• State Not Answered
  • Replies 5 replies
  • Subscribers 74 subscribers
  • Views 1029 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 288539
Options

Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Engineer01

Hi,

I see that the latest Nordic SDK (v17.1.0) supports mbed TLS version of 2.16.10 only. However, we have received a End of life notification for the same (Mbed TLS 1.3, 1.4, 2.0 ≤ 2.7, 2.14 ≤ 2.18 - End of Life Notification (EOL)). Please let us know if it is possible to use the latest version of mbed TLS (2.28.0 or 3.1.0) with the SDK. We are using NRF_CRYPTO_BACKEND_MBEDTLS_AES_CCM_ENABLED and  NRF_CRYPTO_BACKEND_NRF_HW_RNG_MBEDTLS_CTR_DRBG_ENABLED in sdk_config.h file.

 

Regards,

  • 0

    Hi,

    We have only done release testing with the mbed TLS version that is part of the SDK release (this is the same with all external SDK components). That said, mbed TLS releases of the same minor versions should be API compatible, so I expect you should not have much problems replacing only mbed TLS.

  • 0 in reply to Einar Thorsrud

    Thank you for the information. I cloned v2.28.0 from https://github.com/Mbed-TLS/mbedtls/blob/v2.28.0/BRANCHES.md and added it to my project. However, i got the following error

    1. Fatal Error[Pe035]: #error directive: "MBEDTLS_CERTS_C defined, but not all prerequisites "source\modules\external\mbedtls\include\mbedtls\check_config.h 828

    I then replaced the contents of "check_config.h" as per the contents of "check_config.h" in mbed tls v2.4.2. This resolved the error. However, i have following linker errors 

    Linking
    Error[Li005]: no definition for "mbedtls_platform_zeroize" [referenced from application\pca10040\s132\iar\_build\ctr_drbg.o]
    Error[Li005]: no definition for "mbedtls_chachapoly_update" [referenced from application\pca10040\s132\iar\_build\cipher.o]
    Error[Li005]: no definition for "mbedtls_chachapoly_free" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chachapoly_init" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chachapoly_setkey" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chacha20_free" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chacha20_init" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chacha20_setkey" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error[Li005]: no definition for "mbedtls_chacha20_update" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
    Error while running Linker

    Total number of errors: 9

    Please help. Also, i w2ould like to know if there are any risks of using mbed tls which has not gone through official release testing from nordic? Are there any plans to upgrade the nordic SDK with mbed tls v2.28.0 in the near future?

  • 0 in reply to Engineer01

    Hi,

    I did not get a chanse to test this myself today. However, even though there should not be API changes there are quite a lot of changes, added functionality, etc between mbed TLS 2.16.10 and 2.28, so I expect you will need to work a bit on updating (at least adjust build configuration, mbedTLS configuration script (), etc.). This will typically be the same if you replace any library.

    Engineer01 said:
    Also, i w2ould like to know if there are any risks of using mbed tls which has not gone through official release testing from nordic?

    I do not see any particular risk with updating to a newer mbed TLS version of the same major version. However, we only test what is in the SDK, and and cannot make any guarantees for anything else. This is up to you and your choice.

    Engineer01 said:
    Are there any plans to upgrade the nordic SDK with mbed tls v2.28.0 in the near future?

    I generally cannot comment on roadmap questions here, but as you see in the nRF Connect SDK and nRF5 SDK statement, the nRF5 SDK is in maintenance mode and you should not expect many updated going forward.

    One thing though, why do you need to update mbed TLS at this point? What this means is that EOL'ed versions will not get updates, but that does not mean that it is suddenly bad or more vulnerable than it was before. When there are new security issues found in mbed TLS you may want to update, but that could just as well be an issue introduced in a later version, (and then you would have to do this exercise again at that point).

  • 0 in reply to Einar Thorsrud

    Hi,

    Thank you for the inputs. It is not required to update as of now since there are no vulnerabilities. But its a general requirement here to keep the cryptographic libraries to latest version due to security implications. I am assuming that latest versions might be more robust against vulnerabilities. Is it possible that Nordic will release new SDK with updated mbed TLS libraries in future if serious vulnerabilities are identified in 2.16.10? 

    Regards,

  • 0 in reply to Engineer01

    Hi,

    Thank you for explaining the background, that is good to know. Generally I suspect that in a situation like you describe we might also issue a notice about the issue and how it can be fixed by for instance updating a specific component (like mbed TLS) or provide a patch. That is hypothetical, though. (Also note that mbed TLS is not much used in the SDK and it is an external component that we do not maintain). Other than that, you should ask your regional Nordic sales representative about details about  (potential) future releases.

Related
Terms of service