Configuration for native tls (no offload to modem)

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Wed, 12 Jun 2024 08:20:23 GMT

Hi,

[quote user="Stefan Schmidt"]Hi Håkon, could you please show me where I find this information?[/quote]

My apologies, but this is not directly documented, but it used to be:

https://github.com/nrfconnect/sdk-nrfxlib/blob/v1.9-branch/nrf_modem/include/nrf_modem_limits.h#L27-L28

[quote user="Stefan Schmidt"]

sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

CONFIG_NORDIC_SECURITY_BACKEND=y

When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

"Use nRF Security with Mbed TLS legacy crypto APIs support

Using this configuration enables legacy support for mbed TLS APIs This configuration is not to be used for PSA API support. Note that this will enable nrf_oberon by default. Multiple backends is not supported."

For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

[/quote]

I'm sorry, but my former response is not correct for TLS based PSA communication.

We are currently using mbed-tls v3.5.x, which still requires certain legacy APIs, meaning that there will be some PSA APIs enabled, but by selecting NORDIC_SECURITY_BACKEND it'll favor legacy APIs.

At this time, including the upcoming ncs v2.7.0 (which is in RC1 now), PSA TLS socket operations are not yet implemented.

My deepest apologies for this inconvenience.

Kind regards,

Håkon

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Tue, 11 Jun 2024 07:00:10 GMT

[quote userid="2115" url="~/f/nordic-q-a/110151/configuration-for-native-tls-no-offload-to-modem/479178"]Note that the modem cannot handle more than 4k on non-secure sockets, so no need to exceed 4096 bytes on this configuration.[/quote]

Hi Håkon, could you please show me where I find this information?

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Mon, 10 Jun 2024 13:05:59 GMT

Hi Håkon,

sorry, I have to come back to this. You mentioned the https_client sample, which has PSA crypto enabled. However, one of the settings in this overlay is

CONFIG_NORDIC_SECURITY_BACKEND=y

When I search for CONFIG_NORDIC_SECURITY_BACKEND in https://docs.nordicsemi.com/bundle/ncs-latest/page/kconfig/index.html I get this information:

"Use nRF Security with Mbed TLS legacy crypto APIs support

For me this sounds like it is not using PSA crypto enabled. Am I getting this wrong?

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Fri, 19 Apr 2024 06:56:48 GMT

Hi Stefan,

Glad to hear that you got it running.

[quote userid="130767" url="~/f/nordic-q-a/110151/configuration-for-native-tls-no-offload-to-modem/479589"]

I have everything working now: I fetch the credentials with mbedtls and raw socket and store them to the modem, so that I can use them later with offloaded sockets.

I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use?

[/quote]

Both work. Using PSA (ie. using TF-M to do the actual crypto-operations) will be more secure, but it will likely take up a bit more flash.

[quote userid="130767" url="~/f/nordic-q-a/110151/configuration-for-native-tls-no-offload-to-modem/479589"]And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).[/quote]

https_client sample has an overlay for this, with PSA crypto enabled:

https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

Kind regards,

Håkon

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Fri, 19 Apr 2024 06:20:33 GMT

Hi Håkon,

I have everything working now: I fetch the credentials with mbedtls and raw socket and store them to the modem, so that I can use them later with offloaded sockets.

I started my journey with the https_client sample you mentioned and I have replaced the root certificate locally.

Although everything is working I am still confused about the configurations of legacy and PSA APIs: Which one should I use? And how do I configure the usage of the PSA API? See my last post in our thread, it seems contradicting (CONFIG_NRF_SECURITY <> CONFIG_NORDIC_SECURITY_BACKEND).

Best regards

Stefan

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Wed, 17 Apr 2024 14:32:11 GMT

Hi,

[quote user="Stefan Schmidt"]Your mentioning of CONFIG_MODEM_KEY_MGMT makes me a bit nervous: Is it possible to use raw sockets with mbedtls and offloaded secure sockets in the same firmware? I thought I just set the SOCK_NATIVE_TLS to choose which tls implementation I am using on the socket?!?[/quote]

The reason I was asking is because of the https_client sample.

If you are testing with the https_client sample, this is a check in main on where to store the certificate, either via the modem API or via tls_credentials_* API.

In general, you can add this to add debug prints (note: there will be a lot...) from mbedtls:

CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_LOG_BUFFER_SIZE=20000

If you do not want to use PSA APIs with mbedtls, here is an example with a modified https_client sample (note: using DigiCertGlobalG2.pem and not DigiCertGlobalRootCA.pem as originally used in ncs v2.5.x! host has changed root since this time).

devzone.nordicsemi.com/.../https_5F00_client_5F00_mbedtls_5F00_nrf9160.zip

Again, the above uses mbedtls in the non-secure application, and not via PSA APIs. Please also see the defines/checks in main.c to match against your own application.

Kind regards,

Håkon

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Wed, 17 Apr 2024 11:28:33 GMT

Hi Håkon,

I see in my .config that CONFIG_MODEM_KEY_MGMT is not set.

I have to get data from a server which does not support chunked encoding or similar techniques to break down the data into chunks that would fit into the nrf9160 modem tls buffer (Limitations in the release notes of the 1.3.5 modem firmware - TLS/DTLS - Secure socket buffer size is 2kB.).

Therefore I use mbedtls with raw sockets. With the configuration above I am able to receive the 5949 Bytes in one chunk, this is what I get from my call to zsock_recv():

[00:00:31.687,713] <err> fetch_data: zsock_recv() gave 5949 bytes

But the configuration dependencies are not clear to me and I think the documentation is a mess.

Another example:
In this post RE: Crypto (PSA/mbedtls) ERRORS when migrating from SDK 2.1.1 to SDK 2.5.0 the author mentions "You use both CONFIG_NRF_SECURITY=y and CONFIG_NORDIC_SECURITY_BACKEND=y in your configuration. Unfortunately, this combination makes PSA unavailable."

But CONFIG_NORDIC_SECURITY_BACKEND is selected by CONFIG_BUILD_WITH_TFM (which is selected when I build a _ns image):

CONFIG_NORDIC_SECURITY_BACKEND

Use nRF Security with Mbed TLS legacy crypto APIs support

CONFIG_SOC_FAMILY_NRF

Defaults

y if CONFIG_BUILD_WITH_TFM

And CONFIG_NRF_SECURITY is required to enable PSA:

Enable nRF Security

Set this configuration to enable nRF Security. This provides Arm PSA cryptography APIs with RNG support (optionally).

Dependencies

CONFIG_SOC_FAMILY_NRF

Defaults

y if CONFIG_BUILD_WITH_TFM

So my understanding is that both are set to y by CONFIG_BUILD_WITH_TFM, but they should not be both enabled if I want to use the PSA API?!?!?

What would be the correct minimal configuration when I need tls1.2 with x509 certificates and a data chunks size exceeding the limitation of the modem? On a nrf9160 with nrf Connect SDK v 2.5.0 and a non-secure application....

Your mentioning of CONFIG_MODEM_KEY_MGMT makes me a bit nervous: Is it possible to use raw sockets with mbedtls and offloaded secure sockets in the same firmware? I thought I just set the SOCK_NATIVE_TLS to choose which tls implementation I am using on the socket?!?

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Wed, 17 Apr 2024 10:57:24 GMT

Hi,

Are you targeting to not use any TFM PSA APIs for crypto?

As you originally mention, this overlay conf file shows how to setup mbedtls in the application space, using TFM crypto:

https://github.com/nrfconnect/sdk-nrf/blob/v2.5.2/samples/net/https_client/overlay-tfm_mbedtls.conf

[quote user="Stefan Schmidt"]CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192[/quote]

Note that the modem cannot handle more than 4k on non-secure sockets, so no need to exceed 4096 bytes on this configuration.

Is your posted configuration complete? I cannot see "CONFIG_MODEM_KEY_MGMT=n" in there.

Kind regards,

Håkon

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Tue, 16 Apr 2024 09:58:13 GMT

Ok, when I remove

CONFIG_DEBUG=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_THREAD_INFO=y

I get

[153/157] Linking C executable bin/tfm_s.axf
Memory region Used Size Region Size %age Used
FLASH: 31544 B 32256 B 97.79%
RAM: 14736 B 32 KB 44.97%

and

Memory region Used Size Region Size %age Used
FLASH: 276600 B 384 KB 70.34%
RAM: 149948 B 211608 B 70.86%
IDT_LIST: 0 GB 2 KB 0.00%

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Mon, 15 Apr 2024 13:36:41 GMT

Hi,

I can share my configuration and the final build output. With this configuration (related to mbedTLS)

# MbedTLS and security
CONFIG_TFM_PROFILE_TYPE_MINIMAL=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=8192
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
CONFIG_MBEDTLS_HEAP_SIZE=32768
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_DHM_C=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_X509_REMOVE_INFO=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_NRF_SECURITY=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

I get this build output:

[153/157] Linking C executable bin/tfm_s.axf
Memory region         Used Size Region Size %age Used
           FLASH:       64332 B      65024 B     98.94%
             RAM:       18888 B        32 KB     57.64%

[433/444] Linking C executable zephyr/zephyr.elf
Memory region         Used Size Region Size %age Used
           FLASH:      349572 B       352 KB     96.98%
             RAM:      150204 B     211608 B     70.98%
        IDT_LIST:          0 GB         2 KB      0.00%

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Mon, 15 Apr 2024 12:51:10 GMT

Hi,

Can you share the build output?

Kind regards,

Håkon

RE: Configuration for native tls (no offload to modem)

Stefan Schmidt — Mon, 15 Apr 2024 12:14:12 GMT

Hi Håkon,

thanks a lot for your suggestion. I am currently using the https_client demo and reverse engineer the meaning of the different CONFIG options used there.

Resizing a partition might be an option, but resizing because I don't know how to configure the mbed tls library is not a solution.

Thanks

Stefan

RE: Configuration for native tls (no offload to modem)

Håkon Alseth — Thu, 11 Apr 2024 15:25:22 GMT

Hi,

How much are you overflowing with?

You can adjust the size of TFM using this configuration:

CONFIG_PM_PARTITION_SIZE_TFM

Note that the alignment can be a bit tricky here, especially when combining this with mcuboot.

Try for instance 0x27E00 if you're building with mcuboot.

Kind regards,

Håkon