• State Not Answered
  • Replies 8 replies
  • Subscribers 63 subscribers
  • Views 152 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 325529
Options

HTTPS without T-FM and PSA

Daniel Figueira

Hello,

We are currently developing a WiFi library and just started on implementing HTTPS and ran into some issues. Since we don't have enough flash and memory for using the T-FM image, we decided to work on the secure build (without *ns).

As such we tried to get the exercise 'wififund_less5_exer2' running without PSA and T-FM, and using the CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS as backend.

Unfortunately we always get the same error when calling connect():

[00:00:35.491,699] <inf> Lesson5_Exercise2: Network connected
[00:00:36.076,354] <inf> Lesson5_Exercise2: IPv4 address of HTTP server found 18.238.243.52
[00:00:36.100,402] <err> Lesson5_Exercise2: Connecting to server failed, err: 22, Invalid argument
[00:00:36.100,402] <err> Lesson5_Exercise2: Failed to initialize client


Which is exactly the same problem we're getting in our library.

Is it somehow possible to get HTTPS working without T-FM and PSA, using a different crypto? Or is it limited by the hardware/kernel?

Best regards,
Daniel Figueira

  • 0

    Hi,

    I will look into this and return with more information on Monday.

    Regards,
    Sigurd Hellesvik

  • 0

    Hi Daniel,

    (Optional) To learn about the PSA Crypto API, see  Securing IoT products with PSA Certified APIs .

    One of the big upsides with the PSA Crypto API is that it should do the same both with and without TF-M, so your code should function the same (if a tad less securely) without TF-M.

    So out of the gate, I think that what you try should work.

    Can you try our HTTPS Client example without TF-M?
    Reason I ask for a sample is because that makes this easier to try and reproduce from my side.
    Here is the overlay I used for nrf7002dk_nrf5340_cpuapp.conf, which maybe work:

    #
# Copyright (c) 2023 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#

# General
CONFIG_POSIX_CLOCK=y
CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=81920
CONFIG_NET_RX_STACK_SIZE=2048

# Optimize Wi-Fi stack to save some memory
CONFIG_NRF700X_RX_NUM_BUFS=16
CONFIG_NRF700X_MAX_TX_AGGREGATION=4

# Wi-Fi
CONFIG_WIFI=y
CONFIG_WIFI_NRF700X=y
CONFIG_WIFI_NRF700X_LOG_LEVEL_ERR=y
CONFIG_WIFI_MGMT_EXT=y
CONFIG_WIFI_CREDENTIALS=y


# Shell
CONFIG_SHELL=y
CONFIG_SHELL_STACK_SIZE=6144

# WPA supplicant
CONFIG_WPA_SUPP=y
CONFIG_WPA_SUPP_LOG_LEVEL_ERR=y

# Zephyr NET Connection Manager connectivity layer
CONFIG_L2_WIFI_CONNECTIVITY=y
CONFIG_L2_WIFI_CONNECTIVITY_AUTO_DOWN=n
CONFIG_L2_WIFI_CONNECTIVITY_AUTO_CONNECT=n

# DNS
CONFIG_DNS_RESOLVER=y
CONFIG_NET_SOCKETS_DNS_TIMEOUT=30000

# NET sockets
CONFIG_NET_NATIVE=y
CONFIG_NET_L2_ETHERNET=y
CONFIG_NET_TCP=y
CONFIG_NET_TCP_WORKQ_STACK_SIZE=2048
CONFIG_NET_UDP=y
CONFIG_NET_SOCKETS_OFFLOAD=n
CONFIG_NET_DHCPV4=y
CONFIG_NET_CONTEXT_SNDTIMEO=y

# TLS networking
CONFIG_NET_SOCKETS_ENABLE_DTLS=n
CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=2
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# TLS credentials
CONFIG_FLASH=y
Here is the overlay I used for nrf7002dk_nrf5340_cpuapp
CONFIG_FLASH_MAP=y
CONFIG_NVS=y
CONFIG_SETTINGS=y
CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS=y
CONFIG_TLS_CREDENTIALS_BACKEND_VOLATILE=y

# mbedTLS
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=81920
CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_TLS_LIBRARY=y


CONFIG_WIFI_CREDENTIALS_STATIC=y
CONFIG_WIFI_CREDENTIALS_STATIC_SSID=""
CONFIG_WIFI_CREDENTIALS_STATIC_PASSWORD=""

CONFIG_PM_SINGLE_IMAGE=y

    I say "maybe" because I did not get to test it yet. I planned to but then Monday happened and I do not have access to a nRF7002DK until tomorrow.

  • 0 in reply to Sigurd Hellesvik

    Hi Sigurd, tomorrow I won't be able to, but Wednesday I will give this a try see how it goes.

  • 0 in reply to Daniel Figueira

    Worked for me on nrf7002dk_nrf5340_cpuapp now. That is a good sign.

    Let me know how your test goes

  • 0 in reply to Sigurd Hellesvik

    The HTTPS_client sample also seems to work for me with the configs you provided Thumbsup

    I tried to use the HTTPS_client sample to connect to the server used by 'wififund_less5_exer2' (echo.thingy.rocks) with the certificate provided for that lesson (which we've been using in our tests) and I figured out that by null-terminating that certificate like shown on the HTTPS_client sample:

    I no longer get the EINVAL error code (22) - which makes sense since I previously did not understand why connect would be returning EINVAL: https://pubs.opengroup.org/onlinepubs/9699919799/functions/connect.html

    I still get an ECONNABORTED error (113) - which is not described on the connect() function, but seems to make more sense...

    I'll try to look a bit more into it later this week. If I can't manage to connect to 'echo.thingy.rocks' (nordic server) I'll use the server (example.com) and certificates from the HTTPS_client sample instead and see how that goes.

Related