Do mbedtls APIs (sha256.h) use hardware acceleration?

Hello Nordic team,

I'm currently looking into mbedtls on nRF5340, and I'm using nRF NCS SDK 2.1.0.

I wanted to calculate the hash of the firmware image. I have already developed an API that calculates and provides me a hash of the firmware image,
but I am unsure whether that API internally uses the nRF5340 hardware acceleration feature or not. If not, could you please provide sample code that uses hardware acceleration internally?
Below is my API that provides the hash of the firmware image.

#include <stddef.h>
#include <stdint.h>
#include <mbedtls/sha256.h>

/* READ_FLASH_BYTES, QSPI_OTA_HEADER_START_ADDRESS, external_flash_sector_read()
 * and the logging setup come from the rest of the project. */
void calculate_file_hash(unsigned char *hash_value, size_t hash_size)
{
    uint8_t buffer[READ_FLASH_BYTES];
    size_t bytes_read, chunk, address = QSPI_OTA_HEADER_START_ADDRESS;
    int rc = 0;

    LOG_INF("calculate_file_hash");

    /* SHA-256 writes 32 bytes, so refuse a missing or smaller output buffer. */
    if(hash_value == NULL || hash_size < 32)
    {
        LOG_INF("Invalid hash buffer(%u)", (unsigned int)hash_size);
        return;
    }

    mbedtls_sha256_context sha256_ctx;
    mbedtls_sha256_init(&sha256_ctx);
    mbedtls_sha256_starts(&sha256_ctx, /*is224=*/0);

    for(bytes_read = 210539; bytes_read > 0; bytes_read -= chunk)       // For Net core
    {
        /* Full READ_FLASH_BYTES chunks first; the last chunk is whatever remains. */
        chunk = (bytes_read >= READ_FLASH_BYTES) ? READ_FLASH_BYTES : bytes_read;

        rc = external_flash_sector_read(address, buffer, chunk);
        if(rc != 0)
        {
            /* Never hash a buffer the read did not fill: stop here,
             * hash_value is left unchanged. */
            LOG_INF("Error in flash reading(%x)", rc);
            mbedtls_sha256_free(&sha256_ctx);
            return;
        }
        mbedtls_sha256_update(&sha256_ctx, buffer, chunk);
        address = address + chunk;
        // LOG_INF("address = %x, bytes_read = %d", address, bytes_read);
    }

    mbedtls_sha256_finish(&sha256_ctx, hash_value);
    mbedtls_sha256_free(&sha256_ctx);
}

Thanks in advance,
Kaushik
  • Hi, 

    CONFIG_NORDIC_SECURITY_BACKEND is required if you want to use mbedtls crypto functions prefixed with mbedtls_. As stated here, to configure legacy MbedTLS APIs, CONFIG_NORDIC_SECURITY_BACKEND (instead of CONFIG_NRF_SECURITY) is needed. Additionally, as mentioned in SHA-256 support, either cc3xx (CONFIG_CC3XX_BACKEND) or nrf_oberon (CONFIG_OBERON_BACKEND) must be enabled. Documentation also specifies that CONFIG_CC3XX_BACKEND should be used for devices with CryptoCell hardware peripheral.

    Additionally, for SHA-256 support, configuration option CONFIG_MBEDTLS_SHA256_C should be set, as mentioned in secure hash configurations.

    Enabling ARM CryptoCell specifies that ARM cryptocell cc3xx driver can be enabled by setting CONFIG_PSA_CRYPTO_DRIVER_CC3XX configuration option. In addition, you can read that the Arm CryptoCell cc3xx hardware is initialized in the hw_cc310.c file, located under nrf/drivers/hw_cc310/, and that it is controlled with the CONFIG_HW_CC3XX Kconfig option. The Kconfig option has a default value 'y' when cc3xx is available in the SoC.

    To summarize above-mentioned points, these are configuration options of interest:

    CONFIG_NORDIC_SECURITY_BACKEND 
    CONFIG_CC3XX_BACKEND    
    CONFIG_MBEDTLS_SHA256_C   
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX    


    The relevant option which shows that hardware acceleration is enabled is MBEDTLS_SHA256_ALT. You could check if it is present in the final .config file, which is located in the <your_build_folder>\zephyr directory.

    Best regards,
    Dejan

  • Hi dejans,

    I have added the configuration options in the prj.conf file as you have described above,
    but I am facing an error like the one in the screenshot below. Can you please guide me on how I can resolve that?

    We have used the "C:\ncs\v2.1.0\nrf\samples\matter\lock" example as the base code for our product development.




    Thanks,

    Kaushik Parsana

  • Hello Nordic team,

    Can someone please respond to the above query?

    Thanks,

    Kaushik Parsana

  • Hi,

    I am sorry for a delayed reply. 

    Kaushik Parsana said:
    I have added the configuration options in the prj.conf file as you have described above,
    but I am facing an error like the one in the screenshot below. Can you please guide me on how I can resolve that?

    Which configuration option have you added to prj.conf? 

    Could you successfully build your project before the change?

    Best regards,
    Dejan

  • Hi Dejans,

    Q. Which configuration option have you added to prj.conf? 

    A. The configuration below was added to the prj.conf file of the lock project (C:\ncs\v2.1.0\nrf\samples\matter\lock).

    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_CC3XX_BACKEND=y
    CONFIG_MBEDTLS_SHA256_C=y
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

    Q. Could you successfully build your project before the change?
    A. Yes, the Nordic matter->lock demo code (C:\ncs\v2.1.0\nrf\samples\matter\lock) compiled before those changes were added.
    Can you please confirm that, with the above prj.conf configuration changes (as mentioned in the first answer), you are able to compile the matter->lock (C:\ncs\v2.1.0\nrf\samples\matter\lock) sample code at your end?

    FYI, we are using NCS SDK 2.1.0 and our hardware is nRF5340.

    Thanks,
    Kaushik Parsana

  • Hi Dejans,

    As described in the above two answers (for the matter->lock sample code),
    can you please confirm whether the behavior is the same on your side as well?

    Thanks,

    Kaushik Parsana

  • Hi,

    I have reproduced your issue.

    There are some changes which you could make to enable successful building of your project. Here are required configuration changes in prj.conf:

    CONFIG_NORDIC_SECURITY_BACKEND=y
    #CONFIG_CC3XX_BACKEND=y    
    CONFIG_MBEDTLS_SHA256_C=y  
    #CONFIG_PSA_CRYPTO_DRIVER_CC3XX


    I have added an overlay file in Kconfig fragments, but this is not mandatory for having successful builds:
    -DCONF_OVERLAY:STRING="board/nrf5340dk_nrf5340_cpuapp.overlay"


    I have also built lock sample with the shield by adding these Kconfig fragments:
    -DCONF_OVERLAY:STRING="board/nrf5340dk_nrf5340_cpuapp.overlay"
    -Dhci_rpmsg_SHIELD:STRING="nrf7002_ek_coex"

    In both cases builds were successful. 

    As a confirmation of activated hardware acceleration, CONFIG_MBEDTLS_SHA256_ALT=y was present in build\zephyr\.conf file.

    Best regards,
    Dejan
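
The check described in the replies (look for the SHA-256 `_ALT` option in the generated `.config`) can be scripted so a build fails review when the firmware hash would not use the accelerated implementation. This is an added example, not part of the original thread or of the nRF Connect SDK; the function names and both sample inputs are constructed, and the pass criterion is the one the replies give (`CONFIG_MBEDTLS_SHA256_ALT=y`).

```python
import re

# Options named in the thread; the replies treat MBEDTLS_SHA256_ALT as the
# evidence that the hardware-accelerated SHA-256 implementation is selected.
OPTIONS = ("CONFIG_NORDIC_SECURITY_BACKEND", "CONFIG_CC3XX_BACKEND",
           "CONFIG_MBEDTLS_SHA256_C", "CONFIG_PSA_CRYPTO_DRIVER_CC3XX",
           "CONFIG_MBEDTLS_SHA256_ALT")
_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

def parse_dotconfig(text):
    """Parse Kconfig .config text into {symbol: value}; 'n' for '... is not set'."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def sha256_report(text):
    """Return (alt_enabled, {option: value or 'absent'}) for the thread's options."""
    symbols = parse_dotconfig(text)
    status = {opt: symbols.get(opt, "absent") for opt in OPTIONS}
    return status["CONFIG_MBEDTLS_SHA256_ALT"] == "y", status

# Constructed sample inputs, not taken from a real build.
SAMPLE_ACCELERATED = """\
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_SHA256_C=y
CONFIG_MBEDTLS_SHA256_ALT=y
"""
SAMPLE_SOFTWARE = """\
CONFIG_MBEDTLS_SHA256_C=y
# CONFIG_MBEDTLS_SHA256_ALT is not set
#CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
"""

if __name__ == "__main__":
    for name, sample in (("accelerated", SAMPLE_ACCELERATED),
                         ("software", SAMPLE_SOFTWARE)):
        print(name, sha256_report(sample))
```

A line commented out in the prj.conf style (`#CONFIG_...=y`) is reported as absent rather than enabled, which is why the check should read the generated `.config` and not `prj.conf`.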
