Code review 1

nrfconnect · Jan 29, 2025 · 6424970 · 6424970
1 parent 9017448
commit 6424970
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 25 deletions.
diff --git a/config/nrfconnect/chip-module/Kconfig.features b/config/nrfconnect/chip-module/Kconfig.features
@@ -315,17 +315,6 @@ if CHIP_KMU_SUPPORT
 	  The last available KMU slot for Matter purposes.
 	  This slot does not include DAC private key.
 
-	config CHIP_KMU_MAX_FABRICS
-	int
-	default 18 if (CHIP_ENABLE_ICD_SUPPORT && CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU)
-	default 37 if CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU
-	default 20 if CHIP_ENABLE_ICD_SUPPORT
-	default 40
-	help
-	  Maximum possible Matter fabrics to store NOC keys in the Key Management Unit.
-	  The slots number is limited, so there is the limited NOC keys possible to store as well.
-	  Currently, each NOC key uses 2 KMU slots.
-
-endif
+endif # CHIP_KMU_SUPPORT
 
 endif # CHIP
diff --git a/src/platform/nrfconnect/crypto/KMUOperationalKeystore.cpp b/src/platform/nrfconnect/crypto/KMUOperationalKeystore.cpp
@@ -29,14 +29,14 @@ namespace Crypto {
 KMUOperationalKeystore::KMUPersistentP256Keypair::KMUPersistentP256Keypair(FabricIndex fabricIndex) :
     PSAOperationalKeystore::PersistentP256Keypair(0)
 {
-    if (IsValidFabricIndex(fabricIndex))
-    {
-        // Decrease fabricIndex by 1 to match the 0-based index used by the KMU slot definitions.
-        ToPsaContext(mKeypair).key_id =
-            static_cast<psa_key_id_t>(KMU_MATTER_NOC_SLOT_START + ((fabricIndex - 1) * KMU_MATTER_SLOTS_PER_NOC_KEY));
+    VerifyOrReturn(fabricIndex < CHIP_KMU_MAX_FABRICS);
+    VerifyOrReturn(IsValidFabricIndex(fabricIndex));
 
-        mInitialized = true;
-    }
+    // Decrease fabricIndex by 1 to match the 0-based index used by the KMU slot definitions.
+    ToPsaContext(mKeypair).key_id =
+        static_cast<psa_key_id_t>(KMU_MATTER_NOC_SLOT_START + ((fabricIndex - 1) * KMU_MATTER_SLOTS_PER_NOC_KEY));
+
+    mInitialized = true;
 }
 
 KMUOperationalKeystore::KMUPersistentP256Keypair::~KMUPersistentP256Keypair()

diff --git a/src/platform/nrfconnect/crypto/KMUSessionKeystore.cpp b/src/platform/nrfconnect/crypto/KMUSessionKeystore.cpp
@@ -136,7 +136,6 @@ CHIP_ERROR KMUSessionKeystore::PersistICDKey(Symmetric128BitsKeyHandle & key)
     CHIP_ERROR err;
     psa_key_id_t newKeyId = PSA_KEY_ID_NULL;
     psa_key_attributes_t attrs;
-    psa_status_t s = PSA_SUCCESS;
     uint8_t keyEx[CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES];
     size_t keyExSize = sizeof(keyEx);
 

diff --git a/src/platform/nrfconnect/crypto/KMUSlotDefinitions.h b/src/platform/nrfconnect/crypto/KMUSlotDefinitions.h
@@ -24,18 +24,32 @@
 #error "CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID Cannot overlaps with KMU slots dedicated for Matter core"
 #endif
 
+// Define the number of slots per NOC and ICD key.
+#define KMU_MATTER_SLOTS_PER_NOC_KEY 2
+#define KMU_MATTER_SLOTS_PER_ICD_KEY 2
+
+// Define the maximum number of fabrics supported by the KMU.
+#if CONFIG_CHIP_ICD_CHECK_IN_SUPPORT
+// If ICD is enabled, we need to divide the available slots by the number of slots per NOC and ICD key.
+#define CHIP_KMU_MAX_FABRICS                                                                                                       \
+    ((CONFIG_CHIP_CORE_KMU_SLOT_END - CONFIG_CHIP_CORE_KMU_SLOT_START) /                                                           \
+     (KMU_MATTER_SLOTS_PER_NOC_KEY + KMU_MATTER_SLOTS_PER_ICD_KEY))
+#else
+// Otherwise we can use all available slots for NOC keys.
+#define CHIP_KMU_MAX_FABRICS ((CONFIG_CHIP_CORE_KMU_SLOT_END - CONFIG_CHIP_CORE_KMU_SLOT_START) / KMU_MATTER_SLOTS_PER_NOC_KEY)
+#endif // CONFIG_CHIP_ICD_CHECK_IN_SUPPORT
+
 // Define how many slots are available for Matter.
 #define KMU_MATTER_SLOT_COUNT (CONFIG_CHIP_CORE_KMU_SLOT_END - CONFIG_CHIP_CORE_KMU_SLOT_START)
 // For NOC we need 2 slots per fabric (ESDSA)
-#define KMU_MATTER_NOC_SLOT_COUNT (CONFIG_CHIP_KMU_MAX_FABRICS * 2)
-#define KMU_MATTER_SLOTS_PER_NOC_KEY 2
+#define KMU_MATTER_NOC_SLOT_COUNT (CHIP_KMU_MAX_FABRICS * KMU_MATTER_SLOTS_PER_NOC_KEY)
 
-#ifdef CONFIG_CHIP_ENABLE_ICD_SUPPORT
+#ifdef CONFIG_CHIP_ICD_CHECK_IN_SUPPORT
 // For ICD we need 2 slots per ICD entry (AES + HMAC)
-#define KMU_MATTER_ICD_SLOT_COUNT (CONFIG_CHIP_KMU_MAX_FABRICS * 2)
+#define KMU_MATTER_ICD_SLOT_COUNT (CHIP_KMU_MAX_FABRICS * KMU_MATTER_SLOTS_PER_ICD_KEY)
 #else
 #define KMU_MATTER_ICD_SLOT_COUNT 0
-#endif
+#endif // CONFIG_CHIP_ICD_CHECK_IN_SUPPORT
 
 // Define the start of the KMU slots for Matter.
 #define KMU_MATTER_NOC_SLOT_START                                                                                                  \