Trying to set up secure channel with OSDP fails because it can't find the crypto device

Hi! I am trying to get OSDP communication up and running on my nrf9160dk board. I am trying to run this sample: https://github.com/zephyrproject-rtos/zephyr/tree/main/samples/subsys/mgmt/osdp/peripheral_device. I have gone into the OSDP Kconfig file and commented out the crypto options from:

config OSDP_SC_ENABLED
	bool "OSDP Secure Channel"
	depends on CSPRING_ENABLED
	default y
	select CRYPTO
	#select CRYPTO_MBEDTLS_SHIM
	#select MBEDTLS
	#select MBEDTLS_CIPHER_AES_ENABLED
	#select MBEDTLS_CIPHER_CCM_ENABLED

as mentioned in Configuration Conflicts with OSDP and NRF Security.

This is my prj.conf:

# OSDP config
CONFIG_OSDP=y
CONFIG_OSDP_MODE_PD=y

# LED CONTROL
CONFIG_OSDP_PD_CAP_READER_LED_CONTROL_COMP_LEVEL=1
CONFIG_OSDP_PD_CAP_READER_LED_CONTROL_NUM_ITEMS=1


CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y

CONFIG_PSA_WANT_ALG_CCM=y

CONFIG_ENTROPY_GENERATOR=y


CONFIG_OSDP_CRYPTO_DRV_NAME="CRYPTO_CC3XX"

CONFIG_MBEDTLS_USE_PSA_CRYPTO=y

# Enable OSDP Secure Channel feature
CONFIG_OSDP_SC_ENABLED=y
CONFIG_OSDP_PD_SCBK="NONE"

CONFIG_OSDP_PD_CAP_TIME_KEEPING_COMP_LEVEL=2 

I have the dev kit wired to my PC via a USB-UART converter, but when I try to send the secure key I get:

[00:00:14.277,435] <err> osdp: osdp_encrypt: Failed to get crypto dev binding!

From osdp_sc.c:

void osdp_encrypt(uint8_t *key, uint8_t *iv, uint8_t *data, int len)
{
	const struct device *dev;
	struct cipher_ctx ctx = {
		.keylen = 16,
		.key.bit_stream = key,
		.flags = CAP_NO_IV_PREFIX
	};
	struct cipher_pkt encrypt = {
		.in_buf = data,
		.in_len = len,
		.out_buf = data,
		.out_len = len
	};

	dev = device_get_binding(CONFIG_OSDP_CRYPTO_DRV_NAME);
	if (dev == NULL) {
		LOG_ERR("Failed to get crypto dev binding!");
		return;
	}

I am using NCS v2.3.0 but have updated the OSDP headers and source code to the newest version included in Zephyr. I have included the project.

I have gone through the zephyr.dts file but can't find any crypto driver bindings there. What should I set CONFIG_OSDP_CRYPTO_DRV_NAME to?

osdp_pd.zip

  • Hi,

    There will be additional issues that need resolution when you mix and match SDK versions, but for reference this made the OSDP peripheral device sample build and run without issues (though I did not do additional testing):

    1. Choose osdp-uart; I did it in an app.overlay file:

    / {
    	chosen {
    		zephyr,osdp-uart = &uart0;
    
    	};
    };

    For crypto, enable the needed crypto features like this in prj.conf:

    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=8192
    
    CONFIG_PSA_WANT_GENERATE_RANDOM=y
    CONFIG_PSA_WANT_KEY_TYPE_AES=y
    CONFIG_PSA_WANT_ALG_CCM=y
    
    

    And lastly, remove OSDP_SC_ENABLED as explained in this post from the thread you linked to.

    PS: OSDP support is part of Zephyr but not something we have worked with or support directly, and honestly we do not know how to test it.

  • I am also able to build and run the sample. The problem is that I am trying to use the secure channel capabilities of OSDP but am getting errors during runtime because dev = device_get_binding(CONFIG_OSDP_CRYPTO_DRV_NAME); gives me an error. So what I am wondering is if it is possible to get the binding of the cc3xx crypto driver? This is what I found from Zephyr's crypto sample:

    #ifdef CONFIG_CRYPTO_TINYCRYPT_SHIM
    #define CRYPTO_DRV_NAME CONFIG_CRYPTO_TINYCRYPT_SHIM_DRV_NAME
    #elif CONFIG_CRYPTO_MBEDTLS_SHIM
    #define CRYPTO_DRV_NAME CONFIG_CRYPTO_MBEDTLS_SHIM_DRV_NAME
    #elif DT_HAS_COMPAT_STATUS_OKAY(st_stm32_cryp)
    #define CRYPTO_DEV_COMPAT st_stm32_cryp
    #elif DT_HAS_COMPAT_STATUS_OKAY(st_stm32_aes)
    #define CRYPTO_DEV_COMPAT st_stm32_aes
    #elif CONFIG_CRYPTO_NRF_ECB
    #define CRYPTO_DEV_COMPAT nordic_nrf_ecb
    #else
    #error "You need to enable one crypto device"
    #endif
    


    But when I try to set CONFIG_CRYPTO_NRF_ECB I get:
    CONFIG_CRYPTO_NRF_ECB was assigned the value y, but got the value n. Missing dependencies:
    DT_HAS_NORDIC_NRF_ECB_ENABLED

  • Hi,

    I see. The CryptoCell driver is not intended to be used directly, and it is not possible from a non-secure application, so this approach will not work. I suspect that the simplest is to modify the OSDP implementation to use the supported crypto APIs, and to be future-proof that means using the PSA APIs. You can see examples of those under nrf/samples/crypto.
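
The osdp_encrypt excerpt quoted in the question returns void and works on the buffer in place, so when the device lookup fails the caller gets its data back unchanged and without an error. If the function is ported to another crypto API as suggested above, a status return lets the caller drop the packet instead. The following is an added example, not Zephyr or Nordic code: aes_fn, demo_backend, encrypt_void, encrypt_checked and build_sc_block are hypothetical names, and demo_backend is a placeholder transform, not a cipher.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical backend hook: returns 0 or a negative errno value. */
typedef int (*aes_fn)(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len);

/* Placeholder transform so the sample runs; this is NOT encryption. */
int demo_backend(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len)
{
	(void)iv;
	for (int i = 0; i < len; i++) {
		data[i] ^= key[i % 16];
	}
	return 0;
}

/* Same shape as the function quoted in the question: void, in place. */
void encrypt_void(aes_fn be, const uint8_t *key, const uint8_t *iv, uint8_t *data, int len)
{
	if (be == NULL) {
		return; /* the original logs here; data is returned untouched */
	}
	(void)be(key, iv, data, len);
}

/* Status-returning variant: the caller sees the failure, buffer is wiped. */
int encrypt_checked(aes_fn be, const uint8_t *key, const uint8_t *iv, uint8_t *data, int len)
{
	int rc = (be == NULL) ? -ENODEV : be(key, iv, data, len);
	if (rc != 0) {
		memset(data, 0, (size_t)len);
	}
	return rc;
}

/* Caller side: fill one 16-byte block (constructed sample payload) and
 * report success only if the backend actually processed it. */
int build_sc_block(aes_fn be, const uint8_t *key, uint8_t out[16])
{
	memcpy(out, "CARD-DATA-000001", 16);
	return encrypt_checked(be, key, NULL, out, 16);
}

int main(void)
{
	uint8_t key[16] = { 0xA5 }, out[16];
	return build_sc_block(NULL, key, out) == -ENODEV ? 0 : 1;
}
```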
