nrf_security: cracen: make IKG seed KMU slot configurable #17381
Conversation
github-actions
bot
added
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:sdk-nrf: PR head: b1871c4e1363f25bfced8971a2a3763627e44ebf more detailssdk-nrf:
Github labels
List of changed files detected by CI (12)Outputs:ToolchainVersion: 2aae60c2f9 Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
2 times, most recently
from
0b14d76 to
3ae08db
Compare
|
You can find the documentation preview for this PR at this link. It will be updated about 10 minutes after the documentation build succeeds. Note: This comment is automatically posted by the Documentation Publishing GitHub Action. |
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
from
3ae08db to
3473ab5
Compare
github-actions
bot
added
doc-required
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
from
3473ab5 to
5f947aa
Compare
| #define CRACEN_KMU_KEY_USAGE_SCHEME_RAW 3 | ||
| enum kmu_metadata_key_usage_scheme { | ||
| /** | ||
| * These keys can only be pushed to Cracen's protected RAM. |
There was a problem hiding this comment.
| * These keys can only be pushed to Cracen's protected RAM. | |
| * These keys can only be pushed to CRACEN's protected RAM. |
| the one defined here plus the two following it. | ||
| This defines the KMU slots location | ||
| - to which the IKG seed is provisioned, and | ||
| - that are pushed when loading the IKG seed. |
There was a problem hiding this comment.
3 KMU slots are provisioned/pushed for the IKG seed. I rephrased the sentence.
| range 0 183 | ||
| default 183 | ||
| help | ||
| The Cracen IKG seed spans over 3 KMU slots: |
There was a problem hiding this comment.
| The Cracen IKG seed spans over 3 KMU slots: | |
| The CRACEN IKG seed spans over 3 KMU slots: |
| @@ -97,7 +97,7 @@ Developing with PMICs | |||
| Security | |||
| ======== | |||
|
|
|||
| |no_changes_yet_note| | |||
| * The :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` Kconfig option was added to allow customization of the KMU slot used to store CRACEN's IKG SEED. | |||
There was a problem hiding this comment.
| * The :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` Kconfig option was added to allow customization of the KMU slot used to store CRACEN's IKG SEED. | |
| * The :kconfig:option:`CONFIG_CRACEN_IKG_SEED_KMU_SLOT` Kconfig option was added to allow customization of the KMU slot used to store CRACEN's Isolated Key Generator (IKG) seed. |
| - to which the IKG seed is provisioned, and | ||
| - that are pushed when loading the IKG seed. |
There was a problem hiding this comment.
Not sure if this renders as bullet points or just as continued text
And set it to 183 by default. In addition improve some names, replace magic numbers and remove duplicate definitions of values. Signed-off-by: Tomi Fontanilles <[email protected]>
Changed from 64 to 128 bits. Signed-off-by: Tomi Fontanilles <[email protected]>
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
from
5f947aa to
6521c40
Compare
| To send logs over RTT instead of UART, apply the following settings: | ||
| .. toggle:: | ||
|
|
||
| Custom printing has been dropped in favor of using the logging subsystem, with output printed out to the default logging device. |
There was a problem hiding this comment.
| Custom printing has been dropped in favor of using the logging subsystem, with output printed out to the default logging device. | |
| Custom printing is replaced by the logging subsystem, with output printed out to the default logging device. |
There was a problem hiding this comment.
This is not something I wrote. All I did here was add the toggle...
There was a problem hiding this comment.
This was reviewed and approved by Anna in #17079
| * Enable the :kconfig:option:`CONFIG_USE_SEGGER_RTT` and :kconfig:option:`CONFIG_RTT_CONSOLE` Kconfig options. | ||
| * Disable the :kconfig:option:`CONFIG_UART_CONSOLE` and :kconfig:option:`CONFIG_SERIAL` Kconfig options. |
There was a problem hiding this comment.
Is there a reason why these two got indented?
There was a problem hiding this comment.
Yes. I put everything in here under a toggle, so everything needs to be indented one level more.
| default 183 | ||
| help | ||
| The Cracen IKG seed spans over 3 KMU slots: | ||
| the one defined here plus the two following it. |
There was a problem hiding this comment.
Would it be better to say "and the two subsequent ones" instead?
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
from
6521c40 to
62dbff1
Compare
|
ping for reviewers |
| */ | ||
| KMU_METADATA_SCHEME_PROTECTED, | ||
| /** | ||
| * These keys use 3 key slots. Pushed to the seed register. |
There was a problem hiding this comment.
These are not exactly keys though, we can maybe rename it to seed material/data or something?
There was a problem hiding this comment.
This is only something I copy-pasted from subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.h to be able to get rid of duplicate macros that were here. But true, so I'll change the naming.
So that everything is as it should be. Signed-off-by: Tomi Fontanilles <[email protected]>
tomi-font
force-pushed
the
security_cracen_IKG_seed_slot
branch
from
62dbff1 to
b1871c4
Compare
| @@ -64,9 +64,9 @@ struct kmu_src_t { | |||
| /** Revocation policy. */ | |||
| uint32_t rpolicy; | |||
| /** 32-bit destination address. Cannot point to SICR and must be on a | |||
| * 64-bit boundary. | |||
| * 128-bit boundary. | |||
There was a problem hiding this comment.
I guess here we can say that is 64 bit boundary for the pdk and 128 for the dk, right?
There was a problem hiding this comment.
I expect the alignment requirement to be 128 bits starting from now, so that's why I only mentioned that. And anyway support for PDK will be removed soon.
And set it to 183 by default.
In addition improve some names, replace magic numbers and remove duplicate definitions of values.