• State Not Answered
  • Replies 1 reply
  • Subscribers 86 subscribers
  • Views 64 views
  • Users 0 members are here
Attachments (1) Download All
Nordic Case Info
  • Case ID: 360169
Options

Public and Private key generation for TLS communication using PSA Crypto calls.

AR Jadhav

Hello, 

Overview:

Currently we are using nRF9160 we are using mbedtls library for generating EC key based certificates (self-signed and CSR). Our code is built with TFM and application is non-secure. I need to understand following.
1. What is the role of TFM if application itself is in non-secure mode.

2. I want to remove mbedtls library and use PSA-crypto engine for certificate generation, parsing and signing how that can be possible.

Attaching the .config file after build for your reference. The aim to reduce the heap consumption done by mbedtls and optimize the code.

version used: nrf sdk version 2.7.0

3823.configFile.txt

Thanks,
Akshay

Parents
  • 0

    Hi,

    Thanks for the question. 

    Role of TM-F

    So when you build your nRF9160 application for the non-secure board target, the firmware is split into two environments, Secure Processing Environment (SPE) and Non-Secure Processing Environment (NSPE). TF-M runs in SPE it handles all security critical functionality like cryptographic operations, key storage and secure boot. It is also isolated from your application code. Whereas our main application runs in NSPE and this cannot directly access the secure side. The key benefit is that our application never has direct access to cryptographic keys or sensitive data. Instead, it communicates with TF-M through the PSA API.

    Replacing mbed TLS with PSA-crypto for certificates

    - For key generation and signing, you can replace mbed TLS calls with PSA APIs directly. A typical flow using PSA Crypto could be checked from Crypto: EdDSA sample

    - However for CSR generation, the full PSA CSR support (without Mbed TLS) may require patching in NCS. As the PSA Crypto API does not natively handle X.509 certificate parsing or formatting. That layer is still typically handled by mbed TLS's X.509 library. However there is a PSA CSR sample which can help you on it.

    Mainly you wanted to bring down mbed TLS heap use, which in your config that pool is about 28 KB, that mostly reflects how much of mbed TLS is switched on (TLS, X.509, RSA/EC), not PSA itself. So moving keys and signing to PSA is still worth doing, but you’ll still need a small mbed TLS X.509 part for CSR and certificates, so the realistic thing can be to trim what you don’t need, turn on CONFIG_MBEDTLS_USE_PSA_CRYPTO, and only lower CONFIG_MBEDTLS_HEAP_SIZE after you’ve measured again.

    Best Regards,
    Syed Maysum

Reply
  • 0

    Hi,

    Thanks for the question. 

    Role of TM-F

    So when you build your nRF9160 application for the non-secure board target, the firmware is split into two environments, Secure Processing Environment (SPE) and Non-Secure Processing Environment (NSPE). TF-M runs in SPE it handles all security critical functionality like cryptographic operations, key storage and secure boot. It is also isolated from your application code. Whereas our main application runs in NSPE and this cannot directly access the secure side. The key benefit is that our application never has direct access to cryptographic keys or sensitive data. Instead, it communicates with TF-M through the PSA API.

    Replacing mbed TLS with PSA-crypto for certificates

    - For key generation and signing, you can replace mbed TLS calls with PSA APIs directly. A typical flow using PSA Crypto could be checked from Crypto: EdDSA sample

    - However for CSR generation, the full PSA CSR support (without Mbed TLS) may require patching in NCS. As the PSA Crypto API does not natively handle X.509 certificate parsing or formatting. That layer is still typically handled by mbed TLS's X.509 library. However there is a PSA CSR sample which can help you on it.

    Mainly you wanted to bring down mbed TLS heap use, which in your config that pool is about 28 KB, that mostly reflects how much of mbed TLS is switched on (TLS, X.509, RSA/EC), not PSA itself. So moving keys and signing to PSA is still worth doing, but you’ll still need a small mbed TLS X.509 part for CSR and certificates, so the realistic thing can be to trim what you don’t need, turn on CONFIG_MBEDTLS_USE_PSA_CRYPTO, and only lower CONFIG_MBEDTLS_HEAP_SIZE after you’ve measured again.

    Best Regards,
    Syed Maysum

Children
No Data
Related
Terms of service