Beware that this post is related to an SDK in maintenance mode
More Info: Consider nRF Connect SDK for new designs

nRF5 SDK Crypto Size Optimization for nRF52811

Hi all,

I’m planning to add crypto support to my nRF52811 application. My main requirement is encrypting and decrypting a string, but I’m hitting flash size constraints. My app currently works, but flash usage is borderline full:

  • FDS stores two numbers (serial number + flag), consuming ~3 KB

  • BLE DFU requires:

    • SoftDevice: ~100 KB

    • Bootloader: 23–24 KB

    • Bootloader settings page + backup: 804 bytes → effectively 2 KB due to page alignment

This leaves very little space for my app.

My current crypto setup:

  • Backend: mbedtls

  • Frontend: AES

  • RNG: HW peripheral

I have a few questions:

  1. Could switching to a different frontend/backend save flash space?

  2. Is there anything in the SoftDevice I can use directly for encryption/decryption?

  3. I noticed nRF52811 has these peripherals:

    • ECB (/modules/nrfx/hal/nrf_ecb.c)

    • CCM

    Can I use these directly without the crypto backends? For ECB, there’s nrf_ecb.c, but I hit the same problem as described here: DevZone postno decrypt function. I could not find a CCM example.

  4. Any suggestions for storing my two numbers directly in flash without FDS to save space?

Thanks in advance for any guidance or best practices for flash optimization on nRF52811.

PS: using the nRF52840 EVK for development.

  • Hi Purvesh,

    Could switching to a different frontend/backend save flash space?

    We don't have statistics on the size, so unfortunately, it seems you will have to do some trial-and-error work to find out.

    • Is there anything in the SoftDevice I can use directly for encryption/decryption?

    • I noticed nRF52811 has these peripherals:

      • ECB (/modules/nrfx/hal/nrf_ecb.c)

      • CCM

      Can I use these directly without the crypto backends? For ECB, there’s nrf_ecb.c, but I hit the same problem as described here: DevZone postno decrypt function. I could not find a CCM example.

    The SoftDevice reserves the ECB and CCM peripherals when it is in use.

    It seems you have some limited access with the ECB peripherals. Yet again, there isn't a decrypting API.
    You could explore whether or not you can use the SoftDevice API for ECB encryption to do a stream encrypting/decrypting like discussed in the case you linked.

    Any suggestions for storing my two numbers directly in flash without FDS to save space?

    Are the numbers ever changed?

    If they are unchanged throughout the lifetime of the device, you could explore using the UICR, or you can reserve a small section of the flash memory during link time, and write directly to it.

    Hieu
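
The stream construction suggested in the answer above (counter mode built from block encryption only, so no decrypt primitive is needed), as an added example that is not part of the original thread or of Nordic's code. `demo_block_enc` is a constructed, insecure stand-in for the hardware ECB call so the code runs on a PC; the counter-block layout, key, nonce and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* out = E_key(in) for one block; on target, wrap the SoftDevice ECB encrypt call. */
typedef void (*block_enc_fn)(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]);

/* CONSTRUCTED stand-in so the example runs on a PC: NOT AES and NOT secure. */
static void demo_block_enc(const uint8_t key[16], const uint8_t in[16], uint8_t out[16]) {
    uint8_t acc = 0x5A;
    for (int pass = 0; pass < 2; pass++)
        for (int i = 0; i < 16; i++)
            out[i] = acc = (uint8_t)(((acc << 3) | (acc >> 5)) + (key[i] ^ in[i]) + i);
}

/* CTR: keystream block j = E_key(nonce || j), XORed into the data, so one call both
 * encrypts and decrypts. Assumed layout: 12-byte nonce, 32-bit big-endian counter. */
int ctr_xcrypt(block_enc_fn enc, const uint8_t key[16], const uint8_t nonce[12],
               const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t blk[16], ks[16];
    if (len / 16 >= 0xFFFFFFFFu) return -1;      /* 32-bit counter would wrap */
    memcpy(blk, nonce, 12);
    for (size_t off = 0, j = 0; off < len; off += 16, j++) {
        for (int b = 0; b < 4; b++) blk[15 - b] = (uint8_t)(j >> (8 * b));
        enc(key, blk, ks);
        for (size_t i = 0; i < 16 && off + i < len; i++) out[off + i] = in[off + i] ^ ks[i];
    }
    return 0;
}

/* Constructed sample key and nonce. */
static const uint8_t KEY[16]   = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
static const uint8_t NONCE[12] = {0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB};
/* Returns 1 if a 20-byte message (one full block plus a partial one) round-trips. */
int ctr_roundtrip_ok(void) {
    const uint8_t msg[20] = "serial=12345;flag=1";
    uint8_t ct[20], pt[20];
    ctr_xcrypt(demo_block_enc, KEY, NONCE, msg, ct, sizeof msg);
    ctr_xcrypt(demo_block_enc, KEY, NONCE, ct, pt, sizeof ct);   /* same call decrypts */
    return memcmp(ct, msg, sizeof msg) != 0 && memcmp(pt, msg, sizeof msg) == 0;
}

/* Caveat: a nonce reused under one key repeats the keystream, so ca^cb == a^b (returns 1). */
int ctr_nonce_reuse_leaks(void) {
    const uint8_t a[8] = "AAAAAAA", b[8] = "BBBBBBB";
    uint8_t ca[8], cb[8];
    ctr_xcrypt(demo_block_enc, KEY, NONCE, a, ca, sizeof a);
    ctr_xcrypt(demo_block_enc, KEY, NONCE, b, cb, sizeof b);
    for (int i = 0; i < 8; i++) if ((ca[i] ^ cb[i]) != (a[i] ^ b[i])) return 0;
    return 1;
}
```

Counter mode gives confidentiality only: each message needs a nonce that is never reused under the same key, and tampering goes undetected unless an integrity check is added.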

  • Hi Hieu,

    Thanks for the clarification earlier regarding ECB/CCM usage and flash storage options.
    I’ve decided to skip the custom crypto implementation for now and instead secure my BLE connection through the Peer Manager.

    Since my nRF52811 device has no display or keyboard, I can’t show or enter a passkey. I would like to pair only with a specific mobile app and prevent random devices from pairing.

    From what I’ve read, I might be able to do this using OOB pairing, but I’m not entirely sure how to implement it on the SoftDevice/Peer Manager side.

    Could you please confirm:

    1. How can I set or provide the OOB key (on both device and app sides)?

    2. If OOB isn’t practical, what would be the recommended way to restrict pairing only to a trusted app (for example, by whitelisting or rejecting new peers after the first bond)?

    Any code examples or documentation references would be greatly appreciated.

    Edit: also, if I try pairing with just these parameters:

    #define SEC_PARAM_BOND                  1
    #define SEC_PARAM_MITM                  0
    #define SEC_PARAM_LESC                  0
    #define SEC_PARAM_KEYPRESS              0
    #define SEC_PARAM_IO_CAPABILITIES       BLE_GAP_IO_CAPS_NONE
    #define SEC_PARAM_OOB                   0
    #define SEC_PARAM_MIN_KEY_SIZE          7
    #define SEC_PARAM_MAX_KEY_SIZE          16

    I get this error when I try with a 4 sec connection interval, 2 slave latency and a 32 sec timeout. The error doesn't occur when the connection interval is low, but I need a high connection interval due to power constraints. I'm guessing this is due to BLE_GAP_SEC_STATUS_TIMEOUT. Is there any way I could increase this timeout duration, or any other workaround?

    <info> peer_manager_handler: Connection security failed: role: Peripheral, conn_handle: 0x0, procedure: Bonding, error: 1 
    <warning> peer_manager_handler: Disconnecting conn_handle 0.


    Edit 2: peer_manager_sm: Could not perform security procedure. smd_params_reply() or smd_link_secure() returned NRF_ERROR_INVALID_ADDR.
    Upon further reading, it seems that to use secure bonding, i.e. lesc=1, you do need the crypto libraries. Could you also confirm this?



    Thanks,
