The nrf_crypto frontend and multiple backends can be configured by editing the sdk_config.h file. For general information about nRF5 SDK configuration through sdk_config.h, refer to SDK configuration header file.
This chapter explains how to enable the nrf_crypto frontend and backends by controlling the defines in sdk_config.h.
Enabling this define gives access to use the nrf_crypto frontend APIs. Keep in mind that at least one of the nrf_crypto backends is required to use the API functions.
To enable an nrf_crypto backend, set the NRF_CRYPTO_<XXXX>_BACKEND_ENABLED define to 1.
To disable an nrf_crypto backend, change the define to 0.
It is possible to mix and match support from multiple backends at the same time. Doing so may require disabling one or more cryptographic function modes in one or more of the backends.
You will get a compilation error if multiple backends that support the same cryptographic function mode are enabled at once:
It is possible to enable or disable cryptographic function modes by controlling specific defines in sdk_config.h. The supported modes are grouped inside the backends that support them.
To disable a cryptographic function mode in a backend, change the define to 0.
When the nrf_crypto frontend and a backend are enabled, automatic defines are available for you to use. These are either on the cryptographic family level (such as nrf_crypto_hash) or on the cryptographic family mode level (such as nrf_crypto_hash_sha256).
If a cryptographic function is enabled by enabling the nrf_crypto frontend and one of the backends, a define is declared for the family of cryptographic routines. The define has the value 1 if the cryptographic function is available.
Cryptographic family | Define |
---|---|
AEAD | NRF_CRYPTO_AEAD_ENABLED |
AES | NRF_CRYPTO_AES_ENABLED |
ECC (ECDH and ECDSA) | NRF_CRYPTO_ECC_ENABLED |
HASH | NRF_CRYPTO_HASH_ENABLED |
HMAC (and HKDF) | NRF_CRYPTO_HMAC_ENABLED |
RNG | NRF_CRYPTO_RNG_ENABLED |
Cryptographic function modes are enabled by enabling the nrf_crypto frontend, enabling an nrf_crypto backend, and enabling a cryptographic function mode in an nrf_crypto backend.
Cryptographic modes | Define |
---|---|
AES - CBC | NRF_CRYPTO_AES_CBC_ENABLED |
AES - CBC MAC | NRF_CRYPTO_AES_CBC_MAC_ENABLED |
AES - CFB | NRF_CRYPTO_AES_CFB_ENABLED |
AES - CTR | NRF_CRYPTO_AES_CTR_ENABLED |
AES - CCM | NRF_CRYPTO_AES_CCM_ENABLED |
AES - CCM* | NRF_CRYPTO_AES_CCM_STAR_ENABLED |
AES - CMAC | NRF_CRYPTO_AES_CMAC_ENABLED |
AES - ECB | NRF_CRYPTO_AES_ECB_ENABLED |
AES - CMAC_PRF128 | NRF_CRYPTO_AES_CMAC_PRF128_ENABLED |
AES - EAX | NRF_CRYPTO_AES_EAX_ENABLED |
AES - GCM | NRF_CRYPTO_AES_GCM_ENABLED |
ECDH and ECDSA (secp160r1) | NRF_CRYPTO_ECC_SECP160R1_ENABLED |
ECDH and ECDSA (secp160r2) | NRF_CRYPTO_ECC_SECP160R2_ENABLED |
ECDH and ECDSA (secp192r1) | NRF_CRYPTO_ECC_SECP192R1_ENABLED |
ECDH and ECDSA (secp224r1) | NRF_CRYPTO_ECC_SECP224R1_ENABLED |
ECDH and ECDSA (secp256r1) | NRF_CRYPTO_ECC_SECP256R1_ENABLED |
ECDH and ECDSA (secp384r1) | NRF_CRYPTO_ECC_SECP384R1_ENABLED |
ECDH and ECDSA (secp521r1) | NRF_CRYPTO_ECC_SECP521R1_ENABLED |
ECDH and ECDSA (secp160k1) | NRF_CRYPTO_ECC_SECP160K1_ENABLED |
ECDH and ECDSA (secp192k1) | NRF_CRYPTO_ECC_SECP192K1_ENABLED |
ECDH and ECDSA (secp224k1) | NRF_CRYPTO_ECC_SECP224K1_ENABLED |
ECDH and ECDSA (secp256k1) | NRF_CRYPTO_ECC_SECP256K1_ENABLED |
ECDH and ECDSA (bp256r1) | NRF_CRYPTO_ECC_BP256R1_ENABLED |
ECDH and ECDSA (bp384r1) | NRF_CRYPTO_ECC_BP384R1_ENABLED |
ECDH and ECDSA (bp512r1) | NRF_CRYPTO_ECC_BP512R1_ENABLED |
ECDH (Curve25519) | NRF_CRYPTO_ECC_CURVE25519_ENABLED |
EdDSA (Ed25519) | NRF_CRYPTO_ECC_ED25519_ENABLED |
ChaCha-Poly | NRF_CRYPTO_CHACHA_POLY_ENABLED |
HASH - SHA-256 | NRF_CRYPTO_HASH_SHA256_ENABLED |
HASH - SHA-512 | NRF_CRYPTO_HASH_SHA512_ENABLED |
HMAC - SHA-256 | NRF_CRYPTO_HMAC_SHA256_ENABLED |
HMAC - SHA-512 | NRF_CRYPTO_HMAC_SHA512_ENABLED |
You can use the defines in nrf_crypto automatic defines and Defines for supported modes within a cryptographic family of functions to get compile-time assertions for the required modes of operation.
If your application requires Hash support for SHA-512, you can use the following statement to ensure that SHA-512 is supported.
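A compile-time guard of this kind, written here as an added example in standard C (it is not code from the SDK or from the original page). The three `#define` lines are a constructed stand-in for the automatic defines that nrf_crypto derives from sdk_config.h, and `app_compiled_hash_modes` and the `APP_HASH_*` names are hypothetical.

```c
#include <stdint.h>

/* Constructed stand-in for the automatic defines. In a real build they come
 * from the nrf_crypto headers according to sdk_config.h; remove this block
 * there. */
#ifndef NRF_CRYPTO_HASH_ENABLED
#define NRF_CRYPTO_HASH_ENABLED        1
#define NRF_CRYPTO_HASH_SHA256_ENABLED 1
#define NRF_CRYPTO_HASH_SHA512_ENABLED 1
#endif

/* Inside #if an undefined macro evaluates to 0, so each guard fires both when
 * the define is 0 and when it is missing altogether. */
#if !NRF_CRYPTO_HASH_ENABLED
#error "Hash family unavailable: enable the nrf_crypto frontend and a backend with hash support"
#endif
#if !NRF_CRYPTO_HASH_SHA512_ENABLED
#error "SHA-512 is required: enable it in one backend in sdk_config.h"
#endif

/* C11 alternative: same check as a static assertion. Unlike #if, it needs the
 * define to exist, otherwise the compiler reports an undeclared identifier. */
_Static_assert(NRF_CRYPTO_HASH_SHA512_ENABLED == 1, "SHA-512 must be enabled");

/* Hypothetical helper: bitmask of the hash modes compiled into this image,
 * so a boot log or self-test can record what the build actually contains. */
enum { APP_HASH_SHA256 = 1u << 0, APP_HASH_SHA512 = 1u << 1 };

uint32_t app_compiled_hash_modes(void)
{
    uint32_t modes = 0;
#if NRF_CRYPTO_HASH_SHA256_ENABLED
    modes |= APP_HASH_SHA256;
#endif
#if NRF_CRYPTO_HASH_SHA512_ENABLED
    modes |= APP_HASH_SHA512;
#endif
    return modes;
}
```

Setting the SHA-512 stand-in to 0 stops the build at the second `#error`, before any code that depends on SHA-512 is compiled.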