Driver configurations and supported features

This section covers the configurations available when using PSA drivers.

Configuring multiple drivers

Multiple PSA drivers can be enabled at the same time, with added support for fine-grained control of which drivers implement support for cryptographic features.

To enable a PSA driver, set the configurations according to the following table:

PSA driver

Configuration option

Notes

nrf_cc3xx

CONFIG_PSA_CRYPTO_DRIVER_CC3XX

Only on nRF52840, nRF9160, and nRF5340 devices

nrf_oberon

CONFIG_PSA_RYPTO_DRIVER_OBERON

If multiple drivers are enabled, the first ordered item in this table takes precedence for an enabled cryptographic feature, unless the driver does not enable or support it.

Enabling or disabling PSA driver specific configurations controls the support for a given algorithm, per driver.

If a specific cryptographic feature is not supported by a PSA driver but the algorithm is configured to be used, then Built-in Mbed TLS will be enabled to ensure the feature is available.

AES cipher configuration

AES cipher modes can be enabled by setting one or more of the following Kconfig options:

Cipher mode

Configuration option

ECB_NO_PADDING

CONFIG_PSA_WANT_ALG_ECB_NO_PADDING

CBC_NO_PADDING

CONFIG_PSA_WANT_ALG_CBC_NO_PADDING

CBC_PKCS7

CONFIG_PSA_WANT_ALG_CBC_PKCS7

CFB

CONFIG_PSA_WANT_ALG_CFB

CTR

CONFIG_PSA_WANT_ALG_CTR

OFB

CONFIG_PSA_WANT_ALG_OFB

XTS

CONFIG_PSA_WANT_ALG_XTS

AES cipher driver configuration

You can use the Kconfig options from the following table for fine-grained control over which drivers provide AES cipher support:

Cipher mode

nrf_cc3xx driver support

nrf_oberon driver support

ECB_NO_PADDING

CONFIG_PSA_CRYPTO_DRIVER_ALG_ECB_NO_PADDING_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_ECB_NO_PADDING_OBERON

CBC_NO_PADDING

CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_OBERON

CBC_PKCS7

CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_PKCS7_CC3XX

Not supported

CFB

CONFIG_PSA_CRYPTO_DRIVER_ALG_CFB_CC3XX

Not supported

CTR

CONFIG_PSA_CRYPTO_DRIVER_ALG_CTR_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_CTR_OBERON

OFB

Not supported

Not supported

XTS

Not supported

Not supported

Note

  • If an AES cipher mode is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.

  • The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.

MAC configuration

You can enable MAC support by setting one or more Kconfig options in the following table:

MAC cipher

Configuration option

ECB_NO_PADDING

CONFIG_PSA_WANT_ALG_CMAC

CBC_NO_PADDING

CONFIG_PSA_WANT_ALG_HMAC

MAC driver configurations

You can use the Kconfig options in the following table for fine-grained control over which drivers provide AEAD support:

MAC cipher

nrf_cc3xx driver support

nrf_oberon driver support

ECB_NO_PADDING

CONFIG_PSA_CRYPTO_DRIVER_ALG_CMAC_CC3XX

Not supported

CBC_NO_PADDING

CONFIG_PSA_CRYPTO_DRIVER_ALG_HMAC_CC3XX

Not supported

Note

  • If a MAC algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.

  • The Arm CryptoCell cc3xx driver is limited to AES CMAC key sizes of 128 bits on devices with Arm CryptoCell cc310.

  • The Arm CryptoCell cc3xx driver is limited to HMAC using SHA-1, SHA-224, and SHA-256 on devices with Arm CryptoCell cc310.

AEAD configurations

You can enable Authenticated Encryption with Associated Data (AEAD) by setting one or more Kconfig options in the following table:

AEAD cipher

Configuration option

AES CCM

CONFIG_PSA_WANT_ALG_CCM

AES GCM

CONFIG_PSA_WANT_ALG_GCM

ChaCha/Poly

CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305

AEAD driver configurations

You can use the Kconfig options in the following table for fine-grained control over which drivers provide AEAD support:

AEAD cipher

nrf_cc3xx driver support

nrf_oberon driver support

AES CCM

CONFIG_PSA_CRYPTO_DRIVER_ALG_CCM_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_CCM_OBERON

AES GCM

CONFIG_PSA_CRYPTO_DRIVER_ALG_GCM_CC3XX

Not Supported

ChaCha/Poly

CONFIG_PSA_CRYPTO_DRIVER_ALG_CHACHA20_POLY1305_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_CHACHA20_POLY1305_OBERON

Note

ECC configurations

You can enable Elliptic Curve Cryptography (ECC) by setting one or more Kconfig options in the following table:

ECC algorithm

Configuration option

ECDH

CONFIG_PSA_WANT_ALG_ECDH

ECDSA

CONFIG_PSA_WANT_ALG_ECDSA

ECDSA (deterministic)

CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA

The ECC algorithm support is dependent on one or more Kconfig options enabling curve support according to ECC curve configurations.

ECC driver configurations

You can use the Kconfig options in the following table for fine-grained control over which drivers provide ECC support:

ECC algorithm

nrf_cc3xx driver support

nrf_oberon driver support

ECDH

CONFIG_PSA_CRYPTO_DRIVER_ALG_ECDH_CC3XX | CONFIG_PSA_CRYPTO_DRIVER_ALG_ECDSA_OBERON

ECDSA

CONFIG_PSA_CRYPTO_DRIVER_ALG_ECDSA_CC3XX | CONFIG_PSA_CRYPTO_DRIVER_ALG_ECDSA_OBERON

ECDSA (deterministic)

CONFIG_PSA_CRYPTO_DRIVER_ALG_DETERMINISTIC_ECDSA_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_DETERMINISTIC_ECDSA_OBERON

Note

  • If an ECC algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.

  • The nrf_oberon driver is currently limited to curve types secp224r1 and secp256r1 for ECDH and ECDSA.

ECC curve configurations

You can configure elliptic curve support by setting one or more Kconfig options in the following table:

ECC curve type

Configuration option

Brainpool256r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_256

Brainpool384r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_384

Brainpool512r1

CONFIG_PSA_WANT_ECC_BRAINPOOL_P_R1_512

Curve25519

CONFIG_PSA_WANT_ECC_MONTGOMERY_255

Curve448

CONFIG_PSA_WANT_ECC_MONTGOMERY_448

secp192k1

CONFIG_PSA_WANT_ECC_SECP_K1_192

secp256k1

CONFIG_PSA_WANT_ECC_SECP_K1_256

secp192r1

CONFIG_PSA_WANT_ECC_SECP_R1_192

secp224r1

CONFIG_PSA_WANT_ECC_SECP_R1_224

secp256r1

CONFIG_PSA_WANT_ECC_SECP_R1_256

secp384r1

CONFIG_PSA_WANT_ECC_SECP_R1_384

secp521r1

CONFIG_PSA_WANT_ECC_SECP_R1_521

ECC curve driver configurations

You can sue the Kconfig options in the following table for fine-grained control over which drivers provide elliptic curve support:

ECC curve type

nrf_cc3xx driver support

nrf_oberon driver support

Brainpool256r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_BRAINPOOL_P_R1_256_CC3XX

Not supported

Brainpool384r1

Not supported

Not supported

Brainpool512r1

Not supported

Not supported

Curve25519

CONFIG_PSA_CRYPTO_DRIVER_ECC_MONTGOMERY_255_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ECC_MONTGOMERY_255_OBERON

Curve448

Not supported

Not supported

secp192k1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_K1_192_CC3XX

Not supported

secp256k1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_K1_256_CC3XX

Not supported

secp192r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_192_CC3XX

Not supported

secp224r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_224_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_224_OBERON

secp256r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_256_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_256_OBERON

secp384r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_384_CC3XX

Not supported

secp521r1

CONFIG_PSA_CRYPTO_DRIVER_ECC_SECP_R1_521_CC3XX

Not supported

RSA configurations

You can enable Rivest-Shamir-Adleman (RSA) support by setting one or more Kconfig options in the following table:

RSA algorithms

Configuration option

RSA OAEP

CONFIG_PSA_WANT_ALG_RSA_OAEP

RSA PKCS#1 v1.5 crypt

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT

RSA PKCS#1 v1.5 sign

CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN

RSA PSS

CONFIG_PSA_WANT_ALG_RSA_PSS

RSA driver configurations

You can use the Kconfig options in the following table for fine-grained control over which drivers provide RSA support:

RSA algorithms

nrf_cc3xx driver support

nrf_oberon driver support

RSA OAEP

CONFIG_PSA_CRYPTO_DRIVER_ALG_RSA_OAEP_CC3XX

Not supported

RSA PKCS#1 v1.5 crypt

CONFIG_PSA_CRYPTO_DRIVER_ALG_RSA_PKCS1V15_CRYPT_CC3XX

Not supported

RSA PKCS#1 v1.5 sign

CONFIG_PSA_CRYPTO_DRIVER_ALG_RSA_PKCS1V15_SIGN_CC3XX

Not supported

RSA PSS

CONFIG_PSA_CRYPTO_DRIVER_ALG_RSA_PSS_CC3XX

Not supported

Note

Secure Hash configurations

You can configure the Secure Hash algorithms by setting one or more Kconfig options according to the following table:

Hash algorithm

Configuration optio

SHA-1

CONFIG_PSA_WANT_ALG_SHA_1

SHA-224

CONFIG_PSA_WANT_ALG_SHA_224

SHA-256

CONFIG_PSA_WANT_ALG_SHA_256

SHA-384

CONFIG_PSA_WANT_ALG_SHA_384

SHA-512

CONFIG_PSA_WANT_ALG_SHA_512

Secure Hash driver configurations

You can use the PSA driver-specific configurations provided in this table for fine-grained control over which drivers provide the Secure Hash algorithm.

Hash algorithm

nrf_cc3xx driver support

nrf_oberon driver support

SHA-1

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_1_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_1_OBERON

SHA-224

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_224_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_224_OBERON

SHA-256

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_256_CC3XX

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_256_OBERON

SHA-384

Not supported

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_384_OBERON

SHA-512

Not supported

CONFIG_PSA_CRYPTO_DRIVER_ALG_SHA_512_OBERON

Note

  • If Secure Hash algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.