PSA crypto features not enabled when CONFIG_MBEDTLS_LEGACY_CRYPTO_C is enabled

When utilizing PSA crypto and enabling CONFIG_MBEDTLS_LEGACY_CRYPTO_C (such as by turning on OpenThread), the PSA crypto features such as native ITS storage are not functional.

Example prj.conf with working PSA:

CONFIG_NRF_SECURITY=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y

# Enable persistent storage APIs
CONFIG_MBEDTLS_PSA_CRYPTO_STORAGE_C=y
CONFIG_PSA_NATIVE_ITS=y

CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n
CONFIG_OBERON_BACKEND=y
CONFIG_CC3XX_BACKEND=n

CONFIG_PSA_WANT_ALG_CCM=n
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_CHACHA20_POLY1305=n
CONFIG_PSA_WANT_ALG_CMAC=n
CONFIG_PSA_WANT_ALG_RIPEMD160=n
CONFIG_PSA_WANT_ALG_MD5=n
CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n
CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=y
CONFIG_PSA_WANT_ALG_CBC_PKCS7=y
CONFIG_PSA_WANT_ALG_CFB=n
CONFIG_PSA_WANT_ALG_CTR=n
CONFIG_PSA_WANT_ALG_OFB=n
CONFIG_PSA_WANT_ECC_SECP_K1_192=n
CONFIG_PSA_WANT_ECC_SECP_K1_256=y
CONFIG_PSA_WANT_ECC_SECP_R1_192=n
CONFIG_PSA_WANT_ECC_SECP_R1_224=n
CONFIG_PSA_WANT_ECC_SECP_R1_256=n
CONFIG_PSA_WANT_ECC_SECP_R1_384=n
CONFIG_PSA_WANT_ECC_SECP_R1_521=n
CONFIG_PSA_WANT_ALG_STREAM_CIPHER=n

# Force CBC to Oberon
CONFIG_PSA_CRYPTO_DRIVER_ALG_CBC_NO_PADDING_CC3XX=n
CONFIG_MBEDTLS_PSA_BUILTIN_ALG_ECDH=y

CONFIG_MBEDTLS_LEGACY_CRYPTO_C=n

This config generates build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config.h and build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h which have the PSA crypto features enabled.

Changing CONFIG_MBEDTLS_LEGACY_CRYPTO_C to y generates a build/modules/nrfxlib/nrfxlib/nrf_security/src/include/generated/nrf-config-user.h that is empty: 

/*
* Copyright (c) 2021 Nordic Semiconductor
*
* SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
*
*/

/* This file is intentionally empty.*/

This prevents the PSA crypto features from functioning. 
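
A build check for the failure described in this post, as an added example that is not part of the original post or Nordic's code: it flags PSA options that are enabled while CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y and detects a generated header that contains only comments. The prefix list and function names are assumptions of the example; run it on the merged build/zephyr/.config rather than prj.conf, since another subsystem can turn the legacy option on.

```python
import re

# Prefixes of the PSA options shown on this page; the list is an assumption
# of this example, not an exhaustive list from nRF Connect SDK.
PSA_PREFIXES = ("CONFIG_PSA_", "CONFIG_MBEDTLS_PSA_")
LEGACY = "CONFIG_MBEDTLS_LEGACY_CRYPTO_C"
_ASSIGN = re.compile(r"^(CONFIG_\w+)=(.*)$")
_NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Parse prj.conf or merged .config text; the last assignment wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ASSIGN.match(line):
            conf[m.group(1)] = m.group(2).strip().strip('"')
        elif m := _NOT_SET.match(line):
            conf[m.group(1)] = "n"
    return conf

def psa_symbols_at_risk(conf):
    """Return the enabled PSA symbols when the legacy scheme is forced."""
    if conf.get(LEGACY) != "y":
        return []
    return sorted(k for k, v in conf.items()
                  if v == "y" and k.startswith(PSA_PREFIXES))

def header_is_stub(header_text):
    """True if a generated header holds nothing but comments and whitespace."""
    no_block = re.sub(r"/\*.*?\*/", "", header_text, flags=re.S)
    no_line = re.sub(r"//[^\n]*", "", no_block)
    return no_line.strip() == ""

# Constructed sample: a few lines of the page's prj.conf with legacy enabled.
SAMPLE_CONF = """\
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_PSA_NATIVE_ITS=y
CONFIG_PSA_WANT_ALG_GCM=y
# CONFIG_PSA_WANT_ALG_CCM is not set
CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
"""
# Constructed sample: shortened form of the empty header quoted on this page.
SAMPLE_HEADER = "/*\n * Copyright (c) 2021 Nordic Semiconductor\n */\n\n/* This file is intentionally empty.*/\n"

if __name__ == "__main__":
    print(psa_symbols_at_risk(parse_kconfig(SAMPLE_CONF)))
    print(header_is_stub(SAMPLE_HEADER))
```
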

  • Hi,

    I will look into this and return with more information tomorrow.

    Regards,
    Sigurd Hellesvik

  • If you enable CONFIG_MBEDTLS_LEGACY_CRYPTO_C, this will force a legacy configuration scheme.

    Therefore, it is expected that you may lose functionality in the PSA APIs.

    If you want to use the PSA APIs with OpenThread, see how this can be configured in our OpenThread CLI sample.

    Regards,
    Sigurd Hellesvik

  • Hi Sigurd, I am trying to do AES GCM encryption on a nrf52840+7002 board. I am able to get wifi connected, send an HTTP request and get a response, and also get encryption to work by itself; however, when I add the encryption to the wifi code, I would be getting psa_aead_encrypt failed with error code of -134. From what I've read here, it looks like an expected problem?
    I've attached my prj.conf here. Could you take a look at it and let me know if there's any way I can make the PSA encryption work with wifi? I can also implement a GCM encryption myself, but it would be best if I can use the Nordic library here.

    #
    # Copyright (c) 2023 Craig Peacock.
    #
    # SPDX-License-Identifier: Apache-2.0
    #
    
    CONFIG_WIFI=y
    CONFIG_INIT_STACKS=y
    CONFIG_NET_L2_WIFI_MGMT=y
    
    CONFIG_NETWORKING=y
    CONFIG_NET_IPV4=y
    CONFIG_NET_IPV6=y
    CONFIG_NET_UDP=y
    CONFIG_NET_TCP=y
    CONFIG_DNS_RESOLVER=y
    CONFIG_DNS_RESOLVER_AI_MAX_ENTRIES=10
    
    CONFIG_NET_SOCKETS=y
    CONFIG_HTTP_CLIENT=y
    
    # Use DHCP for IPv4
    CONFIG_NET_DHCPV4=y
    
    # Or assign a static IP address (useful for testing)
    # Following line must be enabled, otherwise WiFi connection fails with -1.
    CONFIG_NET_CONFIG_SETTINGS=y
    #CONFIG_NET_CONFIG_NEED_IPV4=y
    #CONFIG_NET_CONFIG_MY_IPV4_ADDR="192.168.0.12"
    #CONFIG_NET_CONFIG_MY_IPV4_GW="192.168.0.254"
    #CONFIG_NET_CONFIG_NEED_IPV6=y
    #CONFIG_NET_CONFIG_MY_IPV6_ADDR="fe80::100"
    
    # Enabling logging can be helpful for debugging
    #CONFIG_NET_LOG=y
    #CONFIG_WIFI_LOG_LEVEL_ERR=y
    #CONFIG_NET_IPV6_LOG_LEVEL_DBG=y
    
    CONFIG_NET_TX_STACK_SIZE=2048
    CONFIG_NET_RX_STACK_SIZE=2048
    
    CONFIG_NET_PKT_RX_COUNT=10
    CONFIG_NET_PKT_TX_COUNT=10
    
    CONFIG_NET_BUF_RX_COUNT=20
    CONFIG_NET_BUF_TX_COUNT=20
    
    CONFIG_NET_MAX_CONTEXTS=10
    
    # Added to prevent error with missing #include <ethernet/eth_stats.h> for esp_wifi_drv.c
    # Adding this line will cause CMAKE Warning: No SOURCES given to Zephyr library: drivers__ethernet
    # Just ignore.
    CONFIG_NET_L2_ETHERNET=y
    
    # Enable logging
    CONFIG_CONSOLE=y
    CONFIG_LOG=y
    CONFIG_USE_SEGGER_RTT=y
    CONFIG_RTT_CONSOLE=y
    
    # Fuck, I forgot to add 7002DK's code
    CONFIG_WIFI_NRF700X=y
    
    # Include WPA Supplement. Requires POSIX_API & NET_SOCKETS.
    CONFIG_WPA_SUPP=y
    CONFIG_POSIX_API=y
    CONFIG_NET_SOCKETS=y
    
    # Required to prevent error in \wifi\nrf700x\zephyr\src\shim.c:14:10: fatal error: sys/time.h: No such file or directory
    CONFIG_NEWLIB_LIBC=y
    CONFIG_NEWLIB_LIBC_NANO=n
    
    # Required to prevent undefined reference to `z_impl_sys_rand32_get'
    CONFIG_ENTROPY_GENERATOR=y
    CONFIG_TEST_RANDOM_GENERATOR=y
    
    CONFIG_HEAP_MEM_POOL_SIZE=153600
    CONFIG_MAIN_STACK_SIZE=4096
    CONFIG_SYSTEM_WORKQUEUE_STACK_SIZE=2048
    CONFIG_NET_TX_STACK_SIZE=4096
    CONFIG_NET_RX_STACK_SIZE=4096
    
    # AES not working...
    CONFIG_NRF_SECURITY=y
    CONFIG_MBEDTLS_PSA_CRYPTO_C=y
    # CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
    # CONFIG_BUILD_WITH_TFM=y
    # CONFIG_OPENTHREAD_CRYPTO_PSA=y
    
    CONFIG_MBEDTLS_ENABLE_HEAP=y
    CONFIG_MBEDTLS_HEAP_SIZE=8192
    
    CONFIG_SYS_CLOCK_TICKS_PER_SEC=1000

  • Hi Eric,

    Can you create a new ticket for your issue?

    And refer to this one in the new ticket.

  • Hi Sigurd, thanks for getting back! I forgot where, but in another post I noticed PSA's encryption library will not work with WPA_SUPP, which is crucial for our purposes, so I've decided to use the legacy MBEDTLS library to do the AES encryptions, so probably no need to create a new ticket... thank you for the valuable information in this post though!
    -Eric

  • Hi Eric, 

    You might have seen the issue created by me here: https://devzone.nordicsemi.com/f/nordic-q-a/98977/psa_generate_key-failed-with-error--134

    I heard from the Nordic team that they are working on getting the PSA's encryption library to work with WPA_SUPP, but I am not sure about a timeline. My use case also needed that, but I had to use legacy MBEDTLS. Good decision. Maybe you can subscribe to my ticket so that you will have some news later.

    Thanks 

    Vipin Das

  • Hey Vipin, thanks for replying, yes that was the post I was talking about! It seems we have a similar situation, we also need both encryption and WPA to work... I started working on MBEDTLS today and was able to get some CBC encryptions. I have subscribed to your ticket!
    Also, I am going to work towards integrating MBEDTLS in our wifi driver. If you don't mind, if I encounter any problems, is it okay to reach out to you?
    -Best,

    Eric
