PSA Crypto in the Simplicity SDK#
The PSA Crypto API is included in the Simplicity SDK via the Mbed TLS implementation. The official API documentation for the PSA Crypto API can be found via the Mbed TLS Documentation Hub. The Simplicity SDK additionally includes some vendor-specific extensions to the PSA Crypto API, see PSA Crypto API Extensions.
The Simplicity SDK also includes device-specific drivers for selected PSA Crypto and Mbed TLS library functions. The drivers utilize available hardware peripherals to support acceleration of cryptographic primitives and algorithms, and offer functionality for secure key storage. See PSA Crypto Hardware Drivers for more info.
PSA Crypto Initialization#
To add the PSA Crypto API to an application, the PSA Crypto
component must be added to the project.
PSA Crypto must be initialized before usage. If the application calls any function that returns a psa_status_t
result code before calling psa_crypto_init()
, the function should return an error. When the PSA Crypto
component is added to the project, psa_crypto_init()
will automatically be called as a part of sl_system_init()
before the user application is started.
Note: For applications that rely on RAIL for entropy,
psa_crypto_init()
must be called manually by the application.
Thread Safety in PSA Crypto#
The Simplicity SDK includes threading support for the PSA Crypto library by providing protection against concurrent usage of key storage and RNG module. Concurrent calls into the PSA Crypto API are enabled automatically when generating a project with Micrium OS
or FreeRTOS
.
The PSA Crypto API specification defines minimum expectations for concurrent calls. API calls from multiple threads should behave as if they have been executed one at a time. The following cases are not supported and have undefined behaviour, the application is responsible for avoiding such situations:
Destroying a key while it's in use. That is, the user must make sure the key is not in use before calling psa_destroy_key.
Concurrent calls using the same operation object. (An operation object may not be used by more than one thread at a time. But it can move from one thread to another between calls.)
Overlap of an output buffer with an input or output of a concurrent call.
Modification of an input buffer during a call.