Hi
We are using mbedtls 2.28.9 and want to offload crypto operations to HSM
from NXP imx-secure-enclave.
is the below approach correct or please suggest alternate approaches if any?
1.Transition all apis from traditional apis to psa in modules
Use PSA crypto module
https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md
2. Integrate PSA module with imx-secure-enclave in our custom mbedtls
3. All modules will use custom mbedtls which will internally offload crypto
operations to HSM
or Do you recommend to use MBEDTLS_PK_RSA_ALT_SUPPORT? and implement the
key creation/signing/export of public key operations ?
Thanks,
Kavitha
Hi!
We are working with Mbed TLS 3.6.0 library and need the following information:
1.
Is there any End-Of-Life date planned for this library?
2. What is the current version?
3. How can we obtain support for the library enquiries? Does this support has a cost?
4.
How is the library update? Does this update has a cost?
5.
Are this library Open Source?
Thanks in advance for your help! 🙂
Have a great day!
Héctor J. Solís Castillo
Embedded Engr I
Honeywell | HTS Building Automation
990, Av. Eje 5 Norte, Mexico City
CDMX
hectorjose.solis(a)honeywell.com<mailto:hectorjose.solis@honeywell.com>
honeywell.com<http://www.honeywell.com/>
Pronouns: He/Him<https://www.mypronouns.org/what-and-why>
Hello,
I have the following two certificate chains: server <- intermediateCA <-
rootCA and client <- intermediateCA <- rootCA.
Currently there are two ways the client is authenticated by the server:
both the intermediateCA and rootCA certificates are configured as CAs on
the server or if only intermediateCA is configured.
I am using a custom verify callback set by mbedtls_ssl_conf_verify().
I would like to achieve two separate cases:
1) Make the MbedTLS' built-in pre-verify be successful, even when only
the rootCA certificate is set as the server's CA.
2) Always obtain the whole certificate chain up to the root in the
verify callback.
For case 1) this is how our OpenSSL TLS implementation works, it is
discussed here <https://github.com/openssl/openssl/issues/7871>. From my
understanding the server should be able to build the certificate chain
by inquiring the client about its certificate's issuer, etc.
For case 2), whenever both rootCA and intermediateCA are configured on
the server, only the chain client <- intermediateCA is received by the
callback. I would like to be able to receive the chain client <-
intermediateCA <- rootCA.
Are these two cases achievable with mbedTLS? For reference I am using
mbedTLS 3.5.2. For my server I would like to utilize both cases 1) and
2) and for the client only the case 1).
Kind regards,
Roman Janota
Hello,
I notice in 'crypto.h' of mbedTLS 3.6.3, PSA_CRYPTO_API_VERSION_MAJOR & PSA_CRYPTO_API_VERSION_MINOR show the version implemented as v1.0.
Per the github page of TF-PSA-Crypto (https://github.com/Mbed-TLS/TF-PSA-Crypto/blob/development/README.md), the implementation is of v1.1. I verified that this mismatch between the README and crypto.h exists on the development branch of TF-PSA-Crypto as well.
What is the correct version implemented, as of mbedTLS 3.6.3?
Regards,
Kevin
Hi,
I'm trying to build the mbedtls v3.6.3 for an embedded 386 device. The
build is configured as `crypto_baremetal`. In the snippet below I use the
make build process with a GCC 11.2 cross toolchain that's installed in
`/opt/x-tools/i386-elf but the build process ends with an error:
```
(venv) dev [ /workspaces/mbedtls ]$ make
CC=/opt/x-tools/i386-elf/bin/i386-elf-gcc
AR=/opt/x-tools/i386-elf/bin/i386-elf-ar
make[1]: Entering directory '/workspaces/mbedtls/library'
CC aes.c
CC aesni.c
CC aesce.c
...
CC src/certs.c
CC src/psa_test_wrappers.c
CC src/test_helpers/ssl_helpers.c
make[1]: Leaving directory '/workspaces/mbedtls/tests'
make[1]: Entering directory '/workspaces/mbedtls/programs'
CC aes/crypt_and_hash.c
/opt/x-tools/i386-elf/lib/gcc/i386-elf/11.2.0/../../../../i386-elf/bin/ld:
cannot find crt0.o: No such file or directory
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:160: aes/crypt_and_hash] Error 1
make[1]: Leaving directory '/workspaces/mbedtls/programs'
make: *** [Makefile:34: programs] Error 2
(venv) dev [ /workspaces/mbedtls ]$
```
So I have two questions:
This error says it fails to link find crt0.o but the output
(library/libmbedcrypto.a) exists and looks ok (altho I've yet to try
linking against it). Is the error message spurious or is the library it
produced unusable?
Do I really need a version of crt0.o to link successfully? (The same
configuration builds with no errors using the host's x64 compiler toolchain
- and that toolchain also doesn't have a crt0.o file).
Thanks in advance!
Hi,
I'm the main developer of Leshan Library. This is a Java open source
implementation of LWM2M protocol hosted at Eclipse Foundation.
We currently use Scandium (from Californium Project) as DTLS library.
This library fits our needs until now but we have some concerns about
future-proofness of it (Especially, there is no plan for DTLS 1.3) and
there is no support of TLS.
So we explore some other way for the future.
I had consider to use OpenJdk but there is a lot of missing IoT
Features. I contact OpenJdk security dev and they makes me understand
politely that IoT is not the priority (at least this is my understanding)
Another solution we explore would be to use an mbedtls Java binding.
(as mbedtls is well supported and focus IoT)
There is a not official one at :
https://github.com/open-coap/kotlin-mbedtls
*Questions :
*
1. Is there any official java binding ?
2. If no, is there any plan for that kind of binding ?
3. If no, if there is a community initiative could it be hosted by you ?
Thx,
Simon
MBed-TLS Technical Forum - Asia
Every 4 weeks from 10am to 10:50am on Monday
United Kingdom Time
Trusted Firmware is inviting you to a scheduled Zoom meeting.Topic:
MBed-TLS Technical Forum - AsiaTime: Jun 16, 2025 10:00 AM London
Every 4 weeks on Mon, 39 occurrence(s)Please download and import the
following iCalendar (.ics) files to your calendar system.Weekly:
https://linaro-org.zoom.us/meeting/tJMqcuGuqDotGtIbACm498ytl0ZhydWKdu1b/ics…
Zoom
Meetinghttps://linaro-org.zoom.us/j/97758661706?pwd=baMjUvnWbY20z3ignQca7QVahhozkI.1Meeting
ID: 977 5866 1706Passcode: 577208---One tap
mobile+16892781000,,97758661706# US+17193594580,,97758661706# US---Dial by
your location• +1 689 278 1000 US• +1 719 359 4580 US• +1 253 205 0468 US•
+1 253 215 8782 US (Tacoma)• +1 301 715 8592 US (Washington DC)• +1 305 224
1968 US• +1 309 205 3325 US• +1 312 626 6799 US (Chicago)• +1 346 248 7799
US (Houston)• +1 360 209 5623 US• +1 386 347 5053 US• +1 507 473 4847 US•
+1 564 217 2000 US• +1 646 558 8656 US (New York)• +1 646 931 3860 US• +1
669 444 9171 US• +1 669 900 9128 US (San Jose)• 833 548 0282 US Toll-free•
833 928 4608 US Toll-free• 833 928 4609 US Toll-free• 833 928 4610 US
Toll-free• 877 853 5247 US Toll-free• 888 788 0099 US Toll-free• 833 548
0276 US Toll-freeMeeting ID: 977 5866 1706Find your local number:
https://linaro-org.zoom.us/u/acdtApJNbc
Guests
mbed-tls(a)lists.trustedfirmware.org
psa-crypto(a)lists.trustedfirmware.org
View all guest info
https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh…
Reply for mbed-tls(a)lists.trustedfirmware.org and view more details
https://calendar.google.com/calendar/event?action=VIEW&eid=NjI4c3NnYjFoZHRh…
Your attendance is optional.
~~//~~
Invitation from Google Calendar: https://calendar.google.com/calendar/
You are receiving this email because you are an attendee on the event.
Forwarding this invitation could allow any recipient to send a response to
the organizer, be added to the guest list, invite others regardless of
their own invitation status, or modify your RSVP.
Learn more https://support.google.com/calendar/answer/37135#forwarding
Hi all,
I am writing in behalf of Security Pattern, a security firm specialized
in embedded systems.
We are a member of the QUBIP European Funded Project (https://qubip.eu),
which aims at transitioning protocols, networks, and systems to Post
Quantum algorithms.
As a result of the project, we have integrated a set of Post Quantum
algorithms in the TLS1.3 stack of the MbedTLS code (see here
https://github.com/QUBIP/pq-mqtt-client-mbedtls).
We have code running on STM32 Nucleo board in two versions:
the former is a full software, by leveraging the crypto primitives
provided in a library developed by another partner, the latter using a
Secure Element emulated by FPGA connected via I2C (also developed by
another partner of QUBIP).
Our main work has beed dedicated to integrating the new hybrid KEM and
signatures (MLKEM768-x25519 and MLDSA44-Ed25519) into the TLS stack, in
order to demonstrate communication with an MQTT broker running OpenSSL.
At the current stage we are about to publish the code on github with MIT
license (here https://github.com/QUBIP/pq-mqtt-client-mbedtls).
Meanwhile, we think the effort we made could be of help for MBedTLS
development/developers. So I would like to ask if you can address me to
some contact that is responsible in MbedTLS or ARM about the PQC
transition or the best way to facilitate the use/integration of our work.
Best Regards,
Alberto
--
Security Pattern <https://www.securitypattern.com/>
Alberto Battistello
Senior Security Engineer
M. +39 333 3239810
Via G. Boccaccio, 58 | 25080 Mazzano (BS) | Italy | P.I. 03943650980
www.securitypattern.com
<https://www.securitypattern.com/?utm_source=newsletter&utm_medium=email&utm…>
| Follow Linkedin <https://www.linkedin.com/company/securitypattern/> |
We value your privacy
<https://www.iubenda.com/privacy-policy/40319464/legal>
