On nRF9151, how to deactivate SHA384 support in MBEDTLS when MBEDTLS_USE_PSA_CRYPTO is active?

Hi,

I'm trying to use MBEDTLS with MBEDTLS_USE_PSA_CRYPTO and CONFIG_PSA_CRYPTO_DRIVER_CC3XX activated.

Unfortunately, I can't find a way to tell MBEDTLS that nRF9151 does not support SHA384.

When I execute mbedtls_ssl_setup(), psa_hash_setup() in ssl_tls.c always fails because the define MBEDTLS_MD_CAN_SHA384 is always activated.

I tried to unset it in my project.conf in different ways, but nothing works:

- CONFIG_PSA_WANT_ALG_SHA_384=n (that will be the right way to do it in the future, but it is not supported yet even with SDK 3.0.1 - commit https://github.com/Mbed-TLS/mbedtls/pull/9171/commits still in development branch)

- CONFIG_MBEDTLS_MD_CAN_SHA384=n or CONFIG_MBEDTLS_SHA384_ALT=n => "error: ... is not directly user-configurable (has no prompt)"

- trying to set a custom config.h for MBEDTLS => warning: MBEDTLS_CFG_FILE (defined at .../v2.9.0/nrf/subsys/nrf_security/Kconfig:66, modules/mbedtls/Kconfig:58, modules/mbedtls/Kconfig:58) was assigned the value 'myconfig.h' but got the value 'nrf-config.h')

Any idea?

Arnaud

  • Hello,

    You might consider looking into your SDK:
    nrf/subsys/nrf_security/Kconfig

    config MBEDTLS_TLS_VERSION_1_2
    	bool "Enable support for TLS 1.2 (DTLS 1.2)"
    	select PSA_WANT_ALG_SHA_1
    	select PSA_WANT_ALG_SHA_224
    	select PSA_WANT_ALG_SHA_256
    	select PSA_WANT_ALG_SHA_384
    	select PSA_WANT_ALG_SHA_512
    	select MBEDTLS_CIPHER


    Commenting out the selects for SHA_1, SHA_384, and SHA_512 finally removed the forced y warnings in my build and I got a decent amount of TFM flash back without breaking my testing. I don't know a better solution at this time.
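
Added example, not part of either post and not Nordic or Zephyr code: a Kconfig `select` forces the selected symbol to y regardless of what the project configuration assigns, so listing every symbol that selects PSA_WANT_ALG_SHA_384 shows why `=n` is ignored. The function names are hypothetical, and the sample input is the fragment quoted in the reply above.

```python
import re
from pathlib import Path

# Constructed sample: the Kconfig fragment quoted in the reply above.
SAMPLE = '''\
config MBEDTLS_TLS_VERSION_1_2
\tbool "Enable support for TLS 1.2 (DTLS 1.2)"
\tselect PSA_WANT_ALG_SHA_1
\tselect PSA_WANT_ALG_SHA_224
\tselect PSA_WANT_ALG_SHA_256
\tselect PSA_WANT_ALG_SHA_384
\tselect PSA_WANT_ALG_SHA_512
\tselect MBEDTLS_CIPHER
'''

ENTRY = re.compile(r"^\s*(?:menu)?config\s+(\w+)\s*$")
SELECT = re.compile(r"^\s*select\s+(\w+)(?:\s+if\s+(.+?))?\s*$")

def find_selectors(text, target):
    """Return [(selecting_symbol, condition_or_None, line_no)] for `target`."""
    hits, current = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # ignore commented-out selects
        m = ENTRY.match(line)
        if m:
            current = m.group(1)  # entering a new config/menuconfig entry
            continue
        m = SELECT.match(line)
        if m and current and m.group(1) == target:
            hits.append((current, m.group(2), no))
    return hits

def scan_tree(root, target):
    """Walk an SDK checkout; map each Kconfig file to its selectors of `target`."""
    out = {}
    for path in Path(root).rglob("Kconfig*"):
        if path.is_file():
            hits = find_selectors(path.read_text(errors="replace"), target)
            if hits:
                out[str(path)] = hits
    return out

if __name__ == "__main__":
    target = "PSA_WANT_ALG_SHA_384"
    for sym, cond, no in find_selectors(SAMPLE, target):
        suffix = f" if {cond}" if cond else ""
        print(f"line {no}: {sym} selects {target}{suffix}")
```

Pointing `scan_tree()` at the SDK root lists every entry that would have to be disabled or edited before the hash can drop out of the build.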
