How to use CryptoCell on NRF9160

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Fri, 16 Feb 2024 15:37:33 GMT

There has happened quite a lot on the TF-M front over the past years, so if you have a question about it, I recommend you open a new ticket where you share all the relevant details.

Best regards,

Didrik

RE: How to use CryptoCell on NRF9160

GilDev — Fri, 16 Feb 2024 13:22:28 GMT

Hi,

Again, any news about this please?

RE: How to use CryptoCell on NRF9160

Gawain — Tue, 24 Aug 2021 13:48:30 GMT

Hi,

I'm also trying to get a Zephyr non-secure app running with TF-M, BL2 and PSA crypto and need this working. It would be great if we could get an update on the timeframe for this please?

For info, I did make some progress by building the TF-M repository independently of Zephyr and then flashing the BL2 and the TF-M secure and nonsecure images. I then built my zephyr app for the nrf9160ns board (at a base addresss of 0x50400), signed it, converted it to an srecord, and then flashed it in place of the tf-m non-secure code. Everything then starts up but some of the PSA crypto calls hang forever presumably because there is some issue with the non-secure to secure interface.

Thanks

Gawain

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Thu, 19 Aug 2021 08:49:21 GMT

Are you sure the secure firmware actually printed something?

Do you see something if you add a printf to a secure function that you know is called?

E.g. when I tested with the nrf/samples/crypto/rsa sample, I added a printf in tfm_crypto_generate_key, on line 674 in modules/tee/tfm/trusted-firmware-m/secure_fw/partitions/crypto/crypto_key.c.

RE: How to use CryptoCell on NRF9160

mglettig — Wed, 18 Aug 2021 15:32:27 GMT

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/325556#325556"]

Have you tried changing the pin in the device tree?

If I change the pin in an overlay file for the non-secure board, it uses a different pin.

[/quote]

Yes I tried to change the DTS-Overlay but that didn't have an effect on the Secure-Firmware (TF-M). I still couldn't see the UART / console output.

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Wed, 18 Aug 2021 15:09:04 GMT

Have you tried changing the pin in the device tree?

If I change the pin in an overlay file for the non-secure board, it uses a different pin.

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 13 Aug 2021 09:09:21 GMT

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/322696#322696"]If you do not, and the peripheral is configured as secure, you will not be able to use it from the non-secure domain.[/quote]

By default USART1 is enabled in TF-M. But how do I configure the TX-Pin of the UART?

I found 2 potential places to do:

- modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/nrf9160dk_nrf9160/RTE_Device.h

- nrf/modules/tfm/tfm/boards/board/RTE_Device.h

I tried to change RTE_USART1_TXD_PIN in both of those files but I didn't see any console output on the desired pin. Can you please help me here so that I see the TF-M console output?

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 13 Aug 2021 06:47:29 GMT

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/324073#324073"]

Currently, there is an issue with using bootloader + TF-M, where BL2 don't play well with Nordic Crypto, and NCS MCUBoot don't play well with TF-M. But, this is being worked on.

However, I don't know when this issue will be solved.

[/quote]

Could you please ask the development team until this will be resolved? I didn't get an answer when commenting the PR.

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Wed, 11 Aug 2021 14:35:20 GMT

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/324310#324310"]I have created a feature request to make this configurable, and will try to keep you updated on the progress.[/quote]

Thanks Didrik. Looking forward to this feature.

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Tue, 10 Aug 2021 15:47:15 GMT

Regarding UART1:

It is currently not (easily) possible to disbale UART1 in TF-M.

The way to do it would normally be to enable UART1 in the device tree (as you can see in the psa_tls sample I linked previously, it should be disabled to use TF-M). However, TF-M will still try to use it, which will cause a bus error. It is possible to modify TF-M to not initialize UART1, but that is not a good solution.

I have created a feature request to make this configurable, and will try to keep you updated on the progress.

Best regards,

Didrik

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Mon, 09 Aug 2021 15:43:21 GMT

Sorry, we are quite short on staff at the moment, so it is hard to answer all the questions in a timely manner.

Currently, there is an issue with using bootloader + TF-M, where BL2 don't play well with Nordic Crypto, and NCS MCUBoot don't play well with TF-M. But, this is being worked on.

However, I don't know when this issue will be solved.

Below are some PRs that are relevant:

https://github.com/nrfconnect/sdk-mcuboot/pull/159

https://github.com/nrfconnect/sdk-mcuboot/pull/158

https://github.com/nrfconnect/sdk-trusted-firmware-m/pull/26

https://github.com/nrfconnect/sdk-nrf/pull/5048

https://github.com/nrfconnect/sdk-nrf/pull/4972

You might also be interested in this example on the master branch, showing TLS running on TF-M:
https://github.com/nrfconnect/sdk-nrf/tree/master/samples/crypto/psa_tls

I haven't gotten a reply from our developers regarding the UART yet, but I have pushed for an update.

RE: How to use CryptoCell on NRF9160

mglettig — Mon, 09 Aug 2021 06:41:23 GMT

Hi Didrik Rokhaug

Do you have an update for me?

My goal is to finish TF-M integration this week.

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 30 Jul 2021 15:40:17 GMT

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/322696#322696"]TF-M has an integrated logging module which uses UART1. However, I believe you should be able to disable that, so that UART1 becomes available for the non-secure application.[/quote]

I found this CMake value here: https://github.com/nrfconnect/sdk-trusted-firmware-m/blob/3599bcc187f3ac05119b9424c859332f5acb0db3/trusted-firmware-m/platform/ext/target/nordic_nrf/common/nrf9160/config.cmake#L9

Could you please also ask your experts how to free UART1 from TF-M? And also how to change the UART1 configuration if I want to use it (can this be done using the normal device-tree?).

[quote userid="81181" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/322696#322696"] I'll have to check with our experts and come back to you.[/quote]

Thanks for asking them. Looking forward to an answer.

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Fri, 30 Jul 2021 14:23:17 GMT

[quote user="mglettig"]Or can I tell TF-M do not use UART1?[/quote]

TF-M has an integrated logging module which uses UART1. However, I believe you should be able to disable that, so that UART1 becomes available for the non-secure application.

If you do not, and the peripheral is configured as secure, you will not be able to use it from the non-secure domain. This will be true also for SPI and TW 1, as they use the same hardware as UART1.

[quote user="mglettig"]An issue that still bugs me is that I'm unable to enable the bootloader.[/quote][quote user="mglettig"]Do you have a solution for me?[/quote]

I'll have to check with our experts and come back to you.

RE: How to use CryptoCell on NRF9160

mglettig — Thu, 29 Jul 2021 13:55:13 GMT

[quote userid="104198" url="~/f/nordic-q-a/77691/how-to-use-cryptocell-on-nrf9160/322355#322355"]

Now when I run my application which tries to establish an mTLS connection I get the following error:

[00:23:03.684,661] <err> net_sock_tls: TLS handshake error: -5

Currently I do have my private-key and certificate that I need for mTLS in the non-secure area and register them using the function tls_credential_add. Should that still work with hw crypto acceleration or do I have to keep everything in the secure area? If yes how would I do that? Any ideas why the TLS handshake is failing?

[/quote]

Ok this is solved now by switching from ARM GNU Toolchain to SDK Zephyr Toolchain. See here https://github.com/zephyrproject-rtos/zephyr/issues/34658#issuecomment-828422111. This was very hard to find because I didn't have a console output from TF-M.

The questions regarding UART1 remain.

An issue that still bugs me is that I'm unable to enable the bootloader. When I try it with the following configuration...

CONFIG_IMG_MANAGER=y
CONFIG_IMG_ERASE_PROGRESSIVELY=y
CONFIG_REBOOT=y
CONFIG_BOOTLOADER_MCUBOOT=y

... the bootloader get stuck:

*** Booting Zephyr OS build v2.6.0-rc1-ncs1-1-g0cf135c0cf22  ***
I: Starting bootloader
I: Primary image: magic=bad, swap_type=0x1, copy_done=0x2, image_ok=0x2
I: Secondary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
I: Boot source: none
I: Swap type: none
I: Bootloader chainload address offset: 0x10000
I: Jumping to the first image slot

I tried to set CONFIG_TFM_BL2 but that's not possible due to the following limitation:

Do you have a solution for me?

Regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Thu, 29 Jul 2021 06:57:11 GMT

Hi Didrik Rokhaug

Thanks for your hints. In the meantime I managed to build both TF-M with the minimal configuration and TF-M with a custom configuration. Both images are booting now. I currently use the following custom configuration:

CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_BL2=n

CONFIG_TFM_IPC=y
CONFIG_TFM_MCUBOOT_IMAGE_NUMBER=1
CONFIG_TFM_PARTITION_INITIAL_ATTESTATION=n
CONFIG_TFM_PARTITION_AUDIT_LOG=n
CONFIG_TFM_CRYPTO_MAC_MODULE_ENABLED=y
CONFIG_TFM_CRYPTO_ASYMMETRIC_MODULE_ENABLED=n
CONFIG_TFM_CRYPTO_KEY_DERIVATION_MODULE_ENABLED=y
CONFIG_TFM_CRYPTO_KEY_MODULE_ENABLED=y
CONFIG_TFM_CRYPTO_AEAD_MODULE_ENABLED=n
CONFIG_TFM_CRYPTO_GENERATOR_MODULE_ENABLED=y
CONFIG_TFM_PARTITION_PROTECTED_STORAGE=y
CONFIG_TFM_PARTITION_INTERNAL_TRUSTED_STORAGE=y
CONFIG_TFM_CRYPTO_CIPHER_MODULE_ENABLED=y

Now when I run my application which tries to establish an mTLS connection I get the following error:

[00:23:03.684,661] <err> net_sock_tls: TLS handshake error: -5

One other question: UART1 is used by TF-M. Does this mean that all of the following peripherals are not usable by my application anymore?

Or can I tell TF-M do not use UART1?

Last but not least: How can I access the TF-M UART1 console output on nRF9160-DK?

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Tue, 27 Jul 2021 16:42:05 GMT

Hi, and sorry.

Due to summer vacations, we are a bit short on staff, so I don't have as much time as I would like to look through each ticket.

I don't think the minimal configuration will work for you, as it disables most modules except for RNG and HASH. However, looking at nrf/modules/trusted-firmware-m/Kconfig.tfm_minimal.defconfig should give you an idea of what you can disable to reduce flash usage.

You can also increase the TF-M partition size by setting CONFIG_PM_PARTITION_SIZE_TFM. The flash partition used by TF-M is locked by the SPU, which has a granularity of 32kB, which is why you see a 64kB partition. This is also a good reason to stick to 32kB steps when you configure the partition size.

Best regards,

Didrik

RE: How to use CryptoCell on NRF9160

mglettig — Tue, 27 Jul 2021 12:15:03 GMT

Hi Didrik Rokhaug

Do you have an update for me?

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Mon, 26 Jul 2021 06:58:13 GMT

Hi Didrik Rokhaug

Regarding the build failure above I figured out what caused this issue. I disabled UART hardware flow control in my DT overlay file:

&uart0 {
	status = "okay";
	// rx-pin = <24>;
	// tx-pin = <25>;
	current-speed = <115200>;
	/delete-property/ hw-flow-control;
	/delete-property/ rts-pin;
    /delete-property/ cts-pin;
};

Looks like modules/tfm/tfm/boards/board/RTE_Device.h:37 is expecting that RTS-Pin and CTS-Pin are configured. What is the proper way to disable UART flow-control in the device tree?

As a temporary fix I applied the following patch:

diff --git a/iiot_main_firmware/nrf9160dk_nrf9160ns.overlay b/iiot_main_firmware/nrf9160dk_nrf9160ns.overlay
index 20139d1..199bcb9 100644
--- a/iiot_main_firmware/nrf9160dk_nrf9160ns.overlay
+++ b/iiot_main_firmware/nrf9160dk_nrf9160ns.overlay
@@ -40,13 +40,10 @@
        // rx-pin = <24>;
        // tx-pin = <25>;
        current-speed = <115200>;
-       /delete-property/ hw-flow-control;
-       /delete-property/ rts-pin;
-    /delete-property/ cts-pin;
 };
 
 &uart1 {
-       status = "okay";
+       status = "disabled";
        rx-pin = <26>;
        tx-pin = <27>;

Now I managed to build TF-M. However I get a linker error because TF-M no longer fits my ROM (overflowed by 184708 bytes).

--> Does HW crypto acceleration also work with TF-M Minimal?

Next I tried to build with CONFIG_TFM_MINIMAL=y. But that still leads to a ROM overflow by 32256 bytes. From the description of the KConfig parameter CONFIG_TFM_MINIMAL I excepted that it would consume 32 kB ROM only. What is the reason for it to actually consume 64 kB? Am I supposed to change the partitioning of my ROM? How could I do this with TF-M?

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 23 Jul 2021 14:59:01 GMT

Hi Didrik Rokhaug

Sorry our replies almost came at the same time. As you can see I now switched from SPM to TFM with the issue posted below. I also tested CONFIG_TFM_MINIMAL=y but without success.

Thanks for checking my memory question with your colleagues.

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

Didrik Rokhaug — Fri, 23 Jul 2021 14:29:45 GMT

[quote user="mglettig"]Why is CRYPTOCELL_USABLE set to n?[/quote]

Are you building the application with TF-M or the SPM?

From what I can see, CONFIG_CRYTPOCELL_USABLE depends on CONFIG_BUILD_WITH_TFM.

Regarding how much memory optimization you can get that way, I'll have to check with my colleagues and come back to you.

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 23 Jul 2021 14:21:28 GMT

Ok I'm another step further. Looks like CONFIG_BUILD_WITH_TFM=y is needed in order to get the CC1xx backend. However enabling this leads to build errors at the UART driver:

FAILED: platform/CMakeFiles/platform_ns.dir/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.o 
/opt/toolchains/gcc-arm-none-eabi-10-2020-q4-major/bin/arm-none-eabi-gcc -DDAUTH_CHIP_DEFAULT -DDOMAIN_NS=1 -DMCUBOOT_IMAGE_NUMBER=2 -DMCUBOOT_SIGN_RSA -DMCUBOOT_SIGN_RSA_LEN=3072 -DNRF9160_XXAA -DNRF_TRUSTZONE_NONSECURE -DSECURE_UART1 -DTFM_PARTITION_AUDIT_LOG -DTFM_PARTITION_CRYPTO -DTFM_PARTITION_INITIAL_ATTESTATION -DTFM_PARTITION_INTERNAL_TRUSTED_STORAGE -DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_DEBUG -DTFM_PARTITION_PLATFORM -DTFM_PARTITION_PROTECTED_STORAGE -D__NRF_TFM__ -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/. -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/nrfx -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/nrfx/mdk -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/nrfx/drivers/include -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/.. -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/../interface/include -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/nrf9160/. -I/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board -I../zephyr/misc/generated/syscalls_links/include -I/opt/zephyrproject/zephyr/include -I/opt/zephyrproject/nrf/modules/tfm/tfm/boards/include -I/opt/zephyrproject/nrf/include/tfm -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/common -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/driver -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/include -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/cmsis -I/opt/zephyrproject/nrf/modules/tfm/tfm/boards/partition -I../zephyr/include/generated -I/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/interface/include -Igenerated/interface/include -I/opt/zephyrproject/modules/tee/tfm/tf-m-tests/app/../ns_interface -I/opt/zephyrproject/modules/tee/tfm/tf-m-tests/app/../ns_interface/ns_client_id -mcpu=cortex-m33+nodsp -g   --specs=nano.specs -Wall -Wno-format -Wno-return-type -Wno-unused-but-set-variable -c -fdata-sections -ffunction-sections -fno-builtin -fshort-enums -funsigned-char -mthumb -nostdlib -std=c99 -msoft-float -MD -MT platform/CMakeFiles/platform_ns.dir/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.o -MF platform/CMakeFiles/platform_ns.dir/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.o.d -o platform/CMakeFiles/platform_ns.dir/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.o   -c /opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c
In file included from /opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:23,
                 from /opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c:21:
../zephyr/include/generated/devicetree_unfixed.h:4799:38: error: 'DT_N_S_soc_S_peripheral_40000000_S_uart_8000_P_rts_pin' undeclared here (not in a function); did you mean 'DT_N_S_soc_S_peripheral_40000000_S_uart_8000_P_rx_pin'?
 4799 | #define DT_N_NODELABEL_uart0         DT_N_S_soc_S_peripheral_40000000_S_uart_8000
      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:2326:24: note: in definition of macro 'DT_CAT'
 2326 | #define DT_CAT(a1, a2) a1 ## a2
      |                        ^~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:27:32: note: in expansion of macro 'DT_PROP'
   27 | #define UARTE_PROP(idx, prop)  DT_PROP(UARTE(idx), prop)
      |                                ^~~~~~~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:2326:24: note: in expansion of macro 'DT_N_NODELABEL_uart0'
 2326 | #define DT_CAT(a1, a2) a1 ## a2
      |                        ^~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:173:29: note: in expansion of macro 'DT_CAT'
  173 | #define DT_NODELABEL(label) DT_CAT(DT_N_NODELABEL_, label)
      |                             ^~~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:26:22: note: in expansion of macro 'DT_NODELABEL'
   26 | #define UARTE(idx)   DT_NODELABEL(uart##idx)
      |                      ^~~~~~~~~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:27:40: note: in expansion of macro 'UARTE'
   27 | #define UARTE_PROP(idx, prop)  DT_PROP(UARTE(idx), prop)
      |                                        ^~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:37:41: note: in expansion of macro 'UARTE_PROP'
   37 | #define   RTE_USART0_RTS_PIN            UARTE_PROP(0, rts_pin)
      |                                         ^~~~~~~~~~
/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c:305:21: note: in expansion of macro 'RTE_USART0_RTS_PIN'
  305 |         .pselrts  = RTE_USART##idx##_RTS_PIN,                             \
      |                     ^~~~~~~~~
/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c:371:1: note: in expansion of macro 'DRIVER_USART'
  371 | DRIVER_USART(0);
      | ^~~~~~~~~~~~
../zephyr/include/generated/devicetree_unfixed.h:4799:38: error: 'DT_N_S_soc_S_peripheral_40000000_S_uart_8000_P_cts_pin' undeclared here (not in a function); did you mean 'DT_N_S_soc_S_peripheral_40000000_S_uart_8000_P_tx_pin'?
 4799 | #define DT_N_NODELABEL_uart0         DT_N_S_soc_S_peripheral_40000000_S_uart_8000
      |                                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:2326:24: note: in definition of macro 'DT_CAT'
 2326 | #define DT_CAT(a1, a2) a1 ## a2
      |                        ^~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:27:32: note: in expansion of macro 'DT_PROP'
   27 | #define UARTE_PROP(idx, prop)  DT_PROP(UARTE(idx), prop)
      |                                ^~~~~~~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:2326:24: note: in expansion of macro 'DT_N_NODELABEL_uart0'
 2326 | #define DT_CAT(a1, a2) a1 ## a2
      |                        ^~
../zephyr/misc/generated/syscalls_links/include/devicetree.h:173:29: note: in expansion of macro 'DT_CAT'
  173 | #define DT_NODELABEL(label) DT_CAT(DT_N_NODELABEL_, label)
      |                             ^~~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:26:22: note: in expansion of macro 'DT_NODELABEL'
   26 | #define UARTE(idx)   DT_NODELABEL(uart##idx)
      |                      ^~~~~~~~~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:27:40: note: in expansion of macro 'UARTE'
   27 | #define UARTE_PROP(idx, prop)  DT_PROP(UARTE(idx), prop)
      |                                        ^~~~~
/opt/zephyrproject/nrf/modules/tfm/tfm/boards/board/RTE_Device.h:39:41: note: in expansion of macro 'UARTE_PROP'
   39 | #define   RTE_USART0_CTS_PIN            UARTE_PROP(0, cts_pin)
      |                                         ^~~~~~~~~~
/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c:306:21: note: in expansion of macro 'RTE_USART0_CTS_PIN'
  306 |         .pselcts  = RTE_USART##idx##_CTS_PIN,                             \
      |                     ^~~~~~~~~
/opt/zephyrproject/modules/tee/tfm/trusted-firmware-m/platform/ext/target/nordic_nrf/common/core/cmsis_drivers/Driver_USART.c:371:1: note: in expansion of macro 'DRIVER_USART'
  371 | DRIVER_USART(0);
      | ^~~~~~~~~~~~
[170/233] Building C object secure_fw/partitions/crypto/mbedcrypto/nrf_security_src/mbedtls/CMakeFiles/crypto_service_mbedcrypto_base_vanilla.dir/opt/zephyrproject/mbedtls/library/psa_crypto.o
ninja: build stopped: subcommand failed.
[103/400] Completed 'mcuboot_subimage'
FAILED: modules/trusted-firmware-m/tfm-prefix/src/tfm-stamp/tfm-build tfm/secure_fw/s_veneers.o tfm/app/libtfm_api_ns.a tfm/generated/interface/include/psa_manifest/sid.h tfm/platform/libplatform_ns.a tfm/bin/tfm_s.bin tfm/bin/tfm_s.hex tfm/bin/tfm_ns.bin tfm/bin/tfm_ns.hex tfm/bin/tfm_s_signed.bin tfm/bin/tfm_ns_signed.bin tfm/bin/tfm_s_ns_signed.bin 
cd /opt/zephyrproject/iiot-firmware-nordic-nrf91/iiot_main_firmware/build/tfm && /usr/bin/cmake --build .
ninja: build stopped: subcommand failed.
FATAL ERROR: command exited with status 1: /usr/bin/cmake --build /work/iiot_main_firmware/build

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 23 Jul 2021 12:37:31 GMT

In the meantime I managed to get rid of the SSL handshake error by setting CONFIG_MBEDTLS_PKCS1_V15=y. But I'm still not sure if the application now really uses the crypto hardware or some other backend in software (e.g. nrf_oberon backend). How can I figure out if the hardware acceleration is really in the loop? This is how menuconfig looks like:

Also my biggest question still is to what extend is the value CONFIG_MBEDTLS_HEAP_SIZE still relevant with the crypto HW? Because I expected to save RAM when moving to the Crypto-HW. That was my initial motivation for enabling the crypto hw.

Kind regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 23 Jul 2021 09:33:17 GMT

Hi Didrik Rokhaug

While I still have this handshake error I think that hw acceleration is still not yet active. Menuconfig shows me the following when inspecting CONFIG_CC3XX_BACKEND:

Why is CRYPTOCELL_USABLE set to n? Or is CONFIG_CC3XX_BACKEND=y something that I need to enable in my secure image? Does it work with SPM or do I need to switch to TF-M?

Regards,

Michael

RE: How to use CryptoCell on NRF9160

mglettig — Fri, 23 Jul 2021 06:53:54 GMT

It looks like I have much more success when trying to use the Crypto-HW with NRF v1.6. I managed to build it now with the following configuration flags:

CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_CC3XX_BACKEND=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
CONFIG_MBEDTLS_SSL_SRV_C=n
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_X509_CREATE_C=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y

While compiling works again I did not yet manage to get my application working the way it used to before HW acceleration. The https client requests fail (SSL handshake error 7780).

To what extend is the value CONFIG_MBEDTLS_HEAP_SIZE still relevant with the crypto HW?

I do not yet understand how mbedtls and the crypto acceleration play together.

Best regards,

Michael