Driver configurations and supported features
This section covers the configurations available when using PSA drivers.
Configuring multiple drivers
Multiple PSA drivers can be enabled at the same time, with fine-grained control over which driver implements each cryptographic feature.
To enable a PSA driver, set the configurations according to the following table:
PSA driver | Configuration option | Notes |
---|---|---|
nrf_cc3xx | | Only on nRF52840, nRF9160, and nRF5340 devices |
nrf_oberon | | |
If multiple drivers are enabled, the driver listed first in this table takes precedence for an enabled cryptographic feature, unless that driver does not enable or support the feature.
Enabling or disabling PSA driver-specific configurations controls the support for a given algorithm, per driver.
If a cryptographic feature is configured to be used but no PSA driver supports it, Built-in Mbed TLS is enabled to ensure the feature is available.
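The selection rule above, written out as an added example (not nRF Connect SDK code) so a build can be checked for features that end up on Built-in Mbed TLS. It uses only the AES cipher modes whose row in the driver table on this page reads the same for both drivers, assumes a blank cell there means the driver supports the mode, and represents the per-driver options as a hypothetical set of (driver, feature) pairs.

```python
# Added example: models the driver-selection rule described on this page.
DRIVER_ORDER = ("nrf_cc3xx", "nrf_oberon")   # order of the PSA driver table
BUILTIN = "Built-in Mbed TLS"                # fallback named on this page

# Transcribed from the AES cipher driver table, unambiguous rows only.
# Assumption: a blank cell in that table means the driver supports the mode.
SUPPORT = {
    "ECB_NO_PADDING": {"nrf_cc3xx", "nrf_oberon"},
    "CBC_NO_PADDING": {"nrf_cc3xx", "nrf_oberon"},
    "CTR":            {"nrf_cc3xx", "nrf_oberon"},
    "OFB":            set(),   # "Not supported" for both drivers
    "XTS":            set(),   # "Not supported" for both drivers
}


def resolve(feature, enabled_drivers, disabled=frozenset()):
    """Return the name of the implementation that services `feature`.

    enabled_drivers: drivers switched on in the build.
    disabled: (driver, feature) pairs turned off through the per-driver
              options (hypothetical representation of those Kconfig choices).
    """
    if feature not in SUPPORT:
        raise ValueError(f"no support data for {feature!r}")
    for driver in DRIVER_ORDER:
        if (driver in enabled_drivers
                and driver in SUPPORT[feature]
                and (driver, feature) not in disabled):
            return driver
    return BUILTIN  # no PSA driver enables or supports the feature


def software_fallbacks(features, enabled_drivers, disabled=frozenset()):
    """List the requested features that end up on Built-in Mbed TLS."""
    return sorted(f for f in features
                  if resolve(f, enabled_drivers, disabled) == BUILTIN)


if __name__ == "__main__":
    both = {"nrf_cc3xx", "nrf_oberon"}
    wanted = ["CTR", "CBC_NO_PADDING", "OFB", "XTS"]
    for mode in wanted:
        print(f"{mode:15} -> {resolve(mode, both)}")
    print("software fallback:", software_fallbacks(wanted, both))
```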
AES cipher configuration
AES cipher modes can be enabled by setting one or more of the following Kconfig options:
Cipher mode | Configuration option |
---|---|
ECB_NO_PADDING | |
CBC_NO_PADDING | |
CBC_PKCS7 | |
CFB | |
CTR | |
OFB | |
XTS | |
AES cipher driver configuration
You can use the Kconfig options from the following table for fine-grained control over which drivers provide AES cipher support:
Cipher mode |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
ECB_NO_PADDING |
||
CBC_NO_PADDING |
||
CBC_PKCS7 |
Not supported |
|
CFB |
Not supported |
|
CTR |
||
OFB |
Not supported |
Not supported |
XTS |
Not supported |
Not supported |
Note
If an AES cipher mode is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.
MAC configuration
You can enable MAC support by setting one or more Kconfig options in the following table:
MAC cipher | Configuration option |
---|---|
ECB_NO_PADDING | |
CBC_NO_PADDING | |
MAC driver configurations
You can use the Kconfig options in the following table for fine-grained control over which drivers provide MAC support:
MAC cipher |
nrf_cc3xx driver support |
nrf_oberon driver support |
|
---|---|---|---|
ECB_NO_PADDING |
Not supported |
||
CBC_NO_PADDING |
Not supported |
Note
If a MAC algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES CMAC key sizes of 128 bits on devices with Arm CryptoCell cc310.
The Arm CryptoCell cc3xx driver is limited to HMAC using SHA-1, SHA-224, and SHA-256 on devices with Arm CryptoCell cc310.
AEAD configurations
You can enable Authenticated Encryption with Associated Data (AEAD) by setting one or more Kconfig options in the following table:
AEAD cipher | Configuration option |
---|---|
AES CCM | |
AES GCM | |
ChaCha/Poly | |
AEAD driver configurations
You can use the Kconfig options in the following table for fine-grained control over which drivers provide AEAD support:
AEAD cipher |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
AES CCM |
||
AES GCM |
Not Supported |
|
ChaCha/Poly |
Note
If an AEAD algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.
The Arm CryptoCell cc3xx driver does not provide hardware support for AES GCM on devices with Arm CryptoCell cc310.
ECC configurations
You can enable Elliptic Curve Cryptography (ECC) by setting one or more Kconfig options in the following table:
ECC algorithm | Configuration option |
---|---|
ECDH | |
ECDSA | |
ECDSA (deterministic) | |
ECC algorithm support depends on one or more Kconfig options that enable curve support, as described in ECC curve configurations.
ECC driver configurations
You can use the Kconfig options in the following table for fine-grained control over which drivers provide ECC support:
ECC algorithm |
nrf_cc3xx driver support |
nrf_oberon driver support |
|
---|---|---|---|
ECDH |
|
||
ECDSA |
|
||
ECDSA (deterministic) |
Note
If an ECC algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The nrf_oberon driver is currently limited to curve types secp224r1 and secp256r1 for ECDH and ECDSA.
ECC curve configurations
You can configure elliptic curve support by setting one or more Kconfig options in the following table:
ECC curve type | Configuration option |
---|---|
Brainpool256r1 | |
Brainpool384r1 | |
Brainpool512r1 | |
Curve25519 | |
Curve448 | |
secp192k1 | |
secp256k1 | |
secp192r1 | |
secp224r1 | |
secp256r1 | |
secp384r1 | |
secp521r1 | |
ECC curve driver configurations
You can use the Kconfig options in the following table for fine-grained control over which drivers provide elliptic curve support:
ECC curve type |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
Brainpool256r1 |
Not supported |
|
Brainpool384r1 |
Not supported |
Not supported |
Brainpool512r1 |
Not supported |
Not supported |
Curve25519 |
||
Curve448 |
Not supported |
Not supported |
secp192k1 |
Not supported |
|
secp256k1 |
Not supported |
|
secp192r1 |
Not supported |
|
secp224r1 |
||
secp256r1 |
||
secp384r1 |
Not supported |
|
secp521r1 |
Not supported |
RSA configurations
You can enable Rivest-Shamir-Adleman (RSA) support by setting one or more Kconfig options in the following table:
RSA algorithms | Configuration option |
---|---|
RSA OAEP | |
RSA PKCS#1 v1.5 crypt | |
RSA PKCS#1 v1.5 sign | |
RSA PSS | |
RSA driver configurations
You can use the Kconfig options in the following table for fine-grained control over which drivers provide RSA support:
RSA algorithms |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
RSA OAEP |
Not supported |
|
RSA PKCS#1 v1.5 crypt |
Not supported |
|
RSA PKCS#1 v1.5 sign |
Not supported |
|
RSA PSS |
Not supported |
Note
If an RSA algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to key sizes of <= 2048 bits.
Secure Hash configurations
You can configure the Secure Hash algorithms by setting one or more Kconfig options according to the following table:
Hash algorithm | Configuration option |
---|---|
SHA-1 | |
SHA-224 | |
SHA-256 | |
SHA-384 | |
SHA-512 | |
Secure Hash driver configurations
You can use the PSA driver-specific configurations provided in this table for fine-grained control over which drivers provide the Secure Hash algorithm.
Hash algorithm |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
SHA-1 |
||
SHA-224 |
||
SHA-256 |
||
SHA-384 |
Not supported |
|
SHA-512 |
Not supported |
Note
If a Secure Hash algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.