MBEDTLS time/date support with nRF Security

Is MBEDTLS date/time not supported in nRF Security?

warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
helpful too.

We would like to have a certificate validity check, but are unable to enable it.

  • Hi,

    Can you provide information about your application?

    Can you provide complete build log and your project configuration?

    Best regards,
    Dejan

  • This is a generic issue with nRF SDK, not tied to an application. 

    I am using v2.7.0 SDK.

    For example, you can try building the "aws_iot_mqtt" example on the nRF7002DK. See the build log for the same below.

    Building aws_iot_mqtt
    west build --build-dir /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build /home/vscode/workspaces/base-station-application/aws_iot_mqtt --pristine --board nrf7002dk/nrf5340/cpuapp/ns -- -DNCS_TOOLCHAIN_VERSION=NONE -DBOARD_ROOT=/home/vscode/workspaces/base-station-application
    
    -- west build: generating a build system
    Loading Zephyr default modules (Zephyr base).
    -- Application: /home/vscode/workspaces/base-station-application/aws_iot_mqtt
    -- CMake version: 3.30.2
    -- Found Python3: /usr/bin/python3 (found suitable version "3.10.12", minimum required is "3.8") found components: Interpreter
    -- Cache files will be written to: /home/vscode/workspaces/.cache/zephyr
    -- Zephyr version: 3.6.99 (/home/vscode/workspaces/external_dependencies/zephyr)
    -- Found west (found suitable version "1.2.0", minimum required is "0.14.0")
    -- Board: nrf7002dk, qualifiers: nrf5340/cpuapp/ns
    -- Found host-tools: zephyr 0.16.5 (/home/vscode/workspaces/external_dependencies/zephyr-sdk)
    -- Found toolchain: zephyr 0.16.5 (/home/vscode/workspaces/external_dependencies/zephyr-sdk)
    -- Found Dtc: /usr/bin/dtc (found suitable version "1.6.1", minimum required is "1.4.6")
    -- Found BOARD.dts: /home/vscode/workspaces/external_dependencies/nrf/boards/nordic/nrf7002dk/nrf7002dk_nrf5340_cpuapp_ns.dts
    -- Generated zephyr.dts: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/zephyr.dts
    -- Generated devicetree_generated.h: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/include/generated/devicetree_generated.h
    -- Including generated dts.cmake file: /home/vscode/workspaces/base-station-application/aws_iot_mqtt/build/zephyr/dts.cmake
    
    warning: MBEDTLS_MEMORY_DEBUG (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig.tls:167,
    modules/mbedtls/Kconfig:166, modules/mbedtls/Kconfig:166) was assigned the value 'y' but got the
    value 'n'. Check these unsatisfied dependencies: ((MBEDTLS_TLS_LIBRARY && NRF_SECURITY) ||
    (MBEDTLS_BUILTIN && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_MEMORY_DEBUG and/or look up
    MBEDTLS_MEMORY_DEBUG in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_AES_ROM_TABLES (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig.legacy:417,
    modules/mbedtls/Kconfig.tls-generic:261, modules/mbedtls/Kconfig.tls-generic:261) was assigned the
    value 'y' but got the value 'n'. Check these unsatisfied dependencies: ((!(OBERON_BACKEND ||
    CC3XX_BACKEND) && MBEDTLS_CIPHER_MODE_CBC && MBEDTLS_AES_C && MBEDTLS_LEGACY_CRYPTO_C &&
    NRF_SECURITY) || (MBEDTLS_CIPHER_AES_ENABLED && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) &&
    MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS) ||
    (MBEDTLS_CIPHER_AES_ENABLED && !(NRF_SECURITY || NORDIC_SECURITY_BACKEND) && MBEDTLS_BUILTIN &&
    MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_AES_ROM_TABLES and/or look up
    MBEDTLS_AES_ROM_TABLES in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_SSL_ALPN (defined at modules/mbedtls/Kconfig.tls-generic:44,
    modules/mbedtls/Kconfig.tls-generic:44) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: (((MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 ||
    MBEDTLS_TLS_VERSION_1_2) && MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS)
    || ((MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2) &&
    MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n). See
    http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SSL_ALPN and/or look up
    MBEDTLS_SSL_ALPN in the menuconfig/guiconfig interface. The Application Development Primer, Setting
    Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be helpful
    too.
    
    
    warning: MBEDTLS_PEM_CERTIFICATE_FORMAT (defined at modules/mbedtls/Kconfig.tls-generic:401,
    modules/mbedtls/Kconfig.tls-generic:401) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT and/or
    look up MBEDTLS_PEM_CERTIFICATE_FORMAT in the menuconfig/guiconfig interface. The Application
    Development Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of
    the manual might be helpful too.
    
    
    warning: MBEDTLS_SERVER_NAME_INDICATION (defined at modules/mbedtls/Kconfig.tls-generic:446,
    modules/mbedtls/Kconfig.tls-generic:446) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SERVER_NAME_INDICATION and/or
    look up MBEDTLS_SERVER_NAME_INDICATION in the menuconfig/guiconfig interface. The Application
    Development Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of
    the manual might be helpful too.
    
    
    warning: MBEDTLS_HAVE_TIME_DATE (defined at modules/mbedtls/Kconfig.tls-generic:458,
    modules/mbedtls/Kconfig.tls-generic:458) was assigned the value 'y' but got the value 'n'. Check
    these unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" &&
    MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-tls-generic.h" && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_HAVE_TIME_DATE and/or look up
    MBEDTLS_HAVE_TIME_DATE in the menuconfig/guiconfig interface. The Application Development Primer,
    Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be
    helpful too.
    
    
    warning: MBEDTLS_SSL_MAX_CONTENT_LEN (defined at modules/mbedtls/Kconfig:73,
    modules/mbedtls/Kconfig:73) was assigned the value '16384' but got the value ''. Check these
    unsatisfied dependencies: ((MBEDTLS_BUILTIN && MBEDTLS) || (MBEDTLS_BUILTIN && MBEDTLS && 0)) (=n).
    See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN and/or look
    up MBEDTLS_SSL_MAX_CONTENT_LEN in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.
    
    
    warning: The choice symbol MBEDTLS_BUILTIN (defined at modules/mbedtls/Kconfig:30,
    modules/mbedtls/Kconfig:30) was selected (set =y), but MBEDTLS_LIBRARY_NRF_SECURITY (defined at
    /home/vscode/workspaces/external_dependencies/nrf/subsys/nrf_security/Kconfig:293) ended up as the
    choice selection. See http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_BUILTIN
    and/or look up MBEDTLS_BUILTIN in the menuconfig/guiconfig interface. The Application Development
    Primer, Setting Configuration Values, and Kconfig - Tips and Best Practices sections of the manual
    might be helpful too.

    In the warning we can clearly see that MBEDTLS_HAVE_TIME_DATE is not being used.

  • Hello,

    Sorry to revive this post, but I am facing the same issues.

    The PR mentioned to enable the usage of TLS DATE_TIME was never merged and is now closed.


    Is there another way to have TLS date/time validation for NCS 3.0.2 without "MBEDTLS_BUILTIN"?

    Thanks

  • Hi,

    You could try to add the changes from the previously mentioned PR manually.

    Best regards,
    Dejan

  • Hello,

    Modifying the SDK directly is not an option for us. We use the SDK through the nRF Connect VS Code extension, so it is not in our repository. Also, our build machine has another installation that we would need to modify.
    Those two points alone make it impossible, or a very bad practice which would be impossible to maintain.

    Do you have any other suggestion?
    Is the TLS date/time verification planned for another release?

    Thanks 

  • Hi,

    c.lancea said:
    Do you have any other suggestion?

    We will look into this internally. I expect to get back to you with status update by the end of the week.

    Best regards,
    Dejan

  • Hi,

    This is just to inform you that we are still looking into this issue. I expect to get back to you by the end of next week, but please note that it might take more time than usual for this issue to get resolved.

    Best regards,
    Dejan
