
Struggling with encryption, nrf52840 using ncs 1.3.1

Hi,

I'm really struggling with encryption, kind of lost in the woods of libraries, APIs and documentation. Can anyone point me in the right direction?

Config: I have CONFIG_NORDIC_SECURITY_BACKEND=y set

To start simple, I want to encrypt a block of data using AES.

Using the following code:

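#include <string.h>
#include <mbedtls/aes.h>

/* 15 initializers: the 16th key byte is implicitly 0 */
u8_t testkey[16] =  { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 };
/* mbedtls_aes_crypt_cbc() updates this IV buffer in place */
u8_t testiv[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 1, 2, 3, 4, 5, 6 };
u8_t testinput[] = { 't', 'e', 's', 't',0,0,0,0,0,0,0,0,0,0,0,0};
u8_t testoutput[64];
mbedtls_aes_context aes;

memset(testoutput, 0, sizeof(testoutput));

mbedtls_aes_init(&aes);
mbedtls_aes_setkey_enc(&aes, testkey, sizeof(testkey) * 8); /* key size in bits */
mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, 16, testiv, testinput, testoutput);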

This runs (the two mbedtls functions return 0, all ok), but 'testoutput' does not contain anything (all zeros).

So, I found out about the 'cipher' API (from the nrfconnect crypto test). Created the following code for that:

mbedtls_cipher_context_t ctx;
size_t r = 0, fin = 0;

mbedtls_cipher_init (&ctx);

LOG_DBG("setup %d", mbedtls_cipher_setup (&ctx, mbedtls_cipher_info_from_values(MBEDTLS_CIPHER_ID_AES, sizeof(testkey)*8, MBEDTLS_MODE_ECB)));
LOG_DBG("setkey %d", mbedtls_cipher_setkey (&ctx, testkey, sizeof(testkey)*8, MBEDTLS_ENCRYPT));
/* iv_len is given in bytes, not bits; ECB itself does not use an IV */
LOG_DBG("setiv %d", mbedtls_cipher_set_iv (&ctx, testiv, sizeof(testiv)));
LOG_DBG("reset %d", mbedtls_cipher_reset (&ctx));
LOG_DBG("update %d", mbedtls_cipher_update (&ctx, testinput, sizeof(testinput), testoutput,  &r));
/* append any final bytes after the r bytes that update produced */
LOG_DBG("finish %d", mbedtls_cipher_finish (&ctx, testoutput + r,  &fin));

mbedtls_cipher_free (&ctx);

The mbedtls_cipher_setup call fails with MBEDTLS_ERR_CIPHER_ALLOC_FAILED, so obviously the subsequent calls fail as well.

So.. help? What am I doing wrong here? Which API should I use, what configuration do I need?

  • Ah, it seems that enabling the oberon stuff (CONFIG_NRF_OBERON=y, CONFIG_OBERON_BACKEND=y) does wonders;

    The mbedtls_aes_setkey_enc/mbedtls_aes_crypt_cbc code now works, have not tested the mbedtls_cipher API but I assume that works as well.

    Does this mean my code doesn't work on the CC310 module? As I understand it, I'm doing AES-128 here, and the CC310 should support that, right?

  • Hi!

    Right now, you only have nrf_oberon enabled as backend, which only runs in software. To use the CC310 module, you need to enable the Arm CryptoCell cc3xx backend, by enabling CONFIG_CC3XX_BACKEND.

    The functions you are calling (mbedtls_aes_setkey_enc and mbedtls_aes_crypt_cbc) are part of the mbed TLS glue layer (API reference), which allows you to use both the HW and SW implementations simultaneously, which means you can have both of these backends enabled in your application.

    When you have multiple backends available, the mbed TLS glue layer enables a dynamic check to verify whether the cryptographic algorithm is supported in hardware. For instance, the cc3xx backend is limited to key sizes of 128 bits on devices with CC310. In this case, the layer will call into a different enabled backend (nrf_oberon) as a fallback. 

    Let me know if this clears things up for you!

    Best regards,

    Heidi

  • Hello Heidi,

    Thanks for the response! But, I'm not quite getting it (sorry... ;) )

    Is the CONFIG_CC310_BACKEND the same as CONFIG_CC3XX_BACKEND? Because I can't find the latter...?

    Enabling CONFIG_NORDIC_SECURITY_BACKEND automagically enables CONFIG_CC310_BACKEND for me, so I think I already have the setting you mean enabled?

    Thanks,

    -Bastiaan

  • Hi!

    CONFIG_CC3XX_BACKEND will select CONFIG_CC310_BACKEND when SOC_NRF52840 && NORDIC_SECURITY_BACKEND is true, see here. So it's just a more general configuration. 


    basvkesteren said:
    Enabling CONFIG_NORDIC_SECURITY_BACKEND automagically enables CONFIG_CC310_BACKEND for me, so I think I already have the setting you mean enabled?

    Are you sure? In the documentation, it doesn't look like this configuration selects the CC310_BACKEND. Perhaps you have something else enabled that does it.

    Best regards,

    Heidi

  • Hello Heidi,

    I have to admit that the build-system isn't 100% clear to me (still learning...), but the build/zephyr/.config file (which, as far as I understand it, is the actual config file after all the build-system magic has happened) contains CONFIG_CC310_BACKEND=y

    In my prj.conf file I have, among others, CONFIG_NORDIC_SECURITY_BACKEND=y

    As far as I can tell there are no other lines in my prj.conf file that do anything encryption-related

    Thanks,

    -Bastiaan
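
An added check, not part of the original thread or of Nordic's tooling: it reads a merged build/zephyr/.config on stdin and reports which of the backend symbols named in this thread ended up enabled, so you can tell whether crypto runs on the CryptoCell, in software, or with a fallback. The function names, the output labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Classify the crypto backends enabled in a merged Kconfig file.
# Only symbols quoted in this thread are checked.

# Constructed sample, shaped like the build/zephyr/.config described above.
sample_config() {
cat <<'EOF'
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_CC310_BACKEND=y
# CONFIG_OBERON_BACKEND is not set
EOF
}

# crypto_backends: reads .config on stdin, prints hw, sw, hw+sw or none.
# "# CONFIG_X is not set" lines never match, so disabled symbols are ignored.
crypto_backends() {
    hw=no
    sw=no
    while IFS= read -r line; do
        case "$line" in
            CONFIG_CC310_BACKEND=y|CONFIG_CC3XX_BACKEND=y) hw=yes ;;
            CONFIG_OBERON_BACKEND=y) sw=yes ;;
        esac
    done
    case "$hw/$sw" in
        yes/yes) echo "hw+sw" ;;  # CryptoCell, nrf_oberon available as fallback
        yes/no)  echo "hw" ;;     # CryptoCell only, no software fallback
        no/yes)  echo "sw" ;;     # nrf_oberon only, everything runs in software
        *)       echo "none" ;;   # neither backend symbol is set
    esac
}

# Usage: script.sh build/zephyr/.config   (no argument: use the sample)
if [ -n "${1:-}" ]; then
    echo "backends: $(crypto_backends < "$1")"
else
    echo "backends: $(sample_config | crypto_backends)"
fi
```

Run it against the merged file rather than prj.conf, since symbols selected by other options only appear after the build system has resolved them.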
