SHA256 Sample not working

Hi Colin,

Thanks for reaching out about this issue.

I’ll set aside some time to test it and will update you once I find something.

Best regards,
Charlie

Hi Colin,

I did a try the sha256 sample built with latest NCS 2.9.0 and NCS 2.7.0 on a nRF5340DK v2.0.0, and they all worked as expected.

*** Booting nRF Connect SDK v2.7.0-5cb85570ca43 ***
*** Using Zephyr OS v3.6.99-100befc70c74 ***
[00:00:00.267,181] <inf> sha256: Starting SHA256 example...
[00:00:00.267,211] <inf> sha256: ---- Plaintext to hash (len: 150): ----
[00:00:00.267,242] <inf> sha256: Content:
                                 45 78 61 6d 70 6c 65 20  73 74 72 69 6e 67 20 74 |Example  string t
                                 6f 20 64 65 6d 6f 6e 73  74 72 61 74 65 20 62 61 |o demons trate ba
                                 73 69 63 20 75 73 61 67  65 20 6f 66 20 53 48 41 |sic usag e of SHA
                                 32 35 36 2e 54 68 61 74  20 75 73 65 73 20 73 69 |256.That  uses si
                                 6e 67 6c 65 20 61 6e 64  20 6d 75 6c 74 69 2d 70 |ngle and  multi-p
                                 61 72 74 20 50 53 41 20  63 72 79 70 74 6f 20 41 |art PSA  crypto A
                                 50 49 27 73 20 74 6f 20  70 65 72 66 6f 72 6d 20 |PI's to  perform 
                                 61 20 53 48 41 2d 32 35  36 20 68 61 73 68 69 6e |a SHA-25 6 hashin
                                 67 20 6f 70 65 72 61 74  69 6f 6e 2e 00 00 00 00 |g operat ion.....
                                 00 00 00 00 00 00                                |......           
[00:00:00.267,272] <inf> sha256: ---- Plaintext to hash end  ----
[00:00:00.267,272] <inf> sha256: Hashing using SHA256...
[00:00:00.267,486] <inf> sha256: Hashing successful!
[00:00:00.267,517] <inf> sha256: ---- SHA256 hash (len: 32): ----
[00:00:00.267,547] <inf> sha256: Content:
                                 95 6e 6a 15 b9 5e 76 65  3a 4a 4a a7 71 62 63 b9 |.nj..^ve :JJ.qbc.
                                 d2 24 8a 88 95 e0 f5 3e  82 94 2f 2a 1d ba c9 d5 |.$.....> ../*....
[00:00:00.267,547] <inf> sha256: ---- SHA256 hash end  ----
[00:00:00.267,547] <inf> sha256: Verifying the SHA256 hash...
[00:00:00.267,761] <inf> sha256: SHA256 verification successful!
[00:00:00.267,791] <inf> sha256: Hashing using multi-part SHA256...
[00:00:00.268,035] <inf> sha256: Added 42 bytes
[00:00:00.268,188] <inf> sha256: Added 58 bytes
[00:00:00.268,310] <inf> sha256: Added 50 bytes
[00:00:00.268,524] <inf> sha256: Hashing successful!
[00:00:00.268,524] <inf> sha256: ---- SHA256 hash (len: 32): ----
[00:00:00.268,554] <inf> sha256: Content:
                                 95 6e 6a 15 b9 5e 76 65  3a 4a 4a a7 71 62 63 b9 |.nj..^ve :JJ.qbc.
                                 d2 24 8a 88 95 e0 f5 3e  82 94 2f 2a 1d ba c9 d5 |.$.....> ../*....
[00:00:00.268,585] <inf> sha256: ---- SHA256 hash end  ----
[00:00:00.268,585] <inf> sha256: Verifying the SHA256 hash...
[00:00:00.268,798] <inf> sha256: SHA256 verification successful!
[00:00:00.268,798] <inf> sha256: Example finished successfully!

I do not quite understand the change you have made, did you expect to see the errors when your modifcation is applied?

If you see the error with original sample, please have a try with the fimware I buildt on NCS 2.9.0. This firmware using ns so TF-M is enabled.

ncs290_sha256_nrf5340dk_ns.hex

Best regards,

Charlie

Hi Charlie, 

Thanks  for looking into it. Basically I commented out the return statements in the main function to let also hash_multipart_sha256 be executed in case only hash_singlepart_sha256 was failing. Otherwise I have not touched the SDK nor any other part of the sample. 

int main(void)
{
	int status;

	LOG_INF("Starting SHA256 example...");

	status = crypto_init();
	if (status != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		//return APP_ERROR;
	}

	PRINT_HEX("Plaintext to hash", m_plain_text, sizeof(m_plain_text));

	status = hash_singlepart_sha256();
	if (status != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		//return APP_ERROR;
	}

	status = verify_sha256();
	if (status != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		//return APP_ERROR;
	}

	/* Reset the hash */
	memset(m_hash, 0, sizeof(m_hash));

	status = hash_multipart_sha256();
	if (status != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		return APP_ERROR;
	}

	status = verify_sha256();
	if (status != APP_SUCCESS) {
		LOG_INF(APP_ERROR_MESSAGE);
		//return APP_ERROR;
	}

	LOG_INF(APP_SUCCESS_MESSAGE);

	//return APP_SUCCESS;
}

Here is the build configuration I used: 

I will try with SDK 2.9 next.

Your answer showed that the psa_hash API should be callable even with TFM activated. Could you point me to a documentation that explains how all elements work together?

I've spent time reading on TFM and the crypto libraries separately but I don't understand how the hierarchy is built and what the dependencies are between them. I understand there are several moving parts: 

• TF-M
• PSA API  
• Legacy Mbed TLS 
• Mbed TLS
• Drivers: Oberon Driver / c3xx 

Somehow they are intertwined by Kconfig flags but I don't really get how. A dependency diagram of some sorts would be great. 

Thank you for the support

Kind regards 

Colin 

Hi Charlie,

I Tested it with SDK v2.9 with the same build settings as your screenshot, it worked. Then I updated SDK v2.7 to make sure I hadn't alered it by mistake and it also worked. 

Then I found the real discrepancy: In my original buld config I had added prj.conf as base configuration file. I tried it again with prj.conf added and it failed. The build command looks like this : 

"west build --build-dir e:/BLE_Nordic/ncs/v2.7.0/nrf/samples/crypto/sha256/build e:/BLE_Nordic/ncs/v2.7.0/nrf/samples/crypto/sha256 --pristine --board nrf5340dk/nrf5340/cpuapp/ns --sysbuild -- -DNCS_TOOLCHAIN_VERSION=NONE -DCONF_FILE=e:/BLE_Nordic/ncs/v2.7.0/nrf/samples/crypto/sha256/prj.conf -DBOARD_ROOT=e:/ble_nordic/ncs/v2.7.0/nrf/samples/crypto/sha256"

Without explicit usage of prj.conf in the build config the build command looks like this : 

"west build --build-dir e:/BLE_Nordic/ncs/v2.7.0/nrf/samples/crypto/sha256/build e:/BLE_Nordic/ncs/v2.7.0/nrf/samples/crypto/sha256 --pristine --board nrf5340dk/nrf5340/cpuapp/ns --sysbuild -- -DNCS_TOOLCHAIN_VERSION=NONE -DBOARD_ROOT=e:/ble_nordic/ncs/v2.7.0/nrf/samples/crypto/sha256"

I will try comparing the .config output in both cases to understand the differences. 

Cheers 

Colin 

Hi Colin,

Thank you for your question. The integration of TF-M, PSA, MbedTLS, and Oberon Driver/c3xx is quite complex, so it's difficult to explain in simple terms here.

A colleague of mine has written a blog post, (+) Securing IoT products with PSA Certified APIs - Blogs - Nordic Blog - Nordic DevZone, which partially explains PSA and TF-M. I recommend reading it, and feel free to ask more specific questions if anything remains unclear.

Best regards,
Charlie

Hi Colin,

Thank you for your question. The integration of TF-M, PSA, MbedTLS, and Oberon Driver/c3xx is quite complex, so it's difficult to explain in simple terms here.

A colleague of mine has written a blog post, (+) Securing IoT products with PSA Certified APIs - Blogs - Nordic Blog - Nordic DevZone, which partially explains PSA and TF-M. I recommend reading it, and feel free to ask more specific questions if anything remains unclear.

Best regards,
Charlie

Hi Charlie, 

Thank you for the link. Regarding my previous answer, could you confirm that building with prj.conf included leads to the psa_hash_compute function failing. If so, could you explain what the reason for this is? 

Hi Colin,

I was able to reproduce this issue. After comparing the build logs, I noticed that the line:
"Merged configuration 'C:/ncs/v2.9.0/nrf/samples/crypto/sha256/boards/nrf5340dk_nrf5340_cpuapp_ns.conf'." is missing.

It seems that the NS board configuration is not merged into the build when setting CONF_FILE in the build command. You also need to manually specify the location of nrf5340dk_nrf5340_cpuapp_ns.conf in the Extra Kconfig fragment.

I'll check with our build system experts to determine whether this is expected behavior or a potential bug. I'll get back to you once I have their feedback.

Best regards,
Charlie

Hi Colin,

I had a chance to discuss this with our build system expert.

If you refer to the following section in  Setting Kconfig configuration values — Zephyr Project Documentation, you’ll see that the build behavior is exactly as described in the documentation. Therefore, we will not be making any changes.

1. If CONF_FILE is set, the configuration file(s) specified in it are merged and used as the application configuration. CONF_FILE can be set in various ways:

   1. In CMakeLists.txt, before calling find_package(Zephyr)

   2. By passing -DCONF_FILE=<conf file(s)>, either directly or via west

   3. From the CMake variable cache

2. Otherwise, if boards/<BOARD>.conf exists in the application configuration directory, the result of merging it with prj.conf is used.

Best regards,

Charlie

Hi Charlie, 

Thanks for looking into it. Your explanation makes sense, I guess I wasn't expecting the board specific config files not being included if CONF_FILE is set. 

Many Thanks, that solves the issue for me. 

Best 

Colin 

You are welcome. Good luck to you development.

Feel free to check with us if you have further questions.

Best regards,

Charlie