#
# Copyright (c) 2021 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

config HW_UNIQUE_KEY_SRC
	bool
	default y if HW_UNIQUE_KEY || HW_UNIQUE_KEY_LOAD
	depends on !ARM_NONSECURE_FIRMWARE
	help
	  This is true whenever hw_unique_key source files are included in the
	  build.

config HW_UNIQUE_KEY_LOAD
	bool "Load Hardware Unique key on boot"
	depends on HAS_HW_NRF_ACL
	depends on HAS_HW_NRF_CC310
	depends on NRF_CC3XX_PLATFORM
	select FPROTECT
	imply NRFX_NVMC
	help
	  Use this on devices with no KMU. Enable this in the immutable
	  bootloader to load the HUK from the allocated flash area
	  "hw_unique_key_partition" and lock the flash area so no subsequent
	  code can read it.
	  The code allows the app to write a (typically random) key to the flash
	  area on the first clean boot. On subsequent boots, the bootloader
	  will fail if no key is present.

config HW_UNIQUE_KEY_SUPPORTED
	bool
	default y if HAS_HW_NRF_CC3XX || (CRACEN_HW_PRESENT && !TFM_PROFILE_TYPE_MINIMAL)

config HW_UNIQUE_KEY
	bool "Hardware Unique Keys (HUK)"
	depends on HW_UNIQUE_KEY_SUPPORTED
	depends on NRF_CC3XX_PLATFORM || BUILD_WITH_TFM || CRACEN_HW_PRESENT
	depends on NRF_SECURITY
	depends on MPU_ALLOW_FLASH_WRITE || BUILD_WITH_TFM || CRACEN_HW_PRESENT
	depends on !BUILD_WITH_TFM || (TFM_CRYPTO_BUILTIN_KEYS || CRACEN_HW_PRESENT)
	select PSA_WANT_ALG_SP800_108_COUNTER_CMAC if CRACEN_HW_PRESENT
	select PSA_WANT_ALG_CMAC if CRACEN_HW_PRESENT
	select PSA_WANT_KEY_TYPE_AES if CRACEN_HW_PRESENT
	select PSA_WANT_ALG_ECB_NO_PADDING if CRACEN_HW_PRESENT
	select PSA_WANT_ALG_GCM if CRACEN_HW_PRESENT
	select PSA_NEED_CRACEN_KMU_DRIVER if CRACEN_HW_PRESENT
	select FPROTECT if HAS_HW_NRF_ACL
	imply NRFX_NVMC if HAS_HW_NRF_ACL
	default y if BUILD_WITH_TFM
	help
	  This option will load the Hardware Unique Key (HUK) in the KDR
	  registers of the CryptoCell peripheral and sets the LCS. It will also
	  lock its flash page so that it's not accesible by the CPU until the
	  next reboot.

if HW_UNIQUE_KEY

config HW_UNIQUE_KEY_WRITE_ON_CRYPTO_INIT
	bool "Write HUK on crypto_driver initialization"
	depends on !BUILD_WITH_TFM
	help
	  Write the HUK in psa_driver_wrapper_init. For devices without KMU this
	  still requires the device to reboot and the bootloader to load the HUK

config HW_UNIQUE_KEY_RANDOM
	bool "Enable writing random HW Unique Keys"
	depends on MAIN_STACK_SIZE >= 2048 || BUILD_WITH_TFM
	default y if BUILD_WITH_TFM
	help
	  Enable the hw_unique_key_write_random() function which utilizes the
	  NRF_CC3XX_PLATFORM to get random numbers.
	  Disable to save space.
endif

config HW_UNIQUE_KEY_PARTITION_SIZE
	hex
	default 0 if !HAS_HW_NRF_ACL
	default FPROTECT_BLOCK_SIZE
	help
	  Size of the flash page for storing the HUK.
	  Only needed when there is no KMU for storing keys (nRF52840).
