
How to use latest Mbed TLS (2.26.0) with nRF Connect SDK v1.5.0 on Thingy:91

I would like to use the latest version of Mbed TLS (2.26.0) on the Thingy:91 and then realize a TLS connection using this version. As a first step I integrated this particular version of Mbed TLS into the at_client sample project. For this I followed the steps listed below. Good news is that it compiles and links.

When I compare my result with the Mbed TLS (2.16.8) integration provided by the SDK (CONFIG_MBEDTLS=y) I see that the two defines (MBEDTLS_NET_C, MBEDTLS_TIMING_C) are active in contrast to my approach. And that step 6 (check for is regular file) seems not to be necessary.

Therefore, I would like to know how I can remove these differences?

Is there an easier way to reach my goal than the steps below? (Maybe via CONFIG_MBEDTLS_VANILLA_BACKEND ?)


Developing on Windows with SEGGER Embedded Studio 5.34a and toolchain version 1.5.0 for target thingy91_nrf9160ns.
 
1. Copy include and library folder from Mbed TLS (github.com/.../mbedtls, tag 2.26.0) to at_client root folder (C:\Users\<username>\ncs\v1.5.0\nrf\samples\nrf9160\at_client)

2. Remove .gitignore, CMakeLists.txt from copied folders include and library
3. Remove Makefile from library

4. Edit CMakeLists.txt in at_client in order to add source and include files from Mbed TLS to the project and to define MBEDTLS_USE_PSA_CRYPTO, CONFIG_POSIX_FS. Add folder $ENV{ZEPHYR_BASE}/include/posix to provide dirent.h and sys/stat.h. CMakeLists.txt is as follows:

    cmake_minimum_required(VERSION 3.13.1)
    find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
    project(NONE)
    # NORDIC SDK APP START
    file(GLOB app_sources library/*.c )
    target_sources(app PRIVATE src/main.c ${app_sources})
    target_compile_definitions(app PRIVATE MBEDTLS_USE_PSA_CRYPTO CONFIG_POSIX_FS)
    target_include_directories(app PRIVATE library include include/mbedtls include/psa $ENV{ZEPHYR_BASE}/include/posix)
    # NORDIC SDK APP END

4. Create at_client project in Segger Embedded Studio via File → Open nRF CONNECT SDK Project ...
Select thingy91_nrf9160ns as platform

5. In at_client project open include/mbedtls/config.h via File → Open and modify defines as follows

    #define MBEDTLS_NO_PLATFORM_ENTROPY
    //#define MBEDTLS_NET_C
    //#define MBEDTLS_TIMING_C

6. In file library/x509_crt.c comment out two lines (1650,1651)

    // if( !S_ISREG( sb.st_mode ) )
    // continue;

Now the project builds (compiles and links) successfully.
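
Added example, not part of the original post and not Nordic or Mbed TLS code: a small checker for the comparison described above, listing which macros are actually active in two Mbed TLS configuration headers once `//` and `/* */` comments are stripped. The two header texts are constructed stand-ins, the function names are hypothetical, and the entropy check is a heuristic based on the `MBEDTLS_NO_PLATFORM_ENTROPY` define from step 5.

```python
import re

# Constructed samples (not the real headers): stand-ins for the SDK-provided
# configuration and for the hand-edited 2.26.0 include/mbedtls/config.h.
SDK_CONFIG = """\
#define MBEDTLS_NET_C
#define MBEDTLS_TIMING_C
#define MBEDTLS_ENTROPY_C
/* #define MBEDTLS_FS_IO */
"""
CUSTOM_CONFIG = """\
#define MBEDTLS_NO_PLATFORM_ENTROPY
//#define MBEDTLS_NET_C
//#define MBEDTLS_TIMING_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_FS_IO
/*
#define MBEDTLS_HAVEGE_C
*/
"""
# Note: in Mbed TLS 2.x the file-system helpers in x509_crt.c, including the
# S_ISREG check from step 6, are compiled only when MBEDTLS_FS_IO is defined.

def active_defines(text):
    """Return the macros that remain defined after comments are removed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # block comments
    text = re.sub(r"//[^\n]*", "", text)               # line comments
    active = set()
    for m in re.finditer(r"^[ \t]*#[ \t]*(define|undef)[ \t]+(\w+)", text, re.M):
        if m.group(1) == "define":
            active.add(m.group(2))
        else:
            active.discard(m.group(2))                 # a later #undef wins
    return active

def compare(a, b):
    """Macros active only in a, and only in b, as sorted lists."""
    da, db = active_defines(a), active_defines(b)
    return sorted(da - db), sorted(db - da)

def entropy_warning(text):
    """Heuristic: platform entropy is off and no alternative source is compiled in."""
    d = active_defines(text)
    alt = {"MBEDTLS_ENTROPY_HARDWARE_ALT", "MBEDTLS_ENTROPY_NV_SEED"}
    return "MBEDTLS_NO_PLATFORM_ENTROPY" in d and not (d & alt)

if __name__ == "__main__":
    print(compare(SDK_CONFIG, CUSTOM_CONFIG))
    print("entropy source must be registered at run time:", entropy_warning(CUSTOM_CONFIG))
```

When `entropy_warning` returns true, the application has to register a strong source itself (for example with `mbedtls_entropy_add_source`) before seeding a DRBG for TLS.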

  • Adding the following lines to C:\ncs\nrf\samples\nrf9160\at_client\prj.conf brings the files from C:\ncs\mbedtls into the project:

    CONFIG_NORDIC_SECURITY_BACKEND=y
    CONFIG_MBEDTLS_VANILLA_BACKEND=y
    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_LIBRARY=y
    CONFIG_MBEDTLS_BUILTIN=n
    CONFIG_CC3XX_BACKEND=n
    CONFIG_OBERON_BACKEND=n
    #CONFIG_APP_LINK_WITH_MBEDTLS=y # switches between nrf-config.h and nrf-config-noglue.h

    Are these settings correct?

    As nrf-config.h and nrf-config-noglue.h are generated, what is the proper way to modify the defines within nrf-config-noglue.h? (E.g. just comment or uncomment them in nrf-config-noglue.h?)


  • I don't see any problems with the configuration above. However, I forgot to ask what the motivation for doing this update was, so I'm not sure what the goal is. Both the Oberon and the cc3xx backend should be better in terms of performance.

    Nordic security module documentation for reference: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_security/README.html

  • The motivation is to experiment with the latest Mbed TLS crypto implementation on nrf9160/thingy:91 hardware. This means in particular not to use the provided hardware-accelerated or pre-compiled implementations. (Later it might be interesting to use some hardware-acceleration.)

    The linked security module documentation was studied intensively by me. Nevertheless, it was difficult for me to figure out the specific set of settings. Originally I hoped that CONFIG_MBEDTLS_VANILLA_BACKEND=y would be sufficient but it did not show any effect (As written in https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_security/doc/configuration.html CONFIG_NORDIC_SECURITY_BACKEND=y is needed first). CONFIG_MBEDTLS=y used alone did bring zephyr/module/mbedtls into the project which was not the desired version. Therefore, it took me quite some time using trial and error to figure out the precise settings.


  • https://github.com/nrfconnect/sdk-nrfxlib/blob/master/nrf_security/Kconfig

    comment "mbed TLS Configuration File"

    config MBEDTLS_CFG_FILE
        string "mbed TLS configuration file"
        default "nrf-config.h"

    config GENERATE_MBEDTLS_CFG_FILE
        bool
        prompt "Generate mbed TLS config file"
        default y
        help
          nRF Connect SDK Security will generate a mbed TLS configuration file
          based on the selection of configuration options in Kconfig.
          However, if the generated configuration file needs custom
          adjustments, this setting can be used to disable generating the
          mbed TLS configuration file. Only disable this setting if you know
          what you are doing.


    This answers my question regarding nrf-config-noglue.h
    -------
    Update:
    The answer is to let the build process generate the config file(s) and modify the(se) generated config file(s) as desired. This is described in the documentation at developer.nordicsemi.com/.../mbed_tls_header.html

  • Using the options from above in prj.conf in a standard installation of nRF Connect SDK v1.5.0 and "west build -b thingy91_nrf9160ns" in a command line build (as well as in Segger Embedded Studio) leads to a build error:

    ...
    -- Build files have been written to: C:/Users/ffp/ncs/v1.5.0/nrf/samples/nrf9160/at_client/build
    -- west build: building application
    [23/257] Performing build step for 'spm_subimage'
    [201/206] Linking C executable zephyr\zephyr_prebuilt.elf
    Memory region Used Size Region Size %age Used
    FLASH: 64 KB 64 KB 100.00%
    SRAM: 8768 B 64 KB 13.38%
    IDT_LIST: 88 B 2 KB 4.30%
    [206/206] Linking C executable zephyr\zephyr.elf
    [251/257] Linking C executable zephyr\zephyr_prebuilt.elf
    FAILED: zephyr/zephyr_prebuilt.elf
    cmd.exe /C "cd . && C:\Users\ffp\ncs\v1.5.0\toolchain\opt\bin\arm-none-eabi-gcc.exe zephyr/CMakeFiles/zephyr_prebuilt.dir/misc/empty_file.c.obj -o zephyr\zephyr_prebuilt.elf -Wl,-T zephyr/linker.cmd -Wl,-Map=C:/Users/ffp/ncs/v1.5.0/nrf/samples/nrf9160/at_client/build/zephyr/zephyr_prebuilt.map -Wl,--whole-archive app/libapp.a zephyr/libzephyr.a zephyr/arch/common/libarch__common.a zephyr/arch/arch/arm/core/aarch32/libarch__arm__core__aarch32.a zephyr/arch/arch/arm/core/aarch32/cortex_m/libarch__arm__core__aarch32__cortex_m.a zephyr/arch/arch/arm/core/aarch32/cortex_m/mpu/libarch__arm__core__aarch32__cortex_m__mpu.a zephyr/arch/arch/arm/core/aarch32/cortex_m/cmse/libarch__arm__core__aarch32__cortex_m__cmse.a zephyr/lib/libc/minimal/liblib__libc__minimal.a zephyr/lib/posix/liblib__posix.a zephyr/soc/arm/common/cortex_m/libsoc__arm__common__cortex_m.a zephyr/boards/boards/arm/thingy91_nrf9160ns/lib..__nrf__boards__arm__thingy91_nrf9160.a zephyr/subsys/net/libsubsys__net.a zephyr/subsys/net/ip/libsubsys__net__ip.a zephyr/subsys/random/libsubsys__random.a zephyr/drivers/gpio/libdrivers__gpio.a zephyr/drivers/i2c/libdrivers__i2c.a zephyr/drivers/spi/libdrivers__spi.a zephyr/drivers/serial/libdrivers__serial.a zephyr/drivers/entropy/libdrivers__entropy.a modules/nrf/lib/nrf_modem_lib/lib..__nrf__lib__nrf_modem_lib.a modules/nrf/lib/at_cmd/lib..__nrf__lib__at_cmd.a modules/nrf/lib/at_notif/lib..__nrf__lib__at_notif.a modules/nrf/lib/at_host/lib..__nrf__lib__at_host.a modules/nrf/lib/fatal_error/lib..__nrf__lib__fatal_error.a modules/nrf/subsys/fw_info/lib..__nrf__subsys__fw_info.a C:/Users/ffp/ncs/v1.5.0/nrfxlib/nrf_modem/lib/cortex-m33/hard-float/libmodem.a modules/nrfxlib/nrf_security/src/mbedtls/libmbedtls_base_vanilla.a modules/hal_nordic/libmodules__hal_nordic.a -Wl,--no-whole-archive zephyr/kernel/libkernel.a zephyr/CMakeFiles/offsets.dir/./arch/arm/core/offsets/offsets.c.obj 
-L"c:/users/ffp/ncs/v1.5.0/toolchain/opt/bin/../lib/gcc/arm-none-eabi/9.2.1/thumb/v8-m.main+fp/hard" -LC:/Users/ffp/ncs/v1.5.0/nrf/samples/nrf9160/at_client/build/zephyr -lgcc -Wl,--print-memory-usage zephyr/arch/common/libisr_tables.a modules/nrfxlib/nrf_security/src/mbedtls/shared/libmbedcrypto_shared.a modules/nrfxlib/nrf_security/src/mbedtls/vanilla/libmbedcrypto_vanilla.a -mcpu=cortex-m33 -mthumb -mabi=aapcs -mfpu=fpv5-sp-d16 -Wl,--gc-sections -Wl,--build-id=none -Wl,--sort-common=descending -Wl,--sort-section=alignment -Wl,-u,_OffsetAbsSyms -Wl,-u,_ConfigAbsSyms -nostdlib -static -no-pie -Wl,-X -Wl,-N -Wl,--orphan-handling=warn spm/libspmsecureentries.a -lgcc modules/nrfxlib/nrf_security/src/mbedtls/libmbedtls_external.a -L && cd ."
    arm-none-eabi-gcc.exe: error: missing argument to '-L'
    ninja: build stopped: subcommand failed.

    I also set ARM_MBEDTLS_PATH=C:\Users\ffp\ncs\v1.5.0\mbedtls if that might be the missing path.
    Do you have any idea? (As a side note, on my second installation on Linux the same error occurs.)

  • Thanks for updating the thread earlier and clarifying what the goal was. With regards to the linker error, I have seen it before, but can't remember exactly what caused it. Could you try to build with CONFIG_MBEDTLS_INSTALL_PATH="DUMMY" and see if that helps? This is the configuration used by the crypto test projects in \v1.5.0\nrf\tests\crypto at least.
