• State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 91 subscribers
  • Views 1266 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 285309
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

mbedtls_ctr_drbg_reseed_internal() goes straight to z_arm_usage_fault() in mbedtls cert req example

randomdude

I am trying to get this example program https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.11.0/programs/x509/cert_req.c (stripped out all the file handling stuff) to run on an nrf9160, but it fails to seed the RNG. I stepped through the mbedtls_ctr_drbg_seed() function, right to the call to mbedtls_ctr_drbg_reseed_internal(), in which the first line is this:

 if( ctx->entropy_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )

ctx->entropy_len is 32 and MBEDTLS_CTR_DRBG_MAX_SEED_INPUT should be 384, but when I grep for MBEDTLS_CTR_DRBG_MAX_SEED_INPUT in the project directory, I can't see it being defined anywhere. If that were the case, it should evaluate to 0 and the condition should become true, which would cause the function to return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG.

Instead, it goes directly to z_arm_usage_fault() and that is that.

I can't make any sense of this. Is there anyone who can help getting this to work?

  • +1

    Hi,

    That example will not work out of the box on the nRF9160. For nRF9160 projects that use the modem, the application must be built for non-secure. And the only entropy source available to the application in the nRF9160 is the CC310 TRNG which is only available from secure mode. If your application is in non-secure, you must use something to bridge the secure-nonsecure domian. In the nRF Connect SDK that is either the Secure Partition Manager (SPM) which provides entropy as a secure service, or Trusted Firmware-M.

    If you just need RNG, then the SPM is good enough. SPM does not support a lot of other crypto features though (in case you want to use CryptoCell), so if you need more then you should consider TF-M. This is still experimental, though.

    In either secure or non-secure case if you only need RNG you can use the CC310 Entropy driver, and that can be used via Zephyr Entropy APIs. You can refer to the old Endropy driver sample to see how this is used.

  • 0 in reply to Einar Thorsrud

    Hi,

    the links you provided were quite helpful.

    After a bit of reading I found what I was looking for in zephyr's PSA crypt sample, and managed to combine that with the HTTPS sample from the nrf sdk.

    Cheers!

Related
Terms of service