Configuration for native tls (no offload to modem)

Hi,

How much are you overflowing with?

You can adjust the size of TFM using this configuration:

CONFIG_PM_PARTITION_SIZE_TFM

Note that the alignment can be a bit tricky here, especially when combining this with mcuboot.

Try for instance 0x27E00 if you're building with mcuboot.

Kind regards,

Håkon

Hi Håkon,

thanks a lot for your suggestion. I am currently using the https_client demo and reverse engineer the meaning of the different CONFIG options used there.

Resizing a partition might be an option, but resizing because I don't know how to configure the mbed tls library is not a solution.

Thanks

Stefan

Hi Håkon,

 I have everything working now: I fetch the credentials with mbedtls and raw socket and store them to the modem, so that I can use them later with offloaded sockets.

I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use? And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

Best regards

Stefan

Hi Stefan,

Glad to hear that you got it running.

Stefan Schmidt said:

 I have everything working now: I fetch the credentials with mbedtls and raw socket and store them to the modem, so that I can use them later with offloaded sockets.

I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use?

Both work. Using PSA (ie. using TF-M to do the actual crypto-operations) will be more secure, but it will likely take up a bit more flash.

Stefan Schmidt said:

And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

https_client sample has an overlay for this, with PSA crypto enabled:

https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

Kind regards,

Håkon

Hi Håkon,

 sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

CONFIG_NORDIC_SECURITY_BACKEND=y

When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

"Use nRF Security with Mbed TLS legacy crypto APIs support

Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

Håkon Alseth said:

Note that the modem cannot handle more than 4k on non-secure sockets, so no need to exceed 4096 bytes on this configuration.

Hi Håkon, could you please show me where I find this information?

Hi,

Stefan Schmidt said:

Hi Håkon, could you please show me where I find this information?

My apologies, but this is not directly documented, but it used to be:

https://github.com/nrfconnect/sdk-nrfxlib/blob/v1.9-branch/nrf_modem/include/nrf_modem_limits.h#L27-L28

Stefan Schmidt said:

 sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

CONFIG_NORDIC_SECURITY_BACKEND=y

When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

"Use nRF Security with Mbed TLS legacy crypto APIs support

Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

I'm sorry, but my former response is not correct for TLS based PSA communication.

We are currently using mbed-tls v3.5.x, which still requires certain legacy APIs, meaning that there will be some PSA APIs enabled, but by selecting NORDIC_SECURITY_BACKEND it'll favor legacy APIs.

At this time, including the upcoming ncs v2.7.0 (which is in RC1 now), PSA TLS socket operations are not yet implemented.

My deepest apologies for this inconvenience.

Kind regards,

Håkon

Hi,

Stefan Schmidt said:

Hi Håkon, could you please show me where I find this information?

My apologies, but this is not directly documented, but it used to be:

https://github.com/nrfconnect/sdk-nrfxlib/blob/v1.9-branch/nrf_modem/include/nrf_modem_limits.h#L27-L28

Stefan Schmidt said:

 sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

CONFIG_NORDIC_SECURITY_BACKEND=y

When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

"Use nRF Security with Mbed TLS legacy crypto APIs support

Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

I'm sorry, but my former response is not correct for TLS based PSA communication.

We are currently using mbed-tls v3.5.x, which still requires certain legacy APIs, meaning that there will be some PSA APIs enabled, but by selecting NORDIC_SECURITY_BACKEND it'll favor legacy APIs.

At this time, including the upcoming ncs v2.7.0 (which is in RC1 now), PSA TLS socket operations are not yet implemented.

My deepest apologies for this inconvenience.

Kind regards,

Håkon