Using AES with CONFIG_MBEDTLS_USE_PSA_CRYPTO: False

Context: SDK2.9, nrf9151

Here is the crypto configuration we had:

=========== Generating psa_crypto_config ===============
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Backup: CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT: False
Backup: CONFIG_MBEDTLS_THREADING: False
Backup: CONFIG_MBEDTLS_THREADING_ALT: False
=========== Checkpoint: backup ===============
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Restore: CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT: False
Restore: CONFIG_MBEDTLS_THREADING: False
Restore: CONFIG_MBEDTLS_THREADING_ALT: False
=========== End psa_crypto_config ===============
=========== Generating psa_crypto_library_config ===============
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Backup: CONFIG_MBEDTLS_USE_PSA_CRYPTO: False
Backup: CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT: False
Backup: CONFIG_MBEDTLS_THREADING: False
Backup: CONFIG_MBEDTLS_THREADING_ALT: False
=========== Checkpoint: backup ===============
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Restore: CONFIG_MBEDTLS_USE_PSA_CRYPTO: False
Restore: CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT: False
Restore: CONFIG_MBEDTLS_THREADING: False
Restore: CONFIG_MBEDTLS_THREADING_ALT: False
=========== End psa_crypto_library_config ===============

Our product uses MBEDTLS1.2; this is why CONFIG_MBEDTLS_USE_PSA_CRYPTO is set to False.

We are able to perform LWM2M exchanges based on MBEDTLS1.2.

We need to perform some AES128 operations, but we can't use the associated PSA API (psa_set_key_id(), psa_import_key(), psa_cipher_encrypt_setup()...).

When calling psa_import_key(), we have a crash.

My question is: what are the (AES) APIs to be called without changing our crypto configuration?

Thanks for your help, Philippe

  • Hello,

    your approach seems correct. Can you provide code and Kconfig files to reproduce the crash?

  • Hello hakon,

    The crash is my fault; I'm doing encryption while the AES key import failed.
    My real issue is that the key import has failed (-134, PSA_ERROR_NOT_SUPPORTED).

    I wonder why, because I already tested this code in another project.

    #include <psa/crypto.h>
    #include <zephyr/logging/log.h>

    /* Assumes a log module is registered elsewhere in this file. */
    int import_aes_key(psa_key_id_t key_id, const uint8_t *key_data, size_t key_data_size)
    {
        psa_status_t status;
        psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

        // Configure key attributes: persistent AES-128 key, ECB without padding
        psa_set_key_id(&key_attributes, key_id);
        psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
        psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
        psa_set_key_algorithm(&key_attributes, PSA_ALG_ECB_NO_PADDING);
        psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
        psa_set_key_bits(&key_attributes, 128);

        // Import the key material
        status = psa_import_key(&key_attributes, key_data, key_data_size, &key_id);

        // PSA_ERROR_ALREADY_EXISTS: a persistent key with this ID is already stored;
        // it is treated as success here. Any other error must stop the caller from
        // using key_id for encryption.
        if (status != PSA_SUCCESS && status != PSA_ERROR_ALREADY_EXISTS) {
            LOG_ERR("Failed to import AES key: %d", status);
            return -1;
        }

        // psa_key_id_t is an unsigned 32-bit type, so log it as unsigned
        LOG_INF("AES key imported successfully with ID: %u", (unsigned int)key_id);
        return 0;
    }

    (If really helpful) I can provide files in the ticket, but it must be switched from public to private.

    regards, Philippe

  • phil38 said:
    (If really helpful) I can provide files in the ticket, but it must be switched from public to private.

    Okay, but before we do that, please check if TFM_PROFILE_TYPE_MINIMAL is set. If it is enabled, disable it and enable TFM_PROFILE_TYPE_NOT_SET instead.

  • Hi,

    Enabling TFM_PROFILE_TYPE_NOT_SET works (thanks).

    But I have to increase the RAM required for TFM_s in our static partition file, from 56K to 64K (SPU alignment required 8K for NRF91).

    Is there a way to minimize the RAM required by TFM_s? I only need to use AES128.

    Thanks for your help

  • You can disable crypto algorithms that you don't use, and just enable AES. You can also adjust parameters like the stack size and buffer size used:

    CRYPTO_ENGINE_BUF_SIZE
    CRYPTO_CONC_OPER_NUM
    CRYPTO_IOVEC_BUFFER_SIZE
    CRYPTO_STACK_SIZE
    

    That will maybe be the simplest approach.
