Do the mbedtls APIs (sha256.h) use hardware acceleration?

Hello Nordic team,

I'm currently looking into mbedtls on the nRF5340, and I'm using nRF NCS SDK 2.1.0.

I wanted to calculate the hash of the firmware image, and I have already developed one API that calculates and provides me a hash of the firmware image.
But I am unsure whether that API internally uses the nRF5340 hardware acceleration feature or not. If not, could you please provide sample code that uses the hardware acceleration internally?
Below is my API that provides me a hash of the firmware image.

#include <string.h>
#include <mbedtls/sha256.h>

/* READ_FLASH_BYTES, QSPI_OTA_HEADER_START_ADDRESS and
 * external_flash_sector_read() are defined elsewhere in the project. */

/* Returns 0 on success, non-zero if the output buffer is too small
 * or a flash read fails (hash_value is then not written). */
int calculate_file_hash(unsigned char *hash_value, size_t hash_size)
{
    uint8_t buffer[READ_FLASH_BYTES];
    size_t bytes_left, chunk, address = QSPI_OTA_HEADER_START_ADDRESS;
    int rc = 0;

    LOG_INF("calculate_file_hash");

    /* A SHA-256 digest is always 32 bytes long. */
    if(hash_size < 32)
    {
        LOG_INF("Hash buffer too small(%u)", (unsigned int)hash_size);
        return -1;
    }

    mbedtls_sha256_context sha256_ctx;
    mbedtls_sha256_init(&sha256_ctx);
    mbedtls_sha256_starts(&sha256_ctx, /*is224=*/0);

    for(bytes_left = 210539; bytes_left > 0; bytes_left -= chunk)       // For Net core
    {
        /* Read full chunks first, then the shorter tail. */
        chunk = (bytes_left >= READ_FLASH_BYTES) ? READ_FLASH_BYTES : bytes_left;

        rc = external_flash_sector_read(address, buffer, chunk);
        if(rc != 0)
        {
            /* Stop here: hashing a buffer that was not read gives a wrong digest. */
            LOG_INF("Error in flash reading(%x)", rc);
            break;
        }
        mbedtls_sha256_update(&sha256_ctx, buffer, chunk);
        address = address + chunk;
        // LOG_INF("address = %x, bytes_left = %d", address, bytes_left);
    }

    if(rc == 0)
    {
        mbedtls_sha256_finish(&sha256_ctx, hash_value);
    }
    mbedtls_sha256_free(&sha256_ctx);
    return rc;
}
Thanks in advance,
Kaushik
  • Hi, 

    CONFIG_NORDIC_SECURITY_BACKEND is required if you want to use mbedtls crypto functions prefixed with mbedtls_. As stated here, to configure legacy MbedTLS APIs, CONFIG_NORDIC_SECURITY_BACKEND (instead of CONFIG_NRF_SECURITY) is needed. Additionally, as mentioned in SHA-256 support, either cc3xx (CONFIG_CC3XX_BACKEND) or nrf_oberon (CONFIG_OBERON_BACKEND) must be enabled. The documentation also specifies that CONFIG_CC3XX_BACKEND should be used for devices with the CryptoCell hardware peripheral.

    Additionally, for SHA-256 support, the configuration option CONFIG_MBEDTLS_SHA256_C should be set, as mentioned in secure hash configurations.

    Enabling ARM CryptoCell specifies that the Arm CryptoCell cc3xx driver can be enabled by setting the CONFIG_PSA_CRYPTO_DRIVER_CC3XX configuration option. In addition, you can read that the Arm CryptoCell cc3xx hardware is initialized in the hw_cc310.c file, located under nrf/drivers/hw_cc310/, and that it is controlled with the CONFIG_HW_CC3XX Kconfig option. The Kconfig option has a default value 'y' when cc3xx is available in the SoC.

    To summarize the above-mentioned points, these are the configuration options of interest:

    CONFIG_NORDIC_SECURITY_BACKEND
    CONFIG_CC3XX_BACKEND
    CONFIG_MBEDTLS_SHA256_C
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX

    The relevant option which shows that hardware acceleration is enabled is MBEDTLS_SHA256_ALT. You could check if it is present in the final .config file, which is located in the <your_build_folder>\zephyr directory.

    Best regards,
    Dejan
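
The check the answer describes, written out as an added example that is not part of the thread or of Nordic's SDK. The function names and the sample .config are constructed for illustration, and matching the ALT marker with or without a CONFIG_ prefix is an assumption.

```shell
#!/bin/sh
# Option names copied from the answer's summary list.
REQUIRED_OPTS="CONFIG_NORDIC_SECURITY_BACKEND CONFIG_CC3XX_BACKEND
CONFIG_MBEDTLS_SHA256_C CONFIG_PSA_CRYPTO_DRIVER_CC3XX"

# has_line FILE REGEX: true if a line matches; CRs are stripped first because
# a .config written on Windows may use CRLF line endings.
has_line() {
    tr -d '\r' < "$1" | grep -Eq "$2"
}

# opt_state FILE OPTION: prints y, n (explicitly "is not set") or absent.
opt_state() {
    if has_line "$1" "^$2=y\$"; then echo y
    elif has_line "$1" "^# $2 is not set\$"; then echo n
    else echo absent
    fi
}

# check_sha256_hw FILE: 0 if all options are y and the ALT marker is present,
# 1 if anything is missing, 2 if the file cannot be read.
check_sha256_hw() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$1" "$opt")
        echo "$opt: $state"
        [ "$state" = y ] || rc=1
    done
    # Assumption: the marker is a Kconfig line, with or without CONFIG_ prefix.
    if has_line "$1" '^(CONFIG_)?MBEDTLS_SHA256_ALT=y$'; then
        echo "MBEDTLS_SHA256_ALT: present"
    else
        echo "MBEDTLS_SHA256_ALT: not found"; rc=1
    fi
    return "$rc"
}

# Usage: sh check_sha256_hw.sh <your_build_folder>/zephyr/.config
# With no argument, a constructed sample (not a real build output) is checked.
if [ "$#" -gt 0 ]; then
    check_sha256_hw "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'CONFIG_NORDIC_SECURITY_BACKEND=y' '# CONFIG_CC3XX_BACKEND is not set' > "$sample"
    check_sha256_hw "$sample" || echo "hardware SHA-256 not fully enabled"
    rm -f "$sample"
fi
```

A non-zero result means the mbedtls_sha256_* calls in the question may be running in software, so the build configuration is the place to look before profiling the hash loop.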
