560d6d5d0ea7..e03501d6500cd3 100644 --- a/subsys/bluetooth/Kconfig +++ b/subsys/bluetooth/Kconfig @@ -241,13 +241,6 @@ config BT_SHELL Activate shell module that provides Bluetooth commands to the console. -config BT_USE_PSA_API - bool "Use PSA APIs instead of TinyCrypt for crypto operations" - depends on BT_CRYPTO || BT_HOST_CRYPTO || BT_ECC - depends on PSA_CRYPTO_CLIENT - help - Use PSA APIs instead of TinyCrypt for crypto operations - endif # BT_HCI config BT_COMPANY_ID diff --git a/subsys/bluetooth/crypto/CMakeLists.txt b/subsys/bluetooth/crypto/CMakeLists.txt index dc0f83b32c271f..073a9c613d7488 100644 --- a/subsys/bluetooth/crypto/CMakeLists.txt +++ b/subsys/bluetooth/crypto/CMakeLists.txt 
@@ -4,15 +4,11 @@ zephyr_library() zephyr_library_sources(bt_crypto.c) -if(CONFIG_BT_USE_PSA_API) - zephyr_library_sources(bt_crypto_psa.c) - zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) - zephyr_library_include_directories_ifdef(CONFIG_BUILD_WITH_TFM - $/api_ns/interface/include - ) -else() - zephyr_library_sources(bt_crypto_tc.c) -endif() +zephyr_library_sources(bt_crypto_psa.c) +zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) +zephyr_library_include_directories_ifdef(CONFIG_BUILD_WITH_TFM + $/api_ns/interface/include +) if(CONFIG_BT_CRYPTO_LOG_LEVEL_DBG) message(WARNING "CONFIG_BT_CRYPTO_LOG_LEVEL_DBG is enabled. diff --git a/subsys/bluetooth/crypto/Kconfig b/subsys/bluetooth/crypto/Kconfig index a59979730f0d54..42858e2187b1f9 100644 --- a/subsys/bluetooth/crypto/Kconfig +++ b/subsys/bluetooth/crypto/Kconfig @@ -3,10 +3,9 @@ config BT_CRYPTO bool - select TINYCRYPT if !BT_USE_PSA_API - select TINYCRYPT_AES if !BT_USE_PSA_API - select TINYCRYPT_AES_CMAC if !BT_USE_PSA_API - select PSA_WANT_KEY_TYPE_AES if BT_USE_PSA_API - select PSA_WANT_ALG_CMAC if BT_USE_PSA_API + select MBEDTLS if !BUILD_WITH_TFM + select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_WANT_KEY_TYPE_AES + select PSA_WANT_ALG_CMAC help This option enables the Bluetooth Cryptographic Toolbox. diff --git a/subsys/bluetooth/crypto/bt_crypto.c b/subsys/bluetooth/crypto/bt_crypto.c index 62a475a57d751b..604449bf8f156e 100644 --- a/subsys/bluetooth/crypto/bt_crypto.c +++ b/subsys/bluetooth/crypto/bt_crypto.c @@ -7,12 +7,7 @@ #include -#if defined(CONFIG_BT_USE_PSA_API) #include "psa/crypto.h" -#else -#include -#include -#endif #include "common/bt_str.h" #include "bt_crypto.h" diff --git a/subsys/bluetooth/crypto/bt_crypto_tc.c b/subsys/bluetooth/crypto/bt_crypto_tc.c deleted file mode 100644 index 95160d55dfd9ee..00000000000000 --- a/subsys/bluetooth/crypto/bt_crypto_tc.c +++ /dev/null 
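Review bot: In `config BT_CRYPTO`, the new `select MBEDTLS if !BUILD_WITH_TFM` and `select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM` lines hard-wire Mbed TLS as the PSA provider for every non-TF-M build, and nothing in the entry tells the reader so. Because `select` ignores the selected symbol's own dependencies and cannot be overridden from a prj.conf, that choice should at least be documented. BT_HOST_CRYPTO in subsys/bluetooth/host/Kconfig receives the same two lines and needs the same note. I would extend the help text with something like `AES-CMAC is computed through the PSA Crypto API; Mbed TLS is selected as the PSA provider unless the build uses TF-M.` The entry's help text continues outside the hunk.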
@@ -1,34 +0,0 @@ -/* Copyright (c) 2022 Nordic Semiconductor ASA - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include - -#include - -#include -#include - -#include "common/bt_str.h" -#include "bt_crypto.h" - -int bt_crypto_aes_cmac(const uint8_t *key, const uint8_t *in, size_t len, uint8_t *out) -{ - struct tc_aes_key_sched_struct sched; - struct tc_cmac_struct state; - - if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) { - return -EIO; - } - - if (tc_cmac_update(&state, in, len) == TC_CRYPTO_FAIL) { - return -EIO; - } - - if (tc_cmac_final(out, &state) == TC_CRYPTO_FAIL) { - return -EIO; - } - - return 0; -} diff --git a/subsys/bluetooth/host/CMakeLists.txt b/subsys/bluetooth/host/CMakeLists.txt index dd209d4177c532..e3e461fb0c119c 100644 --- a/subsys/bluetooth/host/CMakeLists.txt +++ b/subsys/bluetooth/host/CMakeLists.txt @@ -32,11 +32,10 @@ if(CONFIG_BT_HCI_HOST) scan.c ) - if(CONFIG_BT_USE_PSA_API) - zephyr_library_sources_ifdef(CONFIG_BT_HOST_CRYPTO crypto_psa.c) - else() - zephyr_library_sources_ifdef(CONFIG_BT_HOST_CRYPTO crypto_tc.c) - endif() + zephyr_library_sources_ifdef( + CONFIG_BT_HOST_CRYPTO + crypto_psa.c + ) zephyr_library_sources_ifdef( CONFIG_BT_ECC @@ -116,12 +115,10 @@ if(CONFIG_BT_CONN_DISABLE_SECURITY) ) endif() -if(CONFIG_BT_USE_PSA_API) - zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) - zephyr_library_include_directories_ifdef(CONFIG_BUILD_WITH_TFM - $/api_ns/interface/include - ) -endif() +zephyr_library_link_libraries_ifdef(CONFIG_MBEDTLS mbedTLS) +zephyr_library_include_directories_ifdef(CONFIG_BUILD_WITH_TFM + $/api_ns/interface/include +) # Bluetooth Mesh has test dependencies in the host. # In order to compile Bsim tests with these test features diff --git a/subsys/bluetooth/host/Kconfig b/subsys/bluetooth/host/Kconfig index db247d76b93c60..484e54cbae9854 100644 --- a/subsys/bluetooth/host/Kconfig +++ b/subsys/bluetooth/host/Kconfig 
@@ -168,22 +168,23 @@ rsource "../audio/Kconfig" config BT_HOST_CRYPTO bool "Use crypto functionality implemented in the Bluetooth host" default y if !BT_CTLR_CRYPTO - select TINYCRYPT if !BT_USE_PSA_API - select TINYCRYPT_AES if !BT_USE_PSA_API - select PSA_WANT_KEY_TYPE_AES if BT_USE_PSA_API + select MBEDTLS if !BUILD_WITH_TFM + select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM + select PSA_WANT_KEY_TYPE_AES + select PSA_WANT_ALG_ECB_NO_PADDING help - The option adds the AES encryption support using TinyCrypt + The option adds the AES encryption support using PSA Crypto API library if this is not provided by the controller implementation. config BT_HOST_CRYPTO_PRNG - bool "Use Tinycrypt library for random number generation" + bool "Use PSA crypto API library for random number generation" default y - select TINYCRYPT_SHA256 if !BT_USE_PSA_API - select TINYCRYPT_SHA256_HMAC if !BT_USE_PSA_API - select TINYCRYPT_SHA256_HMAC_PRNG if !BT_USE_PSA_API + select PSA_WANT_ALG_SHA_256 + select PSA_WANT_KEY_TYPE_HMAC + select PSA_WANT_ALG_HMAC depends on BT_HOST_CRYPTO help - When selected, will use tinycrypt library for random number generation. + When selected, will use PSA Crypto API library for random number generation. This will consume additional ram, but may speed up the generation of random numbers. diff --git a/subsys/bluetooth/host/Kconfig.gatt b/subsys/bluetooth/host/Kconfig.gatt index c9c9247dc91c27..c8d8b75c1c1f99 100644 --- a/subsys/bluetooth/host/Kconfig.gatt +++ b/subsys/bluetooth/host/Kconfig.gatt 
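Review bot: The help text of BT_HOST_CRYPTO_PRNG still ends with "This will consume additional ram, but may speed up the generation of random numbers", which described the removed TinyCrypt HMAC-PRNG that was seeded from the controller. With this change bt_rand() appears to draw from `psa_generate_random()` (per the crypto_psa.c hunk), so the quality of the randomness behind keys and nonces now depends on how the PSA provider's entropy source is configured. The help should state that, for example `Random numbers are taken from psa_generate_random(); the PSA Crypto provider must be configured with a suitable entropy source.` It is also not visible from this hunk whether `PSA_WANT_ALG_SHA_256`, `PSA_WANT_KEY_TYPE_HMAC` and `PSA_WANT_ALG_HMAC` are still needed once the HMAC-PRNG is gone; worth confirming, since unneeded selects enlarge the enabled crypto surface.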
@@ -115,11 +115,9 @@ config BT_GATT_CACHING bool "GATT Caching support" default y depends on BT_GATT_SERVICE_CHANGED - select TINYCRYPT if !BT_USE_PSA_API - select TINYCRYPT_AES if !BT_USE_PSA_API - select TINYCRYPT_AES_CMAC if !BT_USE_PSA_API - select PSA_WANT_KEY_TYPE_AES if BT_USE_PSA_API - select PSA_WANT_ALG_CMAC if BT_USE_PSA_API + depends on PSA_CRYPTO_CLIENT + select PSA_WANT_KEY_TYPE_AES + select PSA_WANT_ALG_CMAC help This option enables support for GATT Caching. When enabled the stack will register Client Supported Features and Database Hash diff --git a/subsys/bluetooth/host/crypto_psa.c b/subsys/bluetooth/host/crypto_psa.c index 041a2f9cd047e9..d3f2de3b886853 100644 --- a/subsys/bluetooth/host/crypto_psa.c +++ b/subsys/bluetooth/host/crypto_psa.c @@ -30,6 +30,7 @@ LOG_MODULE_REGISTER(bt_host_crypto); int prng_init(void) { if (psa_crypto_init() != PSA_SUCCESS) { + LOG_ERR("psa_crypto_init() failed"); return -EIO; } return 0; @@ -42,6 +43,7 @@ int bt_rand(void *buf, size_t len) return 0; } + LOG_ERR("psa_generate_random() failed"); return -EIO; } #else /* !CONFIG_BT_HOST_CRYPTO_PRNG */ diff --git a/subsys/bluetooth/host/crypto_tc.c b/subsys/bluetooth/host/crypto_tc.c deleted file mode 100644 index 1ffe94a4592531..00000000000000 --- a/subsys/bluetooth/host/crypto_tc.c +++ /dev/null 
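Review bot: BT_GATT_CACHING keeps `default y` but now carries `depends on PSA_CRYPTO_CLIENT`, so a configuration without a PSA client silently loses GATT caching and the Database Hash instead of failing the build. This differs from BT_CRYPTO and BT_HOST_CRYPTO in the same commit, which `select` their PSA provider. If the difference is intentional, the help text should say so, e.g. `Requires a PSA Crypto provider (PSA_CRYPTO_CLIENT) for the AES-CMAC database hash.`; otherwise the three symbols should obtain PSA the same way. The help text continues outside the hunk.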
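Review bot: The new `LOG_ERR("psa_crypto_init() failed");` in prng_init() discards the `psa_status_t`, so the log cannot distinguish an entropy or storage problem from a bad configuration. The same applies to `LOG_ERR("psa_generate_random() failed");` in the second hunk, in bt_rand(). Keeping the status and printing it would make both failures diagnosable: `psa_status_t status = psa_crypto_init();` followed by `LOG_ERR("psa_crypto_init() failed (status %d)", (int)status);`. bt_rand() begins outside its hunk, so the exact shape of its call is not visible here.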
@@ -1,176 +0,0 @@ -/* - * Copyright (c) 2017 Nordic Semiconductor ASA - * Copyright (c) 2015-2016 Intel Corporation - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include -#include -#include -#include - -#include "common/bt_str.h" - -#include "hci_core.h" - -#define LOG_LEVEL CONFIG_BT_HCI_CORE_LOG_LEVEL -#include -LOG_MODULE_REGISTER(bt_host_crypto); - -static struct tc_hmac_prng_struct prng; - -static int prng_reseed(struct tc_hmac_prng_struct *h) -{ - uint8_t seed[32]; - int64_t extra; - int ret; - - ret = bt_hci_le_rand(seed, sizeof(seed)); - if (ret) { - return ret; - } - - extra = k_uptime_get(); - - ret = tc_hmac_prng_reseed(h, seed, sizeof(seed), (uint8_t *)&extra, - sizeof(extra)); - if (ret == TC_CRYPTO_FAIL) { - LOG_ERR("Failed to re-seed PRNG"); - return -EIO; - } - - return 0; -} - -int prng_init(void) -{ - uint8_t perso[8]; - int ret; - - ret = bt_hci_le_rand(perso, sizeof(perso)); - if (ret) { - return ret; - } - - ret = tc_hmac_prng_init(&prng, perso, sizeof(perso)); - if (ret == TC_CRYPTO_FAIL) { - LOG_ERR("Failed to initialize PRNG"); - return -EIO; - } - - /* re-seed is needed after init */ - return prng_reseed(&prng); -} - -#if defined(CONFIG_BT_HOST_CRYPTO_PRNG) -int bt_rand(void *buf, size_t len) -{ - int ret; - - CHECKIF(buf == NULL || len == 0) { - return -EINVAL; - } - - ret = tc_hmac_prng_generate(buf, len, &prng); - if (ret == TC_HMAC_PRNG_RESEED_REQ) { - ret = prng_reseed(&prng); - if (ret) { - return ret; - } - - ret = tc_hmac_prng_generate(buf, len, &prng); - } - - if (ret == TC_CRYPTO_SUCCESS) { - return 0; - } - - return -EIO; -} -#else /* !CONFIG_BT_HOST_CRYPTO_PRNG */ -int bt_rand(void *buf, size_t len) -{ - CHECKIF(buf == NULL || len == 0) { - return -EINVAL; - } - - return bt_hci_le_rand(buf, len); -} -#endif /* CONFIG_BT_HOST_CRYPTO_PRNG */ - -int bt_encrypt_le(const uint8_t key[16], const uint8_t plaintext[16], - uint8_t 
enc_data[16]) -{ - struct tc_aes_key_sched_struct s; - uint8_t tmp[16]; - - CHECKIF(key == NULL || plaintext == NULL || enc_data == NULL) { - return -EINVAL; - } - - LOG_DBG("key %s", bt_hex(key, 16)); - LOG_DBG("plaintext %s", bt_hex(plaintext, 16)); - - sys_memcpy_swap(tmp, key, 16); - - if (tc_aes128_set_encrypt_key(&s, tmp) == TC_CRYPTO_FAIL) { - return -EINVAL; - } - - sys_memcpy_swap(tmp, plaintext, 16); - - if (tc_aes_encrypt(enc_data, tmp, &s) == TC_CRYPTO_FAIL) { - return -EINVAL; - } - - sys_mem_swap(enc_data, 16); - - LOG_DBG("enc_data %s", bt_hex(enc_data, 16)); - - return 0; -} - -int bt_encrypt_be(const uint8_t key[16], const uint8_t plaintext[16], - uint8_t enc_data[16]) -{ - struct tc_aes_key_sched_struct s; - - CHECKIF(key == NULL || plaintext == NULL || enc_data == NULL) { - return -EINVAL; - } - - LOG_DBG("key %s", bt_hex(key, 16)); - LOG_DBG("plaintext %s", bt_hex(plaintext, 16)); - - if (tc_aes128_set_encrypt_key(&s, key) == TC_CRYPTO_FAIL) { - return -EINVAL; - } - - if (tc_aes_encrypt(enc_data, plaintext, &s) == TC_CRYPTO_FAIL) { - return -EINVAL; - } - - LOG_DBG("enc_data %s", bt_hex(enc_data, 16)); - - return 0; -} - -#ifdef ZTEST_UNITTEST -struct tc_hmac_prng_struct *bt_crypto_get_hmac_prng_instance(void) -{ - return &prng; -} -#endif /* ZTEST_UNITTEST */ diff --git a/subsys/bluetooth/host/gatt.c b/subsys/bluetooth/host/gatt.c index 023216073e03f3..20b9c41e02734c 100644 --- a/subsys/bluetooth/host/gatt.c +++ b/subsys/bluetooth/host/gatt.c @@ -21,15 +21,7 @@ #include #if defined(CONFIG_BT_GATT_CACHING) -#if defined(CONFIG_BT_USE_PSA_API) #include "psa/crypto.h" -#else /* CONFIG_BT_USE_PSA_API */ -#include -#include -#include -#include -#include -#endif /* CONFIG_BT_USE_PSA_API */ #endif /* CONFIG_BT_GATT_CACHING */ #include 
@@ -703,7 +695,6 @@ static ssize_t cf_write(struct bt_conn *conn, const struct bt_gatt_attr *attr, return len; } -#if defined(CONFIG_BT_USE_PSA_API) struct gen_hash_state { psa_mac_operation_t operation; psa_key_id_t key; @@ -753,43 +744,6 @@ static int db_hash_finish(struct gen_hash_state *state) return 0; } -#else /* CONFIG_BT_USE_PSA_API */ -struct gen_hash_state { - struct tc_cmac_struct state; - struct tc_aes_key_sched_struct sched; - int err; -}; - -static int db_hash_setup(struct gen_hash_state *state, uint8_t *key) -{ - if (tc_cmac_setup(&(state->state), key, &(state->sched)) == TC_CRYPTO_FAIL) { - LOG_ERR("CMAC setup failed"); - return -EIO; - } - return 0; -} - -static int db_hash_update(struct gen_hash_state *state, uint8_t *data, size_t len) -{ - if (tc_cmac_update(&state->state, data, len) == TC_CRYPTO_FAIL) { - LOG_ERR("CMAC update failed"); - return -EIO; - } - return 0; -} - -static int db_hash_finish(struct gen_hash_state *state) -{ - if (tc_cmac_final(db_hash.hash, &(state->state)) == TC_CRYPTO_FAIL) { - LOG_ERR("CMAC finish failed"); - return -EIO; - } - return 0; -} - - -#endif /* CONFIG_BT_USE_PSA_API */ - union hash_attr_value { /* Bluetooth Core Specification Version 5.3 | Vol 3, Part G * Table 3.1: Service declaration diff --git a/subsys/bluetooth/host/hci_ecc.c b/subsys/bluetooth/host/hci_ecc.c index 39fc7ef47a2f5c..a30328d871b280 100644 --- a/subsys/bluetooth/host/hci_ecc.c +++ b/subsys/bluetooth/host/hci_ecc.c @@ -14,14 +14,7 @@ #include #include -#if defined(CONFIG_BT_USE_PSA_API) #include -#else /* !CONFIG_BT_USE_PSA_API */ -#include -#include -#include -#include -#endif /* CONFIG_BT_USE_PSA_API*/ #include #include @@ -109,7 +102,6 @@ static void send_cmd_status(uint16_t opcode, uint8_t status) #endif } -#if defined(CONFIG_BT_USE_PSA_API) static void set_key_attributes(psa_key_attributes_t *attr) { psa_set_key_type(attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); 
@@ -156,29 +148,6 @@ static uint8_t generate_keys(void) return 0; } -#else -static uint8_t generate_keys(void) -{ - do { - int rc; - - rc = uECC_make_key(ecc.public_key_be, ecc.private_key_be, - &curve_secp256r1); - if (rc == TC_CRYPTO_FAIL) { - LOG_ERR("Failed to create ECC public/private pair"); - return BT_HCI_ERR_UNSPECIFIED; - } - - /* make sure generated key isn't debug key */ - } while (memcmp(ecc.private_key_be, debug_private_key_be, BT_PRIV_KEY_LEN) == 0); - - if (IS_ENABLED(CONFIG_BT_LOG_SNIFFER_INFO)) { - LOG_INF("SC private key 0x%s", bt_hex(ecc.private_key_be, BT_PRIV_KEY_LEN)); - } - - return 0; -} -#endif /* CONFIG_BT_USE_PSA_API */ static void emulate_le_p256_public_key_cmd(void) { @@ -233,7 +202,6 @@ static void emulate_le_generate_dhkey(void) int ret = 0; bool use_debug = atomic_test_bit(flags, USE_DEBUG_KEY); -#if defined(CONFIG_BT_USE_PSA_API) psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT; psa_key_id_t key_id; /* PSA expects secp256r1 public key to start with a predefined 0x04 byte @@ -265,19 +233,6 @@ static void emulate_le_generate_dhkey(void) ret = -EIO; } -#else /* !CONFIG_BT_USE_PSA_API */ - ret = uECC_valid_public_key(ecc.public_key_be, &curve_secp256r1); - if (ret < 0) { - LOG_ERR("public key is not valid (ret %d)", ret); - ret = -EIO; - goto exit; - } - ret = uECC_shared_secret(ecc.public_key_be, - use_debug ? debug_private_key_be : ecc.private_key_be, - ecc.dhkey_be, &curve_secp256r1); - ret = (ret == TC_CRYPTO_FAIL) ? -EIO : 0; -#endif /* CONFIG_BT_USE_PSA_API */ - exit: buf = bt_buf_get_rx(BT_BUF_EVT, K_FOREVER); diff --git a/tests/bluetooth/mesh/basic/testcase.yaml b/tests/bluetooth/mesh/basic/testcase.yaml index 1eced45437fcd0..dcd2e8abbc8d31 100644 --- a/tests/bluetooth/mesh/basic/testcase.yaml +++ b/tests/bluetooth/mesh/basic/testcase.yaml 
@@ -46,8 +46,6 @@ tests: bluetooth.mesh.gatt.psa: build_only: true extra_args: CONF_FILE=gatt.conf - extra_configs: - - CONFIG_BT_USE_PSA_API=y platform_allow: - qemu_x86 - nrf5340dk/nrf5340/cpuapp/ns diff --git a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf index 49282c5e502db1..9e3c2e8461de74 100644 --- a/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf +++ b/tests/bsim/bluetooth/host/gatt/caching/psa_overlay.conf @@ -1,4 +1,3 @@ -CONFIG_BT_USE_PSA_API=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf index 49282c5e502db1..9e3c2e8461de74 100644 --- a/tests/bsim/bluetooth/ll/conn/psa_overlay.conf +++ b/tests/bsim/bluetooth/ll/conn/psa_overlay.conf @@ -1,4 +1,3 @@ -CONFIG_BT_USE_PSA_API=y CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PSA_CRYPTO_C=y CONFIG_PSA_CRYPTO_ENABLE_ALL=y diff --git a/tests/bsim/bluetooth/mesh/overlay_psa.conf b/tests/bsim/bluetooth/mesh/overlay_psa.conf index d250244f506f77..2a39292aadb729 100644 --- a/tests/bsim/bluetooth/mesh/overlay_psa.conf +++ b/tests/bsim/bluetooth/mesh/overlay_psa.conf @@ -1,6 +1,3 @@ -# Enable PSA as a crypto backend in host -CONFIG_BT_USE_PSA_API=y - # Increase the number of key slots in PSA core CONFIG_MBEDTLS_PSA_KEY_SLOT_COUNT=64