Configuration for native tls (no offload to modem)

Dear Support-Team,

Due to the 2KB limitation of the secure buffers of the nRF9160 modem I am trying to set up native TLS. I found the https_client sample, which sounded promising, but when I use the same configuration as described in the sample (prj.conf + overlay-tfm_mbedtls.conf) I get a "region FLASH overflow", so I am trying to figure out which settings do what.

Using https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.5.0/kconfig/index.html does not help, as the descriptions give no clue at all:

Examples:
CONFIG_NRF_SECURITY_ADVANCED

Advanced mbed TLS Configuration Settings

This configuration has no effect and will be deprecated. It is kept in to ensure projects setting this aren't affected.

or

CONFIG_TFM_PROFILE_TYPE_NOT_SET

TF-M build profile is not set

Is there any other documentation for those configurations?

Best regards

Context: I am working on an MQTT project and I have provisioned the certificates to the modem. By setting set_native_tls in the mqtt_sec_config struct I am able to connect to the server and get the data I expect (> offloading to the modem). Now I have to change to native TLS in order to receive some other data which does not fit into the 2kB secure buffer of the modem.

  • Hi,

    How much are you overflowing by?

    You can adjust the size of TFM using this configuration:

    CONFIG_PM_PARTITION_SIZE_TFM

    Note that the alignment can be a bit tricky here, especially when combining this with mcuboot.

    Try for instance 0x27E00 if you're building with mcuboot.

    Kind regards,

    Håkon

  • Hi Håkon,

    Thanks a lot for your suggestion. I am currently using the https_client demo and reverse engineering the meaning of the different CONFIG options used there.

    Resizing a partition might be an option, but resizing because I don't know how to configure the mbed TLS library is not a solution.

    Thanks

    Stefan

  • Hi,

    Can you share the build output?

    Kind regards,

    Håkon

  • Hi,

    I can share my configuration and the final build output. With this configuration (related to mbedTLS):

    # MbedTLS and security
    CONFIG_TFM_PROFILE_TYPE_MINIMAL=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192
    CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
    CONFIG_MBEDTLS_HEAP_SIZE=32768
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_GCM_C=y
    CONFIG_MBEDTLS_DHM_C=y
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_MBEDTLS_X509_REMOVE_INFO=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_NRF_SECURITY=y
    CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

    I get this build output:

    [153/157] Linking C executable bin/tfm_s.axf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       64332 B      65024 B     98.94%
                 RAM:       18888 B        32 KB     57.64%

    [433/444] Linking C executable zephyr/zephyr.elf
    Memory region         Used Size  Region Size  %age Used
               FLASH:      349572 B       352 KB     96.98%
                 RAM:      150204 B     211608 B     70.98%
            IDT_LIST:          0 GB         2 KB      0.00%

  • OK, when I remove

    CONFIG_DEBUG=y
    CONFIG_DEBUG_INFO=y
    CONFIG_DEBUG_THREAD_INFO=y

    I get

    [153/157] Linking C executable bin/tfm_s.axf
    Memory region         Used Size  Region Size  %age Used
               FLASH:       31544 B      32256 B     97.79%
                 RAM:       14736 B        32 KB     44.97%

    and

    Memory region         Used Size  Region Size  %age Used
               FLASH:      276600 B       384 KB     70.34%
                 RAM:      149948 B     211608 B     70.86%
            IDT_LIST:          0 GB         2 KB      0.00%

  • Hi,

    Are you aiming not to use any TF-M PSA APIs for crypto?

    As you originally mentioned, this overlay conf file shows how to set up mbedtls in the application space, using TF-M crypto:

    https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

    Stefan Schmidt said:
    CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192

    Note that the modem cannot handle more than 4k on non-secure sockets, so no need to exceed 4096 bytes on this configuration.

    Is your posted configuration complete? I cannot see "CONFIG_MODEM_KEY_MGMT=n" in there.

    Kind regards,

    Håkon

  • Hi Håkon,

     I see in my .config that CONFIG_MODEM_KEY_MGMT is not set.

    I have to get data from a server which does not support chunked encoding or similar techniques to break the data down into chunks that would fit into the nRF9160 modem TLS buffer (limitation in the release notes of the 1.3.5 modem firmware: TLS/DTLS - secure socket buffer size is 2kB).

    Therefore I use mbedtls with raw sockets. With the configuration above I am able to receive the 5949 bytes in one chunk; this is what I get from my call to zsock_recv():

    [00:00:31.687,713] <err> fetch_data: zsock_recv() gave 5949 bytes

    But the configuration dependencies are not clear to me, and I think the documentation is a mess.

    Another example:
    In this post RE: Crypto (PSA/mbedtls) ERRORS when migrating from SDK 2.1.1 to SDK 2.5.0 the author mentions "You use both CONFIG_NRF_SECURITY=y and CONFIG_NORDIC_SECURITY_BACKEND=y in your configuration. Unfortunately, this combination makes PSA unavailable."

    But CONFIG_NORDIC_SECURITY_BACKEND is selected by CONFIG_BUILD_WITH_TFM (which is selected when I build a _ns image):

    CONFIG_NORDIC_SECURITY_BACKEND

    Use nRF Security with Mbed TLS legacy crypto APIs support

    Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported.
    Dependencies

    CONFIG_SOC_FAMILY_NRF

    Defaults

    y if CONFIG_BUILD_WITH_TFM

    And CONFIG_NRF_SECURITY is required to enable PSA:

    Enable nRF Security

    Set this configuration to enable nRF Security. This provides Arm PSA cryptography APIs with RNG support (optionally).

    Dependencies
    Defaults

    So my understanding is that both are set to y by CONFIG_BUILD_WITH_TFM, but they should not both be enabled if I want to use the PSA API?!?!?

    What would be the correct minimal configuration when I need TLS 1.2 with X.509 certificates and a data chunk size exceeding the limitation of the modem? On an nRF9160 with nRF Connect SDK v2.5.0 and a non-secure application....

    Your mention of CONFIG_MODEM_KEY_MGMT makes me a bit nervous: is it possible to use raw sockets with mbedtls and offloaded secure sockets in the same firmware? I thought I just set SOCK_NATIVE_TLS to choose which TLS implementation I am using on the socket?!?

  • Hi,

    Stefan Schmidt said:
    Your mention of CONFIG_MODEM_KEY_MGMT makes me a bit nervous: is it possible to use raw sockets with mbedtls and offloaded secure sockets in the same firmware? I thought I just set SOCK_NATIVE_TLS to choose which TLS implementation I am using on the socket?!?

    The reason I was asking is because of the https_client sample.

    If you are testing with the https_client sample, there is a check in main on where to store the certificate, either via the modem API or via the tls_credential_* API.

    In general, you can add the following to get debug prints (note: there will be a lot...) from mbedtls:

    CONFIG_MBEDTLS_DEBUG=y
    CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_MBEDTLS_DEBUG_LEVEL=4
    CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
    CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
    CONFIG_LOG_BUFFER_SIZE=20000

    If you do not want to use PSA APIs with mbedtls, here is an example with a modified https_client sample (note: it uses DigiCertGlobalG2.pem and not DigiCertGlobalRootCA.pem as originally used in NCS v2.5.x! The host has changed root since then).

    https_client_mbedtls_nrf9160.zip

    Again, the above uses mbedtls in the non-secure application, and not via PSA APIs. Please also see the defines/checks in main.c to match against your own application.

    Kind regards,

    Håkon

  • Hi Håkon,

    I have everything working now: I fetch the credentials with mbedtls and a raw socket and store them in the modem, so that I can use them later with offloaded sockets.

    I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

    Although everything is working I am still confused about the configuration of legacy and PSA APIs: which one should I use? And how do I configure the usage of the PSA API? See my last post in our thread; it seems contradictory (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

    Best regards

    Stefan

  • Hi Stefan,

    Glad to hear that you got it running.

    Stefan Schmidt said:
    I have everything working now: I fetch the credentials with mbedtls and a raw socket and store them in the modem, so that I can use them later with offloaded sockets.

    I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

    Although everything is working I am still confused about the configuration of legacy and PSA APIs: which one should I use?

    Both work. Using PSA (i.e. using TF-M to do the actual crypto operations) will be more secure, but it will likely take up a bit more flash.

    Stefan Schmidt said:
    And how do I configure the usage of the PSA API? See my last post in our thread; it seems contradictory (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

    https_client sample has an overlay for this, with PSA crypto enabled:

    https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

    Kind regards,

    Håkon
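
As an added example (not code from the thread, from the https_client sample or from Nordic), a small POSIX shell audit that reads a Zephyr .config and reports the option combinations discussed above: CONFIG_NRF_SECURITY together with CONFIG_NORDIC_SECURITY_BACKEND, an mbedTLS heap smaller than the two record buffers (an assumed rule of thumb, not stated in the thread), CONFIG_MODEM_KEY_MGMT unset, and the debug options that inflated the flash usage. The .config excerpt is constructed; the heap is deliberately undersized so that every check fires.

```shell
# Constructed .config excerpt: the thread's options, with a deliberately small heap.
SAMPLE_CONFIG='CONFIG_NRF_SECURITY=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
CONFIG_MBEDTLS_HEAP_SIZE=8192
# CONFIG_MODEM_KEY_MGMT is not set
CONFIG_DEBUG=y'

# kconfig_value FILE SYMBOL: print the symbol's value, or "n" when absent / "is not set".
kconfig_value() {
    v=$(grep -E "^$2=" "$1" | head -n 1 | cut -d= -f2-)
    [ -n "$v" ] && echo "$v" || echo n
}

# audit_config FILE: print one WARN:/INFO: line per finding discussed in the thread.
audit_config() {
    f="$1"
    if [ "$(kconfig_value "$f" CONFIG_NRF_SECURITY)" = y ] &&
       [ "$(kconfig_value "$f" CONFIG_NORDIC_SECURITY_BACKEND)" = y ]; then
        echo "WARN: CONFIG_NRF_SECURITY=y and CONFIG_NORDIC_SECURITY_BACKEND=y together; the post quoted in the thread says this makes PSA unavailable"
    fi
    in_len=$(kconfig_value "$f" CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN)
    out_len=$(kconfig_value "$f" CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN)
    heap=$(kconfig_value "$f" CONFIG_MBEDTLS_HEAP_SIZE)
    # Assumed rule of thumb: mbedtls_ssl_setup() carves both record buffers out of this heap.
    if [ "$(kconfig_value "$f" CONFIG_MBEDTLS_ENABLE_HEAP)" = y ] && [ "$heap" != n ] &&
       [ "$in_len" != n ] && [ "$out_len" != n ] && [ "$heap" -lt $((in_len + out_len)) ]; then
        echo "WARN: CONFIG_MBEDTLS_HEAP_SIZE=$heap is below IN+OUT content length $((in_len + out_len))"
    fi
    if [ "$(kconfig_value "$f" CONFIG_MODEM_KEY_MGMT)" = n ]; then
        echo "INFO: CONFIG_MODEM_KEY_MGMT is not set; https_client then stores the certificate via tls_credential_* instead of the modem API"
    fi
    for sym in CONFIG_DEBUG CONFIG_DEBUG_INFO CONFIG_DEBUG_THREAD_INFO; do
        if [ "$(kconfig_value "$f" "$sym")" = y ]; then
            echo "INFO: $sym=y; dropping the debug options cut the thread's image from 349572 B to 276600 B"
        fi
    done
}

# count_warnings FILE: number of WARN lines, usable as a build-time gate.
count_warnings() {
    audit_config "$1" | grep -c '^WARN:' || true
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
audit_config "$tmp"
rm -f "$tmp"
```

Point it at build/zephyr/.config after a west build to see which of the thread's combinations your own image ended up with.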
