doc: crypto: updates to crypto samples, part 3 #25240

greg-fer · 2025-10-24T13:58:43Z

Updated the documentation of crypto samples.
Added sample output, cross-links to recently updated docs, more details in the overview sections.
Edited sample.yaml for term and style consistency. Future PRs will edit remaining crypto samples.
NCSDK-33435. Follow-up to #25032 and #25157.

NordicBuilder · 2025-10-24T14:03:39Z

CI Information

^{To view the history of this post, click the 'edited' button above}
Build number: 2

Inputs:

Sources:

sdk-nrf: PR head: 9172a0ce14f9fa49806a6b2472534d3db8617d06

more details

sdk-nrf:

PR head: 9172a0ce14f9fa49806a6b2472534d3db8617d06
merge base: 4e54417757e1c380defe6bea9f9e0213b1ed3b38
target head (main): 9b25e68156335c2372bc6edd6b4a9206716f910b
Diff

Github labels

Enabled	Name	Description
	ci-disabled	Disable the ci execution
	ci-all-test	Run all of ci, no test spec filtering will be done
	ci-force-downstream	Force execution of downstream even if twister fails
	ci-run-twister	Force run twister
	ci-run-zephyr-twister	Force run zephyr twister

List of changed files detected by CI (38)

doc
│  ├── nrf
│  │  ├── security
│  │  │  ├── crypto
│  │  │  │  │ crypto_supported_features.rst
samples
│  ├── crypto
│  │  ├── aes_cbc
│  │  │  │ prj.conf
│  │  ├── aes_ccm
│  │  │  │ prj.conf
│  │  ├── aes_ctr
│  │  │  │ prj.conf
│  │  ├── aes_gcm
│  │  │  │ prj.conf
│  │  ├── chachapoly
│  │  │  │ prj.conf
│  │  ├── ecdh
│  │  │  │ prj.conf
│  │  ├── ecdsa
│  │  │  │ prj.conf
│  │  ├── ecjpake
│  │  │  ├── README.rst
│  │  │  ├── sample.yaml
│  │  │  ├── src
│  │  │  │  │ main.c
│  │  ├── eddsa
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  ├── sample.yaml
│  │  │  ├── src
│  │  │  │  │ main.c
│  │  ├── hkdf
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  ├── sample.yaml
│  │  │  ├── src
│  │  │  │  │ main.c
│  │  ├── hmac
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  ├── sample.yaml
│  │  │  ├── src
│  │  │  │  │ main.c
│  │  ├── kmu_usage_nrf54l
│  │  │  │ prj.conf
│  │  ├── pbkdf2
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  ├── sample.yaml
│  │  │  ├── src
│  │  │  │  │ main.c
│  │  ├── persistent_key_usage
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  │ sample.yaml
│  │  ├── rng
│  │  │  ├── README.rst
│  │  │  ├── prj.conf
│  │  │  │ sample.yaml
│  │  ├── rsa
│  │  │  │ prj.conf
│  │  ├── sha256
│  │  │  │ prj.conf
│  │  ├── spake2p
│  │  │  │ prj.conf
tests
│  ├── psa_crypto
│  │  │ prj.conf

Outputs:

Toolchain

Version: cfa6b06338
Build docker image: docker-dtr.nordicsemi.no/sw-production/ncs-build:cfa6b06338_bba2ea5f2e

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

◻️ Toolchain - Skipped: existing toolchain is used
✅ Build twister
- sdk-nrf test count: 4
✅ Integration tests
- ✅ test-fw-nrfconnect-nrf_crypto
- ✅ test-secdom-samples-public

Disabled integration tests

- test-fw-nrfconnect-nrf_lrcs_positioning
- desktop52_verification
- test-fw-nrfconnect-apps
- test-fw-nrfconnect-ble_mesh
- test-fw-nrfconnect-ble_samples
- test-fw-nrfconnect-chip
- test-fw-nrfconnect-fem
- test-fw-nrfconnect-nfc
- test-fw-nrfconnect-nrf-iot_cloud
- test-fw-nrfconnect-nrf-iot_libmodem-nrf
- test-fw-nrfconnect-nrf-iot_lwm2m
- test-fw-nrfconnect-nrf-iot_samples
- test-fw-nrfconnect-nrf-iot_serial_lte_modem
- test-fw-nrfconnect-nrf-iot_thingy91
- test-fw-nrfconnect-nrf-iot_zephyr_lwm2m
- test-fw-nrfconnect-ps-main
- test-fw-nrfconnect-rpc
- test-fw-nrfconnect-rs
- test-fw-nrfconnect-tfm
- test-fw-nrfconnect-thread-main
- test-low-level
- test-sdk-audio
- test-sdk-dfu
- test-sdk-find-my
- test-sdk-mcuboot

Note: This message is automatically posted and updated by the CI

peknis · 2025-10-27T06:25:33Z

doc/nrf/security/crypto/crypto_supported_features.rst

                 - | :kconfig:option:`CONFIG_PSA_WANT_ALG_RSA_OAEP`
                   | :kconfig:option:`CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT` (does not support RSA key pair generation)

+.. _crypto_supported_features_ecc_curve_types:


Suggested change

.. _crypto_supported_features_ecc_curve_types:

.. _ug_crypto_supported_features_ecc_curve_types:

To fix the doc build failure

peknis · 2025-10-27T06:28:26Z

samples/crypto/ecjpake/README.rst

+
+1. Initialization:
+
+   a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.


Suggested change

a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.

a. The PSA Crypto API is initialized using the :c:func:`psa_crypto_init` function.

I'd suggest saying the ... function, at least for the first instance of a section or list.

It is clear from the context: API, *_init.

It is, but don't we usually use the phrase "... using the ... function" in most places?

AntonZma · 2025-10-27T07:44:34Z

samples/crypto/aes_cbc/prj.conf

 CONFIG_NRF_SECURITY=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y

+# Enable PSA Crypto APIs for the sample


These KConfigs specify cryptographic features needed by application rather that enable PSA Crypto API.
PSA API is enabled by CONFIG_MBEDTLS_PSA_CRYPTO_C

Right, I actually edited this towards what you say here before I read your comment :)

Updated the documentation of crypto samples. Added sample output, cross-links to recently updated docs, more details in the overview sections. Edited sample.yaml for term and style consistency. Future PRs will edit remaining crypto samples. NCSDK-33435. Follow-up to nrfconnect#25032 and nrfconnect#25157. Signed-off-by: Grzegorz Ferenc <[email protected]>

github-actions · 2025-10-27T09:40:58Z

You can find the documentation preview for this PR here.

Preview links for modified nRF Connect SDK documents:

tomi-font · 2025-10-27T10:21:26Z

samples/crypto/aes_cbc/prj.conf

 CONFIG_NRF_SECURITY=y
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y

+# Enable cryptographic features for compilation


Suggested change

# Enable cryptographic features for compilation

# Enable needed cryptographic features

? at least "for compilation" to me is a bit off, of course you need to enable what you need to enable, and besides things might fail at runtime instead of build time so your compilation might succeed even with missing features

tomi-font · 2025-10-27T10:32:10Z

samples/crypto/ecjpake/README.rst

-1. Initializes the Platform Security Architecture (PSA) API.
-#. Goes through the steps for J-PAKE on server and client sides.
-#. Verifies that the derived keys are the same.
+* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.


From among the supported cryptographic operations? Maybe I'm just dumb but to me it's a bit weird.

Suggested change

* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.

* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.

Suggested change

* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.

* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types in the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.

tomi-font · 2025-10-27T10:34:22Z

samples/crypto/ecjpake/src/main.c

 		goto error;
 	}

+	LOG_INF("Shared secrets match successfully!");


Match successfully? Just match, no? (Or "successfully matched"?)

tomi-font · 2025-10-27T10:37:08Z

samples/crypto/hkdf/src/main.c

 		PSA_KEY_DERIVATION_OPERATION_INIT;

-	LOG_INF("Deriving a key using HKDF and SHA256...");
+	LOG_INF("Deriving a key using the HKDF algorithm and SHA-256 hash algorithm...");


it's basically HKDF with SHA-256, repeating algorithm seems wrong

Suggested change

LOG_INF("Deriving a key using the HKDF algorithm and SHA-256 hash algorithm...");

LOG_INF("Deriving a key using HKDF with SHA-256...");

tomi-font · 2025-10-27T10:37:31Z

samples/crypto/hkdf/sample.yaml

-  description: HMAC key derivation function example
-  name: HKDF example
+  description: |
+    This sample demonstrates HKDF key derivation using the HKDF algorithm.


Suggested change

This sample demonstrates HKDF key derivation using the HKDF algorithm.

This sample demonstrates key derivation using the HKDF algorithm.

tomi-font · 2025-10-27T10:38:04Z

samples/crypto/hmac/sample.yaml

-    This app provides an example of performing HMAC signing and verification
-    using the SHA256 hashing algorithm decryption using AES CBC mode
-  name: HMAC example
+    This sample demonstrates HMAC signing and verification using the HMAC algorithm using


repetition of "using"

tomi-font · 2025-10-27T10:38:20Z

samples/crypto/kmu_usage_nrf54l/prj.conf

 CONFIG_MBEDTLS_PSA_CRYPTO_C=y

-# Using hardware crypto accelerator
+# Enable using hardware crypto accelerator


Suggested change

# Enable using hardware crypto accelerator

# Enable hardware crypto accelerator

tomi-font · 2025-10-27T10:38:56Z

samples/crypto/pbkdf2/sample.yaml

-  description: HMAC key derivation function example
-  name: PBKDF2 example
+  description: |
+    This sample demonstrates PBKDF2 key derivation using the PBKDF2 algorithm with HMAC-SHA-256.


PBKDF2 repetition

tomi-font · 2025-10-27T10:39:38Z

samples/crypto/persistent_key_usage/prj.conf

 CONFIG_PSA_WANT_ALG_CTR=y
 CONFIG_PSA_WANT_GENERATE_RANDOM=y
+
+# Enable persistent storage APIs


Suggested change

# Enable persistent storage APIs

# Enable persistent storage for PSA Crypto

greg-fer requested review from AntonZma, Vge0rge and magnev October 24, 2025 13:58

greg-fer requested review from a team as code owners October 24, 2025 13:58

NordicBuilder added doc-required PR must not be merged without tech writer approval. changelog-entry-required Update changelog before merge. Remove label if entry is not needed or already added. labels Oct 24, 2025

peknis requested changes Oct 27, 2025

View reviewed changes

AntonZma reviewed Oct 27, 2025

View reviewed changes

greg-fer force-pushed the doc_crypto_samples_part3 branch from 5962a96 to 9172a0c Compare October 27, 2025 08:46

NordicBuilder requested review from a team October 27, 2025 08:47

AntonZma approved these changes Oct 27, 2025

View reviewed changes

peknis approved these changes Oct 27, 2025

View reviewed changes

tomi-font reviewed Oct 27, 2025

View reviewed changes

umapraseeda approved these changes Oct 27, 2025

View reviewed changes

Vge0rge approved these changes Oct 27, 2025

View reviewed changes

	.. _crypto_supported_features_ecc_curve_types:
	.. _ug_crypto_supported_features_ecc_curve_types:


		1. Initialization:

		a. The PSA Crypto API is initialized using :c:func:`psa_crypto_init`.

	# Enable cryptographic features for compilation
	# Enable needed cryptographic features

	* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types from among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.
	* :kconfig:option:`CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY` - Used to enable support for ECC public key types among the supported cryptographic operations for :ref:`ug_crypto_supported_features_key_types`.

	LOG_INF("Deriving a key using the HKDF algorithm and SHA-256 hash algorithm...");
	LOG_INF("Deriving a key using HKDF with SHA-256...");

	This sample demonstrates HKDF key derivation using the HKDF algorithm.
	This sample demonstrates key derivation using the HKDF algorithm.

	# Enable using hardware crypto accelerator
	# Enable hardware crypto accelerator

	# Enable persistent storage APIs
	# Enable persistent storage for PSA Crypto

Uh oh!

doc: crypto: updates to crypto samples, part 3 #25240

Are you sure you want to change the base?

doc: crypto: updates to crypto samples, part 3 #25240

Conversation

greg-fer commented Oct 24, 2025

Uh oh!

NordicBuilder commented Oct 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CI Information

Inputs:

Sources:

Github labels

Outputs:

Toolchain

Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped; ⚠️ Quarantine

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Oct 27, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

NordicBuilder commented Oct 24, 2025 •

edited

Loading