• State Not Answered
  • Replies 6 replies
  • Subscribers 74 subscribers
  • Views 228 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 346410
Options

Matter + OpenThread + PSA (Oberon): Crypto/Memory Optimization + mbedTLS Logging

jlux

Hello,

currently i am configuring the networking stack on my project.

The goal is to use Matter's built-in Thread connection, to establish a Secure CoAP connection. 
I am trying to use PSA + Oberon to have access to hardware accelerated crypto modules.

My current configuration is compiling, but it seems so redundant to me. CHIP/Matter and OpenThread are relying on legacy MBEDTLS functions, so i have to enable legacy support in my config:

####################
### CHIP Configurations
####################

# Enable CHIP
CONFIG_CHIP=y
CONFIG_CHIP_PROJECT_CONFIG="include/chip_project_config.h"

# 32768 == 0x8000 (example Product ID, should be changed with proper PID)
CONFIG_CHIP_DEVICE_PRODUCT_ID=32774

####################
### General Settings
####################

CONFIG_STD_CPP17=y
CONFIG_NEWLIB_LIBC=y

# Enable Matter pairing automatically on application start
CONFIG_CHIP_ENABLE_PAIRING_AUTOSTART=y

# Enable Matter extended announcement and increase duration to 1 hour
CONFIG_CHIP_BLE_EXT_ADVERTISING=y
CONFIG_CHIP_BLE_ADVERTISING_DURATION=60

# Add support for LEDs and buttons on Nordic development kits
CONFIG_DK_LIBRARY=y

# Bluetooth Low Energy configuration
CONFIG_BT_DEVICE_NAME="MatterTemplate"

# Other settings
CONFIG_THREAD_NAME=y
CONFIG_MPU_STACK_GUARD=y
CONFIG_RESET_ON_FATAL_ERROR=n
CONFIG_CHIP_LIB_SHELL=n
CONFIG_NCS_SAMPLE_MATTER_TEST_SHELL=n

# Disable NFC commissioning
CONFIG_CHIP_NFC_COMMISSIONING=n

# Reduce application size
CONFIG_USE_SEGGER_RTT=n

# Enable Factory Data feature
CONFIG_CHIP_FACTORY_DATA=y
CONFIG_CHIP_FACTORY_DATA_BUILD=y

# Enable assertions
CONFIG_ASSERT=y

# Enable Bootloader
CONFIG_BOOTLOADER_MCUBOOT=y

####################
### Security Configurations
####################
CONFIG_NRF_SECURITY=y

####################
### Crypto Configurations
####################
CONFIG_NRF_SECURITY=y
CONFIG_CHIP_CRYPTO_PSA=y
CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y

CONFIG_OPENTHREAD_CRYPTO_PSA=y

# PSA configurations for algorithms
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_JPAKE=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y

CONFIG_PSA_CRYPTO_DRIVER_OBERON=y

# Enable mbedTLS integration with PSA
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_PK_C=n

CONFIG_MBEDTLS_TLS_LIBRARY=n
CONFIG_MBEDTLS_X509_LIBRARY=n

# Enable mbedTLS support for public key cryptography (PK)
CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ECDSA_C=y

# Increase MBEDTLS heap size to enable dtls handling
CONFIG_MBEDTLS_HEAP_SIZE=16384

####################
### CoAP Configurations
####################

CONFIG_COAP=y
CONFIG_COAP_UTILS=y

####################
### Connectivity Configurations
####################

# OpenThread configurations
CONFIG_OPENTHREAD_COAPS=y
CONFIG_OPENTHREAD_COAP=y
CONFIG_OPENTHREAD_SOURCES=y

####################
### NFC Configurations
####################
CONFIG_NFC_PLATFORM=n

####################
### OpenThread Shell Configurations
####################
CONFIG_OPENTHREAD_SHELL=n

# CONFIG_OPENTHREAD_MBEDTLS=n
CONFIG_OPENTHREAD_CRYPTO_PSA=y
CONFIG_OPENTHREAD_NRF_SECURITY_PSA_CHOICE=y
CONFIG_NRF_OBERON=y

# enable monitor debug mode
CONFIG_CORTEX_M_DEBUG_MONITOR_HOOK=y
CONFIG_SEGGER_DEBUGMON=y

CONFIG_DEBUG_THREAD_INFO=y

CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

CONFIG_OPENTHREAD_MBEDTLS_DEBUG=y

# Attempt to use RTT logging. Currently not feasible.
# CONFIG_USE_SEGGER_RTT=y
# CONFIG_RTT_CONSOLE=y
# CONFIG_UART_CONSOLE=n
# CONFIG_LOG_MODE_MINIMAL=n
# CONFIG_LOG_BACKEND_RTT=y

Is there another way of configuring the project to use PSA and not legacy MBEDTLS? This configuration uses 99% of my flash. Additionally i am not sure if PSA is used after all when enabling legacy mbedtls?

Also i have one more question regarding logging:
I see CHIP logs and my user LOG_INF in the serial console, but i cant get MBEDTLS logging to work. I want to debug my DTLS CoAP handshake on the Openthread network stack. Is there more needed than configuring:

CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

CONFIG_OPENTHREAD_MBEDTLS_DEBUG=y

Thanks for your help!

Best Jonas

  • 0

    Could i get an answer on this please? Slight smile I am unsure about this configuration using MBEDTLS and PSA in tandem...

    Essentially through CONFIG_CHIP_CRYTO_PSA=y (which should be default as i understood?) Matter should always use PSA instead of MBEDTLS. Still my Code wont compile without CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y

    ../../../../../modules/lib/matter/src/crypto/CHIPCryptoPALmbedTLSCert.cpp: In function 'CHIP_ERROR chip::Crypto::VerifyCertificateSigningRequest(const uint8_t*, size_t, P256PublicKey&)':
../../../../../modules/lib/matter/src/crypto/CHIPCryptoPALmbedTLSCert.cpp:69:15: error: 'mbedtls_pk_ec' was not declared in this scope; did you mean 'mbedtls_pk_free'?
   69 |     keypair = mbedtls_pk_ec(csr.CHIP_CRYPTO_PAL_PRIVATE_X509(pk));
      |               ^~~~~~~~~~~~~
      |               mbedtls_pk_free
../../../../../modules/lib/matter/src/crypto/CHIPCryptoPALmbedTLSCert.cpp: In function 'CHIP_ERROR chip::Crypto::ExtractPubkeyFromX509Cert(const chip::ByteSpan&, P256PublicKey&)':
../../../../../modules/lib/matter/src/crypto/CHIPCryptoPALmbedTLSCert.cpp:521:15: error: 'mbedtls_pk_ec' was not declared in this scope; did you mean 'mbedtls_pk_free'?
  521 |     keypair = mbedtls_pk_ec(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk));
      |               ^~~~~~~~~~~~~
      |               mbedtls_pk_free

  • 0 in reply to jlux

    Hi, so I checked with the developers:

    no it is not supported while using PSA API. This file should not be compiled while compiling firmware for a device; this part is dedicated to a Matter controller. If a customer wants to compile this file, they need to switch to MbedTLS (but in this case, they cannot inherit the Thread certificate from us).

    Regards,
    Jonathan

  • 0 in reply to JONATHAN LL

    Thanks for the answer.

    I dont want this file to be compiled then. But why is it being compiled anyway?

    I think i have a missing link understanding the matter build in the nrf sdk.
    In build/modules/connectedhomeip/args.gn the crypto system is set to PSA:

    chip_crypto = "psa"

    Why is mbedtls being used? 
    In the build files e.g.  build/modules/connectedhomeip/gen/include/crypto/CryptoBuildConfig.h mbedtls is explicitly disabled:

    #define CHIP_CRYPTO_MBEDTLS 0
    #define CHIP_CRYPTO_PSA 1
    #define CHIP_CRYPTO_PSA_SPAKE2P 1
    #define CHIP_CRYPTO_OPENSSL 0
    #define CHIP_CRYPTO_BORINGSSL 0
    #define CHIP_CRYPTO_PLATFORM 0

    still modules/lib/matter/src/crypto/CHIPCryptoPALmbedTLSCert.cpp is being compiled during matter build.

    in modules/lib/matter/cryptoBUILD.gn this block implies the file is also being used in PSA configuration:

    } else if (chip_crypto == "psa") {
  import("//build_overrides/mbedtls.gni")

  source_set("cryptopal_psa") {
    sources = [
      "CHIPCryptoPALPSA.cpp",
      "CHIPCryptoPALPSA.h",
      "CHIPCryptoPALmbedTLS.h",
      "CHIPCryptoPALmbedTLSCert.cpp",
    ]
    public_deps = [ ":public_headers" ]

    if (!chip_external_mbedtls) {
      public_deps += [ "${mbedtls_root}:mbedtls" ]
    }
  }
}


    So it seems to be correct that it is being used. Looks like matter still relies on some mbedtls functionality?

    Thanks for your time, Best Jonas

Related
Terms of service