crypto: nrf_cc3xx: Update mutex support for Mbed TLS 3.6.0

-This adds support for the 3 new mutexes that is required when building with Mbed TLS 3.6.0 with PSA crypto: - mbedtls_threading_key_slot_mutex - mbedtls_threading_psa_globaldata_mutex - mbedtls_threading_psa_rngdata_mutex -Fixed typo Note: There is a counterpart to this for devices that doesn't enable CC3XX_BACKEND (Legacy crypto features) present in nrf_security to allow thread-safe PSA core in all types of build in NCS. Signed-off-by: Frank Audun Kvamtrø <[email protected]>
nrfconnect · Sep 10, 2024 · d826e24 · d826e24
1 parent a21499e
commit d826e24
Show file tree

Hide file tree

Showing 2 changed files with 148 additions and 2 deletions.
diff --git a/crypto/nrf_cc310_platform/src/nrf_cc3xx_platform_mutex_zephyr.c b/crypto/nrf_cc310_platform/src/nrf_cc3xx_platform_mutex_zephyr.c
@@ -45,6 +45,14 @@ K_MUTEX_DEFINE(power_mutex_int);
  */
 K_MUTEX_DEFINE(heap_mutex_int);
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+K_MUTEX_DEFINE(key_slot_mutex_int);
+
+/** @brief Definition of mutex for PSA global access
+ */
+K_MUTEX_DEFINE(psa_globaldata_mutex_int);
+
 #elif CONFIG_CC3XX_ATOMIC_LOCK
 
 /** @brief Definition of mutex for symmetric cryptography
@@ -63,13 +71,23 @@ static atomic_t power_mutex_int;
  */
 static atomic_t heap_mutex_int;
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+static atomic_t key_slot_mutex_int;
+
+/** @brief Definition of mutex for PSA global access
+ */
+static atomic_t psa_globaldata_mutex_int;
+
 #elif defined(NRF5340_XXAA_APPLICATION) && NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX
 
 typedef enum {
     HW_MUTEX_SYM_CRYPTO = 15,
     HW_MUTEX_ASYM_CRYPTO = 14,
     HW_MUTEX_POWER_MODE = 13,
     HW_MUTEX_HEAP_ALLOC = 12,
+    HW_MUTEX_KEY_SLOT = 11,
+    HW_MUTEX_PSA_GLOBALDATA = 10,
 } hw_mutex_t;
 
 /** @brief Definition of mutex for symmetric cryptography
@@ -88,6 +106,14 @@ static hw_mutex_t power_mutex_int = HW_MUTEX_POWER_MODE;
  */
 static hw_mutex_t heap_mutex_int = HW_MUTEX_HEAP_ALLOC;
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+static hw_mutex_t key_slot_mutex_int = HW_MUTEX_KEY_SLOT;
+
+/** @brief Definition of mutex for PSA global access
+ */
+static hw_mutex_t psa_globaldata_mutex_int = HW_MUTEX_PSA_GLOBALDATA;
+
 #else
 #error "Improper configuration of the lock variant!"
 #endif
@@ -161,7 +187,7 @@ static nrf_cc3xx_platform_mutex_t power_mutex = {
  *  allocation is unneccesary
  *
  * @note This symbol can't be static as it is referenced in the replacement
- *       file mbemory_buffer_alloc.c inside the heap structure.
+ *       file memory_buffer_alloc.c inside the heap structure.
  */
 nrf_cc3xx_platform_mutex_t heap_mutex = {
     .mutex = &heap_mutex_int,
@@ -172,6 +198,53 @@ nrf_cc3xx_platform_mutex_t heap_mutex = {
                     NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
 };
 
+/** @brief Definition of RTOS-independent key slot mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_key_slot_mutex = {
+    .mutex = &key_slot_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
+/** @brief Definition of RTOS-independent PSA global data mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_psa_globaldata_mutex = {
+    .mutex = &psa_globaldata_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
+/** @brief Definition of RTOS-independent psa global data mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ *
+ * @note Reusing the RNG mutex used for CryptoCell.
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_psa_rngdata_mutex = {
+    .mutex = &rng_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
 static bool mutex_flags_unknown(uint32_t flags){
     switch(flags){
         case (NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID | NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_INTERNAL_MUTEX):

diff --git a/crypto/nrf_cc312_platform/src/nrf_cc3xx_platform_mutex_zephyr.c b/crypto/nrf_cc312_platform/src/nrf_cc3xx_platform_mutex_zephyr.c
@@ -45,6 +45,14 @@ K_MUTEX_DEFINE(power_mutex_int);
  */
 K_MUTEX_DEFINE(heap_mutex_int);
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+K_MUTEX_DEFINE(key_slot_mutex_int);
+
+/** @brief Definition of mutex for PSA global access
+ */
+K_MUTEX_DEFINE(psa_globaldata_mutex_int);
+
 #elif CONFIG_CC3XX_ATOMIC_LOCK
 
 /** @brief Definition of mutex for symmetric cryptography
@@ -63,13 +71,23 @@ static atomic_t power_mutex_int;
  */
 static atomic_t heap_mutex_int;
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+static atomic_t key_slot_mutex_int;
+
+/** @brief Definition of mutex for PSA global access
+ */
+static atomic_t psa_globaldata_mutex_int;
+
 #elif defined(NRF5340_XXAA_APPLICATION) && NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX
 
 typedef enum {
     HW_MUTEX_SYM_CRYPTO = 15,
     HW_MUTEX_ASYM_CRYPTO = 14,
     HW_MUTEX_POWER_MODE = 13,
     HW_MUTEX_HEAP_ALLOC = 12,
+    HW_MUTEX_KEY_SLOT = 11,
+    HW_MUTEX_PSA_GLOBALDATA = 10,
 } hw_mutex_t;
 
 /** @brief Definition of mutex for symmetric cryptography
@@ -88,6 +106,14 @@ static hw_mutex_t power_mutex_int = HW_MUTEX_POWER_MODE;
  */
 static hw_mutex_t heap_mutex_int = HW_MUTEX_HEAP_ALLOC;
 
+/** @brief Definition of mutex for PSA storage key slot operations
+ */
+static hw_mutex_t key_slot_mutex_int = HW_MUTEX_KEY_SLOT;
+
+/** @brief Definition of mutex for PSA global access
+ */
+static hw_mutex_t psa_globaldata_mutex_int = HW_MUTEX_PSA_GLOBALDATA;
+
 #else
 #error "Improper configuration of the lock variant!"
 #endif
@@ -161,7 +187,7 @@ static nrf_cc3xx_platform_mutex_t power_mutex = {
  *  allocation is unneccesary
  *
  * @note This symbol can't be static as it is referenced in the replacement
- *       file mbemory_buffer_alloc.c inside the heap structure.
+ *       file memory_buffer_alloc.c inside the heap structure.
  */
 nrf_cc3xx_platform_mutex_t heap_mutex = {
     .mutex = &heap_mutex_int,
@@ -172,6 +198,53 @@ nrf_cc3xx_platform_mutex_t heap_mutex = {
                     NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
 };
 
+/** @brief Definition of RTOS-independent key slot mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_key_slot_mutex = {
+    .mutex = &key_slot_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
+/** @brief Definition of RTOS-independent PSA global data mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_psa_globaldata_mutex = {
+    .mutex = &psa_globaldata_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
+/** @brief Definition of RTOS-independent psa global data mutex
+ *  with NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID set to indicate that
+ *  allocation is unneccesary
+ *
+ * @note This symbol can't be static as it is referenced from Mbed TLS
+ *
+ * @note Reusing the RNG mutex used for CryptoCell.
+ */
+nrf_cc3xx_platform_mutex_t mbedtls_threading_psa_rngdata_mutex = {
+    .mutex = &rng_mutex_int,
+    .flags = IS_ENABLED(CONFIG_CC3XX_ATOMIC_LOCK) ?
+                NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_ATOMIC :
+                IS_ENABLED(CONFIG_CC3XX_HW_MUTEX_LOCK) ?
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_HW_MUTEX :
+                    NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID
+};
+
 static bool mutex_flags_unknown(uint32_t flags){
     switch(flags){
         case (NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_VALID | NRF_CC3XX_PLATFORM_MUTEX_MASK_IS_INTERNAL_MUTEX):