• State Not Answered
  • Replies 5 replies
  • Subscribers 87 subscribers
  • Views 373 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 350518
Options

Using AES with CONFIG_MBEDTLS_USE_PSA_CRYPTO: False

phil38

Context : SDK2.9, nrf9151

Here is the crypto configuration we had

=========== Generating psa_crypto_config ===============
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Backup: CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT: False
Backup: CONFIG_MBEDTLS_THREADING: False
Backup: CONFIG_MBEDTLS_THREADING_ALT: False
=========== Checkpoint: backup ===============
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Restore: CONFIG_MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT: False
Restore: CONFIG_MBEDTLS_THREADING: False
Restore: CONFIG_MBEDTLS_THREADING_ALT: False
=========== End psa_crypto_config ===============
=========== Generating psa_crypto_library_config ===============
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Backup: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Backup: CONFIG_MBEDTLS_USE_PSA_CRYPTO: False
Backup: CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT: False
Backup: CONFIG_MBEDTLS_THREADING: False
Backup: CONFIG_MBEDTLS_THREADING_ALT: False
=========== Checkpoint: backup ===============
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_C: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER: False
Restore: CONFIG_MBEDTLS_PSA_CRYPTO_SPM: False
Restore: CONFIG_MBEDTLS_USE_PSA_CRYPTO: False
Restore: CONFIG_MBEDTLS_PLATFORM_PRINTF_ALT: False
Restore: CONFIG_MBEDTLS_THREADING: False
Restore: CONFIG_MBEDTLS_THREADING_ALT: False
=========== End psa_crypto_library_config ===============

Our product use MBEDTLS1.2, this is why CONFIG_MBEDTLS_USE_PSA_CRYPTO is set to False.

We are able to perform LWM2M exchange based on MBEDTLS1.2.

We need to perform some AES128 operations, but we can't use the associated PSA API (psa_set_key_id(), psa_import_key(), psa_cipher_encrypt_setup()...)

When calling the psa_import_key() we have a crash.

My question is: what are the (AES) API to be called without changing our crypto configuration

Thanks for your help, Philippe

Parents
  • 0

    Hello,

    your approach seems correct. Can you provide code and Kconfig files to reproduce the crash?

  • 0 in reply to Hakon

    Hello hakon,

    The crash is my fault; I'm doing encryption while the AES key import failed.
    My real issue is that the key import has failed (-134 PSA ERROR_NOT_SUPPORTED).

    I wonder why, because I already test this code in another project.

    int import_aes_key(psa_key_id_t key_id, const uint8_t *key_data, size_t key_data_size)
{
    psa_status_t status;
    psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;

    // Configure key attributes
    psa_set_key_id(&key_attributes, key_id);
    psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_PERSISTENT);
    psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
    psa_set_key_algorithm(&key_attributes, PSA_ALG_ECB_NO_PADDING);
    psa_set_key_type(&key_attributes, PSA_KEY_TYPE_AES);
    psa_set_key_bits(&key_attributes, 128);

    // Import the key material
    status = psa_import_key(&key_attributes, key_data, key_data_size, &key_id);
    if (status != PSA_SUCCESS) {
        if (status != PSA_ERROR_ALREADY_EXISTS) {
            LOG_ERR("Failed to import AES key: %d", status);
            return -1;
        }
    }

    LOG_INF("AES key imported successfully with ID: %d", key_id);
    return 0;
}

    (if really helpful) i can provide files the ticket but the must be switch from public to private.

    regards, Philippe

  • 0 in reply to phil38
    phil38 said:
    (if really helpful) i can provide files the ticket but the must be switch from public to private.

    Okay, but before we do that, please check if TFM_PROFILE_TYPE_MINIMAL is set. If it is enabled, disable it and enable TFM_PROFILE_TYPE_NOT_SET instead.

Reply Children
Related
Terms of service