• State Not Answered
  • Replies 3 replies
  • Subscribers 73 subscribers
  • Views 44 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 343455
Options

Crypto operations to generate key pair when TFM profile is set to minimal.

mackz

Hi, I am using NRF connect sdk 2.6.1 and I am wondering what is the best way to run crypto operations when using TFM profile type minimal and building for nrf9160_ns. TFM_PROFILE_TYPE_NOT_SET takes up too much space but it seems there is no way to generate keys pair without it.

https://docs.nordicsemi.com/bundle/ncs-2.3.0/page/tfm/technical_references/design_docs/profiles/tfm_profile_small.html

This says that the minimal profile supports:
Symmetric cipher only
Cipher suite for symmetric-key algorithms based protocols, such as cipher suites defined in TLS pre-shared key (TLS-PSK) [1].
    Advanced Encryption Standard (AES) as symmetric crypto algorithm
    SHA256 as Hash function
    HMAC as Message Authentication Code algorithm


while the full profile supports:
        Support both symmetric ciphers and asymmetric ciphers
        Asymmetric key based cipher suites defined in TLS 1.2 [5] to support direct secure connection to major CSPs, including
                Authenticated Encryption with Associated Data (AEAD) algorithm
                Asymmetric key algorithm based signature and verification
                Public-key cryptography based key exchange
                Hash function
                HMAC for default Pseudorandom Function (PRF)
        Asymmetric digital signature and verification for Initial Attestation Token (IAT)
        Asymmetric algorithms for firmware image signature verification
        Key derivation


I have tried to generate the key pair using only mbedtls library but it seems like there is a lot missing in the nrf implementation. I am not able to use entropy at all, when i enable it with CONFIG_MBEDTLS_ENTROPY_C=y
i get: 

warning: MBEDTLS_ENTROPY_C (defined at
ncs/v2.6.1/nrf/subsys/net/openthread/Kconfig.defconfig:138,
ncs/v2.6.1/nrf/subsys/nrf_security/Kconfig.legacy:350) was assigned the value 'y' but
got the value 'n'. Check these unsatisfied dependencies: (NET_L2_OPENTHREAD ||
(!MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG && MBEDTLS_LEGACY_CRYPTO_C && NRF_SECURITY)) (=n). See
http://docs.zephyrproject.org/latest/kconfig.html#CONFIG_MBEDTLS_ENTROPY_C and/or look up
MBEDTLS_ENTROPY_C in the menuconfig/guiconfig interface. The Application Development Primer, Setting
Configuration Values, and Kconfig - Tips and Best Practices sections of the manual might be helpful
too.

and that makes it impossible to use this:
github.com/.../gen_key.c
Is there any other recommended way to do it or samples that i could look at?
Or is there any sample that describes a way to get a minimal working example with the profile set to NOT_SET?

Parents Reply
  • 0 in reply to dejans

    Yes i meant minimal and full. I am using minimal but i feel like there is no way to get something inbetween not being able to use TFM for anything and it taking up all of the memory for the application. So my questions stands:
    Is there any other recommended way to do it or samples that i could look at?
    Or is there any sample that describes a way to get a minimal working example with the profile set to NOT_SET?

Children
Related
Terms of service