• State Not Answered
  • Replies 10 replies
  • Subscribers 64 subscribers
  • Views 504 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 318509
Options

Crypto (PSA/mbedtls) ERRORS when migrating from SDK 2.1.1 to SDK 2.5.0

Mathi

Hi,


We are migrating from SDK 2.1.1 to SDK 2.5.0 on nrf5340.

The below is our crypto configuration when using SDK 2.1.1. We use both both PSA and mbedtls API(reason in the link below).

>>>>>>>>>

# Enable nordic security backend
CONFIG_NRF_SECURITY=y

# Select the Nordic Security Backend, as the default backednd does not support RSA OAEP 3072 [b],
# Refer (+) RSA example fails on psa_sign_hash returning -133 - Nordic Q&A - Nordic DevZone - Nordic DevZone (nordicsemi.com)  
CONFIG_NORDIC_SECURITY_BACKEND=y

# Enable PSA CryptoCell support.
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

# Enable base64 API.
CONFIG_BASE64=y

# Mbedtls configuration.
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=16384

# Enable cipers accessed through the mbed_tsl API.
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_PK_PARSE_C=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
>>>>>>>>>
Now, Iam able to build our application with the above configuration using SDK 2.5.0, but when trying to run the application (with above crypto configuration)
psa_driver_wrapper_cipher_decrypt_setup(blockDecrypt, blockDecryptKeyHandle, PSA_ALG_CBC_PKCS7) returns PSA_ERROR_NOT_SUPPORTED.

The release notes of 2.4 and 2.5 describes significant changes to the crypto support.

Iam trying to solve the following scenarios:

(a) Existing configuration(mbedtls API plus PSA API):
Is there a way to get the above configuration to work with SDK 2.5.0? I don't know if CONFIG_MBEDTLS_LEGACY_CRYPTO_C is relevant anymore. I did try to make configuration changes based on the release note and documentation, but can't resolve the above error.

Surprisingly there are no build errors while running with the above configuration on 2.5.0. I would have then expected the mbedTLS API to not work, but it's the PSA API that's failing.
Please suggest changes to the configuration that are needed to make the above work.

(b) New PSA only configuration, in future:
We would ideally like to stick to only PSA APIs and secure key storage, for our use case. And the choice of cryptocell/oberon for security and efficiency reasons.
Do the PSA APIs support the below cases?:
RSAES-OAEP - Key length 3072
AES-CBC, key length 128
ECDSA, NIST-P256
Note: Our application is built as SECURE.

Thanks,
Mathi.
Parents
  • 0

    Hi,

    Since not all PSA algorithms are enabled by default, you could try to add following configuration options:
    CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
    CONFIG_PSA_WANT_KEY_TYPE_AES=y

    Regarding PSA security support and configurations, you can look at feature configurations and driver support. As you can read in asymmetric signature support, nrf_oberon driver supports several curve types for ECDSA. AES CBC sample uses 128 bit key. RSA OAEP is supported as shown in asymmetric encryption configurations.

    Best regards,
    Dejan

  • 0 in reply to dejans

    Hi,

    After some break, iam now actively looking at solving this issue now.
    Please note that i still see this problem i.e. 
    psa_driver_wrapper_cipher_decrypt_setup() is returning PSA_ERROR_NOT_SUPPORTED for PSA_ALG_CBC_PKCS7.
    (Please see attachment). 
    I get this error irrespective of whether i try to use CC3XX driver or the oberon driver.
    When i look at the definition of psa_driver_wrapper_cipher_decrypt_setup() in v2.5.0/nrf/subsys/nrf_security/src/psa_crypto_driver_wrappers.c, it can be seen that 

    Neither of the compile flags PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT, PSA_NEED_CC3XX_CIPHER_DRIVER
    Nor the flags PSA_NEED_OBERON_CIPHER_DRIVER is getting enabled.

    Is there a way to activate these drivers?

    =============================
    Please see my configuration below:

    # Enable nordic security backend
    CONFIG_NRF_SECURITY=y

    # Select the Nordic Security Backend, as the default backend does not support RSA AEOP 3072 [b],
    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    # Enable PSA CryptoCell support.
    CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

    CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=y
    CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
    CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
    CONFIG_PSA_WANT_KEY_TYPE_AES=y
    CONFIG_PSA_WANT_ALG_CTR=y
    CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
    CONFIG_PSA_NATIVE_ITS=y
    CONFIG_NVS=y
    #CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_PKCS7_CC3XX=y
    #CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_PKCS7_OBERON=y
    # Enable base64 API.
    CONFIG_BASE64=y

    # Mbedtls configuration.
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=16384

    # Enable cipers accessed through the mbed_tsl API.
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_ECDSA_C=y
    CONFIG_MBEDTLS_PK_PARSE_C=y
    CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n

    ======================================================


    Thanks,

    Mathi.

  • 0 in reply to Mathi

    Furthermore, 
    The following two options that were valid in 2.4.3 does not seem to be supported anymore from 2.5.0 onwards or what?
    docs.nordicsemi.com/.../index.html


    docs.nordicsemi.com/.../index.html

  • 0 in reply to Mathi

    Hi Mathi,

    You use both CONFIG_NRF_SECURITY=y and CONFIG_NORDIC_SECURITY_BACKEND=y in your configuration. Unfortunately, this combination makes PSA unavailable.

    Best regards,
    Dejan

Reply Children
  • 0 in reply to dejans

    Hi,

    Unfortunately that still doesn't help. The configuration variables controlling psa_driver_wrapper_cipher_decrypt_setup() are disabled even after following the above suggestion.

    Please note we do not want to integrate with TF-M and would like to use the PSA/mbedTLS APIs and have no preference for a particular key storage backend. 
    Would be very helpful to find the correct configuration. 
    Could it be possible that from SDK v 2.5.0, it is mandatory to build with TF-M for using PSA crypto functionality?
    I also noticed the below infromation (see picture/snapshot) in the release notes of 2.4.0: Do you think this could be the reason for the problem i face?

  • 0 in reply to Mathi

    Hi,

    Whether TF-M is included or not in your build is specified by the way you build your application. If you build for _ns build target then TF-M is included in your build. In this case, your application is built as non-secure image and TF-M as secure image.

    Best regards,
    Dejan

  • 0 in reply to dejans

    Hi,

    Okay, I understand that.
    I am simply trying to find out why psa_cipher_decrypt_setup() returns PSA_ERROR_NOT_SUPPORTED when migrating from SDK version 2.1.1 to 2.5.0.
    I have shared above the crypto related configuration that we are using.
    Is there something that has changed in the SDK that impacts our configuration? Should we build differently?

    Thanks,

    Mathi.

  • 0 in reply to Mathi

    Hi Mathi,

    Have you tried building with only one of the 2 configuration options enabled - either CONFIG_NRF_SECURITY=y or CONFIG_NORDIC_SECURITY_BACKEND=y?

    Best regards,
    Dejan

  • 0 in reply to dejans

    Hi,

    Thanks for the quick response. I tried enable only one of those two configurations, unfortunately it didn't help.

    Also, What about 
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX versus CONFIG_PSA_CRYPTO_DRIVER_OBERON ? Which one of these should i use? Would you be aware if anything changed between the choice of these two drivers?

    Thanks,

    Mathi.

Related