Bluetooth Mesh Crypto CMAC Can use hardware AES engine?

[LingaoM]

Currently, Bluetooth Mesh K1 K2 K3 K4 Crypto function used CMAC, which currently use tinycrypt library, can anyone known how this move to use hardware aes method to speed up calculation and save flash footprint size.

[LingaoM]

@alxelax @PavelVPV

[alxelax]

Hi @LingaoM, I participated in a couple of meetings of Zephyr's security work group. Per my understanding, tinycrypt library life cycle is over. It is out of support anymore. There is no sense to apply any hw accelerations for it. As a security standard Zephyr's community started looking at the PSA crypto API. Our team within Nordic started migration BLE Mesh implementation on PSA API that the mbedTLS library provides (actually it should be OK for any crypto solution that provides PSA API e.g. TF-M). Also, we understand that mbedTLS cannot provide good footprint digits as tinycrypt provides. We do support of PSA and tinycrypt in parallel (config choice in compile time) as a temporary solution while mbedTLS is not optimal enough. Nevertheless, mbedTLS includes HW acceleration for some platforms and some people work to improve its footprint. This is our vision in which direction support of BLE Mesh crypto functionality should go. It should be with a coherence of Zephyr's security group activities as well. All these changes we do in a private branch for a while.

[Laczen]

@alxelax, could psa not be used to call tinycrypt routines? As far as I understand psa is just a wrapper that provides calls to other libraries to do the work. Specific for psa is the storage and handling of keys, but not the routines. When psa is used it should be possible to easily switch from a software implementation to a hardware implementation.

[alxelax]

Hi @Laczen, I'm quite sure the current mbedTLS version doesn't use PSA API to call tinycrypt routines. I guess PSA is a bit deeper than wrapper. API has been designed to standardize usage chips with different security level domains with different root-of-trust(aka ARM designed TrustZone). However, I'm not security specialist to discuss it in details. I agree, it should be easy to switch between software and hardware implementation. Then we go back to LingaoM's question how to add this ability to tinycrypt. Since library is out of maintenance anymore there is another question who is going to do that. I'm pretty sure these questions are out of competence of BLE Mesh maintainers.

[Laczen]

Hi @alxelax, the original question was how to switch from tinycrypt to hardware functions. This should be easy if psa-crypto would be available: replace the tinycrypt calls with a psa-crypto call (that would be translated into either a hardware call or a software call). BTW mbedTLS should just be one of the implementations of the psa-crypto algorithms. Given the complexity of psa-crypto it will probably take some time before it is available. Although I have seen other systems (RIOT) making a big step towards implementation.