PSA crypto features not enabled when CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled

When using PSA crypto and enabling CONFIG_MBEDTLS_LEGACY_CRYPTO_C (such as by turning on OpenThread), the PSA crypto features such as native ITS storage are not functional.

Example prj.conf with working PSA:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n
CONFIG_OBERON_BACKEND=y
CONFIG_CC3XX_BACKEND=n

CONFIG_PSA_WANT_ALG_CCM=n
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=n
CONFIG_PSA_WANT_ALG_CMAC=n
CONFIG_PSA_WANT_ALG_RIPEMD160=n
CONFIG_PSA_WANT_ALG_MD5=n
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
CONFIG_PSA_WANT_ALG_CFB=n
CONFIG_PSA_WANT_ALG_CTR=n
CONFIG_PSA_WANT_ALG_OFB=n
CONFIG_PSA_WANT_ECC_SECP_K1_192=n
CONFIG_PSA_WANT_ECC_SECP_K1_256=y
CONFIG_PSA_WANT_ECC_SECP_R1_192=n
CONFIG_PSA_WANT_ECC_SECP_R1_224=n
CONFIG_PSA_WANT_ECC_SECP_R1_256=n
CONFIG_PSA_WANT_ECC_SECP_R1_384=n
CONFIG_PSA_WANT_ECC_SECP_R1_521=n
CONFIG_PSA_WANT_ALG_STREAM_CIPHER=n

# Force CBC to Oberon
CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_CC3XX=n
CONFIG_MBEDTLS_PSA_BUILTIN_ALG_ECDH=y

CONFIG_MBEDTLS_LEGACY_CRYPTO_C=n

This config generates build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config.h and build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h which have the PSA crypto features enabled.

Changing CONFIG_MBEDTLS_LEGACY_CRYPTO_C to y generates a build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h that is empty: 

/*
* Copyright (c) 2021 Nordic Semiconductor
*
* SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
*
*/

/* This file is intentionally empty.*/

This prevents the PSA crypto features from functioning. 
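A post-build check for the symptom described in the post above, as an added example (not code from the original post or from Nordic). The function names and sample inputs are constructed for illustration, and the non-empty header uses a made-up macro.

```python
import re

LEGACY = "CONFIG_MBEDTLS_LEGACY_CRYPTO_C"
# PSA options from the post's working prj.conf that rely on the PSA config scheme.
PSA_OPTIONS = ("CONFIG_MBEDTLS_PSA_CRYPTO_C",
               "CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C",
               "CONFIG_PSA_NATIVE_ITS")

def parse_conf(text):
    """Parse prj.conf / .config text into {symbol: value}; later lines win."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(CONFIG_\w+)=(.*)$", line)  # comment lines never match
        if m:
            opts[m.group(1)] = m.group(2).strip().strip('"')
    return opts

def header_defines(text):
    """Macro names #defined in a header, with C comments stripped first."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.findall(r"^[ \t]*#[ \t]*define[ \t]+(\w+)", text, flags=re.M)

def check(conf_text, user_header_text):
    """Return findings for the mismatch reported in the thread."""
    opts = parse_conf(conf_text)
    wanted = [o for o in PSA_OPTIONS if opts.get(o) == "y"]
    findings = []
    if wanted and opts.get(LEGACY) == "y":
        findings.append(LEGACY + "=y together with " + ", ".join(wanted))
    if wanted and not header_defines(user_header_text):
        findings.append("nrf-config-user.h has no #define but PSA options are set")
    return findings

# Constructed inputs: a cut-down prj.conf and the empty header quoted in the post.
CONF_PSA_ONLY = """CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=n
"""
CONF_LEGACY = CONF_PSA_ONLY.replace(LEGACY + "=n", LEGACY + "=y")
EMPTY_HEADER = "/*\n* Copyright (c) 2021 Nordic Semiconductor\n*/\n\n/* This file is intentionally empty.*/\n"
STANDIN_HEADER = "#define EXAMPLE_PSA_FEATURE 1  /* made-up macro, not Nordic's */\n"

if __name__ == "__main__":
    for finding in check(CONF_LEGACY, EMPTY_HEADER):
        print("WARNING:", finding)
```

In a real build, pass the merged build/zephyr/.config rather than prj.conf, since the legacy option can be turned on indirectly (the post mentions OpenThread doing so).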

  • Hi,

    I will look into this and return with more information tomorrow.

    Regards,
    Sigurd Hellesvik

  • If you enable CONFIG_MBEDTLS_LEGACY_CRYPTO_C, this will force a legacy configuration scheme.

    Therefore, it is expected that you may lose functionality in the PSA APIs.

    If you want to use the PSA APIs with OpenThread, see how this can be configured in our OpenThread CLI sample.

    Regards,
    Sigurd Hellesvik

  • Additionally, CONFIG_OPENTHREAD_CRYPTO_PSA now depends on BUILD_WITH_TFM, which is not possible with the nrf52840, as it doesn't have a secure / non-secure mode.

  • zcornelius said:
    After some experimentation, I was able to get CONFIG_OPENTHREAD_CRYPTO_PSA working without CONFIG_MBEDTLS_LEGACY_CRYPTO_C, but it required patching nrfxlib, as several features are only enabled in the legacy config file template, and not when using just PSA.

    Sweet, good job!

    Thanks for all the bug reports! I will address them below:

    zcornelius said:
    After some experimentation, I was able to get CONFIG_OPENTHREAD_CRYPTO_PSA working without CONFIG_MBEDTLS_LEGACY_CRYPTO_C, but it required patching nrfxlib, as several features are only enabled in the legacy config file template, and not when using just PSA.

    This one we already have tracked internally, but it is not fixed yet.

    zcornelius said:
    Additionally, CONFIG_OPENTHREAD_CRYPTO_PSA now depends on BUILD_WITH_TFM, which is not possible with the nrf52840, as it doesn't have a secure / non-secure mode.

    Sounds like a bug to me, so I have reported it.

    zcornelius said:
    After some experimentation, I was able to get CONFIG_OPENTHREAD_CRYPTO_PSA working without CONFIG_MBEDTLS_LEGACY_CRYPTO_C, but it required patching nrfxlib, as several features are only enabled in the legacy config file template, and not when using just PSA.

    I have not reported this as a bug yet, but I have asked our developers about it, to see if there is a reason for these not to be included.

    Regards,
    Sigurd Hellesvik

  • Sigurd Hellesvik said:
    I have not reported this as a bug yet, but I have asked our developers about it, to see if there is a reason for these not to be included.

    Our developers have got this message, and they are looking into it.

    Thanks again for the detailed explanation of your fix, and good luck onwards.

    Regards,
    Sigurd Hellesvik

  • Hi Sigurd, I am trying to do AES GCM encryption on an nrf52840+7002 board. I am able to get wifi connected, send an HTTP request and get a response, and also get encryption to work by itself. However, when I add the encryption to the wifi code, I would be getting psa_aead_encrypt failed with error code of -134. From what I've read here, it looks like an expected problem?
    I've attached my prj.conf here. Could you take a look at it and let me know if there's any way I can make the PSA encryption work with wifi? I can also implement a GCM encryption myself, but it would be best if I can use the Nordic library here.

    #
    # Copyright (c) 2023 Craig Peacock.
    #
    # SPDX-License-Identifier: Apache-2.0
    #
    
    CONFIG_WIFI=y
    CONFIG_INIT_STACKS=y
    CONFIG_NET_L2_WIFI_MGMT=y
    
    CONFIG_NETWORKING=y
    CONFIG_NET_IPV4=y
    CONFIG_NET_IPV6=y
    CONFIG_NET_UDP=y
    CONFIG_NET_TCP=y
    CONFIG_DNS_RESOLVER=y
    CONFIG_DNS_RESOLVER_AI_MAX_ENTRIES=10
    
    CONFIG_NET_SOCKETS=y
    CONFIG_HTTP_CLIENT=y
    
    # Use DHCP for IPv4
    CONFIG_NET_DHCPV4=y
    
    # Or assign a static IP address (useful for testing)
    # Following line must be enabled, otherwise WiFi connection fails with -1.
    CONFIG_NET_CONFIG_SETTINGS=y
    #CONFIG_NET_CONFIG_NEED_IPV4=y
    #CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.168.0.12"
    #CONFIG_NET_CONFIG_MY_IPV4_GW="192.168.0.254"
    #CONFIG_NET_CONFIG_NEED_IPV6=y
    #CONFIG_NET_CONFIG_MY_IPV6_ADDR="fe80::100"
    
    # Enabling logging can be helpful for debugging
    #CONFIG_NET_LOG=y
    #CONFIG_WIFI_LOG_LEVEL_ERR=y
    #CONFIG_NET_IPV6_LOG_LEVEL_DBG=y
    
    CONFIG_NET_TX_STACK_SIZE=2048
    CONFIG_NET_RX_STACK_SIZE=2048
    
    CONFIG_NET_PKT_RX_COUNT=10
    CONFIG_NET_PKT_TX_COUNT=10
    
    CONFIG_NET_BUF_RX_COUNT=20
    CONFIG_NET_BUF_TX_COUNT=20
    
    CONFIG_NET_MAX_CONTEXTS=10
    
    # Added to prevent error with missing #include <ethernet/eth_stats.h> for esp_wifi_drv.c
    # Adding this line will cause CMAKE Warning: No SOURCES given to Zephyr library: drivers__ethernet
    # Just ignore.
    CONFIG_NET_L2_ETHERNET=y
    
    # Enable logging
    CONFIG_CONSOLE=y
    CONFIG_LOG=y
    CONFIG_USE_SEGGER_RTT=y
    CONFIG_RTT_CONSOLE=y
    
    # Fuck, I forgot to add 7002DK's code
    CONFIG_WIFI_NRF700X=y
    
    # Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
    CONFIG_WPA_SUPP=y
    CONFIG_POSIX_API=y
    CONFIG_NET_SOCKETS=y
    
    # Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
    CONFIG_NEWLIB_LIBC=y
    CONFIG_NEWLIB_LIBC_NANO=n
    
    # Required to prevent undefined reference to `z_impl_sys_rand32_get'
    CONFIG_ENTROPY_GENERATOR=y
    CONFIG_TEST_RANDOM_GENERATOR=y
    
    CONFIG_HEAP_MEM_POOL_SIZE=153600
    CONFIG_MAIN_STACK_SIZE=4096
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
    CONFIG_NET_TX_STACK_SIZE=4096
    CONFIG_NET_RX_STACK_SIZE=4096
    
    # AES not working...
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    # CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
    # CONFIG_BUILD_WITH_TFM=y
    # CONFIG_OPENTHREAD_CRYPTO_PSA=y
    
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=8192
    
    CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000
