Configuration Conflicts with OSDP and NRF Security

Issue:

We are attempting to implement NRF and OSDP into a Zephyr project. For NRF to be properly included, a configuration statement for nrf security (CONFIG_NRF_SECURITY) is required in the prj.conf. To leverage the OSDP library, we must include the necessary dependencies for the configuration symbol MBEDTLS_CIPHER_CCM_ENABLED. However, the documentation explicitly says that CONFIG_NRF_SECURITY must be disabled for the OSDP symbol.

Context & Progress:

After removing CONFIG_NRF_SECURITY, the errors related to OSDP go away, but I then get errors related to NRF, such as undefined references. So effectively it seems that I can choose to have NRF or OSDP, not both, at this point.

Development Setup

  • MacOS
  • Zephyr RTOS
  • VS Code w/ nRF Connect Extension
  • nrf52840


Error Messages:

OSDP Related Errors:

warning: MBEDTLS_CIPHER_CCM_ENABLED (defined at modules/mbedtls/Kconfig.tls-generic:282, modules/mbedtls/Kconfig.tls-generic:282) has direct dependencies ((MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED) && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) && MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS) || ((MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED) && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) && MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0) with value n, but is currently being y-selected by the following symbols:
- OSDP_SC_ENABLED (defined at subsys/mgmt/osdp/Kconfig:71), with value y, direct dependencies CSPRING_ENABLED && OSDP (value: y), and select condition CSPRING_ENABLED && OSDP (value: y)

NRF/PSA Related Errors:

I included this for context; the hope is that I will be able to use NRF_Security because that component is already implemented in our products.

Question:
Is there a way to leverage both libraries or edit the OSDP configuration so MBEDTLS_CIPHER_CCM_ENABLED is not required?

  • Hello,

    Which version of the nRF Connect SDK are you using? I tried to reproduce this by building the /zephyr/samples/subsys/mgmt/osdp/peripheral_device sample with CONFIG_NRF_SECURITY enabled in SDK v.2.5.0, but did not get any build errors. Please try to add CONFIG_PSA_WANT_ALG_CCM=y to your build and see if you receive the same linker errors.

    Best regards,

    Vidar

  • I downloaded the 2.5.0 SDK this morning and attempted the peripheral_device sample build again. Unfortunately, there was no change.

    I tried to add these statements to the prj.config:

    • CONFIG_NRF_SECURITY=y
    • CONFIG_PSA_WANT_ALG_CCM=y

    Here is an image of the prj.config file:

    I initially was using 2.4.99-dev2; I switched over to 2.5.0 this morning. I'm getting the same results.

    Here is an image of the build attempt on 2.5.0


  • Hi,

    The initial reason I couldn't reproduce the error was that I had disabled CONFIG_OSDP_SC_ENABLED to allow me to build the original sample without considering what this option actually did (i.e., enabling encryption support).

    To fix these compile errors I had to cherry pick the commits from this PR: https://github.com/zephyrproject-rtos/zephyr/pull/66258 

    /ncs/v2.5.0/zephyr$ git remote add arkwad https://github.com/arkwad/zephyr.git
    /ncs/v2.5.0/zephyr$ git fetch arkwad
    /ncs/v2.5.0/zephyr$ git cherry-pick a30723d52fe4bb3afd605af5b204bbbcfad759b5
    /ncs/v2.5.0/zephyr$ git cherry-pick 5fd916aa8f855c8d03652f7d8ed7bbd773b42d12

    After applying this fix, I was able to reproduce the same build error because CONFIG_OSDP_SC_ENABLED is selecting the Zephyr mbedtls module here: https://github.com/nrfconnect/sdk-zephyr/blob/b3979ec709df026fc655286f1a58be30b0f688e0/subsys/mgmt/osdp/Kconfig#L71 

    Please try to comment the lines shown below in /v2.5.0/zephyr/subsys/mgmt/osdp/Kconfig and see if it fixes the problem:

    config OSDP_SC_ENABLED
    	bool "OSDP Secure Channel"
    	depends on CSPRING_ENABLED
    	default y
    	#select CRYPTO
    	#select CRYPTO_MBEDTLS_SHIM
    	#select MBEDTLS
    	#select MBEDTLS_CIPHER_CCM_ENABLED
    	help
    	  Secure the OSDP communication channel with encryption and mutual
    	  authentication.
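
A check one could run over the generated build/zephyr/.config after editing the OSDP Kconfig, as an added example that is not part of the thread or of the Zephyr / nRF Connect SDK code: it confirms the secure channel is still enabled and that the symbol combination from the warning is absent. The function names, finding strings and sample .config text are constructed; treating CONFIG_PSA_WANT_ALG_CCM as the provider needed under nrf_security is an assumption taken from the reply above.

```python
import re

# Symbols named in the thread. That PSA_WANT_ALG_CCM is the provider needed
# under nrf_security is an assumption taken from the reply's suggestion.
SC = "CONFIG_OSDP_SC_ENABLED"
NRF_SEC = "CONFIG_NRF_SECURITY"
MBEDTLS_CCM = "CONFIG_MBEDTLS_CIPHER_CCM_ENABLED"
PSA_CCM = "CONFIG_PSA_WANT_ALG_CCM"

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_dotconfig(text):
    """Return {symbol: value} for a Kconfig .config; unset bools map to 'n'."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values

def audit_osdp_crypto(text):
    """List findings about the OSDP secure channel and its crypto provider."""
    cfg = parse_dotconfig(text)
    def on(sym):
        return cfg.get(sym, "n") == "y"
    if not on(SC):
        # The build may succeed only because encryption support was dropped.
        return ["secure-channel-disabled"]
    findings = []
    if on(NRF_SEC) and on(MBEDTLS_CCM):
        findings.append("conflict-nrf-security-with-mbedtls-ccm")
    if on(NRF_SEC) and not on(PSA_CCM):
        findings.append("no-psa-ccm-under-nrf-security")
    if not on(NRF_SEC) and not on(MBEDTLS_CCM):
        findings.append("no-ccm-provider")
    return findings

# Constructed sample .config excerpts, not taken from a real build.
PATCHED_BUILD = ("CONFIG_OSDP_SC_ENABLED=y\nCONFIG_NRF_SECURITY=y\n"
                 "CONFIG_PSA_WANT_ALG_CCM=y\n"
                 "# CONFIG_MBEDTLS_CIPHER_CCM_ENABLED is not set\n")
SC_DISABLED_BUILD = "# CONFIG_OSDP_SC_ENABLED is not set\nCONFIG_NRF_SECURITY=y\n"
print(audit_osdp_crypto(PATCHED_BUILD), audit_osdp_crypto(SC_DISABLED_BUILD))
```

The "secure-channel-disabled" finding covers the case described in the reply, where the sample built cleanly only because CONFIG_OSDP_SC_ENABLED had been turned off.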
