• State Not Answered
  • Replies 18 replies
  • Subscribers 74 subscribers
  • Views 1966 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 324445
Options

How to integrate MBEDTLS for nrf9160 and native simulation on sdk 2.6?

Cla

Dear Support Team

My goal is to build an application for two targets. The targets are an nrf9160 and a simulation target for running it natively on Linux (currently trying native_sim).

The application makes use of the mbedtls-API. For example the `mbedtls_x509...`, `mbedtls_ecp` etc...

To build it for the nrf9160 it works fine now with the following config:

```
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_DHM_C=y
CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_X509_USE_C=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=59000
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_CMAC_C=n
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SHA384_C=n
CONFIG_MBEDTLS_SHA512_C=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=n
CONFIG_MBEDTLS_CIPHER_MODE_CBC=n
CONFIG_MBEDTLS_CIPHER_MODE_CTR=y
CONFIG_MBEDTLS_CHACHA20_C=n
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
CONFIG_MBEDTLS_SSL_SRV_C=n
CONFIG_MBEDTLS_ECDH_C=n
CONFIG_MBEDTLS_PKCS1_V21=n
CONFIG_MBEDTLS_CCM_C=n
CONFIG_MBEDTLS_POLY1305_C=n
CONFIG_MBEDTLS_HKDF_C=n

```

Furthermore, we had to modify the `modules/mbedtls/configs/config-tls-generic.h`-file slightly with some hardcoded `defines`.

But I am struggling to build it for native_sim. The problem is, that I can not enable the respective Kconfigs. For example:

```

warning: MBEDTLS_X509_LIBRARY (defined at /opt/zephyrproject/nrf/modules/trusted-
firmware-m/Kconfig.mbedtls_minimal.defconfig:32,
/opt/zephyrproject/nrf/subsys/nrf_security/Kconfig.tls:7) was assigned the value 'y' but got the
value 'n'. Check these unsatisfied dependencies: (TFM_PROFILE_TYPE_MINIMAL || NRF_SECURITY) (=n).

```

Furthermore, I have observed the following:

The library can be included via the `nrf-sdk`-west.yml or via `sdk-zephyr`-west.yml. Both of those will pull in a different state it seems:

Both refer to the mbedtls fork here: https://github.com/nrfconnect/sdk-mbedtls

But then there is also upstream mbedtls, that is pulled in by upstream zephyr, that seems to offer different options then the `sdk-mbedtls`-fork, like `CONFIG_MBEDTLS_BUILTIN`: https://github.com/zephyrproject-rtos/mbedtls

This confuses me a bit. And I can summarize my questions this way:

  • Which mbedtls-version to use with `sdk-2.6` (sdk vs upsteam, revision v3.5.2-ncs1 vs revision 66ed2279d6222056af172c188eaf4dcfed481032) ?
  • Which way do you recommend to configure MBEDTLS to achieve the goal described above? Could we use `CONFIG_MBEDTLS_CFG_FILE` instead?
  • How can we do all this, while ensuring, that hardware-crypto-acceleration is used when building for the nrf9160?

Thanks in advance and let me know, if you need additional information.

  • 0 in reply to Sigurd Hellesvik

    Thank you for analyzing this.

    Sigurd Hellesvik said:
    Which APIs do you currently use in your code?

    mbedtls_aes
    mbedtls_ecp
    mbedtls_mpi
    mbedtls_pk
    mbedtls_rsa
    mbedtls_sha256
    mbedtls_x509write

    My understanding is, that when building for nrf9160 with tfm activated, it will use the "alternative" implementation, when building with tfm. This will then cause the calls to be redirected to tfm-crypto?

    CONFIG_MBEDTLS_ENTROPY_HARDWARE_ALT=y
    CONFIG_MBEDTLS_AES_SETKEY_ENC_ALT=y
    CONFIG_MBEDTLS_AES_SETKEY_DEC_ALT=y
    CONFIG_MBEDTLS_AES_ENCRYPT_ALT=y

    ...

    As for native_sim, the goal would be to use above libraries in their software implementation.

    Sigurd Hellesvik said:
    TF-M
    • I assume you need this?

    My understanding is, that this is not currently possible with native_sim. I heard it works on qemu with https://docs.zephyrproject.org/latest/boards/arm/mps2/doc/mps2_an521.html but never tested. So if it uses the software implementation of the mbedtls libraries, I think it is not needed for native sim.

    Sigurd Hellesvik said:
    Do you agree with this summary?
    Am I missing something? Do you disagree with anything?

    Yes, sounds good. Maybe I did not clarify my expectation clearly. For example the library `mbedtls_x509write` can be used on the nrf9160 without problem, but it can not be used with native sim, because it is not possible to activate the respective Kconfig option. But my expectation is, that it is possible, because I expect a software implementation of the `mbedtls_x509write`-interface to be available.

    Let me know, if I could explain my expectation and/or goal in a better way?

    Thanks on the support so far.

  • 0 in reply to Cla
    Cla said:
    Maybe I did not clarify my expectation clearly. For example the library `mbedtls_x509write` can be used on the nrf9160 without problem, but it can not be used with native sim, because it is not possible to activate the respective Kconfig option. But my expectation is, that it is possible, because I expect a software implementation of the `mbedtls_x509write`-interface to be available.

    Let me know, if I could explain my expectation and/or goal in a better way?

    I found one developer in nordic with native_sim experience, and asked ca:
    "And SW mbedtls should not be too hard to make work with native_sim?"
    He answers:
    "it works already (at least in plain zephyr:
    tests/crypto/mbedtls/ builds and runs fine for native_sim )
    and it is used in quite a few other tests and samples
    "

    Can you take a look at that test and see if what you need is there?

Related
Terms of service