Skip to content

PSA Crypto API adoption in Zephyr #43712

@ceolin

Description

@ceolin

Introduction

Zephyr has currently, at least, three different cryptography available and been used. They are:

The lack of an unified API to cryptography leads to a situation where we have different components using the one that best attend there needs and when an application needs those components we end up having multiple cryptography implementations in a single target. This means resources being waste.

To make things worse, one of these implementations (TinyCrypt) is no longer supported, which put us in a position of maintain it by ourselves or replace it with something else.

PSA Crypto implementation provides a portable interface to cryptographic operations on a wide range of hardware and software. Which means we may have Zephyr's using a single API that can have different implementations depending in build options.
More information about it can be found in https://armmbed.github.io/mbed-crypto/html/overview/intro.html

Problem description

The lack of ONE API may cause waste of resources (multiple implementations needed at same time), make products more vulnerable (multiple implementations increases the code surface and consequently the chance of bugs), and it does help us take full advantage of HW accelerators.

Proposed change

The proposal is to adopt psa crypto API on Zephyr to replace the direct usage of other cryptography implementations.

Detailed RFC

The initial idea is:

  • Select an implementation of the PSA crypto API (recent versions of mbedTLS implement it)
  • Change the code base to use PSA crypto API
  • Enable HW accelerators in the new API.

Concerns and Unresolved Questions

  • The major reason to use TinyCrypt is due constraint resources, will PSA crypto be able to achieve similar requirements.
  • What happens if we end up having two implementations of PSA crypto API in a same target ? e.g TF-M uses mbedTLS implementation and Zephyr's code base uses another one.

Alternatives

Metadata

Metadata

Assignees

Labels

Type

Projects

Status

No status

Status

In Progress

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions