Driver configurations and supported features
This section covers the configurations available when using PSA drivers.
Configuring multiple drivers
Multiple PSA drivers can be enabled at the same time, with fine-grained control over which driver implements each cryptographic feature.
To enable a PSA driver, set the following configurations:
PSA driver | Configuration option | Notes |
---|---|---|
nrf_cc3xx | | Only on nRF52840, nRF9160, and nRF5340 devices |
nrf_oberon | | |
If multiple drivers are enabled, the driver listed first in this table takes precedence for an enabled cryptographic feature, unless that driver does not enable or support it.
Enabling or disabling PSA driver specific configurations controls the support for a given algorithm, per driver.
If a specific cryptographic feature is not supported by a PSA driver but the algorithm is configured to be used, then Built-in Mbed TLS will be enabled to ensure the feature is available.
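The selection rule above can be modeled as a short resolver. This is an added example, not nRF Connect SDK code: the function names are hypothetical, and the support matrix covers only the AES cipher modes that this page's AES cipher driver table marks the same way for both drivers (listed without "Not supported" for either, or "Not supported" for both).

```python
# Added example: models the driver selection rule; not nRF Connect SDK code.
DRIVER_ORDER = ("nrf_cc3xx", "nrf_oberon")  # table order decides precedence
BUILTIN = "Built-in Mbed TLS"

# Constructed support matrix (assumption: modes listed without "Not supported"
# for either driver are supported by both; OFB and XTS are listed as
# "Not supported" for both).
BOTH = frozenset(DRIVER_ORDER)
SUPPORT = {
    "ECB_NO_PADDING": BOTH,
    "CBC_NO_PADDING": BOTH,
    "CTR": BOTH,
    "OFB": frozenset(),
    "XTS": frozenset(),
}


def resolve(feature, enabled_drivers, per_driver_off=()):
    """Return the backend that serves an enabled cipher mode.

    enabled_drivers: names of the PSA drivers enabled in the build.
    per_driver_off: (driver, feature) pairs switched off through the
    driver-specific options.
    """
    for driver in DRIVER_ORDER:
        if driver not in enabled_drivers:
            continue
        if driver not in SUPPORT[feature]:
            continue
        if (driver, feature) in per_driver_off:
            continue
        return driver  # first driver in table order that can serve it
    return BUILTIN  # no PSA driver enables or supports the feature


def software_fallbacks(wanted, enabled_drivers, per_driver_off=()):
    """List the enabled features that end up on Built-in Mbed TLS."""
    return sorted(f for f in wanted
                  if resolve(f, enabled_drivers, per_driver_off) == BUILTIN)


if __name__ == "__main__":
    drivers = {"nrf_cc3xx", "nrf_oberon"}
    for mode in ("CTR", "OFB"):
        print(mode, "->", resolve(mode, drivers))
    print("software fallback:", software_fallbacks(["CTR", "OFB", "XTS"], drivers))
```

Running a check like `software_fallbacks` over the modes a build enables shows which of them will be served by Built-in Mbed TLS rather than by a PSA driver.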
AES cipher configuration
To enable AES cipher modes, set one or more of the following Kconfig options:
Cipher mode | Configuration option |
---|---|
ECB_NO_PADDING | |
CBC_NO_PADDING | |
CBC_PKCS7 | |
CFB | |
CTR | |
OFB | |
XTS | |
AES cipher driver configuration
You can use the following Kconfig options for fine-grained control over which drivers provide AES cipher support:
Cipher mode |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
ECB_NO_PADDING |
||
CBC_NO_PADDING |
||
CBC_PKCS7 |
Not supported |
|
CFB |
Not supported |
|
CTR |
||
OFB |
Not supported |
Not supported |
XTS |
Not supported |
Not supported |
Note
If an AES cipher mode is enabled and no PSA driver enables or supports it, Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.
MAC configuration
To enable MAC support, set one or more of the following Kconfig options:
MAC cipher | Configuration option |
---|---|
ECB_NO_PADDING | |
CBC_NO_PADDING | |
MAC driver configurations
You can use the following Kconfig options for fine-grained control over which drivers provide MAC support:
MAC cipher |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
ECB_NO_PADDING |
Not supported |
|
CBC_NO_PADDING |
Not supported |
Note
If a MAC algorithm is enabled and no PSA driver enables or supports it, Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES CMAC key sizes of 128 bits on devices with Arm CryptoCell cc310.
The Arm CryptoCell cc3xx driver is limited to HMAC using SHA-1, SHA-224, and SHA-256 on devices with Arm CryptoCell cc310.
AEAD configurations
To enable Authenticated Encryption with Associated Data (AEAD), set one or more of the following Kconfig options:
AEAD cipher | Configuration option |
---|---|
AES CCM | |
AES GCM | |
ChaCha/Poly | |
AEAD driver configurations
You can use the following Kconfig options for fine-grained control over which drivers provide AEAD support:
AEAD cipher |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
AES CCM |
||
AES GCM |
||
ChaCha/Poly |
Note
If an AEAD algorithm is enabled and no PSA driver enables or supports it, Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to AES key sizes of 128 bits on devices with Arm CryptoCell cc310.
The Arm CryptoCell cc3xx driver does not provide hardware support for AES GCM on devices with Arm CryptoCell cc310.
ECC configurations
To enable Elliptic Curve Cryptography (ECC), set one or more of the following Kconfig options:
ECC algorithm | Configuration option |
---|---|
ECDH | |
ECDSA | |
ECDSA (deterministic) | |
ECC algorithm support depends on one or more Kconfig options that enable curve support, as described in ECC curve configurations.
ECC driver configurations
You can use the following Kconfig options for fine-grained control over which drivers provide ECC support:
ECC algorithm |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
ECDH |
||
ECDSA |
||
ECDSA (deterministic) |
Note
If an ECC algorithm is enabled and no PSA driver enables or supports it, then Built-in Mbed TLS support is enabled and used.
The nrf_oberon driver is currently limited to curve types secp224r1 and secp256r1 for ECDH and ECDSA.
ECC curve configurations
To configure elliptic curve support, set one or more of the following Kconfig options:
ECC curve type | Configuration option |
---|---|
Brainpool256r1 | |
Brainpool384r1 | |
Brainpool512r1 | |
Curve25519 | |
Curve448 | |
secp192k1 | |
secp256k1 | |
secp192r1 | |
secp224r1 | |
secp256r1 | |
secp384r1 | |
secp521r1 | |
ECC curve driver configurations
You can use the following Kconfig options for fine-grained control over which drivers provide elliptic curve support:
ECC curve type |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
Brainpool256r1 |
Not supported |
|
Brainpool384r1 |
Not supported |
Not supported |
Brainpool512r1 |
Not supported |
Not supported |
Curve25519 |
||
Curve448 |
Not supported |
Not supported |
secp192k1 |
Not supported |
|
secp256k1 |
Not supported |
|
secp192r1 |
Not supported |
|
secp224r1 |
||
secp256r1 |
||
secp384r1 |
Not supported |
|
secp521r1 |
Not supported |
RSA configurations
To enable Rivest-Shamir-Adleman (RSA) support, set one or more of the following Kconfig options:
RSA algorithms | Configuration option |
---|---|
RSA OAEP | |
RSA PKCS#1 v1.5 crypt | |
RSA PKCS#1 v1.5 sign | |
RSA PSS | |
RSA driver configurations
You can use the following Kconfig options for fine-grained control over which drivers provide RSA support:
RSA algorithms |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
RSA OAEP |
Not supported |
|
RSA PKCS#1 v1.5 crypt |
Not supported |
|
RSA PKCS#1 v1.5 sign |
Not supported |
|
RSA PSS |
Not supported |
Not supported |
Note
If an RSA algorithm is enabled and no PSA driver enables or supports it, Built-in Mbed TLS support is enabled and used.
The Arm CryptoCell cc3xx driver is limited to key sizes less than or equal to 2048 bits.
Secure Hash configurations
To configure the Secure Hash algorithms, set one or more of the following Kconfig options:
Hash algorithm | Configuration option |
---|---|
SHA-1 | |
SHA-224 | |
SHA-256 | |
SHA-384 | |
SHA-512 | |
Secure Hash driver configurations
You can use the following PSA driver-specific configurations for fine-grained control over which drivers provide the Secure Hash algorithm.
Hash algorithm |
nrf_cc3xx driver support |
nrf_oberon driver support |
---|---|---|
SHA-1 |
||
SHA-224 |
||
SHA-256 |
||
SHA-384 |
Not supported |
|
SHA-512 |
Not supported |
Note
If a Secure Hash algorithm is enabled and no PSA driver enables or supports it, Built-in Mbed TLS support is enabled and used.