• State Not Answered
  • Replies 10 replies
  • Subscribers 65 subscribers
  • Views 1369 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 290800
Options

CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09

In order to use "psa_" crypto functions I use "CONFIG_NRF_SECUIRTY=y". I am also using mbedtls for TLS1.2 networking via external WiFi module

By using NRF Security, the project will no longer build

1 - The "mbedtls_ctr_drbg_*" functions are no longer configured because CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is defined which forces MBEDTLS_RNG_C to NOT be defined.  Unfortunately Zephyr build needs that since it uses ctr_drbg in random subsys.  It seems I could turn that off perhaps, but shouldn't zephyr use the external rng if defined?

2 - The "pk_wrap" file references mbedtls_pk_write_pubkey which isn't defined because PK_WRITE_C isn't defined, but adding CONFIG_MBEDTLS_PK_WRITE_C to the project config doesn't fix that since the header generation ignores that for some reason

3 - I'd also like to use MBEDTLS_DEBUG but the build forces that to 'n'

it seems CONFIG_NRF_SECURITY=y can't work out-of-the-box. ?

------ Prj 

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
#CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=97000
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_PK_WRITE_C=y

  • 0

    Hi Brian,

    Which NCS version are you using? Can you provide a minimal sample that can reproduce this issue?

    Best regards,
    Charlie

  • 0

    I am based on 1.9.1

    For 1, I found the cause, and it was my fault. The Zigbee config was calling for CTR_DRBG.

    But Shouldn't there be a way to use h/w AES for Zigbee?  the "CONFIG CRYPO_NRF_ECB" is de-selected for 5340 and the code in zigbee/osif/zb_nrf_crypto.c uses only that or CONFIG_ZIGBEE_USE_SOFTWARE_AES.  Why not NRF_SECURITY?

    For 2, Any project if you add CONFIG_NRF_SECUIRTY=y will generate headers with "MBEDTLS_PK_WRITE_C" commented out and "MBEDTLS_PK_C" defined (because of TLS/DTLS additions).  Since CONFIG_NRF_SECUIRTY=y defines MBEDTLS_USE_PSA_CRYPTO, it compiles different code in mbedtls/library/pk_wrap.c which calls mbedtls_pk_write_pubkey (around line 586).  This is plainly a bug in the configuration since MBEDTLS_PK_WRITE_C would have to be defined in this case, but there is no way to define it since the generated headers turn it off, and even adding it to the project (CONFIG_MBEDTLS_PK_WRITE_C) doesn't work since the generated headers don't include autoconf.h and the generator ignores that as well.

    For 3, Again, try any project to turn on MBEDTLS_DEBUG

  • 0 in reply to Charlie

    also, there are all kinds of other mbedtls config options disabled for what seems like no real reason.  for example, I can't turn on PEM format support because of Kconfig rules which seem not-needed.  I cant even over-ride and use a custom mbedtls config file since the generated header files are included on the command line to compile psa sources, even of you turn off generated headers. 

  • 0

    Hi Brian,

    Sorry for the late reply.

    I found we actually have sample Crypto: PSA TLS — nRF Connect SDK 1.9.1 documentation (nordicsemi.com) demonstrating how to use Nordic Security Backend.

    It is enabled with the following configuration:

    # mbed TLS and security
    CONFIG_MBEDTLS_PK_C=y
    CONFIG_MBEDTLS_RSA_C=y
    CONFIG_MBEDTLS_PKCS1_V15=y
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=55936
    CONFIG_MBEDTLS_TLS_LIBRARY=y
    CONFIG_MBEDTLS_X509_LIBRARY=y
    CONFIG_NRF_SECURITY_ADVANCED=y
    CONFIG_NORDIC_SECURITY_BACKEND=y
    You can enable mbed TLS debug with 
    CONFIG_MBEDTLS_DEBUG_C=y
    I have tested the original  Crypto: PSA TLS sample and hellow_world, and both of them have no errors for the build.
     

    For the Zigbee AES methods selection, I try to inquire our development team and still waiting for a reply.

    Best regards,

    Charlie 

  • 0 in reply to Charlie

    Thank you.  That is closer.  I am still having issues with that

    1) There are functions like "psa_export_key" which we need that aren't built with this configurati0on.  To enable that, you have to add CONFIG_MBEDTLS_PSA_CRYPTO_C=y  but that is ignored by the build. Also CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN in the prj file is ignroed (and flagged as a warning) but at least it isn't set to 1 with this configuraton

    2) The psa build doesn't properly do TLS handshake. I get an "prf" error (HW Accel Failed)

Related