How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Wed, 17 Apr 2024 14:49:49 GMT

Thank you, I will take a look.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Wed, 17 Apr 2024 14:42:19 GMT

[quote user="Cla"]Maybe I did not clarify my expectation clearly. For example the library `mbedtls_x509write` can be used on the nrf9160 without problem, but it can not be used with native sim, because it is not possible to activate the respective Kconfig option. But my expectation is, that it is possible, because I expect a software implementation of the `mbedtls_x509write`-interface to be available.

Let me know, if I could explain my expectation and/or goal in a better way?[/quote]

I found one developer in nordic with native_sim experience, and asked ca:
"And SW mbedtls should not be too hard to make work with native_sim?"
He answers:
"it works already (at least in plain zephyr:
tests/crypto/mbedtls/ builds and runs fine for native_sim )
and it is used in quite a few other tests and samples
"

Can you take a look at that test and see if what you need is there?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Tue, 16 Apr 2024 12:22:38 GMT

Thank you for analyzing this.

[quote userid="106736" url="~/f/nordic-q-a/109703/how-to-integrate-mbedtls-for-nrf9160-and-native-simulation-on-sdk-2-6/478947"]Which APIs do you currently use in your code?[/quote]

mbedtls_aes
mbedtls_ecp
mbedtls_mpi
mbedtls_pk
mbedtls_rsa
mbedtls_sha256
mbedtls_x509write

My understanding is, that when building for nrf9160 with tfm activated, it will use the "alternative" implementation, when building with tfm. This will then cause the calls to be redirected to tfm-crypto?

CONFIG_MBEDTLS_ENTROPY_HARDWARE_ALT=y
CONFIG_MBEDTLS_AES_SETKEY_ENC_ALT=y
CONFIG_MBEDTLS_AES_SETKEY_DEC_ALT=y
CONFIG_MBEDTLS_AES_ENCRYPT_ALT=y

...

As for native_sim, the goal would be to use above libraries in their software implementation.

[quote userid="106736" url="~/f/nordic-q-a/109703/how-to-integrate-mbedtls-for-nrf9160-and-native-simulation-on-sdk-2-6/478947"]TF-M

I assume you need this?

[/quote]

My understanding is, that this is not currently possible with native_sim. I heard it works on qemu with https://docs.zephyrproject.org/latest/boards/arm/mps2/doc/mps2_an521.html but never tested. So if it uses the software implementation of the mbedtls libraries, I think it is not needed for native sim.

[quote userid="106736" url="~/f/nordic-q-a/109703/how-to-integrate-mbedtls-for-nrf9160-and-native-simulation-on-sdk-2-6/478947"]Do you agree with this summary?
Am I missing something? Do you disagree with anything?[/quote]

Yes, sounds good. Maybe I did not clarify my expectation clearly. For example the library `mbedtls_x509write` can be used on the nrf9160 without problem, but it can not be used with native sim, because it is not possible to activate the respective Kconfig option. But my expectation is, that it is possible, because I expect a software implementation of the `mbedtls_x509write`-interface to be available.

Let me know, if I could explain my expectation and/or goal in a better way?

Thanks on the support so far.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 16 Apr 2024 11:20:14 GMT

Doing some testing:

zephyr/samples/drivers/crypto works with native_sim

zephyr/samples/tfm_integration/tfm_psa_test does not work with native_sim (even with vanilla zephyr)

So to sum up parts that might have problems with native_sim:

Modem networking
- Fix: Assuming IP works for native_sim, configure networking to use that instead
TF-M
- I assume you need this?
- Not sure how or if to fix this for native_sim at the moment.
Crypto
- Which APIs do you currently use in your code?
- Fix: I have never tried Mbedtls-shim before, but look into using that
HW specific components
- Fix: Simulate

Do you agree with this summary?
Am I missing something? Do you disagree with anything?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Tue, 16 Apr 2024 10:50:57 GMT

Thanks for the quick reply. Disabling and Mocking the crypto-stuff could be an option.

I was just wondering, if there is a supported way to achieve this, since software implementations for Mbedtls exists.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 16 Apr 2024 10:22:41 GMT

Speaking of the Dev, they just answered:

This is not something we claim to support. The NCS MbedTLS config is coupled with building for our products.

I have no idea if their use case is feasible, I suspect it would require a lot of config and build system voodoo, but I don't think we can support them on this. You are probably as likely as any of the developers to be able to provide advice here.

"
So yea, I can spend some time to try and build a crypto sample for native_sim, but i would not have high hopes. As they say the tight coupling between our SoC and libraries may make this hard.

One alternative would be to disable crypto for your project, but that might make the whole exercise a bit pointless?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 16 Apr 2024 10:12:19 GMT

The status on this ticket is that I have asked our crypto developers if they have any ideas here.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Mon, 15 Apr 2024 14:22:06 GMT

We have some unit-test in place. They use the native-posix board with `CONFIG_ASAN` and `CONFIG_UBSAN` activated. We run the unit-test directly on the hardware also.

In addition we would like to do some integration/system-testing with a simulation setup.In the past we have used `qemu`, but it is not possible to activate `CONFIG_ASAN` to my knowledge. We are evaluating `native_sim` (released with zephyr 3.5) to do system-testing in a simulation environment that allows us to use native debugging tools and other tooling like above mentioned address sanitizer.

Edit: on the hardware we run the unit tests without CONFIG_ASAN and CONFIG_UBSAN, because they are not supported to our knowledge.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 09 Apr 2024 11:32:31 GMT

I am honestly a bit new to the whole testing stuff.

So to learn, I have talked with a colleguea who knows more than me, and I think the first question to ask is:

What exactly do you want to test?
Is this a unit test or an integration test?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Wed, 03 Apr 2024 12:34:29 GMT

We use `BUILD_WITH_TFM` (Not profile minimal though).

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Wed, 03 Apr 2024 12:30:11 GMT

I am missing one part:

[quote user="Cla"]Just to be clear, we do not use NRF_SECURITY for the nrf9160 either.[/quote]

What are you doing on the nRF9160 from before?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Wed, 03 Apr 2024 12:26:15 GMT

It did, thanks. Just to be clear, we do not use NRF_SECURITY for the nrf9160 either.

My thinking was to use MBEDTLS-APIs.

Then when building for nrf9160 it would be forwarded to PSA_CRYPTO (which my understanding is, that is currently happending via the `_ALT` implementations), PSA_CRYPTO then uses the cryptocell hardware internally.

Then when building for native_sim it would use software implementations for the same functions of MBEDTLS.

This would have been my thinking. I do not know, if this is possible or, whether there is a better solution to achieve my goal. I try to also communicate my goal (X = build for nrf9160 and native_sim) and not just my current approach (Y = build MBEDTLS for native_sim) as not to cause the XY-communication problem.

I hope I could clearify my thinking.

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 02 Apr 2024 12:42:44 GMT

Right.

Then the next question is: Why would NRF_SECURITY not work on native_sim?
The easy answer is likely "Because we have not put effort into supporting this".

But maybe before that: Do you use the cryptocell hardware for your crypto on the nRF9160? If so, I also doubt that the native_sim supports that. Using software implementations of cypto on the other hand in theory should not be an issue I guess.

This was not very coherent, but I hope that it made some sense?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Tue, 02 Apr 2024 11:50:32 GMT

`nrf/subsys/nrf_security/Kconfig.tls` is sourced conditionally. It is only available if NRF_SECURITY is active. See line 47 of `nrfxlib/nrf_security/Kconfig`:

```
if NRF_SECURITY

...

# Include TLS/DTLS and x509 configurations
rsource "Kconfig.tls"

...

endif # NRF_SECURITY

```

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Tue, 02 Apr 2024 08:02:03 GMT

[quote user="Cla"]Alternatively, are there other options for running a simulation target except native_sim?[/quote]

Not sure if it is better or not, but Renode exists:

https://renodepedia.renode.io/boards/nrf9160dk_nrf9160/?view=software&demo=hello_world

However, I think/hope it should be possible to make native_sim work here also.
Are you able to find a sample and/or minimal sample I can reproduce your issue on?
I find it odd that these are the dependencies, as I can not find them in the definition of MBEDTLS_X509_LIBRARY. (nrf/subsys/nrf_security/Kconfig.tls)

[quote user=""]Check these unsatisfied dependencies: (TFM_PROFILE_TYPE_MINIMAL || NRF_SECURITY) (=n).[/quote]

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Thu, 28 Mar 2024 09:28:03 GMT

Alternatively, are there other options for running a simulation target except native_sim?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla — Thu, 28 Mar 2024 07:45:50 GMT

[quote userid="106736" url="~/f/nordic-q-a/109703/how-to-integrate-mbedtls-for-nrf9160-and-native-simulation-on-sdk-2-6/476179"]Use VS Code extension Kconfig search of "west build -t menuconfig" to find which of these are "n" and then figure out why those are "n" and if you can make them become "y".[/quote]

Thanks for the quick reply.

I consider the first part of my question answered and understand, that for `sdk 2.6` we should use the MBEDTLS linked in the `west.yml` from `sdk-nrf`.

This leaves the second part all the more unclear. How can certain features of MBEDTLS be configured for native_sim?

Lets take another look at the above mentioned config. As you point out there are the two unsatisfied dependencies (TFM_PROFILE_TYPE_MINIMAL || NRF_SECURITY) . Now neither of those can be activated to work with native_sim. For starter native_sim is not a NORDIC_SOC so NRF_SECURITY is not possible. On the other hand it does also not support TFM such that TFM_PROFILE_TYPE_MINIMAL can not be activated.

I hope, that I could clarify my question about how to configure MBEDTLS in the above mentioned circumstances?

RE: How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Sigurd Hellesvik — Wed, 27 Mar 2024 14:10:40 GMT

Hi Cla,

[quote user=""]Which mbedtls-version to use with `sdk-2.6` (sdk vs upsteam, revision v3.5.2-ncs1 vs revision 66ed2279d6222056af172c188eaf4dcfed481032) ?[/quote]

sdk-nrf is the boss of west includes. See west.yml.
name-allowlist decides which repos zephyr are allowed to include. Since mbedtls is not here, we know that mbedtls is not from zephyr.

The two previous links was for main, but for v2.6.0 we now change to that. Here we can scroll down and find that mbedtls uses v3.5.2-ncs1.

To verify this we can navigate in git bash to "ncs/modules/crypto/mbedtl" and do "git log":

commit acea48fc8a5eb227033b55e6ec012731218e257f (HEAD, tag: v3.3.0-ncs2-rc2, tag: v3.3.0-ncs2-2, tag: v3.3.0-ncs2-1-rc1, tag: v3.3.0-ncs2-1, tag: v3.3.0-ncs2, manifest-rev)
Author: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Date:   Tue Oct 17 09:13:17 2023 +0200

    [nrf noup]  Fix buffer overread with stream cipher
    
    Recreated from commit faf0b8604ac49456b0cff7a34ad27485ca145cce
    which provides the following information
    
    "With stream ciphers, add a check that there's enough room to read a MAC
    in the record. Without this check, subtracting the MAC length from the
    data length resulted in an integer underflow, causing the MAC calculation
    to try reading (SIZE_MAX + 1 - maclen) bytes of input, which is a buffer
    overread."
    
    This commit is a "noup" since TLS/DTLS is undergoing refactoring and
    the content of the commit had to be recreated.
    
    Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>

[quote user=""]How can we do all this, while ensuring, that hardware-crypto-acceleration is used when building for the nrf9160?[/quote]

The hope is that zephyrs board-definition feature will be able to make sure that this works as expected.
You should still verify this after it looks like it works though.

[quote user=""]Which way do you recommend to configure MBEDTLS to achieve the goal described above? Could we use `CONFIG_MBEDTLS_CFG_FILE` instead?[/quote]

I think you need to do this step by step. Why does it fail now?
Then create boards/native_sim.conf and add configurations needed for this board there until it works.
And/or move configs from prj.conf to boards/nrf9160dk_nrf9160_ns.conf which are not needed for native_sim also.

[quote user=""]Check these unsatisfied dependencies: (TFM_PROFILE_TYPE_MINIMAL || NRF_SECURITY) (=n).[/quote]

Use VS Code extension Kconfig search of "west build -t menuconfig" to find which of these are "n" and then figure out why those are "n" and if you can make them become "y".

Regards,
Sigurd Hellesvik