Description
Introduction
Zephyr currently has at least three different cryptography implementations available and in use. They are:
- https://github.com/zephyrproject-rtos/tinycrypt
- https://github.com/zephyrproject-rtos/mbedtls
- https://github.com/zephyrproject-rtos/zephyr/blob/main/include/crypto/crypto.h
The lack of a unified cryptography API leads to a situation where different components each use the implementation that best meets their needs, and when an application needs those components we end up having multiple cryptography implementations in a single target. This means resources are wasted.
To make things worse, one of these implementations (TinyCrypt) is no longer supported, which puts us in the position of maintaining it ourselves or replacing it with something else.
The PSA Crypto implementation provides a portable interface to cryptographic operations on a wide range of hardware and software. This means Zephyr may use a single API that can have different implementations depending on build options.
More information about it can be found in https://armmbed.github.io/mbed-crypto/html/overview/intro.html
Problem description
The lack of ONE API may cause waste of resources (multiple implementations needed at the same time), make products more vulnerable (multiple implementations increase the code surface and consequently the chance of bugs), and it does help us take full advantage of HW accelerators.
Proposed change
The proposal is to adopt the PSA Crypto API in Zephyr to replace the direct usage of other cryptography implementations.
Detailed RFC
The initial idea is:
- Select an implementation of the PSA Crypto API (recent versions of mbedTLS implement it).
- Change the code base to use the PSA Crypto API.
- Enable HW accelerators in the new API.
Concerns and Unresolved Questions
- The major reason to use TinyCrypt is constrained resources. Will PSA Crypto be able to meet similar requirements?
- What happens if we end up having two implementations of the PSA Crypto API in the same target? E.g. TF-M uses the mbedTLS implementation and Zephyr's code base uses another one.
Alternatives
- One alternative is to implement Zephyr's own API. That is the idea behind the crypto drivers implementation (https://github.com/zephyrproject-rtos/zephyr/blob/main/include/crypto/crypto.h).