• State Verified Answer
  • Replies 9 replies
  • Subscribers 74 subscribers
  • Views 162 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 344528
Options

AES CBC (or EBC) on nRF52832 & nRF54L05

Nick_RA

So I need to decrypt a single 16 byte block of data using AES128 and a pre-shared key on the above SoCs. But PSA doesn't seem to work (I'm currently working using the nRF52DK). Even the AES CBC example application fails with an error when I run it

Booting nRF Connect SDK v2.9.0-7787b2649840 ***
*** Using Zephyr OS v3.7.99-1f8f3dc29142 ***
[00:00:00.265,533] <inf> aes_cbc: Starting AES-CBC-NO-PADDING example...
[00:00:00.265,594] <inf> aes_cbc: Generating random AES key...
[00:00:00.265,625] <inf> aes_cbc: psa_generate_key failed! (Error: -141)
[00:00:00.265,625] <inf> aes_cbc: Example exited with error!

I notice there is a config option CONFIG_MBEDTLS_LEGACY_CRYPTO_C, but the description suggests it's not a great option

Enable support for legacy mbed TLS APIs.
Note that this is a configuration that may be removed at some point.
It is only provided during a transition period while PSA Crypto APIs become
the defacto front-end. Enabling this will enable nrf_oberon for all features that
are supported and builtin for the remaining functionality.

Any advice on the way forward?

  • 0 in reply to Einar Thorsrud

    No I haven't commented out anything! That is exactly how the sample project was delivered (apart of course from the lines appended as you suggested).

    Edit: Here is the prj.conf after deleting the old folders and creating another new application from the sample (no build, nothing)

    #
# Copyright (c) 2024 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
# The Zephyr CMSIS emulation assumes that ticks are ms, currently
CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

CONFIG_MAIN_STACK_SIZE=4096
CONFIG_HEAP_MEM_POOL_SIZE=4096

# Enable logging
CONFIG_CONSOLE=y
CONFIG_LOG=y

# Enable nordic security backend and PSA APIs
#CONFIG_NRF_SECURITY=y
#CONFIG_MBEDTLS_PSA_CRYPTO_C=y

#CONFIG_PSA_WANT_GENERATE_RANDOM=y
#CONFIG_PSA_WANT_KEY_TYPE_AES=y
#CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y

CONFIG_NORDIC_SECURITY_BACKEND=y

  • 0 in reply to Nick_RA

    You have commented out configs that are needed and that are used in the sample here. The configs you have commented your last post should be uncommented. Specifically, these:

    # Enable nordic security backend and PSA APIs
CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

CONFIG_PSA_WANT_GENERATE_RANDOM=y
CONFIG_PSA_WANT_KEY_TYPE_AES=y
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y

  • 0 in reply to Einar Thorsrud

    OK so I have no idea how this happened - but I checked my ncs folder from where the samples are copied and the lines were commented. So I re-downloaded ncs 2.9.0 and replaced the aes-cbc folder entirely from Github and it's as it should be. Weird, as I've only used the "copy a sample" method from within VCS?

    So anyway now it runs :) Apologies for the hassle.

    For a pre-shared key do I generate a key using psa_import_key() ?

  • +1 in reply to Nick_RA

    Hi,

    I am glad to hear you got it working. Yes, you import an existing key using psa_import_key(). You can see an example of importing an AES key here (generally, you specify key type and uses as astributs you provide to the call together with the raw key).

Related
Terms of service