pkg/driver_cryptocell_310: add psa_crypto aes ccm

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Co-authored-by: mguetschow <[email protected]>

Update pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

Author: Lukas-Luger

cpu/nrf52/Makefile.features

@@ -21,6 +21,7 @@ ifneq (,$(filter nrf52840xxaa,$(CPU_MODEL)))
   FEATURES_PROVIDED += periph_hmac_sha_256
   FEATURES_PROVIDED += periph_cipher_aes_128_cbc
   FEATURES_PROVIDED += periph_cipher_chacha20
+  FEATURES_PROVIDED += periph_aead_aes_128_ccm
   FEATURES_PROVIDED += periph_ecc_p192r1
   FEATURES_PROVIDED += periph_ecc_p256r1
   FEATURES_PROVIDED += periph_ecc_ed25519

cpu/nrf52/periph/Makefile.dep

@@ -43,6 +43,11 @@ ifneq (,$(filter periph_cipher_chacha20,$(USEMODULE)))
   USEMODULE += psa_cryptocell_310_cipher_chacha20
 endif
 
+ifneq (,$(filter periph_aead_aes_128_ccm,$(USEMODULE)))
+  USEPKG += driver_cryptocell_310
+  USEMODULE += psa_cryptocell_310_aes_ccm
+endif
+
 ifneq (,$(filter periph_hmac_sha_256,$(USEMODULE)))
   USEPKG += driver_cryptocell_310
   USEMODULE += psa_cryptocell_310_hmac

features.yaml

@@ -866,6 +866,8 @@ groups:
       help: AES 128 CBC hardware acceleration present
     - name: periph_cipher_chacha20
       help: ChaCha20 hardware acceleration present
+    - name: periph_aead_aes_128_ccm
+      help: AES 128 CCM hardware acceleration present
     - name: periph_ecc_p192r1
       help: ECC P192R1 hardware acceleration peripheral present.
     - name: periph_ecc_p256r1

makefiles/features_existing.inc.mk

@@ -139,6 +139,7 @@ FEATURES_EXISTING := \
     no_idle_thread \
     periph_adc \
     periph_adc_continuous \
+    periph_aead_aes_128_ccm \
     periph_can \
     periph_cipher_aes_128_cbc \
     periph_cipher_chacha20 \

makefiles/features_modules.inc.mk

@@ -13,6 +13,7 @@ USEMODULE += $(PERIPH_FEATURES)
 PERIPH_IGNORE_MODULES := \
   periph_cipher_aes_128_cbc \
   periph_cipher_chacha20 \
+  periph_aead_aes_128_ccm \
   periph_clic \
   periph_common \
   periph_coretimer \

pkg/driver_cryptocell_310/Makefile.include

@@ -13,6 +13,7 @@ endif
 CFLAGS += -Wno-cast-align
 
 PSEUDOMODULES += psa_cryptocell_310_aes_cbc
+PSEUDOMODULES += psa_cryptocell_310_aes_ccm
 PSEUDOMODULES += psa_cryptocell_310_aes_common
 PSEUDOMODULES += psa_cryptocell_310_cipher_chacha20
 PSEUDOMODULES += psa_cryptocell_310_ecc_common

pkg/driver_cryptocell_310/psa_cryptocell_310/Makefile.dep

@@ -21,6 +21,10 @@ ifneq (,$(filter psa_cryptocell_310_aes_cbc,$(USEMODULE)))
   USEMODULE += psa_cryptocell_310_aes_common
 endif
 
+ifneq (,$(filter psa_cryptocell_310_aes_ccm,$(USEMODULE)))
+  USEMODULE += psa_cryptocell_310_aes_common
+endif
+
 ifneq (,$(filter psa_cryptocell_310_ecc_p192,$(USEMODULE)))
   USEMODULE += psa_cryptocell_310_ecc_common
 endif

pkg/driver_cryptocell_310/psa_cryptocell_310/aes_ccm.c

@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2025 TU Dresden
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+/**
+ * @ingroup     sys_psa_crypto pkg_driver_cryptocell_310
+ * @{
+ *
+ * @brief       Glue code translating between PSA Crypto and the PSA Cryptocell 310 APIs
+ *
+ * @author      Lukas Luger <[email protected]>
+ *
+ * @}
+ */
+
+#include "psa/crypto.h"
+#include "crys_aesccm.h"
+#include "crys_aesccm_error.h"
+#include "psa_error.h"
+#include "cryptocell_310_util.h"
+
+#define ENABLE_DEBUG 0
+#include "debug.h"
+
+psa_status_t psa_aead_aes_128_ccm_encrypt(const psa_key_attributes_t *attributes,
+                                          uint8_t *key_buffer, size_t key_buffer_length,
+                                          uint8_t tag_length, const uint8_t *nonce,
+                                          size_t nonce_length, const uint8_t *additional_data,
+                                          size_t additional_data_length, const uint8_t *plaintext,
+                                          size_t plaintext_length, uint8_t *ciphertext,
+                                          size_t ciphertext_size, size_t *ciphertext_length)
+{
+    (void)attributes;
+    (void)key_buffer_length;
+    /* This should already have been checked by PSA. */
+    assert(ciphertext_size >= plaintext_length + tag_length);
+
+    if (!cryptocell_310_data_within_ram(nonce) ||
+        !cryptocell_310_data_within_ram(key_buffer) ||
+        !cryptocell_310_data_within_ram(additional_data) ||
+        !cryptocell_310_data_within_ram(plaintext)) {
+        DEBUG("%s : cryptocell_310 data required to be in RAM.\n", __FILE__);
+        return PSA_ERROR_DATA_INVALID;
+    }
+
+    uint8_t tag[PSA_AES_CCM_TAG_MAX_SIZE];
+
+    CRYSError_t ret = CC_AESCCM(SASI_AES_ENCRYPT, (uint8_t *)key_buffer, CRYS_AES_Key128BitSize,
+                                (uint8_t *)nonce, nonce_length, (uint8_t *)additional_data,
+                                additional_data_length, (uint8_t *)plaintext, plaintext_length,
+                                ciphertext, tag_length, tag, CRYS_AESCCM_MODE_CCM);
+
+    if (ret != CRYS_OK) {
+        DEBUG("%s : cryptocell_310 failed to encrypt with %s.\n", __FILE__,
+              cryptocell310_status_to_humanly_readable(ret));
+        return CRYS_to_psa_error(ret);
+    }
+
+    memcpy(&ciphertext[plaintext_length], tag, tag_length);
+
+    *ciphertext_length = plaintext_length + tag_length;
+
+    return PSA_SUCCESS;
+}
+
+psa_status_t psa_aead_aes_128_ccm_decrypt(const psa_key_attributes_t *attributes,
+                                          uint8_t *key_buffer, size_t key_buffer_length,
+                                          uint8_t tag_length, const uint8_t *nonce,
+                                          size_t nonce_length, const uint8_t *additional_data,
+                                          size_t additional_data_length, const uint8_t *ciphertext,
+                                          size_t ciphertext_length, uint8_t *plaintext,
+                                          size_t plaintext_size, size_t *plaintext_length)
+{
+    (void)attributes;
+    (void)key_buffer_length;
+    /* This should already have been checked by PSA. */
+    assert(plaintext_size >= ciphertext_length - tag_length);
+
+    if (!cryptocell_310_data_within_ram(nonce) ||
+        !cryptocell_310_data_within_ram(key_buffer) ||
+        !cryptocell_310_data_within_ram(additional_data) ||
+        !cryptocell_310_data_within_ram(ciphertext)) {
+        DEBUG("%s : cryptocell_310 data required to be in RAM.\n", __FILE__);
+        return PSA_ERROR_DATA_INVALID;
+    }
+
+    uint8_t tag[PSA_AES_CCM_TAG_MAX_SIZE];
+    memcpy(tag, &ciphertext[plaintext_size], tag_length);
+
+    CRYSError_t ret = CC_AESCCM(SASI_AES_DECRYPT, (uint8_t *)key_buffer, CRYS_AES_Key128BitSize,
+                                (uint8_t *)nonce, nonce_length, (uint8_t *)additional_data,
+                                additional_data_length, (uint8_t *)ciphertext,
+                                ciphertext_length - tag_length, plaintext, tag_length,
+                                tag, CRYS_AESCCM_MODE_CCM);
+
+    if (ret != CRYS_OK) {
+        DEBUG("%s : cryptocell_310 failed to decrypt with %s.\n", __FILE__,
+              cryptocell310_status_to_humanly_readable(ret));
+        return CRYS_to_psa_error(ret);
+    }
+
+    *plaintext_length = ciphertext_length - tag_length;
+
+    return PSA_SUCCESS;
+}

pkg/driver_cryptocell_310/psa_cryptocell_310/error_conversion.c

@@ -19,6 +19,7 @@
  */
 
 #include "psa_error.h"
+#include "crys_aesccm_error.h"
 
 psa_status_t CRYS_to_psa_error(CRYSError_t error)
 {
@@ -144,7 +145,34 @@ psa_status_t CRYS_to_psa_error(CRYSError_t error)
     case CRYS_ECMONT_PKI_ERROR:
     case CRYS_ECMONT_IS_NOT_SUPPORTED:
     case CRYS_ECEDW_IS_NOT_SUPPORTED:
+    case CRYS_AESCCM_INVALID_USER_CONTEXT_POINTER_ERROR:
+    case CRYS_AESCCM_ILLEGAL_KEY_SIZE_ERROR:
+    case CRYS_AESCCM_INVALID_KEY_POINTER_ERROR:
+    case CRYS_AESCCM_INVALID_ENCRYPT_MODE_ERROR:
+    case CRYS_AESCCM_USER_CONTEXT_CORRUPTED_ERROR:
+    case CRYS_AESCCM_DATA_IN_POINTER_INVALID_ERROR:
+    case CRYS_AESCCM_DATA_OUT_POINTER_INVALID_ERROR:
+    case CRYS_AESCCM_DATA_IN_SIZE_ILLEGAL:
+    case CRYS_AESCCM_DATA_OUT_DATA_IN_OVERLAP_ERROR:
+    case CRYS_AESCCM_DATA_OUT_SIZE_INVALID_ERROR:
+    case CRYS_AESCCM_ADDITIONAL_BLOCK_NOT_PERMITTED_ERROR:
+    case CRYS_AESCCM_ILLEGAL_DMA_BUFF_TYPE_ERROR:
+    case CRYS_AESCCM_ILLEGAL_PARAMETER_SIZE_ERROR:
+    case CRYS_AESCCM_ILLEGAL_PARAMETER_PTR_ERROR:
+    case CRYS_AESCCM_ILLEGAL_DATA_TYPE_ERROR:
+    case CRYS_AESCCM_LAST_BLOCK_NOT_PERMITTED_ERROR:
+    case CRYS_AESCCM_ILLEGAL_PARAMETER_ERROR:
+    case CRYS_AESCCM_NOT_ALL_ADATA_WAS_PROCESSED_ERROR:
+    case CRYS_AESCCM_NOT_ALL_DATA_WAS_PROCESSED_ERROR:
+    case CRYS_AESCCM_ADATA_WAS_PROCESSED_ERROR:
+    case CRYS_AESCCM_ILLEGAL_NONCE_SIZE_ERROR:
+    case CRYS_AESCCM_ILLEGAL_TAG_SIZE_ERROR:
+    case CRYS_AESCCM_CTX_SIZES_ERROR:
+    case CRYS_AESCCM_ILLEGAL_PARAMS_ERROR:
+    case CRYS_AESCCM_IS_NOT_SUPPORTED:
         return PSA_ERROR_INVALID_ARGUMENT;
+    case CRYS_AESCCM_CCM_MAC_INVALID_ERROR:
+        return PSA_ERROR_INVALID_SIGNATURE;
     default:
         return PSA_ERROR_GENERIC_ERROR;
     }
@@ -486,6 +514,58 @@ const char *cryptocell310_status_to_humanly_readable(uint32_t status)
             return "CRYS_CHACHA_INVALID_USER_CONTEXT_POINTER_ERROR";
         case CRYS_CHACHA_IS_NOT_SUPPORTED:
             return "CRYS_CHACHA_IS_NOT_SUPPORTED";
+        case CRYS_AESCCM_INVALID_USER_CONTEXT_POINTER_ERROR:
+            return "CRYS_AESCCM_INVALID_USER_CONTEXT_POINTER_ERROR";
+        case CRYS_AESCCM_ILLEGAL_KEY_SIZE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_KEY_SIZE_ERROR";
+        case CRYS_AESCCM_INVALID_KEY_POINTER_ERROR:
+            return "CRYS_AESCCM_INVALID_KEY_POINTER_ERROR";
+        case CRYS_AESCCM_INVALID_ENCRYPT_MODE_ERROR:
+            return "CRYS_AESCCM_INVALID_ENCRYPT_MODE_ERROR";
+        case CRYS_AESCCM_USER_CONTEXT_CORRUPTED_ERROR:
+            return "CRYS_AESCCM_USER_CONTEXT_CORRUPTED_ERROR";
+        case CRYS_AESCCM_DATA_IN_POINTER_INVALID_ERROR:
+            return "CRYS_AESCCM_DATA_IN_POINTER_INVALID_ERROR";
+        case CRYS_AESCCM_DATA_OUT_POINTER_INVALID_ERROR:
+            return "CRYS_AESCCM_DATA_OUT_POINTER_INVALID_ERROR";
+        case CRYS_AESCCM_DATA_IN_SIZE_ILLEGAL:
+            return "CRYS_AESCCM_DATA_IN_SIZE_ILLEGAL";
+        case CRYS_AESCCM_DATA_OUT_DATA_IN_OVERLAP_ERROR:
+            return "CRYS_AESCCM_DATA_OUT_DATA_IN_OVERLAP_ERROR";
+        case CRYS_AESCCM_DATA_OUT_SIZE_INVALID_ERROR:
+            return "CRYS_AESCCM_DATA_OUT_SIZE_INVALID_ERROR";
+        case CRYS_AESCCM_ADDITIONAL_BLOCK_NOT_PERMITTED_ERROR:
+            return "CRYS_AESCCM_ADDITIONAL_BLOCK_NOT_PERMITTED_ERROR";
+        case CRYS_AESCCM_ILLEGAL_DMA_BUFF_TYPE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_DMA_BUFF_TYPE_ERROR";
+        case CRYS_AESCCM_ILLEGAL_PARAMETER_SIZE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_PARAMETER_SIZE_ERROR";
+        case CRYS_AESCCM_ILLEGAL_PARAMETER_PTR_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_PARAMETER_PTR_ERROR";
+        case CRYS_AESCCM_ILLEGAL_DATA_TYPE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_DATA_TYPE_ERROR";
+        case CRYS_AESCCM_LAST_BLOCK_NOT_PERMITTED_ERROR:
+            return "CRYS_AESCCM_LAST_BLOCK_NOT_PERMITTED_ERROR";
+        case CRYS_AESCCM_ILLEGAL_PARAMETER_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_PARAMETER_ERROR";
+        case CRYS_AESCCM_NOT_ALL_ADATA_WAS_PROCESSED_ERROR:
+            return "CRYS_AESCCM_NOT_ALL_ADATA_WAS_PROCESSED_ERROR";
+        case CRYS_AESCCM_NOT_ALL_DATA_WAS_PROCESSED_ERROR:
+            return "CRYS_AESCCM_NOT_ALL_DATA_WAS_PROCESSED_ERROR";
+        case CRYS_AESCCM_ADATA_WAS_PROCESSED_ERROR:
+            return "CRYS_AESCCM_ADATA_WAS_PROCESSED_ERROR";
+        case CRYS_AESCCM_ILLEGAL_NONCE_SIZE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_NONCE_SIZE_ERROR";
+        case CRYS_AESCCM_ILLEGAL_TAG_SIZE_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_TAG_SIZE_ERROR";
+        case CRYS_AESCCM_CTX_SIZES_ERROR:
+            return "CRYS_AESCCM_CTX_SIZES_ERROR";
+        case CRYS_AESCCM_ILLEGAL_PARAMS_ERROR:
+            return "CRYS_AESCCM_ILLEGAL_PARAMS_ERROR";
+        case CRYS_AESCCM_IS_NOT_SUPPORTED:
+            return "CRYS_AESCCM_IS_NOT_SUPPORTED";
+        case CRYS_AESCCM_CCM_MAC_INVALID_ERROR:
+            return "CRYS_AESCCM_CCM_MAC_INVALID_ERROR";
         default:
             return "Error value not recognized";
     }