<alp/security.h> — MbedTLS PSA Crypto
Cryptographic primitives backed by MbedTLS PSA Crypto on Zephyr / bare-metal, and OpenSSL on Yocto. The application API is identical across backends.
Header
#include <alp/security.h>
Hashing
alp_hash_t hash;
alp_hash_init(&hash, ALP_HASH_SHA256);
// Feed data in one or more update calls
alp_hash_update(&hash, (const uint8_t *)"hello", 5);
uint8_t digest[32];  // SHA-256 digest is 32 bytes
alp_hash_finalize(&hash, digest, sizeof(digest));
Supported algorithms: SHA256, SHA384, SHA512.
AEAD (authenticated encryption)
alp_aead_t aead;
alp_aead_init(&aead, ALP_AEAD_AES_128_GCM, key, sizeof(key));
uint8_t ciphertext[64];
uint8_t tag[16];
size_t out_len;
// Encrypt: the nonce must be unique for every message under the same key
alp_aead_encrypt(&aead,
                 nonce, sizeof(nonce),
                 aad, sizeof(aad),
                 plaintext, plaintext_len,
                 ciphertext, sizeof(ciphertext), &out_len,
                 tag, sizeof(tag));
// Decrypt
alp_err_t rc = alp_aead_decrypt(&aead,
                                nonce, sizeof(nonce),
                                aad, sizeof(aad),
                                ciphertext, out_len,
                                plaintext, sizeof(plaintext), &out_len,
                                tag, sizeof(tag));
// rc == ALP_ERR_IO on tag mismatch (header contract);
// discard the plaintext buffer unless decryption succeeded
Supported ciphers: AES_128_GCM, AES_256_GCM, ChaCha20_Poly1305.
Random bytes
uint8_t nonce[12];  // 96-bit nonce, as used with the AEAD ciphers above
alp_random_bytes(nonce, sizeof(nonce));
On Zephyr / bare-metal this routes through the SoC's TRNG (or PSA's psa_generate_random()). On Yocto it routes through OpenSSL's RAND_bytes.
OPTIGA Trust M
Every Alp Lab SoM is populated with an Infineon OPTIGA Trust M secure element. It exposes pre-provisioned ECC key pairs for TLS client certificates, ECDSA-P256 signing, and X.509 certificate storage. Direct access is via the chip driver:
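#include <alp/chips/optiga_trust_m.h>
optiga_trust_m_t se;
optiga_trust_m_init(&se, brd_i2c, 0x30);
uint8_t sig[64];
// Sign a 32-byte digest (e.g. the SHA-256 digest from the hashing example)
// with the key in slot 0; the private key never leaves the secure element
optiga_trust_m_ecdsa_sign(&se, /* key_slot */ 0, digest, 32, sig);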
<alp/security.h> integrates the OPTIGA into MbedTLS's PSA Crypto driver model so generic TLS code transparently uses it.
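X.509 and TLS carry ECDSA signatures as a DER-encoded SEQUENCE of two INTEGERs, and OpenSSL verification expects that form, so a fixed 64-byte signature has to be converted before it is handed to such code. The following is an added example, not code from the SDK: it assumes sig[64] holds r || s as two 32-byte big-endian values (the page does not state the layout), and der_put_int and ecdsa_p256_raw_to_der are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of <alp/security.h>.
 * Writes one 32-byte big-endian value as a DER INTEGER; returns bytes written. */
static size_t der_put_int(const uint8_t v[32], uint8_t *out)
{
    size_t skip = 0;
    while (skip < 31 && v[skip] == 0x00) {
        skip++;                              /* DER forbids redundant leading zeros */
    }
    size_t pad = (v[skip] & 0x80) ? 1 : 0;   /* leading 0x00 keeps the INTEGER positive */
    size_t len = 32 - skip + pad;

    out[0] = 0x02;                           /* INTEGER tag */
    out[1] = (uint8_t)len;                   /* at most 33: short-form length */
    if (pad) {
        out[2] = 0x00;
    }
    memcpy(out + 2 + pad, v + skip, 32 - skip);
    return 2 + len;
}

/* Assumption: raw is r || s, 32 bytes each, big-endian.
 * Returns the DER length (at most 72), or 0 if the output buffer is too small. */
size_t ecdsa_p256_raw_to_der(const uint8_t raw[64], uint8_t *der, size_t der_cap)
{
    uint8_t body[70];                        /* worst case: 2 * (2 + 33) */
    size_t n = der_put_int(raw, body);
    n += der_put_int(raw + 32, body + n);

    if (der == NULL || der_cap < n + 2) {
        return 0;
    }
    der[0] = 0x30;                           /* SEQUENCE tag */
    der[1] = (uint8_t)n;                     /* at most 70: short-form length */
    memcpy(der + 2, body, n);
    return n + 2;
}

int main(void)
{
    uint8_t raw[64], der[72];
    memset(raw, 0xA5, sizeof(raw));          /* constructed sample, not a real signature */
    printf("DER length: %zu\n", ecdsa_p256_raw_to_der(raw, der, sizeof(der)));
    return 0;
}
```

The DER length varies from signature to signature, so pass the returned length to the verifier rather than a fixed size.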
Secure boot + OTA
For chain-of-trust details (MCUboot on AEN-Zephyr, Mender on Yocto, key lifecycle), see the SDK repo:
See also
- <alp/iot.h> — MQTT over TLS
- Chip catalogue — optiga_trust_m