CONFIG_NRF_SECURITY mbedtls generated config doesn't build

In order to use "psa_" crypto functions I use "CONFIG_NRF_SECURITY=y". I am also using mbedtls for TLS 1.2 networking via an external WiFi module.

With NRF Security enabled, the project no longer builds:

1 - The "mbedtls_ctr_drbg_*" functions are no longer configured because CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is defined, which forces MBEDTLS_RNG_C to NOT be defined. Unfortunately the Zephyr build needs that, since it uses ctr_drbg in the random subsys. It seems I could perhaps turn that off, but shouldn't Zephyr use the external RNG if it is defined?

2 - The "pk_wrap" file references mbedtls_pk_write_pubkey, which isn't defined because PK_WRITE_C isn't defined, but adding CONFIG_MBEDTLS_PK_WRITE_C to the project config doesn't fix that, since the header generation ignores it for some reason.

3 - I'd also like to use MBEDTLS_DEBUG, but the build forces that to 'n'.

It seems CONFIG_NRF_SECURITY=y can't work out of the box?

------ Prj 

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
#CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=97000
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_PK_WRITE_C=y

  • I am based on 1.9.1

    For 1, I found the cause, and it was my fault. The Zigbee config was calling for CTR_DRBG.

    But shouldn't there be a way to use h/w AES for Zigbee? "CONFIG_CRYPTO_NRF_ECB" is deselected for 5340, and the code in zigbee/osif/zb_nrf_crypto.c uses only that or CONFIG_ZIGBEE_USE_SOFTWARE_AES. Why not NRF_SECURITY?

    For 2, in any project, if you add CONFIG_NRF_SECURITY=y the generated headers will have "MBEDTLS_PK_WRITE_C" commented out and "MBEDTLS_PK_C" defined (because of the TLS/DTLS additions). Since CONFIG_NRF_SECURITY=y defines MBEDTLS_USE_PSA_CRYPTO, it compiles different code in mbedtls/library/pk_wrap.c which calls mbedtls_pk_write_pubkey (around line 586). This is plainly a bug in the configuration, since MBEDTLS_PK_WRITE_C would have to be defined in this case, but there is no way to define it: the generated headers turn it off, and even adding it to the project (CONFIG_MBEDTLS_PK_WRITE_C) doesn't work, since the generated headers don't include autoconf.h and the generator ignores it as well.

    For 3, again, try turning on MBEDTLS_DEBUG in any project.
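Points 1 and 2 of the question and the reply above both come down to one thing: a generated mbed TLS config header whose enabled options don't match what the rest of the build needs, with no way to override it from prj.conf. The script below is an added example, not code from this thread, Nordic Semiconductor or mbed TLS. It parses a header in that format (`#define`, `#undef`, and commented-out `#define` lines), reports which needed options the generator left off, and checks the single dependency the reply identifies: with MBEDTLS_USE_PSA_CRYPTO and MBEDTLS_PK_C enabled, MBEDTLS_PK_WRITE_C must be enabled too. The sample header, the names `parse_mbedtls_config`, `diagnose`, `RULES` and `SAMPLE_HEADER`, and the command-line path are all constructed for the example.

```python
"""Added example: check a generated mbed TLS config header for the
inconsistencies described in this thread.  Not code from the thread,
Nordic Semiconductor, or mbed TLS; the sample header below is constructed."""
import re

# Constructed sample in the style of a generated mbed TLS config header.
# It reproduces the state the poster describes: PSA crypto and the external
# RNG enabled, MBEDTLS_PK_C on, MBEDTLS_PK_WRITE_C / CTR_DRBG / DEBUG off.
SAMPLE_HEADER = """\
/* constructed sample, not a real generated file */
#define MBEDTLS_USE_PSA_CRYPTO
#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
#define MBEDTLS_PK_C
//#define MBEDTLS_PK_WRITE_C
/* #define MBEDTLS_CTR_DRBG_C */
//#define MBEDTLS_DEBUG_C
#define MBEDTLS_SSL_TLS_C
"""

# Only MBEDTLS_* options are tracked; whitespace between '#' and the
# directive is tolerated, as the preprocessor tolerates it.
ENABLED_RE = re.compile(r"^\s*#\s*define\s+(MBEDTLS_[A-Z0-9_]+)\b")
UNDEF_RE = re.compile(r"^\s*#\s*undef\s+(MBEDTLS_[A-Z0-9_]+)\b")
COMMENTED_RE = re.compile(r"^\s*(?://|/\*)\s*#\s*define\s+(MBEDTLS_[A-Z0-9_]+)\b")

# Dependency taken from the thread: with MBEDTLS_USE_PSA_CRYPTO, pk_wrap.c
# calls mbedtls_pk_write_pubkey, which only exists when MBEDTLS_PK_WRITE_C is on.
# Each rule is (options that must all be enabled, option then required, reason).
RULES = [
    ({"MBEDTLS_USE_PSA_CRYPTO", "MBEDTLS_PK_C"}, "MBEDTLS_PK_WRITE_C",
     "pk_wrap.c references mbedtls_pk_write_pubkey under MBEDTLS_USE_PSA_CRYPTO"),
]


def parse_mbedtls_config(text):
    """Return (enabled, disabled) sets of MBEDTLS_* option names.

    A commented-out '#define' counts as explicitly disabled, and a later
    '#define' or '#undef' overrides an earlier line, as it would for the compiler.
    """
    enabled, disabled = set(), set()
    for line in text.splitlines():
        m = ENABLED_RE.match(line)
        if m:
            enabled.add(m.group(1))
            disabled.discard(m.group(1))
            continue
        m = UNDEF_RE.match(line)
        if m:
            enabled.discard(m.group(1))
            disabled.add(m.group(1))
            continue
        m = COMMENTED_RE.match(line)
        if m and m.group(1) not in enabled:
            disabled.add(m.group(1))
    return enabled, disabled


def diagnose(header_text, needed):
    """Compare a generated header against what the application needs.

    'needed' is the set of options the rest of the build requires (for the
    poster: CTR_DRBG for the Zigbee RNG, MBEDTLS_DEBUG_C for TLS debugging).
    Returns the needed options that are not enabled (and whether the generator
    turned them off or never emitted them) plus the dependency rules above
    that the header violates.
    """
    enabled, disabled = parse_mbedtls_config(header_text)
    report = {"missing_needed": {}, "unmet_dependencies": []}
    for option in sorted(needed):
        if option not in enabled:
            status = "disabled by generated header" if option in disabled else "absent"
            report["missing_needed"][option] = status
    for conditions, required, reason in RULES:
        if conditions <= enabled and required not in enabled:
            report["unmet_dependencies"].append((required, sorted(conditions), reason))
    return report


if __name__ == "__main__":
    # Run against a real generated header instead of the sample, e.g.
    #   python check_mbedtls_config.py <path-to-generated-config.h>   (path is an assumption)
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEADER
    result = diagnose(text, {"MBEDTLS_CTR_DRBG_C", "MBEDTLS_DEBUG_C", "MBEDTLS_SSL_TLS_C"})
    for option, status in result["missing_needed"].items():
        print(f"needed but not enabled: {option} ({status})")
    for required, conditions, reason in result["unmet_dependencies"]:
        print(f"{required} must be enabled when {' and '.join(conditions)} are: {reason}")
```

Run it against the header the build actually generated to see the real state rather than the sample. A "disabled by generated header" result is exactly the situation the reply describes: the option is written out commented, so setting the corresponding CONFIG_MBEDTLS_* symbol in prj.conf changes nothing, and the fix has to happen in the generator's configuration rather than in the application.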
