Hello,
I want to use the function mbedtls_pkcs5_pbkdf2_hmac which can be found in mbedtls\library\pkc5s.c.
There is a compiler switch named MBEDTLS_PKCS5_C which activates this function.
Hello,
I want to use the function mbedtls_pkcs5_pbkdf2_hmac which can be found in mbedtls\library\pkc5s.c.
There is a compiler switch named MBEDTLS_PKCS5_C which activates this function.
CONFIG_MBEDTLS=y CONFIG_MBEDTLS_PKCS5_C=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=8192
Hi,
Do you have TF-M (_ns) enabled for your device?
If so, this can change how things work.
Also, to make sure it is not an XY problem, can you shortly explain why you need the mbedtls_pkcs5_pbkdf2_hmac function?
For some docs, see Nordic Security Module. When i get more information, I can probably give you more specific docs as well
Regards,
Sigurd Hellesvik
Thanks for the fast reply!
In our project we commited to use the PBKDF2 for key derviation. Because it is supported on all platforms we use. I found out that the mbedtls provides this function.
As I mentioned I am currently working with the v2.0.0. It seems that PBKDF2 is not supported by the Nordic security module (nrf_security/doc/driver_config). Only in the link you posted (latest version of nrf Connect) the CONFIG_PSA_WANT_ALG_PBKDF2_HMAC is mentioned which will possibly meet my requirements.
After my holiday I will upgrade to the latest version of nrf Connect and try it.
Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M.
So I cannot use it with the _ns board build configuration?
ProfNocturne said:Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M.
Ah, then you need to use mbedtls.
ProfNocturne said:So I cannot use it with the _ns board build configuration?
I think it is possible to use legacy (mbedtls) functionality alongside TF-M at the time, but it is not easy.
So you have two choices:
ProfNocturne said:Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M.
Ah, then you need to use mbedtls.
ProfNocturne said:So I cannot use it with the _ns board build configuration?
I think it is possible to use legacy (mbedtls) functionality alongside TF-M at the time, but it is not easy.
So you have two choices:
Ok, currently for prototyping I am working without TF-M.
I thought the way which I described in my first post should work. But setting CONFIG_MBEDTLS_PKCS5_C to yes in prj.conf doesn't enable functions in pkc5s.c. By default they are blocked by the compiler switch MBEDTLS_PKCS5_C. Maybe it is a bug? Or is there a basic misunderstanding on my side?
I found this topic and took it as an example:
PBKDF2 password derivation using CC310 or mbed-tls
Also in Support for Public/Private key pair Generation as part of ECC in the last post of Einar Thorsrud he recommended to use pkcs5 for that.
Earlier, I helped another customer to use mbedtls functionality in RSA example fails on psa_sign_hash returning -133 . Have a look at this case and see if it helps.
I have been trying to use this method myself for mbedtls_pkcs5_pbkdf2_hmac, but have not been able to make it work yet.
So I asked our developers for tips, and will return to you when I hear back from them.
Try this, is it what you need?
Sorry for the delayed answer.
Your example works. All I need is to add CONFIG_NORDIC_SECURITY_BACKEND=y in prj.conf.
Thank your for your help!