mbedtls PBKDF2: Activating function in prj.conf is not possible

Hi,

Do you have TF-M (_ns) enabled for your device?
If so, this can change how things work.

Also, to make sure it is not an XY problem, can you shortly explain why you need the mbedtls_pkcs5_pbkdf2_hmac function?

For some docs, see Nordic Security Module. When i get more information, I can probably give you more specific docs as well

Regards,
Sigurd Hellesvik

Thanks for the fast reply!

In our project we commited to use the PBKDF2 for key derviation. Because it is supported on all platforms we use. I found out that the mbedtls provides this function.
As I mentioned I am currently working with the v2.0.0. It seems that PBKDF2 is not supported by the Nordic security module (nrf_security/doc/driver_config). Only in the link you posted (latest version of nrf Connect) the CONFIG_PSA_WANT_ALG_PBKDF2_HMAC is mentioned which will possibly meet my requirements.

After my holiday I will upgrade to the latest version of nrf Connect and try it.
Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M. 

So I cannot use it with the _ns board build configuration?

ProfNocturne said:

Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M. 

Ah, then you need to use mbedtls.

ProfNocturne said:

So I cannot use it with the _ns board build configuration?

I think it is possible to use legacy (mbedtls) functionality alongside TF-M at the time, but it is not easy.

So you have two choices:

1. Learn how to set this without TF-M
2. Learn how to set this with TF-M
   1. In this case, I will try to learn it myself and explain it to when I have

ProfNocturne said:

Just to clearify there is a note in your posted link: PBKDF2 algorithms are not supported with TF-M. 

Ah, then you need to use mbedtls.

ProfNocturne said:

So I cannot use it with the _ns board build configuration?

I think it is possible to use legacy (mbedtls) functionality alongside TF-M at the time, but it is not easy.

So you have two choices:

1. Learn how to set this without TF-M
2. Learn how to set this with TF-M
   1. In this case, I will try to learn it myself and explain it to when I have

Ok, currently for prototyping I am working without TF-M.

I thought the way which I described in my first post should work. But setting CONFIG_MBEDTLS_PKCS5_C to yes in prj.conf doesn't enable functions in pkc5s.c.  By default they are blocked by the compiler switch MBEDTLS_PKCS5_C. Maybe it is a bug? Or is there a basic misunderstanding on my side?

I found this topic and took it as an example:

PBKDF2 password derivation using CC310 or mbed-tls

Also in Support for Public/Private key pair Generation as part of ECC  in the last post of Einar Thorsrud he recommended to use pkcs5 for that.

Earlier, I helped another customer to use mbedtls functionality in  RSA example fails on psa_sign_hash returning -133 . Have a look at this case and see if it helps.

I have been trying to use this method myself for mbedtls_pkcs5_pbkdf2_hmac, but have not been able to make it work yet.
So I asked our developers for tips, and will return to you when I hear back from them.

Try this, is it what you need?

mbedtls_pkcs5_pbkdf2_hmac_ext_test.zip

Sorry for the delayed answer.

Your example works. All I need is to add CONFIG_NORDIC_SECURITY_BACKEND=y in prj.conf.

Thank your for your help!