Skip to content

nrf_security: Make the Cracen IKG configurable #22542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 3, 2025
Merged

nrf_security: Make the Cracen IKG configurable #22542

merged 2 commits into from
Jun 3, 2025
+144 −86

Conversation

Vge0rge
Copy link
Contributor

@Vge0rge Vge0rge commented May 27, 2025 

Add the configuration option CRACEN_IKG
which allows to disable the IKG funcionality
if it is not needed.

This will decrease the flash usage for applications
which don't use the IKG.

Ref: NCSDK-30246

Signed-off-by: Georgios Vasilakis <[email protected]>

@Vge0rge Vge0rge requested review from a team as code owners May 27, 2025 13:25
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label May 27, 2025
@NordicBuilder
Copy link
Contributor

NordicBuilder commented May 27, 2025
edited
Loading

CI Information

To view the history of this post, clich the 'edited' button above
Build number: 6

Inputs:

Sources:

sdk-nrf: PR head: 83fa46f5af1fcd5a1eb83d204409f519651fd389

more details

sdk-nrf:

PR head: 83fa46f5af1fcd5a1eb83d204409f519651fd389
merge base: 3d75f3562e4f8c16491b8c51f250a9cb1b2232b5
target head (main): 3d75f3562e4f8c16491b8c51f250a9cb1b2232b5
Diff

Github labels

Enabled Name Description
ci-disabled Disable the ci execution
ci-all-test Run all of ci, no test spec filtering will be done
ci-force-downstream Force execution of downstream even if twister fails
ci-run-twister Force run twister
ci-run-zephyr-twister Force run zephyr twister
List of changed files detected by CI (10) 
subsys
│  ├── nrf_security
│  │  ├── src
│  │  │  ├── drivers
│  │  │  │  ├── cracen
│  │  │  │  │  ├── Kconfig
│  │  │  │  │  ├── cracenpsa
│  │  │  │  │  │  ├── cracenpsa.cmake
│  │  │  │  │  │  ├── src
│  │  │  │  │  │  │  ├── common.c
│  │  │  │  │  │  │  ├── key_management.c
│  │  │  │  │  │  │  │ sign.c
│  │  │  │  │  ├── silexpk
│  │  │  │  │  │  ├── include
│  │  │  │  │  │  │  ├── silexpk
│  │  │  │  │  │  │  │  │ ik.h
│  │  │  │  │  │  ├── silexpk.cmake
│  │  │  │  │  │  ├── target
│  │  │  │  │  │  │  ├── baremetal_ba414e_with_ik
│  │  │  │  │  │  │  │  │ pk_baremetal.c
│  │  │  │  │  │  │  ├── hw
│  │  │  │  │  │  │  │  ├── ba414
│  │  │  │  │  │  │  │  │  │ pkhardware_ba414e.c
│  │  │  │  │  │  │  │  ├── ik
│  │  │  │  │  │  │  │  │  │ ikhardware.c

Outputs:

Toolchain

Version: 4aa3467a6d
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:4aa3467a6d_e85602c25f

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

  • ◻️ Toolchain - Skipped: existing toolchain is used
  • ✅ Build twister
    • sdk-nrf test count: 1819
  • ✅ Integration tests
    • ✅ test-fw-nrfconnect-boot
    • ✅ test_ble_nrf_config
    • ✅ test-fw-nrfconnect-chip
    • ✅ test-fw-nrfconnect-nrf-iot_cloud
    • ✅ test-fw-nrfconnect-nrf_crypto
    • ✅ test-fw-nrfconnect-rs
    • ✅ test-fw-nrfconnect-tfm
    • ✅ test-sdk-find-my
    • ✅ test-sdk-mcuboot
    • ⚠️ test-sdk-dfu
Disabled integration tests
    • desktop52_verification
    • doc-internal
    • test-fw-nrfconnect-apps
    • test-fw-nrfconnect-ble_mesh
    • test-fw-nrfconnect-ble_samples
    • test-fw-nrfconnect-fem
    • test-fw-nrfconnect-nfc
    • test-fw-nrfconnect-nrf-iot_libmodem-nrf
    • test-fw-nrfconnect-nrf-iot_lwm2m
    • test-fw-nrfconnect-nrf-iot_mosh
    • test-fw-nrfconnect-nrf-iot_positioning
    • test-fw-nrfconnect-nrf-iot_samples
    • test-fw-nrfconnect-nrf-iot_serial_lte_modem
    • test-fw-nrfconnect-nrf-iot_thingy91
    • test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
    • test-fw-nrfconnect-proprietary_esb
    • test-fw-nrfconnect-ps-main
    • test-fw-nrfconnect-rpc
    • test-fw-nrfconnect-thread-main
    • test-low-level
    • test-sdk-audio
    • test-sdk-pmic-samples
    • test-sdk-wifi
    • test-secdom-samples-public

Note: This message is automatically posted and updated by the CI

@github-actions GitHub Actions
Copy link

You can find the documentation preview for this PR here.

@Vge0rge Vge0rge force-pushed the configurable_ikg branch from e6c820c to 7d433f8 Compare May 27, 2025 13:54
@Vge0rge Vge0rge removed the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label May 27, 2025
degjorva
degjorva reviewed May 28, 2025
View reviewed changes
@Vge0rge Vge0rge force-pushed the configurable_ikg branch from 7d433f8 to 35768a0 Compare June 1, 2025 15:32
@github-actions github-actions bot added the changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. label Jun 1, 2025
@Vge0rge Vge0rge force-pushed the configurable_ikg branch 2 times, most recently from 6b5e695 to 590d9a5 Compare June 2, 2025 06:35
degjorva
degjorva approved these changes Jun 2, 2025
View reviewed changes
Copy link
Contributor

@degjorva degjorva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved with change to misspelled config. Also NIT: in commit message for "remove unused function" you dropped a word in :"The function exit_ikg instead which is placed in the file
ikg_signature.c". Probably "is used" or something similar.

subsys/nrf_security/src/drivers/cracen/cracenpsa/src/sign.c Outdated
Comment on lines 112 to 114
return status;
} else {
return SX_ERR_INCOMPATIBLE_HW;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: you could have this as a single return status; outside the if since the status is set to SX_ERR_INCOMPATIBLE_HW

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, I did this

subsys/nrf_security/src/drivers/cracen/silexpk/target/baremetal_ba414e_with_ik/pk_baremetal.c Outdated
@@ -99,7 +106,7 @@ int read_status(sx_pk_req *req)
int sx_pk_wait(sx_pk_req *req)
{
do {
#ifndef CONFIG_CRACEN_HW_VERSION_LITE
#if !defined(CONFIG_CRACEN_HW_VERSION_LITE) && defined(COFNIG_CRACEN_IKG)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
#if !defined(CONFIG_CRACEN_HW_VERSION_LITE) && defined(COFNIG_CRACEN_IKG)
#if !defined(CONFIG_CRACEN_HW_VERSION_LITE) && defined(CONFIG_CRACEN_IKG)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also as discussed offline this should probably not be here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the logic, have a second look on this please.

Vge0rge added 2 commits June 2, 2025 17:04
@Vge0rge
nrf_security: Make the Cracen IKG configurable
6e134ca 
Add the configuration option CRACEN_IKG
which allows to disable the IKG funcionality
if it is not needed.

This will decrease the flash usage for applications
which don't use the IKG.

Ref: NCSDK-30246

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge
nrf_security: Remove unused function in Cracen PK
83fa46f 
Remove the function sx_pk_ik_mode_exit which was unused.
The function exit_ikg is used instead which is placed in the file
ikg_signature.c

Signed-off-by: Georgios Vasilakis <[email protected]>
@Vge0rge Vge0rge force-pushed the configurable_ikg branch from 590d9a5 to 83fa46f Compare June 2, 2025 15:04
@carlescufi carlescufi merged commit 31e578e into nrfconnect:main Jun 3, 2025
14 checks passed
@nvlsianpu nvlsianpu mentioned this pull request Jun 3, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@degjorva degjorva degjorva approved these changes

@nordicjm nordicjm nordicjm approved these changes

Assignees
No one assigned
Labels
changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Vge0rge @NordicBuilder @degjorva @nordicjm @carlescufi