Cracen drivers preventing some ciphers from being compiled in

RE: Cracen drivers preventing some ciphers from being compiled in

alexdr5398 — Tue, 26 Nov 2024 16:36:29 GMT

Hi Dejan,

I have managed to solve it. It appears that I had the mbedtls heap set too small and increasing it a bit solves the problem. Although it's a bit strange cause this amount was totally adequate on the old version.

Also a bit annoying that there were no error messages indicating failure to allocate memory at all.

RE: Cracen drivers preventing some ciphers from being compiled in

alexdr5398 — Tue, 26 Nov 2024 15:54:26 GMT

For some context. The issue is when connecting to our CoAP server over DTLS. Every time I try I get the error

[00:00:36.675,292] <err> net_sock_tls: TLS handshake error: -0x6e00
[00:00:36.685,180] <err> mm_file_transfer: Failed to send block request (-1, -113)
[00:00:36.699,493] <err> mm_file_transfer: Failed to send block request -1

Looking at the exchange on wireshark, it seems normal, but then they exchange encrypted alerts and no more traffic follows. Here's a screenshot of the exchange:

So I suspect some ciphers/curves are enabled in the old version but not in the new version. One that I can see is PSA_WANT_ALG_CFB is enabled in the old version but setting that same config in the new version gives the error in the OP:

`error: #error "No software implementation for 128 bit AES-CFB"` among others

RE: Cracen drivers preventing some ciphers from being compiled in

alexdr5398 — Tue, 26 Nov 2024 14:50:40 GMT

                                                                                                Symbol information
Name: PSA_ACCEL_CFB_AES_128
Type: bool
Value: n

Direct dependencies (=y):
     MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
  || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)

Default:
  - y

Here's the menuconfig symbol info. The dependencies are met, the default value is `y`, yet the value is no. I cannot set this symbol to yes manually cause it's not user configurable. So why is it being set to no?

RE: Cracen drivers preventing some ciphers from being compiled in

alexdr5398 — Tue, 26 Nov 2024 14:41:44 GMT

Hi Dejan,

That is already disabled, you can see that one in the dependencies

     MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=y)
  || PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y)  (=n)

The first term in the OR is true ` MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=y)`

But the second term is false `PSA_CRYPTO_DRIVER_CRACEN(=n) && MBEDTLS_PSA_CRYPTO_C(=y) && NRF_SECURITY(=y) (=n)`

And for some reason that is causing the value of `PSA_ACCEL_CFB_AES_128` to be set to no, even though it is OR'd, so it should be set to yes. Is that correct?

RE: Cracen drivers preventing some ciphers from being compiled in

dejans — Tue, 26 Nov 2024 14:35:15 GMT

Hi,

[quote user=""]Is there a way to simply remove the cracen drivers from my project?[/quote]

nRF Security drivers documentation webpage specifies how to disable cracen driver. Kconfig option CONFIG_PSA_CRYPTO_DRIVER_CRACEN is used to enable/disable CRACEN driver.

Best regards,
Dejan