Configuration for native TLS (no offload to modem)

Dear Support-Team,

due to the 2 KB limitation of the secure buffers of the nRF9160 modem I am trying to set up native TLS. I found the https_client sample, which sounded promising, but when I use the same configuration as described in the sample (prj.conf + overlay-tfm_mbedtls.conf) I get a "region FLASH overflow", so I am trying to figure out which settings do what.

Using https://developer.nordicsemi.com/nRF_Connect_SDK/doc/2.5.0/kconfig/index.html does not help as the description gives no clue at all:

Examples:
CONFIG_NRF_SECURITY_ADVANCED

Advanced mbed TLS Configuration Settings

This configuration has no effect and will be deprecated. It is kept in to ensure projects setting this aren't affected.

or

CONFIG_TFM_PROFILE_TYPE_NOT_SET

TF-M build profile is not set

Is there any other documentation for those configurations?

Best regards

Context: I am working on an MQTT project and I have provisioned the certificates to the modem. With set_native_tls set in the mqtt_sec_config struct I am able to connect to the server and get the data I expect (i.e. offloading to the modem). Now I have to change to native TLS in order to receive some other data which does not fit into the 2 KB secure buffer of the modem.

  • Hi,

    By how much are you overflowing?

    You can adjust the size of TFM using this configuration:

    CONFIG_PM_PARTITION_SIZE_TFM

    Note that the alignment can be a bit tricky here, especially when combining this with mcuboot.

    Try for instance 0x27E00 if you're building with mcuboot.

    Kind regards,

    Håkon

  • Hi Håkon,

    thanks a lot for your suggestion. I am currently using the https_client demo and reverse-engineering the meaning of the different CONFIG options used there.

    Resizing a partition might be an option, but resizing because I don't know how to configure the mbed tls library is not a solution.

    Thanks

    Stefan

  • Hi,

    Stefan Schmidt said:
    Your mentioning of CONFIG_MODEM_KEY_MGMT makes me a bit nervous: Is it possible to use raw sockets with mbedtls and offloaded secure sockets in the same firmware? I thought I just set SOCK_NATIVE_TLS to choose which TLS implementation I am using on the socket?

    The reason I was asking is because of the https_client sample.

    If you are testing with the https_client sample, there is a check in main on where to store the certificate, either via the modem API or via the tls_credentials_* API.

    In general, you can add this to get debug prints (note: there will be a lot...) from mbedtls:

    CONFIG_MBEDTLS_DEBUG=y
    CONFIG_MBEDTLS_DEBUG_C=y
    CONFIG_MBEDTLS_DEBUG_LEVEL=4
    CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
    CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
    CONFIG_LOG_BUFFER_SIZE=20000

    If you do not want to use PSA APIs with mbedtls, here is an example with a modified https_client sample (note: it uses DigiCertGlobalG2.pem and not DigiCertGlobalRootCA.pem as originally used in ncs v2.5.x! The host has changed its root since then).

    https_client_mbedtls_nrf9160.zip

    Again, the above uses mbedtls in the non-secure application, and not via PSA APIs. Please also see the defines/checks in main.c to match against your own application.

    Kind regards,

    Håkon
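The two socket flavours discussed in this reply (offloaded secure sockets in the modem, and raw sockets wrapped by mbedtls in the non-secure application) can be enabled in the same image. The fragment below is an added example of a prj.conf for that setup, written for this thread; it is not the https_client sample's overlay-tfm_mbedtls.conf and not Håkon's attached project. The Kconfig symbols are the NCS/Zephyr ones named in the thread or in the nrf_security and Zephyr socket subsystems; the heap size and record length are assumed starting values to be tuned, and the TF-M partition size is the one from Håkon's earlier reply, left commented out.

```kconfig
# Added example prj.conf fragment for this thread (not the sample's own overlay).
# Goal: keep offloaded (modem-side) TLS sockets and additionally run native TLS
# in the non-secure app for the data that does not fit the modem's 2 KB secure buffer.

# Modem library and offloaded sockets.
# A socket() call without SOCK_NATIVE_TLS is still served by the modem.
CONFIG_NRF_MODEM_LIB=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y

# Credential store inside the modem (modem_key_mgmt_* API), used by offloaded
# secure sockets through their sec_tag.
CONFIG_MODEM_KEY_MGMT=y

# Native TLS: Zephyr's TLS socket layer handles SOCK_NATIVE_TLS + IPPROTO_TLS_1_2
# on top of a raw (offloaded) TCP socket.
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# Application-side credential store (tls_credential_add API) used by native sockets.
CONFIG_TLS_CREDENTIALS=y

# Mbed TLS via nrf_security with the legacy API backend, i.e. mbedtls running in
# the non-secure app as in Håkon's attached sample, not via PSA/TF-M.
CONFIG_NRF_SECURITY=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_ENABLE_HEAP=y

# Assumed starting value; shrink or grow according to the handshake you observe.
CONFIG_MBEDTLS_HEAP_SIZE=81920

# Assumed value. Håkon notes later in the thread that the modem's non-secure
# sockets do not handle more than 4 KB per call, so he sees no need to exceed 4096.
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096

# Flash budget: on "region FLASH overflow", shrink the TF-M partition rather than
# blindly stripping Mbed TLS features (value from Håkon's reply; watch alignment with MCUboot).
# CONFIG_PM_PARTITION_SIZE_TFM=0x27E00
```

With native TLS the certificate chain is checked in the application rather than in the modem, so the peer-verification settings become the application's responsibility: after creating the SOCK_NATIVE_TLS socket, set TLS_SEC_TAG_LIST, TLS_HOSTNAME and TLS_PEER_VERIFY explicitly via setsockopt() on SOL_TLS, the same socket options the Zephyr TLS layer documents. Turning on the CONFIG_MBEDTLS_DEBUG options from the reply above is the quickest way to confirm which certificate the native stack actually loaded.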

  • Hi Håkon,

    I have everything working now: I fetch the credentials with mbedtls and a raw socket and store them in the modem, so that I can use them later with offloaded sockets.

    I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

    Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use? And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

    Best regards

    Stefan

  • Hi Stefan,

    Glad to hear that you got it running.

    Stefan Schmidt said:
    I have everything working now: I fetch the credentials with mbedtls and a raw socket and store them in the modem, so that I can use them later with offloaded sockets.

    I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

    Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use?

    Both work. Using PSA (i.e. using TF-M to do the actual crypto operations) will be more secure, but it will likely take up a bit more flash.

    Stefan Schmidt said:
    And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

    https_client sample has an overlay for this, with PSA crypto enabled:

    https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

    Kind regards,

    Håkon

  • Hi Håkon,

     sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

    CONFIG_NORDIC_SECURITY_BACKEND=y

    When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

    "Use nRF Security with Mbed TLS legacy crypto APIs support

    Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

    For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

    Håkon said:
    Note that the modem cannot handle more than 4k on non-secure sockets, so no need to exceed 4096 bytes on this configuration.

    Hi Håkon, could you please show me where I find this information?

  • Hi,

    Stefan Schmidt said:
    Hi Håkon, could you please show me where I find this information?

    My apologies, this is not directly documented, but it used to be:

    https://github.com/nrfconnect/sdk-nrfxlib/blob/v1.9-branch/nrf_modem/include/nrf_modem_limits.h#L27-L28

    Stefan Schmidt said:

     sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

    CONFIG_NORDIC_SECURITY_BACKEND=y

    When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

    "Use nRF Security with Mbed TLS legacy crypto APIs support

    Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

    For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

    I'm sorry, but my former response is not correct for TLS based PSA communication.

    We are currently using mbed-tls v3.5.x, which still requires certain legacy APIs, meaning that there will be some PSA APIs enabled, but by selecting NORDIC_SECURITY_BACKEND it'll favor legacy APIs.

    At this time, including the upcoming ncs v2.7.0 (which is in RC1 now), PSA TLS socket operations are not yet implemented.

    My deepest apologies for this inconvenience.

    Kind regards,

    Håkon
