Cracen drivers preventing some ciphers from being compiled in

Hello,

I am trying to upgrade my project from ncs 2.1.0 to ncs 2.6.1. I am running into some strange issues with mbedtls and I suspect it's because the same ciphers enabled when we were using ncs 2.1.0 are no longer enabled now that we have upgraded.

One such cipher is CFB AES 128. I have set `CONFIG_PSA_WANT_ALG_CFB=y` and I am getting the error `error: #error "No software implementation for 128 bit AES-CFB"`. This is because the config `PSA_ACCEL_CFB_AES_128` is not defined.

The direct dependencies for this are:

     MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
  || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)

This config seems to be defined in two places, `nrf/subsys/nrf_security/src/drivers/Kconfig.psa` and `nrf/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig`. The requirements are met for the former but not the latter, which seems to be taking precedence and not allowing me to enable this config. Below is the full Kconfig definition for this config.

At /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/nrf_security/src/drivers/Kconfig.psa_accel:86
Included via /home/alex/mesomat/p100_development/new-gateway/p100_gateway/Kconfig:23 -> Kconfig.zephyr:41 -> modules/Kconfig:13 -> /home/alex/mesomat/p100_development/new-gateway/p100_gateway/build/Kconfig/Kconfig.modules:2 -> /home/alex/mesomat/p100_development/new-gateway/nrf/Kconfig.nrf:115 -> /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/
Menu path: (Top) -> Modules -> nrf (/home/alex/mesomat/p100_development/new-gateway/nrf) -> Nordic nRF Connect -> Subsystems -> nRF Security -> Enable PSA crypto APIs -> PSA ACCEL - invisible

config PSA_ACCEL_CFB_AES_128
bool
depends on MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)

At /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/nrf_security/src/drivers/cracen/psa_driver.Kconfig:550
Included via /home/alex/mesomat/p100_development/new-gateway/p100_gateway/Kconfig:23 -> Kconfig.zephyr:41 -> modules/Kconfig:13 -> /home/alex/mesomat/p100_development/new-gateway/p100_gateway/build/Kconfig/Kconfig.modules:2 -> /home/alex/mesomat/p100_development/new-gateway/nrf/Kconfig.nrf:115 -> /home/alex/mesomat/p100_development/new-gateway/nrf/subsys/
Menu path: (Top) -> Modules -> nrf (/home/alex/mesomat/p100_development/new-gateway/nrf) -> Nordic nRF Connect -> Subsystems -> nRF Security -> Enable PSA crypto APIs -> PSA NEED CRACEN - invisible

config PSA_ACCEL_CFB_AES_128
bool
default y
depends on PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)

Is there a way to simply remove the cracen drivers from my project? I don't believe I have the hardware for it and I was able to enable this cipher in this same project in ncs 2.1.0.

Thanks

Alex

  • Hi, 

    Is there a way to simply remove the cracen drivers from my project?

    The nRF Security drivers documentation webpage specifies how to disable the CRACEN driver. The Kconfig option CONFIG_PSA_CRYPTO_DRIVER_CRACEN is used to enable/disable the CRACEN driver.

    Best regards,
    Dejan

  • Hi Dejan,

    That is already disabled; you can see that in the dependencies:

         MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
      || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)
    The first term in the OR is true ` MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=y)`

    But the second term is false `PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=n)`

    And for some reason that is causing the value of `PSA_ACCEL_CFB_AES_128` to be set to no, even though it is OR'd, so it should be set to yes. Is that correct?

  • Symbol information
    Name: PSA_ACCEL_CFB_AES_128
    Type: bool
    Value: n
    
    Direct dependencies (=y):
         MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
      || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)
    
    Default:
      - y

    Here's the menuconfig symbol info. The dependencies are met, the default value is `y`, yet the value is no. I cannot set this symbol to yes manually because it's not user configurable. So why is it being set to no?
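
A small model of how Kconfig resolves a symbol defined in more than one place, added here as an illustration and not code from the thread or from nRF Connect SDK: the direct dependencies of all definitions are OR'd (the `||` in the symbol info), but each `default` keeps the `depends on` of the block it was written in, so a `default y` that only lives in the CRACEN-guarded block does not apply when `PSA_CRYPTO_DRIVER_CRACEN` is `n`. The `Location` class, `resolve()` and `accel_cfb_value()` are constructed for this example; the two definitions are modelled from the Kconfig text quoted above.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Config = Dict[str, bool]
Cond = Callable[[Config], bool]

@dataclass
class Location:
    """One `config FOO` block: its `depends on` and its `default` entries."""
    depends: Cond
    defaults: List[Tuple[bool, Cond]] = field(default_factory=list)

def resolve(locations: List[Location], cfg: Config) -> Tuple[bool, bool]:
    """Return (deps_met, value) for a bool symbol that has no user prompt."""
    # Direct dependencies of a multiply-defined symbol are OR'd together,
    # which is what the `||` in the menuconfig output shows.
    if not any(loc.depends(cfg) for loc in locations):
        return False, False
    # Defaults are tried in definition order. Each default inherits the
    # `depends on` of the block it was written in, so a `default y` in a
    # block whose own dependencies are unmet is skipped.
    for loc in locations:
        for value, cond in loc.defaults:
            if loc.depends(cfg) and cond(cfg):
                return True, value
    return True, False  # no applicable default: a bool falls back to n

# Constructed model of the two definitions quoted in the thread.
KCONFIG_PSA_ACCEL = Location(
    depends=lambda c: c["MBEDTLS_PSA_CRYPTO_C"] and c["NRF_SECURITY"],
)  # this block has no `default` line at all
CRACEN_PSA_DRIVER = Location(
    depends=lambda c: (c["PSA_CRYPTO_DRIVER_CRACEN"]
                       and c["MBEDTLS_PSA_CRYPTO_C"] and c["NRF_SECURITY"]),
    defaults=[(True, lambda c: True)],  # `default y`
)
PSA_ACCEL_CFB_AES_128 = [KCONFIG_PSA_ACCEL, CRACEN_PSA_DRIVER]

def accel_cfb_value(cracen_enabled: bool) -> Tuple[bool, bool]:
    """Evaluate PSA_ACCEL_CFB_AES_128 with the CRACEN driver on or off."""
    cfg = {"MBEDTLS_PSA_CRYPTO_C": True, "NRF_SECURITY": True,
           "PSA_CRYPTO_DRIVER_CRACEN": cracen_enabled}
    return resolve(PSA_ACCEL_CFB_AES_128, cfg)

if __name__ == "__main__":
    # Dependencies met but value n: the situation the symbol info reports.
    print("CRACEN disabled:", accel_cfb_value(False))
    print("CRACEN enabled: ", accel_cfb_value(True))
```

With CRACEN disabled the symbol is visible (its first definition's dependencies hold) but takes no default and ends up `n`, which is why it cannot be forced to `y` and the build falls through to the "No software implementation" check.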


  • For some context: the issue is when connecting to our CoAP server over DTLS. Every time I try I get the error

    [00:00:36.675,292] <err> net_sock_tls: TLS handshake error: -0x6e00
    [00:00:36.685,180] <err> mm_file_transfer: Failed to send block request (-1, -113)
    [00:00:36.699,493] <err> mm_file_transfer: Failed to send block request -1

    Looking at the exchange on wireshark, it seems normal, but then they exchange encrypted alerts and no more traffic follows. Here's a screenshot of the exchange:

    So I suspect some ciphers/curves are enabled in the old version but not in the new version. One that I can see is PSA_WANT_ALG_CFB, which is enabled in the old version, but setting that same config in the new version gives the error in the OP:

    `error: #error "No software implementation for 128 bit AES-CFB"` among others

  • Hi Dejan,

    I have managed to solve it. It appears that I had the mbedtls heap set too small, and increasing it a bit solves the problem. Although it's a bit strange because this amount was totally adequate on the old version.

    Also a bit annoying that there were no error messages indicating failure to allocate memory at all.
