This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Hello,

I want to extend the at_client sample with vanilla Mbed TLS (delivered with the SDK) supporting TLS. Later on, I want to be able to modify the Mbed TLS vanilla implementation. I already asked a similar question but it looks like I better start again.

As approach I modified prj.conf to add vanilla Mbed TLS and networking:

CONFIG_ASSERT=y

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_VANILLA_BACKEND=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_LIBRARY=y
CONFIG_MBEDTLS_BUILTIN=n
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_INSTALL_PATH="DUMMY"
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_NRF_SECURITY_ADVANCED=y

CONFIG_NET_IPV4=y
CONFIG_NET_IPV6=y
CONFIG_NET_TCP=y

# Network
CONFIG_NETWORKING=y
CONFIG_NET_NATIVE=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y

# Modem library
CONFIG_NRF_MODEM_LIB=y

# AT host library
CONFIG_AT_HOST_LIBRARY=y
CONFIG_UART_INTERRUPT_DRIVEN=y

# Stacks and heaps
CONFIG_MAIN_STACK_SIZE=3072
CONFIG_HEAP_MEM_POOL_SIZE=16384

Then I added some includes and code to main.c (according to ssl_client1.c from Mbed TLS)

#include "mbedtls/net.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"

void do_mbedtls_stuff(void){
 mbedtls_net_context server_fd;
 mbedtls_entropy_context entropy;
 mbedtls_ctr_drbg_context ctr_drbg;
 mbedtls_ssl_context ssl;
 mbedtls_ssl_config conf;
 mbedtls_x509_crt cacert;

 const char *pers = "ssl_client1";

 server_fd.fd = -1; //mbedtls_net_init( &server_fd ); <- due to mbedtls_net_init not found
 mbedtls_ssl_init( &ssl );
 mbedtls_ssl_config_init( &conf );
 mbedtls_x509_crt_init( &cacert );
 mbedtls_ctr_drbg_init( &ctr_drbg );
 mbedtls_entropy_init( &entropy ); // <- current compile error
 
 return;
}

and I get the following compile error:

modules/nrfxlib/nrf_security/src/mbedtls/libmbedtls_base_vanilla.a(entropy.c.obj): in function `mbedtls_entropy_init':
undefined reference to `mbedtls_hardware_poll'

This looks to me like I might be on the wrong track regarding the integration?
Or do I have to integratie networking/entropy/timing manually?

Parents

0 Didrik Rokhaug over 3 years ago

Hi,

What are you trying to acheive?

Depening on what it is you want to do, it might be better to start with the Serial LTE Modem, with or without the TLS stack running on the application core.

Best regards,

Didrik
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Franck_Code over 3 years ago in reply to Didrik Rokhaug

I would like to use vanilla Mbed TLS which I will later on modify regarding TLS features (Originally, I am coming from devzone.nordicsemi.com/.../how-to-use-latest-mbed-tls-2-26-0-with-nrf-connect-sdk-v1-5-0-on-thingy-91). Switching to the Serial LTE Modem application is no issue and advisable. The first step afterwards then remains, i.e. how best to integrate the entropy and how to configure/replace net_socket.c.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Franck_Code over 3 years ago in reply to Franck_Code

To me it looks like that entropy can be included like in
C:\Users\UserName\ncs\v1.5.0\nrf\samples\nrf9160\secure_services\src\main.c
(entropy init seems not to be necessary and spm_request_random_number can be used as in entropy_cc310.c)?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Franck_Code over 3 years ago in reply to Franck_Code

To me it looks like that entropy can be included like in
C:\Users\UserName\ncs\v1.5.0\nrf\samples\nrf9160\secure_services\src\main.c
(entropy init seems not to be necessary and spm_request_random_number can be used as in entropy_cc310.c)?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Didrik Rokhaug over 3 years ago in reply to Franck_Code
I have looked over your code, and your previous ticket.

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_LIBRARY=y

I am not entirely clear which mbedTLS "integration version" you want to use. At the moment, you are using both Zephyr's integration and the Nordic Security Module's (NSM) vanilla mbedTLS backend.

In addition to that, you have changed the source code used by the Zephyr-integration to use the same source code as the NSM uses. But, it is using a different configuration file. So you now have the same library built twice, with two different configuration files.

With that in mind, I believe this set of configuration options should be closer to what you want:

CONFIG_NORDIC_SECURITY_BACKEND=y CONFIG_MBEDTLS_VANILLA_BACKEND=y CONFIG_NRF_SECURITY_ADVANCED=y CONFIG_MBEDTLS_X509_LIBRARY=y CONFIG_MBEDTLS_TLS_LIBRARY=y

With that set of options, your code compiles, except for the mbedtls_hardware_poll function.

When it comes to the mbedtls_hardware_poll function, it must be provided by the application or NCS. As MBEDTLS_ENTROPY_HARDWARE_ALT is defined in the mbedTLS configuration file, it is not provided by mbedTLS.

The NSM has an implementation of it which is used for nRF5x devices, and will work for the nRF9160 as well, though it was not yet enabled for the nRF9160 at the time of the NCS v1.5.0 release.

You can find the changes necessary to include it for the nRF9160 as well in this commit: https://github.com/nrfconnect/sdk-nrfxlib/commit/01acd15117499f69170c43f18afc770f1b696412

Note the file name change from nrf_security/src/backend/nrf5x/entropy_nrf5x.c to nrf_security/src/backend/entropy/entropy_poll.c.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Franck_Code over 3 years ago in reply to Didrik Rokhaug

My impression was that Zephyr's integration was dropped because there were no duplicated definitions of Mbed TLS functions. Nevertheless, your answer gives me some new insights. Thanks a lot!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel