CONFIG_NRF_SECURITY mbedtls generated config doesn't build

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

Charlie — Fri, 24 Jun 2022 13:55:30 GMT

Hi Brian,

This Legacy Crypto Support mentioned in Configuration — nrfxlib 2.0.0 documentation (nordicsemi.com) should allow you to use the Mbed TLS crypto toolbox as previously way.

Best regards,

Charlie

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Thu, 23 Jun 2022 13:53:12 GMT

Thank you.

I have had to stop using psa. It is too overlapped with mbedtls in the SDK config, and mbedtls TLS connections don't work when using psa (handshake fails due to hw accel failure error).

Is there any way to just enable psa API (or sven cc3x api) without any changes to mbedtls build/API/config?

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

Charlie — Thu, 23 Jun 2022 13:35:54 GMT

Hi Brian,

I have two suggestions for further debugging.

1) Change to NCS 2.0.0 if you are still in the early aga of your development. From NCS2.0.0, Trusted Firmware M (TF-M) replaces the Secure Partition Manager (SPM) for secure image firmware. TF-M is now enabled by default for most nRF9160 and nRF5340 applications and samples. Applications and Libraries in the Non-secure Processing Environment can utilize these secure services with standardized PSA Functional APIs from TF-M. You will high chance struggle with other issues when you want to upgrade to NCS2.0.0 from NCS1.9.1.

2) psa_export_key is used by v1.9.1\nrf\samples\crypto\hkdf sample without any issue, please compare its usages with your codes. I really hope to get minimal samples of your codes so I can review and debug your codes on my side.

Best regards,

Charlie

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Wed, 22 Jun 2022 17:44:18 GMT

Actually, this is even worse it turns out. The symbol CONFIG_PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT is never defined so you aren't really using crypto h/w in this sample. Just psa functions which happen to just call back to mbedtls s/w functions to do the work.

This is really wrong as far as I can tell

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Wed, 22 Jun 2022 16:57:04 GMT

Also, CONFIG_MBEDTLS_DEBUG_C=y is ignored and not defined in the generated header.

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Wed, 22 Jun 2022 16:55:31 GMT

Thank you. That is closer. I am still having issues with that

1) There are functions like "psa_export_key" which we need that aren't built with this configurati0on. To enable that, you have to add CONFIG_MBEDTLS_PSA_CRYPTO_C=y but that is ignored by the build. Also CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN in the prj file is ignroed (and flagged as a warning) but at least it isn't set to 1 with this configuraton

2) The psa build doesn't properly do TLS handshake. I get an "prf" error (HW Accel Failed)

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

Charlie — Wed, 22 Jun 2022 14:14:46 GMT

Hi Brian,

Sorry for the late reply.

I found we actually have sample Crypto: PSA TLS — nRF Connect SDK 1.9.1 documentation (nordicsemi.com) demonstrating how to use Nordic Security Backend.

It is enabled with the following configuration:

# mbed TLS and security

CONFIG_MBEDTLS_PK_C=y

CONFIG_MBEDTLS_RSA_C=y

CONFIG_MBEDTLS_PKCS1_V15=y

CONFIG_MBEDTLS_ENABLE_HEAP=y

CONFIG_MBEDTLS_HEAP_SIZE=55936

CONFIG_MBEDTLS_TLS_LIBRARY=y

CONFIG_MBEDTLS_X509_LIBRARY=y

CONFIG_NRF_SECURITY_ADVANCED=y

CONFIG_NORDIC_SECURITY_BACKEND=y

You can enable mbed TLS debug with

CONFIG_MBEDTLS_DEBUG_C=y

I have tested the original Crypto: PSA TLS sample and hellow_world, and both of them have no errors for the build.

For the Zigbee AES methods selection, I try to inquire our development team and still waiting for a reply.

Best regards,

Charlie

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Fri, 17 Jun 2022 14:10:13 GMT

also, there are all kinds of other mbedtls config options disabled for what seems like no real reason. for example, I can't turn on PEM format support because of Kconfig rules which seem not-needed. I cant even over-ride and use a custom mbedtls config file since the generated header files are included on the command line to compile psa sources, even of you turn off generated headers.

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

bdodge09 — Fri, 17 Jun 2022 11:21:48 GMT

I am based on 1.9.1

For 1, I found the cause, and it was my fault. The Zigbee config was calling for CTR_DRBG.

But Shouldn't there be a way to use h/w AES for Zigbee? the "CONFIG CRYPO_NRF_ECB" is de-selected for 5340 and the code in zigbee/osif/zb_nrf_crypto.c uses only that or CONFIG_ZIGBEE_USE_SOFTWARE_AES. Why not NRF_SECURITY?

For 2, Any project if you add CONFIG_NRF_SECUIRTY=y will generate headers with "MBEDTLS_PK_WRITE_C" commented out and "MBEDTLS_PK_C" defined (because of TLS/DTLS additions). Since CONFIG_NRF_SECUIRTY=y defines MBEDTLS_USE_PSA_CRYPTO, it compiles different code in mbedtls/library/pk_wrap.c which calls mbedtls_pk_write_pubkey (around line 586). This is plainly a bug in the configuration since MBEDTLS_PK_WRITE_C would have to be defined in this case, but there is no way to define it since the generated headers turn it off, and even adding it to the project (CONFIG_MBEDTLS_PK_WRITE_C) doesn't work since the generated headers don't include autoconf.h and the generator ignores that as well.

For 3, Again, try any project to turn on MBEDTLS_DEBUG

RE: CONFIG_NRF_SECURITY mbedtls generated config doesn't build

Charlie — Fri, 17 Jun 2022 10:27:22 GMT

Hi Brian,

Which NCS version are you using? Can you provide a minimal sample that can reproduce this issue?

Best regards,
Charlie