nrf_security: cracen_sw: Add config for ctr size workarounds

degjorva · degjorva · commit 47375e91a09c · 2025-11-27T12:23:10.000+01:00
Add config for the workarounds required for socs which have
a reduced ctr register size.
Update existing workarounds to use this kconfig

Signed-off-by: Dag Erik Gjørvad &lt;dag.erik.gjorvad@nordicsemi.no&gt;
diff --git a/subsys/nrf_security/cmake/psa_crypto_config.cmake b/subsys/nrf_security/cmake/psa_crypto_config.cmake
@@ -473,6 +473,7 @@ kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_TRNG_DRIVER)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_ALG_PRNG_TEST)
 kconfig_check_and_set_base_to_one(PSA_CRYPTO_DRIVER_IRONSIDE)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS)
+kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_IKG_INTERRUPT_WORKAROUND)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_RNG_NO_ENTROPY_WORKAROUND)
 kconfig_check_and_set_base_to_one(PSA_NEED_CRACEN_ECC_KEY_GEN_PKE)
diff --git a/subsys/nrf_security/configs/psa_crypto_config.h.template b/subsys/nrf_security/configs/psa_crypto_config.h.template
@@ -468,6 +468,7 @@
 #cmakedefine PSA_CRYPTO_DRIVER_ALG_PRNG_TEST                    @PSA_CRYPTO_DRIVER_ALG_PRNG_TEST@
 #cmakedefine PSA_CRYPTO_DRIVER_IRONSIDE                         @PSA_CRYPTO_DRIVER_IRONSIDE@
 #cmakedefine PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS              @PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS@
+#cmakedefine PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS               @PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS@
 #cmakedefine PSA_NEED_CRACEN_IKG_INTERRUPT_WORKAROUND           @PSA_NEED_CRACEN_IKG_INTERRUPT_WORKAROUND@
 #cmakedefine PSA_NEED_CRACEN_RNG_NO_ENTROPY_WORKAROUND          @PSA_NEED_CRACEN_RNG_NO_ENTROPY_WORKAROUND@
 #cmakedefine PSA_NEED_CRACEN_ECC_KEY_GEN_PKE                    @PSA_NEED_CRACEN_ECC_KEY_GEN_PKE@
diff --git a/subsys/nrf_security/src/drivers/cracen/CMakeLists.txt b/subsys/nrf_security/src/drivers/cracen/CMakeLists.txt
@@ -11,8 +11,7 @@ set(cracen_driver_sources)
 include(sxsymcrypt/sxsymcrypt.cmake)
 include(silexpk/silexpk.cmake)
 include(cracenpsa/cracenpsa.cmake)
-if(CONFIG_PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS OR
-   (CONFIG_SOC_NRF54LV10A AND CONFIG_PSA_NEED_CRACEN_CTR_AES))
+if(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS)
   include(cracen_sw/cracen_sw.cmake)
 endif()
 
diff --git a/subsys/nrf_security/src/drivers/cracen/Kconfig b/subsys/nrf_security/src/drivers/cracen/Kconfig
@@ -19,6 +19,9 @@ config CRACEN_KMU_HW_PRESENT
 config PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS
 	def_bool SOC_NRF54LM20A
 
+config PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS
+	def_bool PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS || SOC_NRF54LV10A
+
 config PSA_NEED_CRACEN_IKG_INTERRUPT_WORKAROUND
 	def_bool SOC_NRF54LM20A || SOC_NRF54LV10A || SOC_NRF7120_ENGA
 
diff --git a/subsys/nrf_security/src/drivers/cracen/cracen_sw/cracen_sw.cmake b/subsys/nrf_security/src/drivers/cracen/cracen_sw/cracen_sw.cmake
@@ -33,8 +33,7 @@ if(CONFIG_PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS AND CONFIG_PSA_NEED_CRACEN_MAC_D
   endif()
 endif()
 
-if((CONFIG_PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS OR CONFIG_SOC_NRF54LV10A) AND
-   CONFIG_PSA_NEED_CRACEN_CTR_AES)
+if(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS AND CONFIG_PSA_NEED_CRACEN_CTR_AES)
   list(APPEND cracen_driver_sources
     ${CMAKE_CURRENT_LIST_DIR}/src/cracen_sw_aes_ctr.c
   )
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h b/subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h
@@ -44,12 +44,12 @@
 #define CRACEN_MAX_CHACHA20_KEY_SIZE (32u)
 
 /*
- * There is a HW limitation for nRF54LM20A and nRF54LV10A:
- * a maximum of 1 MB of plaintext or ciphertext is supported.
+ * HW limitation for devices with smaller CTR size:
+ * a maximum of 1 MB of plaintext or ciphertext is supported for CCM.
  */
-#if defined(CONFIG_SOC_NRF54LM20A) || defined(CONFIG_SOC_NRF54LV10A)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS)
 #define CRACEN_MAX_CCM_DATA_SIZE (65536U * SX_BLKCIPHER_AES_BLK_SZ)
-#endif /* CONFIG_SOC_NRF54LM20A || CONFIG_SOC_NRF54LV10A */
+#endif /* CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS */
 
 /*
  * There are two key types supported for ciphers, CHACHA20 and AES,
diff --git a/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cipher.c b/subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cipher.c
@@ -23,7 +23,7 @@
 
 #include "cracen_psa_primitives.h"
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 #include <cracen_sw_aes_ctr.h>
 #endif
 
@@ -288,7 +288,7 @@ psa_status_t cracen_cipher_encrypt(const psa_key_attributes_t *attributes,
 	cracen_cipher_operation_t operation = {0};
 	*output_length = 0;
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (alg == PSA_ALG_CTR) {
 		if (output_size < input_length) {
@@ -364,7 +364,7 @@ psa_status_t cracen_cipher_decrypt(const psa_key_attributes_t *attributes,
 	const size_t iv_size = (alg == PSA_ALG_STREAM_CIPHER) ? 12 : SX_BLKCIPHER_IV_SZ;
 	*output_length = 0;
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_crypt(attributes, key_buffer, key_buffer_size, input,
@@ -480,7 +480,7 @@ psa_status_t cracen_cipher_encrypt_setup(cracen_cipher_operation_t *operation,
 					 const uint8_t *key_buffer, size_t key_buffer_size,
 					 psa_algorithm_t alg)
 {
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_setup(operation, attributes, key_buffer, key_buffer_size);
@@ -496,7 +496,7 @@ psa_status_t cracen_cipher_decrypt_setup(cracen_cipher_operation_t *operation,
 					 psa_algorithm_t alg)
 {
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_setup(operation, attributes, key_buffer, key_buffer_size);
@@ -511,7 +511,7 @@ psa_status_t cracen_cipher_set_iv(cracen_cipher_operation_t *operation, const ui
 {
 	__ASSERT_NO_MSG(iv != NULL);
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (operation->alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_set_iv(operation, iv, iv_length);
@@ -554,7 +554,7 @@ psa_status_t cracen_cipher_update(cracen_cipher_operation_t *operation, const ui
 	__ASSERT_NO_MSG(input != NULL || input_length == 0);
 	__ASSERT_NO_MSG(output_length != NULL);
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (operation->alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_update(operation, input, input_length, output, output_size,
@@ -712,7 +712,7 @@ psa_status_t cracen_cipher_finish(cracen_cipher_operation_t *operation, uint8_t
 {
 	__ASSERT_NO_MSG(output_length != NULL);
 
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (operation->alg == PSA_ALG_CTR) {
 		return cracen_sw_aes_ctr_finish(operation, output_length);
@@ -859,7 +859,7 @@ psa_status_t cracen_cipher_finish(cracen_cipher_operation_t *operation, uint8_t
 
 psa_status_t cracen_cipher_abort(cracen_cipher_operation_t *operation)
 {
-#if defined(CONFIG_SOC_NRF54LV10A) && defined(PSA_NEED_CRACEN_CTR_AES)
+#if defined(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS) && defined(PSA_NEED_CRACEN_CTR_AES)
 	/* Route AES_CTR to software implementation due to 16-bit counter limitation */
 	if (operation->alg == PSA_ALG_CTR) {
 		/* Software AES CTR implementation doesn't allocate hardware resources to free */

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,7 @@ if(CONFIG_PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS AND CONFIG_PSA_NEED_CRACEN_MAC_D`
`33`	`33`	`endif()`
`34`	`34`	`endif()`
`35`	`35`
`36`		`-if((CONFIG_PSA_NEED_CRACEN_MULTIPART_WORKAROUNDS OR CONFIG_SOC_NRF54LV10A) AND`
`37`		`- CONFIG_PSA_NEED_CRACEN_CTR_AES)`
	`36`	`+if(CONFIG_PSA_NEED_CRACEN_CTR_SIZE_WORKAROUNDS AND CONFIG_PSA_NEED_CRACEN_CTR_AES)`
`38`	`37`	`list(APPEND cracen_driver_sources`
`39`	`38`	`${CMAKE_CURRENT_LIST_DIR}/src/cracen_sw_aes_ctr.c`
`40`	`39`	`)`