Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

RE: Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Einar Thorsrud — Thu, 05 May 2022 13:20:57 GMT

Hi,

Thank you for explaining the background, that is good to know. Generally I suspect that in a situation like you describe we might also issue a notice about the issue and how it can be fixed by for instance updating a specific component (like mbed TLS) or provide a patch. That is hypothetical, though. (Also note that mbed TLS is not much used in the SDK and it is an external component that we do not maintain). Other than that, you should ask your regional Nordic sales representative about details about (potential) future releases.

RE: Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Engineer01 — Thu, 05 May 2022 13:01:10 GMT

Hi,

Thank you for the inputs. It is not required to update as of now since there are no vulnerabilities. But its a general requirement here to keep the cryptographic libraries to latest version due to security implications. I am assuming that latest versions might be more robust against vulnerabilities. Is it possible that Nordic will release new SDK with updated mbed TLS libraries in future if serious vulnerabilities are identified in 2.16.10?

Regards,

RE: Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Einar Thorsrud — Thu, 05 May 2022 12:48:10 GMT

Hi,

I did not get a chanse to test this myself today. However, even though there should not be API changes there are quite a lot of changes, added functionality, etc between mbed TLS 2.16.10 and 2.28, so I expect you will need to work a bit on updating (at least adjust build configuration, mbedTLS configuration script (), etc.). This will typically be the same if you replace any library.

[quote user="Engineer01"]Also, i w2ould like to know if there are any risks of using mbed tls which has not gone through official release testing from nordic?[/quote]

I do not see any particular risk with updating to a newer mbed TLS version of the same major version. However, we only test what is in the SDK, and and cannot make any guarantees for anything else. This is up to you and your choice.

[quote user="Engineer01"]Are there any plans to upgrade the nordic SDK with mbed tls v2.28.0 in the near future?[/quote]

I generally cannot comment on roadmap questions here, but as you see in the nRF Connect SDK and nRF5 SDK statement, the nRF5 SDK is in maintenance mode and you should not expect many updated going forward.

One thing though, why do you need to update mbed TLS at this point? What this means is that EOL'ed versions will not get updates, but that does not mean that it is suddenly bad or more vulnerable than it was before. When there are new security issues found in mbed TLS you may want to update, but that could just as well be an issue introduced in a later version, (and then you would have to do this exercise again at that point).

RE: Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Engineer01 — Wed, 04 May 2022 12:43:18 GMT

Thank you for the information. I cloned v2.28.0 from https://github.com/Mbed-TLS/mbedtls/blob/v2.28.0/BRANCHES.md and added it to my project. However, i got the following error

1. Fatal Error[Pe035]: #error directive: "MBEDTLS_CERTS_C defined, but not all prerequisites "source\modules\external\mbedtls\include\mbedtls\check_config.h 828

I then replaced the contents of "check_config.h" as per the contents of "check_config.h" in mbed tls v2.4.2. This resolved the error. However, i have following linker errors

Linking
Error[Li005]: no definition for "mbedtls_platform_zeroize" [referenced from application\pca10040\s132\iar\_build\ctr_drbg.o]
Error[Li005]: no definition for "mbedtls_chachapoly_update" [referenced from application\pca10040\s132\iar\_build\cipher.o]
Error[Li005]: no definition for "mbedtls_chachapoly_free" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chachapoly_init" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chachapoly_setkey" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chacha20_free" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chacha20_init" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chacha20_setkey" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error[Li005]: no definition for "mbedtls_chacha20_update" [referenced from application\pca10040\s132\iar\_build\cipher_wrap.o]
Error while running Linker

Total number of errors: 9

Please help. Also, i w2ould like to know if there are any risks of using mbed tls which has not gone through official release testing from nordic? Are there any plans to upgrade the nordic SDK with mbed tls v2.28.0 in the near future?

RE: Can we use latest MBED tls 2.28.0 or 3.1.0 with latest Nordic SDK for nrf52832

Einar Thorsrud — Wed, 04 May 2022 11:51:21 GMT

Hi,

We have only done release testing with the mbed TLS version that is part of the SDK release (this is the same with all external SDK components). That said, mbed TLS releases of the same minor versions should be API compatible, so I expect you should not have much problems replacing only mbed TLS.