Add AEAD with AES-CCM support for nRF54LM20A and remove size restrictions for nRF54LV10A #25514
Pull Request Overview
This PR adds software-based AES-CCM AEAD support for nRF54LM20A and removes size restrictions for nRF54LV10A by implementing a workaround for hardware counter size limitations. The implementation uses ECB primitives to build CCM mode operations when hardware limitations are detected.
Key changes:
- Introduces new Kconfig option CONFIG_CRACEN_NEED_CTR_SIZE_WORKAROUNDS to identify platforms requiring software workarounds
- Implements complete software AES-CCM AEAD functionality using ECB primitives
- Replaces SoC-specific checks with feature-based configuration flags throughout the codebase
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
| subsys/nrf_security/src/drivers/cracen/cracenpsa/src/cipher.c | Replaces CONFIG_SOC_NRF54LV10A with CONFIG_CRACEN_NEED_CTR_SIZE_WORKAROUNDS for CTR mode routing |
| subsys/nrf_security/src/drivers/cracen/cracenpsa/src/aead.c | Routes AES-CCM operations to software implementation when workarounds are needed; removes blanket PSA_ERROR_NOT_SUPPORTED for nRF54LM20A |
| subsys/nrf_security/src/drivers/cracen/cracenpsa/include/cracen_psa_primitives.h | Increases CRACEN_MAX_AEAD_BLOCK_SIZE to 96 bytes; adds cracen_sw_ccm_context_t structure; removes CCM data size restriction |
| subsys/nrf_security/src/drivers/cracen/cracenpsa/cracenpsa.cmake | Conditionally excludes hardware AEAD when multipart workarounds are needed |
| subsys/nrf_security/src/drivers/cracen/cracen_sw/src/cracen_sw_aes_ccm.c | New file implementing complete software AES-CCM using CBC-MAC and CTR mode with ECB primitives |
| subsys/nrf_security/src/drivers/cracen/cracen_sw/src/cracen_sw_aead.c | New dispatcher layer for software AEAD implementations |
| subsys/nrf_security/src/drivers/cracen/cracen_sw/include/cracen_sw_aes_ccm.h | New header declaring software AES-CCM API |
| subsys/nrf_security/src/drivers/cracen/cracen_sw/include/cracen_sw_aead.h | New header for software AEAD dispatcher API |
| subsys/nrf_security/src/drivers/cracen/cracen_sw/cracen_sw.cmake | Updates build configuration to include software CCM implementation |
| subsys/nrf_security/src/drivers/cracen/Kconfig | Adds CONFIG_CRACEN_NEED_CTR_SIZE_WORKAROUNDS configuration option |
| subsys/nrf_security/src/drivers/cracen/CMakeLists.txt | Updates include logic for cracen_sw based on new configuration flags |
| doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst | Documents new AES-CCM AEAD support for nRF54LM20 and sample support |
CI Information
Inputs:
Sources:
sdk-nrf: PR head: cc16bc45497951a49cf1cfd60b52dcbbde8c0997
List of changed files detected by CI (15)
Outputs:
Toolchain
Version: 43683a87ea
Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
eccb724 to 5fcfd19
5fcfd19 to ec04d74
Pull Request Overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
You can find the documentation preview for this PR here. Preview links for modified nRF Connect SDK documents: https://ncsdoc.z6.web.core.windows.net/PR-25514/nrf/releases_and_maturity/releases/release-notes-changelog.html
ec04d74 to 3b31f03
3b31f03 to 56219e3
Pull Request Overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated no new comments.
| psa_algorithm_t alg); | ||
|
|
||
| /** | ||
| * @brief Setup software AEAD decryption operation. |
| * @brief Setup software AEAD decryption operation. | |
| * @brief Set up the software AEAD decryption operation. |
Fixed
| * @brief Dispatcher layer for software AEAD implementations. | ||
| * | ||
| * This module provides a common interface that dispatches to specific | ||
| * software AEAD implementations (e.g., AES-CCM) as a workaround for |
| * software AEAD implementations (e.g., AES-CCM) as a workaround for | |
| * software AEAD implementations (such as AES-CCM) as a workaround for |
Fixed
| /** | ||
| * @brief Set lengths for software AEAD operation. | ||
| * | ||
| * Some AEAD algorithms (e.g., CCM) require lengths to be known upfront. |
| * Some AEAD algorithms (e.g., CCM) require lengths to be known upfront. | |
| * Some AEAD algorithms (such as CCM) require lengths to be known up-front. |
Fixed
| psa_status_t cracen_aead_abort(cracen_aead_operation_t *operation); | ||
|
|
||
| /** | ||
| * @brief Single-shot software AEAD encryption. |
Can you replace "single-shot" with something less colloquial? Also, start the brief with a verb, like "Perform a ..." in cracen_sw_aes_ccm.h.
Applies to other instances in the file too.
I changed it to single-part. That is the terminology the PSA documentation uses
| #include "cracen_psa_primitives.h" | ||
|
|
||
| /** | ||
| * @brief Setup software AES-CCM encryption operation. |
| * @brief Setup software AES-CCM encryption operation. | |
| * @brief Set up the software AES-CCM encryption operation. |
| * @param[in] tag_size Size of the tag buffer. | ||
| * @param[out] tag_length Pointer to store the actual tag length. | ||
| * | ||
| * @retval PSA_SUCCESS Operation finished successfully, tag generated. |
| * @retval PSA_SUCCESS Operation finished successfully, tag generated. | |
| * @retval PSA_SUCCESS Operation finished successfully; tag generated. |
Or :, as mentioned earlier.
| uint8_t *tag, size_t tag_size, size_t *tag_length); | ||
|
|
||
| /** | ||
| * @brief Verify and finish the software AES-CCM decryption operation. |
| * @brief Verify and finish the software AES-CCM decryption operation. | |
| * @brief Verify the tag and finish the software AES-CCM decryption operation. |
| size_t ciphertext_size, size_t *ciphertext_length); | ||
|
|
||
| /** | ||
| * @brief Perform a single-shot software AES-CCM decryption. |
| * @brief Perform a single-shot software AES-CCM decryption. | |
| * @brief Perform a single software AES-CCM decryption. |
To avoid the colloquialism.
| * @retval PSA_SUCCESS Decryption and verification completed successfully. | ||
| * @retval PSA_ERROR_INVALID_SIGNATURE Authentication tag verification failed. | ||
| * @retval PSA_ERROR_BUFFER_TOO_SMALL Output buffer too small. | ||
| * @retval PSA_ERROR_INVALID_ARGUMENT Invalid nonce length, key size, or ciphertext too short. |
| * @retval PSA_ERROR_INVALID_ARGUMENT Invalid nonce length, key size, or ciphertext too short. | |
| * @retval PSA_ERROR_INVALID_ARGUMENT Invalid nonce length, invalid key size, or ciphertext too short. |
| @@ -140,6 +140,8 @@ Security | |||
|
|
|||
| * Support for AES in counter mode using CRACEN for the :zephyr:board:`nrf54lm20dk`. | |||
|
|
|||
| * Support for AES-CCM AEAD using CRACEN for the :zephyr:board:`nrf54lm20dk`. | |||
I updated the supported features for both LM20 and LV10, or rather I just removed the note which should cover it
| * @retval PSA_ERROR_INVALID_ARGUMENT Invalid key size. | ||
| */ | ||
| psa_status_t cracen_aead_encrypt_setup(cracen_aead_operation_t *operation, | ||
| const psa_key_attributes_t *attributes, |
spacing on all of these is not consistent with the previous line
| #endif | ||
|
|
||
| psa_status_t cracen_aead_encrypt_setup(cracen_aead_operation_t *operation, | ||
| const psa_key_attributes_t *attributes, |
this file too
| } | ||
|
|
||
| psa_status_t cracen_sw_aes_ccm_encrypt_setup(cracen_aead_operation_t *operation, | ||
| const psa_key_attributes_t *attributes, |
here three...
| uint8_t ctr_block[SX_BLKCIPHER_AES_BLK_SZ]; /* Counter block for CTR mode */ | ||
| uint8_t keystream[SX_BLKCIPHER_AES_BLK_SZ]; /* Generated keystream */ | ||
| uint8_t partial_block[SX_BLKCIPHER_AES_BLK_SZ]; /* Buffer for partial blocks */ | ||
| size_t keystream_offset; /* Position in keystream buffer */ |
(non-blocking suggestion) why not put the /* directly one space after the ; so it's easy to see what these are?
Good idea
56219e3 to 50f9035
50f9035 to 6c540f9
9e13ad8 to 64b21a9
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.
64b21a9 to f2fe57e
| * CCM cipher mode: | ||
|
|
||
| * Multi-part encrypt and decrypt APIs are not supported. | ||
| * A maximum of 1 MB of plaintext or ciphertext is supported. |
This section is now empty. Do we need this entry for CCM?
We don't, but let's fix that in another PR later so we don't have to rerun CI on this
Will fix in #25849
frkv left a comment
LGTM
f2fe57e to 24df256
Rebase
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 3 comments.
| static psa_status_t initialize_cbc_mac(cracen_aead_operation_t *operation, | ||
| struct sxblkcipher *cipher) | ||
| { | ||
| cracen_sw_ccm_context_t *ccm_ctx = &operation->sw_ccm_ctx; | ||
| uint8_t b0[SX_BLKCIPHER_AES_BLK_SZ]; | ||
| psa_status_t status; | ||
|
|
||
| if (ccm_ctx->cbc_mac_initialized) { | ||
| return PSA_SUCCESS; | ||
| } | ||
| format_ccm_b0(b0, operation->nonce_length, operation->nonce, operation->plaintext_length, | ||
| operation->ad_length, operation->tag_size); | ||
| status = cracen_aes_primitive(cipher, &operation->keyref, b0, ccm_ctx->cbc_mac); | ||
| if (status != PSA_SUCCESS) { | ||
| return status; | ||
| } | ||
| if (operation->ad_length > 0) { | ||
| size_t ad_len_size = | ||
| encode_ccm_ad_length(ccm_ctx->partial_block, operation->ad_length); | ||
| ccm_ctx->has_partial_ad_block = true; | ||
| ccm_ctx->total_ad_fed = ad_len_size; | ||
| } | ||
| ccm_ctx->cbc_mac_initialized = true; | ||
| return PSA_SUCCESS; | ||
| } |
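Review bot: In initialize_cbc_mac, the assignment ccm_ctx->total_ad_fed = ad_len_size counts the encoded length prefix that encode_ccm_ad_length writes into partial_block, so total_ad_fed is not the number of caller-supplied AD bytes. Please document that at the assignment (or track the prefix length in its own field) so that a later check of total_ad_fed against operation->ad_length does not silently compare different quantities.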
Copilot AI, Dec 2, 2025
The b0 buffer contains sensitive cryptographic material (including plaintext/AD lengths and tag size) but is not securely cleared after use. This could potentially leak information. Consider using safe_memzero(b0, sizeof(b0)); before the function returns to ensure secure cleanup.
| safe_memzero(s0, sizeof(s0)); | ||
| return status; | ||
| } | ||
| memcpy(tag, operation->sw_ccm_ctx.cbc_mac, operation->tag_size); | ||
| cracen_xorbytes(tag, s0, operation->tag_size); | ||
| safe_memzero(s0, sizeof(s0)); |
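Review bot: safe_memzero(s0, sizeof(s0)) appears on both the error return and the success path here, which means every new temporary has to be wiped in two places. A single cleanup label that zeroes all stack temporaries before return status would keep the two exits in sync.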
Copilot AI, Dec 2, 2025
The a0_block buffer contains sensitive cryptographic material (nonce and counter) but is not securely cleared after use. Consider using safe_memzero(a0_block, sizeof(a0_block)); before returning to ensure secure cleanup of all temporary buffers.
| safe_memzero(s0, sizeof(s0)); | |
| return status; | |
| } | |
| memcpy(tag, operation->sw_ccm_ctx.cbc_mac, operation->tag_size); | |
| cracen_xorbytes(tag, s0, operation->tag_size); | |
| safe_memzero(s0, sizeof(s0)); | |
| safe_memzero(s0, sizeof(s0)); | |
| safe_memzero(a0_block, sizeof(a0_block)); | |
| return status; | |
| } | |
| memcpy(tag, operation->sw_ccm_ctx.cbc_mac, operation->tag_size); | |
| cracen_xorbytes(tag, s0, operation->tag_size); | |
| safe_memzero(s0, sizeof(s0)); | |
| safe_memzero(a0_block, sizeof(a0_block)); |
| tag_mismatch |= computed_tag[i] ^ tag[i]; | ||
| } | ||
| if (tag_mismatch != 0) { | ||
| status = PSA_ERROR_INVALID_SIGNATURE; |
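Review bot: In the mismatch branch only status is changed; computed_tag still holds the correct tag for the received data at that point. If it is not already wiped after this branch, add safe_memzero(computed_tag, sizeof(computed_tag)) on both outcomes, and make sure the single-part decrypt path does not leave unauthenticated plaintext in the caller's output buffer when PSA_ERROR_INVALID_SIGNATURE is returned.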
Copilot AI, Dec 2, 2025
[nitpick] For better code clarity and maintainability, consider explicitly setting status = PSA_SUCCESS; when tag_mismatch == 0 (i.e., add an else clause to the if (tag_mismatch != 0) check). While the current code is functionally correct (status remains PSA_SUCCESS from generate_tag), making it explicit improves readability and prevents potential bugs if the code flow changes in the future.
| status = PSA_ERROR_INVALID_SIGNATURE; | |
| status = PSA_ERROR_INVALID_SIGNATURE; | |
| } else { | |
| status = PSA_SUCCESS; |
24df256 to 25071c1
| * Added: | ||
| * Support for AES-CCM AEAD using CRACEN for the :zephyr:board:`nrf54lm20dk`. |
| * Added: | |
| * Support for AES-CCM AEAD using CRACEN for the :zephyr:board:`nrf54lm20dk`. | |
| * Added: | |
| * Support for AES-CCM AEAD using CRACEN for the :zephyr:board:`nrf54lm20dk`. |
Add config for the workarounds required for socs which have a reduced ctr register size. Update existing workarounds to use this kconfig
Signed-off-by: Dag Erik Gjørvad <[email protected]>
25071c1 to 526b9d8
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
Add support for AES-CCM using ECB primitives when using cracen_need_multipart_workarounds or cracen_need_ctr_size_workarounds Add AEAD to cracen_sw with AES-CCM support.
Signed-off-by: Dag Erik Gjørvad <[email protected]>
526b9d8 to cc16bc4
Add support for AES-CCM using ECB primitives when using cracen_need_multipart_workarounds and cracen_need_ctr_size_workarounds.
See commits for details.
test_crypto: PR-890
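
The CBC-MAC setup discussed in the review starts from the CCM B0 block and the AD length prefix. The following is an added example, not code from this PR or from sdk-nrf: it formats both as specified in RFC 3610 / NIST SP 800-38C, rejects parameters CCM does not allow, and checks B0 against RFC 3610 packet vector #1. All function names are hypothetical.

```c
/* Added example: CCM B0 and AD-length prefix (RFC 3610); hypothetical names, not sdk-nrf code. */
#include <stdint.h>
#include <string.h>

/* Build B0 = flags || nonce || message length (q bytes, big-endian).
 * Returns 0 on success, -1 when the parameters are not valid for CCM. */
int example_ccm_b0(uint8_t b0[16], const uint8_t *nonce, size_t nonce_len,
		   uint64_t msg_len, uint64_t ad_len, size_t tag_len)
{
	if (nonce_len < 7 || nonce_len > 13 ||
	    tag_len < 4 || tag_len > 16 || (tag_len & 1)) {
		return -1;
	}
	size_t q = 15 - nonce_len; /* width of the length field and of the CTR counter */
	if (q < 8 && (msg_len >> (8 * q)) != 0) {
		return -1; /* message length does not fit in q bytes */
	}
	b0[0] = (uint8_t)((ad_len ? 0x40 : 0) | (((tag_len - 2) / 2) << 3) | (q - 1));
	memcpy(&b0[1], nonce, nonce_len);
	for (size_t i = 0; i < q; i++) {
		b0[15 - i] = (uint8_t)(msg_len >> (8 * i));
	}
	return 0;
}

/* Write the AD length prefix that opens the first AD block.
 * Returns the number of bytes written: 0, 2, 6 or 10. */
size_t example_ccm_encode_ad_len(uint8_t out[10], uint64_t ad_len)
{
	size_t hdr = 0, n = 2;
	if (ad_len == 0) {
		return 0;
	}
	if (ad_len >= 0xFF00) { /* 2^16 - 2^8 and above need a two-byte marker */
		out[0] = 0xFF;
		out[1] = (ad_len <= 0xFFFFFFFFu) ? 0xFE : 0xFF;
		hdr = 2;
		n = (ad_len <= 0xFFFFFFFFu) ? 4 : 8;
	}
	for (size_t i = 0; i < n; i++) {
		out[hdr + n - 1 - i] = (uint8_t)(ad_len >> (8 * i));
	}
	return hdr + n;
}

/* RFC 3610 packet vector #1: 13-byte nonce, 8-byte AD, 23-byte message, 8-byte tag. */
int example_rfc3610_vector1_ok(void)
{
	static const uint8_t nonce[13] = {0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00,
					  0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5};
	static const uint8_t want[16] = {0x59, 0x00, 0x00, 0x00, 0x03, 0x02, 0x01, 0x00,
					 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0x00, 0x17};
	uint8_t b0[16];
	return example_ccm_b0(b0, nonce, sizeof(nonce), 23, 8, 8) == 0 &&
	       memcmp(b0, want, sizeof(want)) == 0;
}

int main(void) { return example_rfc3610_vector1_ok() ? 0 : 1; }
```

The value q = 15 - nonce_len is also the width of the CTR counter field, so the nonce length bounds how much data one nonce can cover.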