undefined reference to `mbedtls_pk_setup_opaque'

Hello,

On Ubuntu 22.04 with nRF Connect SDK 2.6.1 I am trying to generate a CSR based on a generated asymmetric key. The CSR is for AWS IoT provisioning by claim. The implementation is based on the zephyr/samples/tfm_integration/psa_crypto example (I have an outstanding ticket here). The code is supposed to run in NSPE. The target is nrf5340dk_nrf5340_cpuapp_ns.

1) I run into a linking problem: mbedtls_pk_setup_opaque is undefined. It looks similar to this issue, but I don't find the solution (I hoped to find a copy 'n paste style solution).

2) A side question: how do I properly convert a psa_key_id_t into a mbedtls_svc_key_id_t? Is there a macro or function that does this conversion? Currently I'm just typecasting; that does not feel correct ...

3) A development side question: Due to using TFM, I first need to flash with sdk-nrf/tree/main/samples/tfm/provisioning_image & recovery mode to put the DK into a "provisioning state". Next I then flash once more the image containing the CSR experimental code. Is there an easy way, for the development phase, to disable the mechanism that prevents me from flashing the experimental code?

This is the prj.conf (there's no BL):

CONFIG_LOG=y
CONFIG_LOG_DEFAULT_LEVEL=3
CONFIG_LOG_BUFFER_SIZE=4096

CONFIG_TFM_ITS_ENCRYPTED=y

CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
# without following psa_generate_random() returns -134
CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=y
CONFIG_TFM_NRF_PROVISIONING=y
CONFIG_BUILD_WITH_TFM=y

CONFIG_MAIN_STACK_SIZE=16384
CONFIG_MBEDTLS_HEAP_SIZE=16384
CONFIG_HEAP_MEM_POOL_SIZE=32768

CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_USE_PSA_CRYPTO=y


The code (it is experimental):
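#include <mbedtls/pk.h>
#include <mbedtls/x509_csr.h>
#include <psa/crypto.h>
#include <zephyr/logging/log.h>

/* Build a CSR for the PSA key identified by key_id (experimental, WIP). */
int make_csr(psa_key_id_t key_id)
{
	int ret = -1;
	int res;
	mbedtls_x509write_csr req;
	mbedtls_pk_context pk_key_container;

	/* Initialise both contexts up front so the cleanup path is always safe. */
	mbedtls_x509write_csr_init(&req);
	mbedtls_pk_init(&pk_key_container);

	mbedtls_x509write_csr_set_md_alg(&req, MBEDTLS_MD_SHA256);

	res = mbedtls_x509write_csr_set_subject_name(&req, "O=XYZ,CN=Device Certificate");
	if (0 != res) {
		LOG_ERR("mbedtls_x509write_csr_set_subject_name() failed %d", res);
		goto cleanup;
	}
	LOG_INF("mbedtls_x509write_csr_set_subject_name() ok");

	/* Wrap the PSA key in an opaque PK context; the key material is not
	 * copied into pk_key_container. */
	res = mbedtls_pk_setup_opaque(&pk_key_container, (mbedtls_svc_key_id_t)key_id);
	if (0 != res) {
		LOG_ERR("mbedtls_pk_setup_opaque() failed %d", res);
		goto cleanup;
	}
	LOG_INF("mbedtls_pk_setup_opaque() ok");

	mbedtls_x509write_csr_set_key(&req, &pk_key_container);

	// WIP ...

	ret = 0;

cleanup:
	/* Release both contexts on success and on every error path. */
	mbedtls_pk_free(&pk_key_container);
	mbedtls_x509write_csr_free(&req);

	return ret;
}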


Thank you!

Kind regards, francis
