Skip to content

sys/psa_crypto: Adding aead aes ccm#21455

Merged
mguetschow merged 5 commits intoRIOT-OS:masterfrom
Lukas-Luger:pr/psa-aes-ccm
May 28, 2025
Merged

sys/psa_crypto: Adding aead aes ccm#21455
mguetschow merged 5 commits intoRIOT-OS:masterfrom
Lukas-Luger:pr/psa-aes-ccm

Conversation

@Lukas-Luger
Copy link
Copy Markdown
Contributor

@Lukas-Luger Lukas-Luger commented Apr 29, 2025

Contribution description

This PR adds AES CCM as the first Authenticated encryption with associated data algorithm to the PSA Certified Crypto API implementation of RIOT.

It comes with three backends:

Cifra

  • supports all three key sizes (128, 192, 256)

Tinycrypt

  • only supports 128 bit key size
  • nonce size is limited to 13 Bytes

Cryptocell 310

  • only supports 128 bit key size

Testing procedure

A test is provided in tests/sys/psa_crypto_aead.
Note that the test will fail on tinycrypt because of invalid nonce size.

Issues/PRs references

This is highly inspired by #18547.

@github-actions github-actions bot added Platform: ARM Platform: This PR/issue effects ARM-based platforms Area: doc Area: Documentation Area: tests Area: tests and testing framework Area: build system Area: Build system Area: pkg Area: External package ports Area: cpu Area: CPU/MCU ports Area: sys Area: System labels Apr 29, 2025
@benpicco benpicco requested a review from Einhornhool April 29, 2025 17:01
@crasbe crasbe added Type: new feature The issue requests / The PR implemements a new feature for RIOT CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR labels Apr 29, 2025
@riot-ci
Copy link
Copy Markdown

riot-ci commented Apr 29, 2025
edited
Loading

Murdock results

✔️ PASSED

406d6dc pkg/driver_cryptocell_310: add psa_crypto aes ccm

Success Failures Total Runtime
10382 0 10383 15m:06s

Artifacts

mguetschow
mguetschow requested changes Apr 30, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mguetschow mguetschow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for doing this! Here's a first round of review. Haven't tested it locally yet.

@mguetschow
Copy link
Copy Markdown
Contributor

mguetschow commented Apr 30, 2025

Oh, and something seems to be off in your automatic backend selection:

-- running on worker alien thread 1, build number 13791.
make: Entering directory '/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/tests/sys/psa_crypto_aead'
 You are going to use the PSA Crypto module, which is only partly implemented and not yet thouroughly tested.\n Please do not use this module in production, as it may introduce security issues!
/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/sys/psa_crypto/Makefile.include:111: *** "One (and only one) backend should be selected for psa_aead_aes_128_ccm".  Stop.
make: Leaving directory '/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/tests/sys/psa_crypto_aead'
make: Entering directory '/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/tests/sys/psa_crypto_aead'
 You are going to use the PSA Crypto module, which is only partly implemented and not yet thouroughly tested.\n Please do not use this module in production, as it may introduce security issues!
/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/sys/psa_crypto/Makefile.include:111: *** "One (and only one) backend should be selected for psa_aead_aes_128_ccm".  Stop.
make: Leaving directory '/tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/tests/sys/psa_crypto_aead'
cat: /tmp/dwq.0.49495055948356803/0b95bb80d67d834a634a4edd6938ca1d/build/test-input-hash.sha1: No such file or directory

mguetschow
mguetschow approved these changes May 9, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mguetschow mguetschow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this! Feel free to squash directly after adding the missing documentation.

@Lukas-Luger Lukas-Luger force-pushed the pr/psa-aes-ccm branch 3 times, most recently from bb55129 to 08ebf6f Compare May 9, 2025 12:25
@Lukas-Luger
Copy link
Copy Markdown
Contributor Author

Lukas-Luger commented May 9, 2025

No Problem. Everything should be ready now ;)

mguetschow
mguetschow requested changes May 12, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mguetschow mguetschow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, one last nit, found while trying to compile with

diff --git a/tests/sys/psa_crypto_aead/Makefile b/tests/sys/psa_crypto_aead/Makefile
index e0fdc67078..5d8f3615e1 100644
--- a/tests/sys/psa_crypto_aead/Makefile
+++ b/tests/sys/psa_crypto_aead/Makefile
@@ -6,6 +6,8 @@ USEMODULE += psa_crypto
 
 USEMODULE += psa_aead
 USEMODULE += psa_aead_aes_128_ccm
+USEMODULE += psa_aead_aes_128_ccm_custom_backend
+USEMODULE += psa_aead_aes_128_ccm_backend_tinycrypt
 
 CFLAGS += -DCONFIG_PSA_SINGLE_KEY_COUNT=2

Also, would you mind updating your commit messages and remove all the fixup commit messages? I can show you how to, if needed.

@Lukas-Luger
Copy link
Copy Markdown
Contributor Author

Lukas-Luger commented May 23, 2025

Should be all done now. Sorry for the delay

@mguetschow mguetschow enabled auto-merge May 26, 2025 11:22
mguetschow
mguetschow approved these changes May 26, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mguetschow mguetschow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mguetschow mguetschow added this pull request to the merge queue May 26, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks May 26, 2025
@crasbe
Copy link
Copy Markdown
Contributor

crasbe commented May 26, 2025

You'll have to add a Makefile.ci to the tests/sys/psa_crypto_aead with the following content:

BOARD_INSUFFICIENT_MEMORY := \
    nucleo-l011k4 \
    samd10-xmini \
    stm32f030f4-demo \
    #

@mguetschow mguetschow added this pull request to the merge queue May 27, 2025
Merged via the queue into RIOT-OS:master with commit 9100302 May 28, 2025
25 checks passed
@Lukas-Luger Lukas-Luger deleted the pr/psa-aes-ccm branch May 28, 2025 10:52
@mguetschow mguetschow mentioned this pull request May 28, 2025
Merged
@Teufelchen1 Teufelchen1 added this to the Release 2025.07 milestone Jul 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcr mcr mcr approved these changes

@mguetschow mguetschow mguetschow approved these changes

@leandrolanzieri leandrolanzieri Awaiting requested review from leandrolanzieri leandrolanzieri is a code owner

@aabadie aabadie Awaiting requested review from aabadie aabadie is a code owner

@MichelRottleuthner MichelRottleuthner Awaiting requested review from MichelRottleuthner MichelRottleuthner is a code owner

@jia200x jia200x Awaiting requested review from jia200x jia200x is a code owner

@Einhornhool Einhornhool Awaiting requested review from Einhornhool

Assignees

No one assigned

Labels

Area: build system Area: Build system Area: cpu Area: CPU/MCU ports Area: doc Area: Documentation Area: pkg Area: External package ports Area: sys Area: System Area: tests Area: tests and testing framework CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Platform: ARM Platform: This PR/issue effects ARM-based platforms Type: new feature The issue requests / The PR implemements a new feature for RIOT

Projects

None yet

Milestone

Release 2025.07

Development

Successfully merging this pull request may close these issues.

6 participants

@Lukas-Luger @riot-ci @mguetschow @crasbe @mcr @Teufelchen1