• State Not Answered
  • Replies 8 replies
  • Subscribers 72 subscribers
  • Views 2260 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 267234
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code

Hello,

I want to extend the at_client sample with vanilla Mbed TLS (delivered with the SDK) supporting TLS. Later on, I want to be able to modify the Mbed TLS vanilla implementation. I already asked a similar question but it looks like I better start again.

As approach I modified prj.conf to add vanilla Mbed TLS and networking:

CONFIG_ASSERT=y

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_VANILLA_BACKEND=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_LIBRARY=y
CONFIG_MBEDTLS_BUILTIN=n
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_INSTALL_PATH="DUMMY"
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y

CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_TCP=y

# Network
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# Modem library
CONFIG_NRF_MODEM_LIB=y

# AT host library
CONFIG_AT_HOST_LIBRARY=y
CONFIG_UART_INTERRUPT_DRIVEN=y

# Stacks and heaps
CONFIG_MAIN_STACK_SIZE=3072
CONFIG_HEAP_MEM_POOL_SIZE=16384

Then I added some includes and code to main.c (according to ssl_client1.c from Mbed TLS)

#include "mbedtls/net.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"

void do_mbedtls_stuff(void){
 mbedtls_net_context server_fd;
 mbedtls_entropy_context entropy;
 mbedtls_ctr_drbg_context ctr_drbg;
 mbedtls_ssl_context ssl;
 mbedtls_ssl_config conf;
 mbedtls_x509_crt cacert;

 const char *pers = "ssl_client1";

 server_fd.fd = -1; //mbedtls_net_init( &server_fd ); <- due to mbedtls_net_init not found
 mbedtls_ssl_init( &ssl );
 mbedtls_ssl_config_init( &conf );
 mbedtls_x509_crt_init( &cacert );
 mbedtls_ctr_drbg_init( &ctr_drbg );
 mbedtls_entropy_init( &entropy ); // <- current compile error
 
 return;
}

and I get the following compile error:

modules/nrfxlib/nrf_security/src/mbedtls/libmbedtls_base_vanilla.a(entropy.c.obj): in function `mbedtls_entropy_init':
undefined reference to `mbedtls_hardware_poll'

This looks to me like I might be on the wrong track regarding the integration?
Or do I have to integratie networking/entropy/timing manually?

Parents Reply Children
  • 0 in reply to Franck_Code

    To me it looks like that entropy can be included like in
    C:\Users\UserName\ncs\v1.5.0\nrf\samples\nrf9160\secure_services\src\main.c
    (entropy init seems not to be necessary and spm_request_random_number can be used as in entropy_cc310.c)?

  • 0 in reply to Franck_Code

    I have looked over your code, and your previous ticket.

    CONFIG_MBEDTLS=y
    CONFIG_MBEDTLS_LIBRARY=y

    I am not entirely clear which mbedTLS "integration version" you want to use. At the moment, you are using both Zephyr's integration and the Nordic Security Module's (NSM) vanilla mbedTLS backend.

    In addition to that, you have changed the source code used by the Zephyr-integration to use the same source code as the NSM uses. But, it is using a different configuration file. So you now have the same library built twice, with two different configuration files.

    With that in mind, I believe this set of configuration options should be closer to what you want:

    CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_VANILLA_BACKEND=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_TLS_LIBRARY=y

    With that set of options, your code compiles, except for the mbedtls_hardware_poll function.

    When it comes to the mbedtls_hardware_poll function, it must be provided by the application or NCS. As MBEDTLS_ENTROPY_HARDWARE_ALT is defined in the mbedTLS configuration file, it is not provided by mbedTLS.

    The NSM has an implementation of it which is used for nRF5x devices, and will work for the nRF9160 as well, though it was not yet enabled for the nRF9160 at the time of the NCS v1.5.0 release.

    You can find the changes necessary to include it for the nRF9160 as well in this commit: https://github.com/nrfconnect/sdk-nrfxlib/commit/01acd15117499f69170c43f18afc770f1b696412

    Note the file name change from nrf_security/src/backend/nrf5x/entropy_nrf5x.c to  nrf_security/src/backend/entropy/entropy_poll.c.

  • 0 in reply to Didrik Rokhaug

    My impression was that Zephyr's integration was dropped because there were no duplicated definitions of Mbed TLS functions. Nevertheless, your answer gives me some new insights. Thanks a lot! 

Related
Terms of service