Matter + OpenThread + PSA (Oberon): Crypto/Memory Optimization + mbedTLS Logging

Hello,

Currently I am configuring the networking stack on my project.

The goal is to use Matter's built-in Thread connection to establish a secure CoAP (DTLS) connection.
I am trying to use PSA + Oberon to have access to the hardware-accelerated crypto modules.

My current configuration compiles, but it seems very redundant to me. CHIP/Matter and OpenThread rely on legacy mbedTLS functions, so I have to enable legacy support in my config:

####################
### CHIP Configurations
####################

# Enable CHIP
CONFIG_CHIP=y
CONFIG_CHIP_PROJECT_CONFIG="include/chip_project_config.h"

# 32774 == 0x8006 (example Product ID, should be changed with proper PID)
CONFIG_CHIP_DEVICE_PRODUCT_ID=32774

####################
### General Settings
####################

CONFIG_STD_CPP17=y
CONFIG_NEWLIB_LIBC=y

# Enable Matter pairing automatically on application start
CONFIG_CHIP_ENABLE_PAIRING_AUTOSTART=y

# Enable Matter extended announcement and increase duration to 1 hour
CONFIG_CHIP_BLE_EXT_ADVERTISING=y
CONFIG_CHIP_BLE_ADVERTISING_DURATION=60

# Add support for LEDs and buttons on Nordic development kits
CONFIG_DK_LIBRARY=y

# Bluetooth Low Energy configuration
CONFIG_BT_DEVICE_NAME="MatterTemplate"

# Other settings
CONFIG_THREAD_NAME=y
CONFIG_MPU_STACK_GUARD=y
CONFIG_RESET_ON_FATAL_ERROR=n
CONFIG_CHIP_LIB_SHELL=n
CONFIG_NCS_SAMPLE_MATTER_TEST_SHELL=n

# Disable NFC commissioning
CONFIG_CHIP_NFC_COMMISSIONING=n

# Reduce application size
CONFIG_USE_SEGGER_RTT=n

# Enable Factory Data feature
CONFIG_CHIP_FACTORY_DATA=y
CONFIG_CHIP_FACTORY_DATA_BUILD=y

# Enable assertions
CONFIG_ASSERT=y

# Enable Bootloader
CONFIG_BOOTLOADER_MCUBOOT=y

####################
### Security Configurations
####################
CONFIG_NRF_SECURITY=y

####################
### Crypto Configurations
####################
CONFIG_CHIP_CRYPTO_PSA=y
CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y

CONFIG_OPENTHREAD_CRYPTO_PSA=y

# PSA configurations for algorithms
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_JPAKE=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y

# Enable mbedTLS integration with PSA
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_PK_C=n

CONFIG_MBEDTLS_TLS_LIBRARY=n
CONFIG_MBEDTLS_X509_LIBRARY=n

# Legacy mbedTLS RSA and ECDSA implementations (the PK wrapper is disabled above)
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ECDSA_C=y

# Increase MBEDTLS heap size to enable dtls handling
CONFIG_MBEDTLS_HEAP_SIZE=16384

####################
### CoAP Configurations
####################

CONFIG_COAP=y
CONFIG_COAP_UTILS=y

####################
### Connectivity Configurations
####################

# OpenThread configurations
CONFIG_OPENTHREAD_COAPS=y
CONFIG_OPENTHREAD_COAP=y
CONFIG_OPENTHREAD_SOURCES=y

####################
### NFC Configurations
####################
CONFIG_NFC_PLATFORM=n

####################
### OpenThread Shell Configurations
####################
CONFIG_OPENTHREAD_SHELL=n

# CONFIG_OPENTHREAD_MBEDTLS=n
CONFIG_OPENTHREAD_NRF_SECURITY_PSA_CHOICE=y
CONFIG_NRF_OBERON=y

# enable monitor debug mode
CONFIG_CORTEX_M_DEBUG_MONITOR_HOOK=y
CONFIG_SEGGER_DEBUGMON=y

CONFIG_DEBUG_THREAD_INFO=y

CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

CONFIG_OPENTHREAD_MBEDTLS_DEBUG=y

# Attempt to use RTT logging. Currently not feasible.
# CONFIG_USE_SEGGER_RTT=y
# CONFIG_RTT_CONSOLE=y
# CONFIG_UART_CONSOLE=n
# CONFIG_LOG_MODE_MINIMAL=n
# CONFIG_LOG_BACKEND_RTT=y

Is there another way of configuring the project to use PSA and not legacy mbedTLS? This configuration uses 99% of my flash. Additionally, I am not sure whether PSA is used at all when legacy mbedTLS is enabled.

I also have one more question regarding logging:
I see CHIP logs and my own LOG_INF output in the serial console, but I can't get mbedTLS logging to work. I want to debug my DTLS CoAP handshake on the OpenThread network stack. Is there more needed than configuring:

CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

CONFIG_OPENTHREAD_MBEDTLS_DEBUG=y

Thanks for your help!

Best Jonas
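Added example (not part of the original post, the nRF Connect SDK or Matter): one way to answer "is PSA actually used, and what is eating the flash?" is to look at the linked image rather than at the Kconfig fragment. The script below classifies symbols from `arm-none-eabi-nm -S --size-sort build/zephyr/zephyr.elf` output into legacy mbedTLS, the PSA API layer and the Oberon backend, sums their flash footprint and reports which legacy entry points are still linked. The prefix-to-bucket mapping (`mbedtls_`, `psa_`/`mbedtls_psa_`, `ocrypto_`/`oberon_`), the list of legacy entry points and the nm output in `SAMPLE_NM` are assumptions constructed for illustration, not taken from the post.

```python
"""Attribute flash usage in a Zephyr build to legacy mbedTLS, PSA and Oberon.

Input is the text printed by `arm-none-eabi-nm -S --size-sort zephyr.elf`
(one symbol per line: <address> <size> <type> <name>, sizes in hex).
Assumption: symbol-name prefixes identify the implementation; this is a
heuristic, not something the SDK guarantees.
"""
import re
from collections import defaultdict

NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)$")

# nm symbol types that end up in flash: text (t/T) and read-only data (r/R).
FLASH_TYPES = set("tTrR")

# Order matters: the PSA glue inside mbedTLS is named mbedtls_psa_*, so it
# must be matched before the generic mbedtls_ prefix (assumed mapping).
BUCKETS = (
    ("oberon", ("ocrypto_", "oberon_")),
    ("psa", ("psa_", "mbedtls_psa_")),
    ("mbedtls_legacy", ("mbedtls_",)),
)

# Legacy (non-PSA) entry points that should disappear from the image once
# Matter/OpenThread really go through PSA (assumed, illustrative list).
LEGACY_ENTRY_POINTS = (
    "mbedtls_ecdsa_sign", "mbedtls_ecdsa_verify", "mbedtls_ecdh_compute_shared",
    "mbedtls_rsa_private", "mbedtls_ecjpake_write_round_one",
)

# Constructed sample nm output; addresses/sizes are made up for the example.
SAMPLE_NM = """\
00028000 00000134 T mbedtls_ecdsa_sign
00028200 000000f8 T mbedtls_ecp_mul
00028400 00000040 t mbedtls_rsa_private
00029000 00000210 T psa_sign_hash
00029300 00000090 T mbedtls_psa_crypto_init
0002a000 00000300 T ocrypto_ecdsa_p256_sign_hash
0002a400 00000120 T oberon_ecdsa_sign_hash
20000100 00000040 b mbedtls_heap
0002b000 00000020 T main
"""


def classify(name):
    """Map a symbol name to an implementation bucket by prefix."""
    for bucket, prefixes in BUCKETS:
        if name.startswith(prefixes):
            return bucket
    return "other"


def parse_nm(nm_output):
    """Yield (size, type, name) for every line that looks like nm -S output."""
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if m:
            _, size_hex, sym_type, name = m.groups()
            yield int(size_hex, 16), sym_type, name


def flash_by_bucket(nm_output, top=3):
    """Return (bytes per bucket, largest `top` flash symbols per bucket).

    RAM symbols (b/B/d/D) are skipped so the heap and state buffers do not
    distort the flash picture.
    """
    totals = defaultdict(int)
    per_bucket = defaultdict(list)
    for size, sym_type, name in parse_nm(nm_output):
        if sym_type not in FLASH_TYPES:
            continue
        bucket = classify(name)
        totals[bucket] += size
        per_bucket[bucket].append((size, name))
    largest = {b: sorted(v, reverse=True)[:top] for b, v in per_bucket.items()}
    return dict(totals), largest


def linked_code_symbols(nm_output, candidates):
    """Return the candidates that are linked as code (t/T) in the image."""
    present = {name for _, t, name in parse_nm(nm_output) if t in "tT"}
    return sorted(present & set(candidates))


def report(nm_output):
    totals, largest = flash_by_bucket(nm_output)
    for bucket, size in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{bucket:15s} {size:8d} bytes  largest: {largest[bucket]}")
    legacy = linked_code_symbols(nm_output, LEGACY_ENTRY_POINTS)
    print("legacy entry points still linked:", legacy or "none")


if __name__ == "__main__":
    import sys
    report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NM)
```

Usage: `arm-none-eabi-nm -S --size-sort build/zephyr/zephyr.elf | python3 flash_by_crypto.py`. If the `mbedtls_legacy` bucket dominates and entry points such as `mbedtls_ecdsa_sign` are still linked, something in the image is still calling the legacy API regardless of what `CONFIG_*_CRYPTO_PSA` says; the largest-symbols list tells you where to look.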
