Revert: "[OIS] Add PSA crypto backend support" (#27391)

This reverts commit 834663d.

Author: woody-apple

.github/.wordlist.txt

@@ -1071,7 +1071,6 @@ ProxyDiscovery
 ProxyValid
 ProxyView
 PRs
-PSA
 PSCAN
 PSECT
 PSK

.github/workflows/examples-openiotsdk.yaml

@@ -31,11 +31,6 @@ env:
 
 jobs:
     openiotsdk:
-        strategy:
-            fail-fast: false
-            matrix:
-                cryptoBackend: ["psa", "mbedtls"]
-
         name: Open IoT SDK examples building
         timeout-minutes: 90
 
@@ -94,7 +89,7 @@ jobs:
               id: build_shell
               timeout-minutes: 10
               run: |
-                  scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} shell
+                  scripts/examples/openiotsdk_example.sh shell
                   .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \
                     openiotsdk release shell \
                     examples/shell/openiotsdk/build/chip-openiotsdk-shell-example.elf \
@@ -104,7 +99,7 @@ jobs:
               id: build_lock_app
               timeout-minutes: 10
               run: |
-                  scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} lock-app
+                  scripts/examples/openiotsdk_example.sh lock-app
                   .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \
                     openiotsdk release lock-app \
                     examples/lock-app/openiotsdk/build/chip-openiotsdk-lock-app-example.elf \
@@ -114,7 +109,7 @@ jobs:
               id: build_unit_tests
               timeout-minutes: 10
               run: |
-                  scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} unit-tests
+                  scripts/examples/openiotsdk_example.sh unit-tests
 
             - name: "Test: shell example"
               if: steps.build_shell.outcome == 'success'

.vscode/tasks.json

@@ -251,7 +251,6 @@
                 "-Cbuild",
                 "-d${input:openiotsdkDebugMode}",
                 "-l${input:openiotsdkLwipDebug}",
-                "-b${input:openiotsdkCryptoBackend}",
                 "${input:openiotsdkExample}"
             ],
             "group": "build",
@@ -272,7 +271,6 @@
                 "-Cbuild",
                 "-d${input:openiotsdkDebugMode}",
                 "-l${input:openiotsdkLwipDebug}",
-                "-b${input:openiotsdkCryptoBackend}",
                 "unit-tests"
             ],
             "group": "build",
@@ -482,13 +480,6 @@
             "options": ["false", "true"],
             "default": "false"
         },
-        {
-            "type": "pickString",
-            "id": "openiotsdkCryptoBackend",
-            "description": "Which Crypto algorithm do you wish to use?",
-            "options": ["mbedtls", "psa"],
-            "default": "mbedtls"
-        },
         {
             "type": "command",
             "id": "openiotsdkExample",

config/openiotsdk/CMakeLists.txt

@@ -62,7 +62,6 @@ matter_add_gn_arg_bool  ("chip_automation_logging"              CONFIG_CHIP_AUTO
 matter_add_gn_arg_bool  ("chip_error_logging"                   CONFIG_CHIP_ERROR_LOGGING)
 matter_add_gn_arg_bool  ("chip_openiotsdk_use_tfm"              TFM_SUPPORT)
 matter_add_gn_arg_bool  ("chip_openiotsdk_use_psa_ps"           CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS)
-matter_add_gn_arg_string("chip_crypto"                          "${CONFIG_CHIP_CRYPTO}")
 if (TARGET cmsis-rtos-api)
     matter_add_gn_arg_string("target_os"                        "cmsis-rtos")
 endif()

config/openiotsdk/chip-gn/args.gni

@@ -31,6 +31,7 @@ chip_system_config_use_lwip = true
 lwip_platform = "external"
 chip_system_config_use_sockets = false
 
+chip_crypto = "mbedtls"
 chip_external_mbedtls = true
 
 custom_toolchain = "${chip_root}/config/openiotsdk/chip-gn/toolchain:openiotsdk"

config/openiotsdk/cmake/chip.cmake

@@ -21,7 +21,7 @@
 
 get_filename_component(GEN_DIR ${CHIP_ROOT}/zzz_generated/ REALPATH)
 
-# Default CHIP build configuration
+# Default CHIP build configuration 
 set(CONFIG_CHIP_PROJECT_CONFIG "main/include/CHIPProjectConfig.h" CACHE STRING "")
 set(CONFIG_CHIP_LIB_TESTS NO CACHE BOOL "")
 set(CONFIG_CHIP_LIB_SHELL NO CACHE BOOL "")
@@ -32,7 +32,6 @@ set(CONFIG_CHIP_AUTOMATION_LOGGING YES CACHE BOOL "Enable logging at automation
 set(CONFIG_CHIP_ERROR_LOGGING YES CACHE BOOL "Enable logging at error level")
 
 set(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS NO CACHE BOOL "Enable using PSA Protected Storage")
-set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING "Matter crypto backend. Mbedtls as default")
 
 if(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS AND NOT TFM_SUPPORT)
     message( FATAL_ERROR "You can not use PSA Protected Storage without TF-M support" )
@@ -54,14 +53,8 @@ if(TFM_SUPPORT)
     add_dependencies(chip-gn tfm-ns-interface)
 endif()
 
-if ("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa")
-    target_compile_definitions(chip
-        INTERFACE
-            CONFIG_CHIP_CRYPTO_PSA)
-endif()
-
 function(chip_add_data_model target scope model_name)
-    target_include_directories(${target}
+    target_include_directories(${target} 
         PUBLIC
             ${GEN_DIR}/app-common
             ${GEN_DIR}/${model_name}-app

config/openiotsdk/cmake/sdk.cmake

@@ -27,7 +27,7 @@ get_filename_component(OPEN_IOT_SDK_STORAGE_SOURCE ${CHIP_ROOT}/third_party/open
 # Open IoT SDK targets passed to CHIP build
 list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS)
 
-# Additional Open IoT SDK build configuration
+# Additional Open IoT SDK build configuration 
 set(TFM_SUPPORT NO CACHE BOOL "Add Trusted Firmware-M (TF-M) support to application")
 set(TFM_NS_APP_VERSION "0.0.0" CACHE STRING "TF-M non-secure application version (in the x.x.x format)")
 set(CONFIG_CHIP_OPEN_IOT_SDK_LWIP_DEBUG NO CACHE BOOL "Enable LwIP debug logs")
@@ -82,7 +82,7 @@ if(TFM_SUPPORT)
     set(TFM_PLATFORM ${OPEN_IOT_SDK_EXAMPLE_COMMON}/tf-m/targets/an552)
     set(TFM_PSA_FIRMWARE_UPDATE ON)
     set(MCUBOOT_IMAGE_VERSION_NS ${TFM_NS_APP_VERSION})
-    set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1;-DTFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH=${OPEN_IOT_SDK_CONFIG}/mbedtls/mbedtls_config_psa.h;-DMBEDCRYPTO_BUILD_TYPE=${CMAKE_BUILD_TYPE};-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}")
+    set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1")
     if ("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
         set(TFM_CMAKE_ARGS "${TFM_CMAKE_ARGS};-DMCUBOOT_LOG_LEVEL=INFO;-DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_DEBUG;-DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO")
     else()
@@ -117,24 +117,24 @@ endif()
 # Add RTOS configuration headers
 # Link cmsis-rtos-api against a concrete implementation
 if(TARGET cmsis-rtos-api)
-    target_include_directories(cmsis-core
-        INTERFACE
+    target_include_directories(cmsis-core 
+        INTERFACE 
             cmsis-config
     )
-
+    
     target_compile_definitions(cmsis-rtos-api
         PUBLIC
             DOMAIN_NS=$<IF:$<BOOL:${TFM_SUPPORT}>,1,0>
     )
 
     if(TARGET freertos-kernel)
-        target_include_directories(freertos-kernel
-            PUBLIC
+        target_include_directories(freertos-kernel 
+            PUBLIC 
                 freertos-config
         )
 
-        target_link_libraries(freertos-kernel
-            PUBLIC
+        target_link_libraries(freertos-kernel 
+            PUBLIC 
                 cmsis-core
         )
 
@@ -250,6 +250,14 @@ if("cmsis-freertos" IN_LIST IOTSDK_FETCH_LIST)
     )
 endif()
 
+if("mbedtls" IN_LIST IOTSDK_FETCH_LIST)
+    list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
+        mbedtls
+        mbedtls-config
+        mbedtls-threading-cmsis-rtos 
+    )
+endif()
+
 if("lwip" IN_LIST IOTSDK_FETCH_LIST)
     list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
         lwipcore
@@ -274,15 +282,6 @@ if("trusted-firmware-m" IN_LIST IOTSDK_FETCH_LIST)
     )
 endif()
 
-# Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used
-if("mbedtls" IN_LIST IOTSDK_FETCH_LIST)
-    list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
-        mbedtls
-        mbedtls-config
-        mbedtls-threading-cmsis-rtos
-    )
-endif()
-
 # Additional Open IoT SDK port components
 
 # Add Open IoT SDK storage source

config/openiotsdk/lwip/user_lwipopts.h

@@ -49,11 +49,6 @@
  */
 #define LWIP_RAW (1)
 
-/**
- * Disable DHCP as the IP6 link local address can be used.
- */
-#define LWIP_DHCP 0
-
 #ifdef LWIP_DEBUG
 
 // Debug Options

config/openiotsdk/mbedtls/mbedtls_config.h

@@ -2692,7 +2692,7 @@
  *           or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
  *
  */
-//#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_C
 
 /**
  * \def MBEDTLS_PSA_CRYPTO_SE_C
@@ -3313,8 +3313,8 @@
 //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT      384 /**< Maximum size of (re)seed buffer */
 
 /* ECP options */
-#define MBEDTLS_ECP_WINDOW_SIZE 6       /**< Maximum window size used */
-#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
+//#define MBEDTLS_ECP_WINDOW_SIZE            4 /**< Maximum window size used */
+//#define MBEDTLS_ECP_FIXED_POINT_OPTIM      1 /**< Enable fixed-point speed-up */
 
 /* Entropy options */
 //#define MBEDTLS_ENTROPY_MAX_SOURCES                20 /**< Maximum number of sources supported */

config/openiotsdk/mbedtls/mbedtls_config_psa.h

@@ -374,42 +374,6 @@ For `TF-M` protected storage use:
 [Open IoT SDK build script](../../scripts/examples/openiotsdk_example.sh)
 provides the `-K,--kvsfile` option to use the persistence options listed above.
 
-### Crypto backend
-
-Open IoT SDK port supports two crypto backend implementations:
-
--   [Mbed TLS](../guides/openiotsdk_platform_overview.md#mbed-tls) - it's the
-    default option
--   [PSA crypto service](https://tf-m-user-guide.trustedfirmware.org/integration_guide/services/tfm_crypto_integration_guide.html)
-    from the
-    [TrustedFirmware-M (TF-M)](../guides/openiotsdk_platform_overview.md#trusted-firmware-m)
-    component
-
-The CMake variable `CONFIG_CHIP_CRYPTO` controls how cryptographic operations
-are implemented in Matter. It accepts two values:
-
--   `mbedtls`: use Mbed TLS for crypto operations.
--   `psa`: use
-    [PSA Cryptography API](https://armmbed.github.io/mbed-crypto/html/) for
-    crypto operations.
-
-This variable can be set in the main application `CMakeLists.txt`:
-
-```
-set(CONFIG_CHIP_CRYPTO <mbedtls | psa>)
-```
-
-The variable can also be defined with CMake CLI:
-
-```
-cmake -G <...> -DCONFIG_CHIP_CRYPTO=<mbedtls | psa> <...>
-```
-
-> 💡 **Notes**:
->
-> The `TF-M PSA crypto` option requires enabling [TF-M](#trusted-firmware-m)
-> support.
-
 ## Building
 
 You can build examples using the dedicated VSCode task or by calling directly
@@ -422,7 +386,6 @@ the build script from the command line.
 -   Select `Build Open IoT SDK example`
 -   Decide on debug mode support
 -   Decide on LwIP debug logs support
--   Choose crypto algorithm
 -   Choose example name
 
 This will call the script with the selected parameters.
@@ -605,12 +568,12 @@ telnet> close
 
 ## Specific examples
 
-### Build lock-app example with PSA crypto backend support and run it in the network namespace
+### Build lock-app example and run it in the network namespace
 
 **Using CLI**
 
 ```
-${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b psa lock-app
+${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app
 
 export TEST_NETWORK_NAME=OIStest
 
@@ -630,7 +593,6 @@ Build example:
 -   Select `Build Open IoT SDK example`
 -   Deny debug mode support `false`
 -   Deny LwIP debug logs support `false`
--   Choose crypto algorithm `psa`
 -   Choose example name `lock-app`
 
 Setup network environment:
@@ -652,12 +614,12 @@ Run example:
 
 The example output should be seen in the terminal window.
 
-### Build lock-app example with mbedtls crypto backend support and execute its test in the network namespace
+### Build lock-app example and execute its test in the network namespace
 
 **Using CLI**
 
 ```
-${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b mbedtls lock-app
+${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app
 
 export TEST_NETWORK_NAME=OIStest
 
@@ -677,7 +639,6 @@ Build example:
 -   Select `Build Open IoT SDK example`
 -   Deny debug mode support `false`
 -   Deny LwIP debug logs support `false`
--   Choose crypto algorithm `mbedtls`
 -   Choose example name `lock-app`
 
 Setup network environment:
@@ -697,7 +658,7 @@ Test example:
 -   Enter network interface `OIStesttap`
 -   Choose example name `lock-app`
 
-### Build lock-app example with mbedtls crypto backend support in debug mode and debug it in the network namespace using the VSCode task
+### Build lock-app example in debug mode and debug it in the network namespace using the VSCode task
 
 Build example:
 
@@ -706,7 +667,6 @@ Build example:
 -   Select `Build Open IoT SDK example`
 -   Confirm debug mode support `true`
 -   Deny LwIP debug logs support `false`
--   Choose crypto algorithm `mbedtls`
 -   Choose example name `lock-app`
 
 Setup network environment:
@@ -797,7 +757,7 @@ Example:
     id: build_new_example
     timeout-minutes: 10
     run: |
-        scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} new-example
+        scripts/examples/openiotsdk_example.sh new-example
         .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \
         openiotsdk release new-example \
         examples/new-example/openiotsdk/build/chip-openiotsdk-new-example-example.elf \

docs/guides/openiotsdk_examples.md

@@ -27,10 +27,6 @@
 #include "iotsdk/ip_network_api.h"
 #include "mbedtls/platform.h"
 
-#ifdef CONFIG_CHIP_CRYPTO_PSA
-#include "psa/crypto.h"
-#endif
-
 #include <DeviceInfoProviderImpl.h>
 #include <lib/support/CHIPMem.h>
 #include <lib/support/logging/CHIPLogging.h>
@@ -183,15 +179,6 @@ int openiotsdk_platform_init(void)
         return EXIT_FAILURE;
     }
 
-#ifdef CONFIG_CHIP_CRYPTO_PSA
-    ret = psa_crypto_init();
-    if (ret)
-    {
-        ChipLogError(NotSpecified, "PSA crypto initialization failed: %d", ret);
-        return EXIT_FAILURE;
-    }
-#endif
-
 #ifdef TFM_SUPPORT
     ret = get_psa_images_details();
     if (ret != 0)