CONFIG_NRF_SECURITY mbedtls generated config doesn't build

In order to use "psa_" crypto functions I use "CONFIG_NRF_SECURITY=y". I am also using mbedtls for TLS1.2 networking via an external WiFi module.

By using NRF Security, the project will no longer build:

1 - The "mbedtls_ctr_drbg_*" functions are no longer configured because CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is defined, which forces MBEDTLS_RNG_C to NOT be defined. Unfortunately the Zephyr build needs that since it uses ctr_drbg in the random subsys. It seems I could turn that off perhaps, but shouldn't Zephyr use the external RNG if defined?

2 - The "pk_wrap" file references mbedtls_pk_write_pubkey, which isn't defined because PK_WRITE_C isn't defined, but adding CONFIG_MBEDTLS_PK_WRITE_C to the project config doesn't fix that since the header generation ignores it for some reason.

3 - I'd also like to use MBEDTLS_DEBUG, but the build forces that to 'n'.

It seems CONFIG_NRF_SECURITY=y can't work out of the box?

------ prj.conf

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS=y
#CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=97000
CONFIG_APP_LINK_WITH_MBEDTLS=y
CONFIG_MBEDTLS_PK_WRITE_C=y

  • Hi Brian,

    I have two suggestions for further debugging.

    1) Change to NCS 2.0.0 if you are still in the early age of your development. From NCS 2.0.0, Trusted Firmware M (TF-M) replaces the Secure Partition Manager (SPM) for secure image firmware. TF-M is now enabled by default for most nRF9160 and nRF5340 applications and samples. Applications and libraries in the Non-secure Processing Environment can utilize these secure services with standardized PSA Functional APIs from TF-M. There is a high chance you will struggle with other issues when you want to upgrade from NCS 1.9.1 to NCS 2.0.0.

    2) psa_export_key is used by the v1.9.1\nrf\samples\crypto\hkdf sample without any issue; please compare its usage with your code. I really hope to get minimal samples of your code so I can review and debug your code on my side.

    Best regards,

    Charlie

  • Thank you.

    I have had to stop using PSA. It is too overlapped with mbedtls in the SDK config, and mbedtls TLS connections don't work when using PSA (handshake fails due to a hw accel failure error).

    Is there any way to just enable the PSA API (or even the cc3x API) without any changes to the mbedtls build/API/config?
