- mbed-tls - lists.trustedfirmware.org

Re: [EXTERNAL] Re: mbedtls_platform_setup/teardown in TF-M ?

by Shebu Varghese Kuriakose

+ Mbed TLS mailing list for visibility… Regards, Shebu From: Rehan Malak via TF-M <tf-m(a)lists.trustedfirmware.org> Sent: Monday, July 10, 2023 9:44 AM To: Antonio De Angelis <Antonio.DeAngelis(a)arm.com>; tf-m(a)lists.trustedfirmware.org Subject: [TF-M] Re: [EXTERNAL] Re: mbedtls_platform_setup/teardown in TF-M ? Hi Antonio, Thanks a lot for your answer ! Looking at the MbedTLS github link you sent (and the one therein) - https://github.com/Mbed-TLS/mbedtls/issues/6228 PSA: separate driver initialization with a nicer fixed ordering - https://github.com/Mbed-TLS/mbedtls/issues/6007 Define the PSA subsystem initialization interface in Mbed TLS it seems that for the best would be indeed to provide feedback to the MbedTLS/PSA team such that TF-M could just run the adequate psa_* functions. Thanks ! Rehan Intrinsic ID ________________________________ From: Antonio De Angelis <Antonio.DeAngelis(a)arm.com<mailto:Antonio.DeAngelis@arm.com>> Sent: Saturday, July 8, 2023 12:13 AM To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>; Rehan Malak <Rehan.Malak(a)intrinsic-id.com<mailto:Rehan.Malak@intrinsic-id.com>> Subject: [EXTERNAL] Re: mbedtls_platform_setup/teardown in TF-M ? Hi Rehan, This looks like a non-PSA standardized feature specific to mbed TLS. We don't have any platform in TF-M that requires such setup/teardown so I can't comment from experience, but to me it looks like this would be an mbed TLS specific feature that needs to be hooked underneath the service and into the library. The most natural choice would be indeed to have them as part of the psa_crypto_init() and lower functions, but at this stage I think is not possible to implement this without patching the source code (i.e. there are no options to allow this at build time in TF-M, at least). Note also that mbed TLS has a on open ongoing issue to better define the initialisation sequence for the various operations in psa_crypto_init(): PSA: separate driver initialization with a nicer fixed ordering · Issue #6228 · Mbed-TLS/mbedtls (github.com)<https://github.com/Mbed-TLS/mbedtls/issues/6228> It might be a good place to start to provide feedback regarding this particular aspect of custom platform initialisation if is not being considered there. To conclude, if you want to propose a patch for TF-M to allow such functions to be plugged in (in the meantime that mbed TLS agrees on the long term course of action), I will be happy to review it. Thanks, Antonio ________________________________ From: Rehan Malak via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> Sent: Friday, July 7, 2023 13:15 To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>> Subject: [TF-M] mbedtls_platform_setup/teardown in TF-M ? Dear TF-M developers, I am currently adapting a basic MbedTLS / PSA Crypto example such that it would run on the NS side with TF-M doing the crypto. At the end, this is very similar to this psa_sign_verify_message_test from the NS crypto test suite : https://git.trustedfirmware.org/TF-M/tf-m-tests.git/tree/test/secure_fw/sui… But my build config of MbedTLS has MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT enabled because I have a custom mbedtls_platform_setup / mbedtls_platform_teardown. And I can't see any place in TF-M where mbedtls_platform_setup/mbedtls_platform_teardown are called : ? -> mbedtls_platform_setup ? -> mbedtls_platform_teardown At first, I tried to put this code into the psa_driver_wrapper_init/psa_driver_wrapper_free but I have a similar problem : tfm_crypto_engine_init -> psa_crypto_init -> psa_driver_wrapper_init ? -> mbedtls_psa_crypto_free -> psa_driver_wrapper_free Is there any cmake/Kconfig option or any C macros to hook TF-M initialization/shutdown with mbedtls_platform_setup/mbedtls_platform_teardown without patching TF-M ? If not, could mbedtls_platform_setup be called here ? https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/secure_fw/… or is there a nicer way of doing this ? (btw, I am currently experimenting on qemu mps2-an521) Thanks for any advice ! 🙂 Best regards, Rehan MALAK Intrinsic ID

2 years, 2 months

2
1
0 0

Python version requirements

by Gilles Peskine

Hello, This is a question for integrators and packagers of Mbed TLS, especially if you're integrating the library in some embedded OS or BSP. To build, configure and test Mbed TLS, we use Python for several purposes: * To configure the library with scripts/config.py, unless you use the default configuration or write your own configuration from scratch. * To generate some configuration-independent library source files, but only if you use the development branch, not if you use a release or an LTS branch. * To generate some glue code for PSA drivers, if you use PSA drivers and don't write the glue code by hand. * To generate the unit test source files. * (We have many more maintenance and test scripts but they're out of scope here.) (Python is not necessary, and will remain unnecessary, to configure and build the library with a given set of hardware drivers, so that a typical BSP will not have to depend on Python.) For each of these purposes, how problematic is it if we require a recent version of Python? We're currently planning to drop support for older versions of Python as soon as they become unsupported upstream (so officially dropping 3.8 now — although right now all scripts still work on 3.5). This includes versions of Python that are still shipped in e.g. Linux distributions that are themselves officially supported. Is there demand for supporting older Python versions for some scripts? Also, how problematic is it if some of these purposes require third-party Python packages? Best regards, -- Gilles Peskine Mbed TLS developer

2 years, 2 months

1
0
0 0

Reminder: MBed TLS Tech Forum - US/Europe External

by Don Harbin

Hi All, A gentle reminder that the US-Europe timezone-friendly MBed TLS Tech forum is next Monday at 4:30 PM UK time. Invite details can be found on the online calendar here <https://www.trustedfirmware.org/meetings/>. If you have any topics, please let Dave Rodgman know. :) Best regards, Don Harbin TrustedFirmware Community Manager don.harbin(a)linaro.org

2 years, 2 months

1
1
0 0

Fwd: [Tf-openci-triage] FYI; Cambridge Lab Down

by Don Harbin

FYI to all TF dev teams leveraging Open CI. Best regards, Don ---------- Forwarded message --------- From: Glen Valante via Tf-openci-triage < tf-openci-triage(a)lists.trustedfirmware.org> Date: Fri, 23 Jun 2023 at 08:41 Subject: [Tf-openci-triage] FYI; Cambridge Lab Down To: tf-openci-triage(a)lists.trustedfirmware.org < tf-openci-triage(a)lists.trustedfirmware.org> Hello All; FYI; the Cambridge lab took a serious power hit and is down. They are scrambling to get things back up, but it may take all weekend. Expect LAVA failures and other strange results. Thanks; -g -- [image: Linaro] <http://www.linaro.org> Glen Valante | *Director Program & Project Management* T: +1.508.517.3461 <1617-320-5000> glen.valante(a)linaro.org | Skype: gvalante <callto:gvalante> -- Tf-openci-triage mailing list -- tf-openci-triage(a)lists.trustedfirmware.org To unsubscribe send an email to tf-openci-triage-leave(a)lists.trustedfirmware.org

2 years, 2 months

1
0
0 0

Global entropy required for TLS 1.3?

by Jethro Beekman

The MbedTLS generally allows you to pass in an RNG callback for each function that requires it. This is even explicitly called out in the 3.x migration guide: > The RNG parameter is now mandatory for all functions that accept one https://github.com/Mbed-TLS/mbedtls/blob/a7d454cec2/docs/3.0-migration-guid… However, TLS 1.3 support requires MBEDTLS_PSA_CRYPTO_C https://github.com/Mbed-TLS/mbedtls/blob/a7d454cec2/include/mbedtls/check_c… And MBEDTLS_PSA_CRYPTO_C requires MBEDTLS_ENTROPY_C or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG https://github.com/Mbed-TLS/mbedtls/blob/a7d454cec2/include/mbedtls/check_c… This seems to go against the general rule that MbedTLS doesn't require any global state. Was this done intentionally? -- Jethro Beekman | Fortanix

2 years, 3 months

2
2
0 0

Regarding adding a new encryption algorithm in mbedtls

by Vishal Rathod

Dear sir/madam, Hope you are doing good! We are working on a lightweight TLS implementation for embedded hardware and want to add our own algorithm inside mbedTLS. As per my knowledge, we have to add a .h file in mbedtls/include/mbedtls and .c file in the library. Also, we have to list our algorithm in library/CMakeLists.txt. Except these, what should be the procedure? Also, our task is during handshake, the receiver chooses our algorithm instead of the default one for encryption and decryption. If someone could help us regarding this then it would be great. Thanks in advance. Regards, -- *Dr. Vishal J. Rathod* *(Member - IEEE, ACM, IET)* *Senior Project Engineer (SPE),* *IoT R & D Group,* *C-DAC, Electronic City,* *Bengaluru, Karnataka, India.* *Email ID: rathodvishal78(a)gmail.com <rathodvishal78(a)gmail.com> and * vishalrathod(a)ieee.org *Mobile - 9879957770*

2 years, 3 months

1
0
0 0

Feature idea for mbedtls_net_connect()

by Alexander Timofeev

Hi! I am a new MbedTLS user and would like to say thanks to devs first! From my point of view mbedtls_net_connect() could handle binding socket to a specified local client port. Although it does not seem to be a common requirement and bloats API a little bit but otherwise user has to throw away mbedtls_net_connect() and implement connection function by their hands. Best, Alex

2 years, 3 months

1
0
0 0

Re: [psa-crypto] Benchmark application for PSA crypto API's

by Stephan Koch

Hi Ruchika, as an addition to the previous answers, there is also the SecureMark-TLS benchmark from EEMBC that "Analyzes the costs associated with implementing TLS on an edge device using a common IoT cyphersuite comprised of ECC & ECDSA on the NIST secp256r1 curve, SHA256, and AES128-CCM/ECB", see: https://www.eembc.org/securemark/ It provides profiles to run benchmarks against Mbed TLS API, PSA Crypto API, and wolfSSL, see sources here: https://github.com/eembc/securemark-tls/tree/main/examples/selfhosted/profi… The chosen cipher-suite is similar to the TF-M medium profile and it allows estimates of speed and power consumption for TLS on microcontrollers. It also allows to add - manually - footprint data. Best Stephan From: Ruchika Gupta via psa-crypto <psa-crypto(a)lists.trustedfirmware.org> Reply to: Ruchika Gupta <ruchika.gupta_1(a)nxp.com> Date: Tuesday, 16 May 2023 at 13:40 To: "mbed-tls(a)lists.trustedfirmware.org" <mbed-tls(a)lists.trustedfirmware.org>, "psa-crypto(a)lists.trustedfirmware.org" <psa-crypto(a)lists.trustedfirmware.org> Subject: [psa-crypto] Benchmark application for PSA crypto API's Hi, For mbedtls API’s, there is a benchmark application available. Are there any plans to implement benchmark application for PSA crypto APIs ? Regards, Ruchika

2 years, 3 months

2
3
0 0

Benchmark application for PSA crypto API's

by Ruchika Gupta

Hi, For mbedtls API's, there is a benchmark application available. Are there any plans to implement benchmark application for PSA crypto APIs ? Regards, Ruchika

2 years, 3 months

3
4
0 0

PSA key slot management functions access private structure members

by S Krishnan, Archanaa

Hello, In mbedLS v3.4.0, I came across a build error that there are no members for type and flag in psa_core_keyattributes_t structure. The following functions in psa_crypto_core.h access private members type and flag of psa_core_keyattributes_t structure without the MBEDTLS_PRIBATE() private access. * psa_is_key_slot_occupied() * psa_key_slot_get_flags() * psa_key_slot_set_flags() * psa_key_slot_set_bits_in_flags() * psa_key_slot_clear_bits() Updating to private access for attribute struct members in psa_crypto_core.h fixed the build errors. Regards, Archanaa

2 years, 4 months

2
4
0 0

2025

2024

2023

2022

2021

2020

mbed-tls