How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Wed, 31 Mar 2021 23:12:36 GMT

My impression was that Zephyr's integration was dropped because there were no duplicated definitions of Mbed TLS functions. Nevertheless, your answer gives me some new insights. Thanks a lot!

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Didrik Rokhaug — Wed, 31 Mar 2021 13:08:18 GMT

I have looked over your code, and your previous ticket.

CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_LIBRARY=y

I am not entirely clear which mbedTLS "integration version" you want to use. At the moment, you are using both Zephyr's integration and the Nordic Security Module's (NSM) vanilla mbedTLS backend.

In addition to that, you have changed the source code used by the Zephyr-integration to use the same source code as the NSM uses. But, it is using a different configuration file. So you now have the same library built twice, with two different configuration files.

With that in mind, I believe this set of configuration options should be closer to what you want:

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_MBEDTLS_VANILLA_BACKEND=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_TLS_LIBRARY=y

With that set of options, your code compiles, except for the mbedtls_hardware_poll function.

When it comes to the mbedtls_hardware_poll function, it must be provided by the application or NCS. As MBEDTLS_ENTROPY_HARDWARE_ALT is defined in the mbedTLS configuration file, it is not provided by mbedTLS.

The NSM has an implementation of it which is used for nRF5x devices, and will work for the nRF9160 as well, though it was not yet enabled for the nRF9160 at the time of the NCS v1.5.0 release.

You can find the changes necessary to include it for the nRF9160 as well in this commit: https://github.com/nrfconnect/sdk-nrfxlib/commit/01acd15117499f69170c43f18afc770f1b696412

Note the file name change from nrf_security/src/backend/nrf5x/entropy_nrf5x.c to nrf_security/src/backend/entropy/entropy_poll.c.

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Mon, 29 Mar 2021 21:23:00 GMT

To me it looks like that entropy can be included like in
C:\Users\UserName\ncs\v1.5.0\nrf\samples\nrf9160\secure_services\src\main.c
(entropy init seems not to be necessary and spm_request_random_number can be used as in entropy_cc310.c)?

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Mon, 29 Mar 2021 16:35:39 GMT

I would like to use vanilla Mbed TLS which I will later on modify regarding TLS features (Originally, I am coming from devzone.nordicsemi.com/.../how-to-use-latest-mbed-tls-2-26-0-with-nrf-connect-sdk-v1-5-0-on-thingy-91). Switching to the Serial LTE Modem application is no issue and advisable. The first step afterwards then remains, i.e. how best to integrate the entropy and how to configure/replace net_socket.c.

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Didrik Rokhaug — Mon, 29 Mar 2021 15:28:30 GMT

Hi,

What are you trying to acheive?

Depening on what it is you want to do, it might be better to start with the Serial LTE Modem, with or without the TLS stack running on the application core.

Best regards,

Didrik

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Mon, 29 Mar 2021 10:09:00 GMT

From my understanding, manual entropy integration would be according to https://tls.mbed.org/kb/how-to/add-a-random-generator with NRF_CC3XX_PLATFORM_ENTROPY?

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Mon, 29 Mar 2021 07:48:08 GMT

Originally, I hoped that config-tls-generic.h could help but it is only for built-in Mbed TLS.

https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/kconfig/CONFIG_MBEDTLS_CFG_FILE.html

config MBEDTLS_CFG_FILE
    string "mbed TLS configuration file"
    default "config-tls-generic.h"
    depends on MBEDTLS_BUILTIN && MBEDTLS

    help

      Use a specific mbedTLS configuration file. The default config file file can be tweaked with Kconfig.

      The default configuration is suitable to communicate with majority of HTTPS servers on the Internet,

      but has relatively many features enabled. To optimize resources for special TLS usage, use available

      Kconfig options, or select an alternative config.

RE: How to extend at_client sample to use Mbed TLS vanilla backend supporting TLS on Thingy:91 with nRF Connect SDK v1.5.0?

Franck_Code — Sun, 28 Mar 2021 22:34:12 GMT

I would like to mention that adding the following two options did not help:

CONFIG_NRF_SECURITY_RNG=y
CONFIG_ENTROPY_GENERATOR=y