CONFIG_NRF_SECURITY mbedtls generated config doesn't build

In order to use the "psa_" crypto functions I use "CONFIG_NRF_SECURITY=y". I am also using mbedtls for TLS 1.2 networking via an external WiFi module.

With NRF Security enabled, the project no longer builds:

1 - The "mbedtls_ctr_drbg_*" functions are no longer configured, because CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is defined, which forces MBEDTLS_RNG_C to NOT be defined. Unfortunately the Zephyr build needs that, since it uses ctr_drbg in the random subsystem. It seems I could perhaps turn that off, but shouldn't Zephyr use the external RNG if it is defined?

2 - The "pk_wrap" file references mbedtls_pk_write_pubkey, which isn't defined because PK_WRITE_C isn't defined, but adding CONFIG_MBEDTLS_PK_WRITE_C to the project config doesn't fix that, since the header generation ignores it for some reason.

3 - I'd also like to use MBEDTLS_DEBUG, but the build forces that to 'n'.

It seems CONFIG_NRF_SECURITY=y can't work out of the box?

------ Prj 

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
#CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=97000
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_PK_WRITE_C=y

Hi Brian,

I have two suggestions for further debugging.

1) Change to NCS 2.0.0 if you are still in the early stage of your development. From NCS 2.0.0, Trusted Firmware-M (TF-M) replaces the Secure Partition Manager (SPM) for secure image firmware. TF-M is now enabled by default for most nRF9160 and nRF5340 applications and samples. Applications and libraries in the Non-Secure Processing Environment can utilize these secure services with standardized PSA Functional APIs from TF-M. There is a high chance you will struggle with other issues when you want to upgrade to NCS 2.0.0 from NCS 1.9.1.

2) psa_export_key is used by the v1.9.1\nrf\samples\crypto\hkdf sample without any issue; please compare its usage with your code. I would really like to get a minimal sample of your code so I can review and debug it on my side.

Best regards,

Charlie
