Hi Simon,
Indeed while the migration is underway things can be a bit confusing, so let me try to clarify:
* releases can be found at: https://github.com/ARMmbed/mbedtls/releases - near the top you'll alwys find the latest development release followed by the latest LTS releases. At this point it is unclear if releases are going to stay on github or if they would move to trustedfrimware.org in the future, but if anything changes, we'll announce it.
* announcements about new releases and other important project events are made on the new Mbed-tls-announce mailing-list: https://github.com/ARMmbed/mbedtls/releases - if you're already subscribed to mbed-tls (this list), you don't need to subscribe to the "announce" mailing list in addition, as any post to "announce" is automatically cross-posted here ("announce" is for people who want a lower volume list).
* I don't think we're currently making announcements about upcoming releases, but I know we considered that. Unfortunately I don't remember the details and the colleague who was working on improving our release process is on leave now. But it we start making such announcements, they'll be on the "announce" list.
* We're currently planning 2.16.8 early in September.
* If you have a large number of products deployed that depend on Mbed TLS (or indeed any other tf.org project) and would like to be notified in advance of upcoming security fixes, please see the following pages: https://developer.trustedfirmware.org/w/mbed-tls/security-center/https://developer.trustedfirmware.org/w/collaboration/security_center/repor…https://developer.trustedfirmware.org/w/collaboration/security_center/trust…
I hope this answers your questions, and feel free to ask otherwise.
Manuel.
________________________________
From: mbed-tls <mbed-tls-bounces(a)lists.trustedfirmware.org> on behalf of Simon Leet via mbed-tls <mbed-tls(a)lists.trustedfirmware.org>
Sent: 14 August 2020 15:13
To: mbed-tls(a)lists.trustedfirmware.org <mbed-tls(a)lists.trustedfirmware.org>
Subject: [mbed-tls] LTS roadmap and announcement channel?
Hi folks,
I understand that https://tls.mbed.org/ has migrated under the umbrella of https://www.trustedfirmware.org/ but it’s not clear where I should turn to for information about the updates to the LTS versions. The https://tls.mbed.org/tech-updates blog used to announce LTS branch updates but seems defunct as of 2.16.7, and I can’t find equivalent information in https://developer.trustedfirmware.org/w/mbed-tls/roadmap/, https://github.com/ARMmbed/mbedtls/projects/2 or the generic https://www.trustedfirmware.org/blog/.
Is there a new channel for information about upcoming LTS mbedtls releases so that users can plan their appropriate upgrade cycles? E.g. when is 2.16.8 roughly expected to be released? Is the new model for monitoring release announcements reliably going to be as a new tag on https://github.com/ARMmbed/mbedtls/tags?
-Simon
Hi everyone,
Hope you are still going well
I am now working on MbedTLS to establish a key exchange with a BGM which has a TRNG
, and I read that I have to implement myself a function called «mbedTLS_hardware_poll »
But I have no idea to know how I can implement this function zlthough I read articles on the mbedtls.com about entropy site…. Can you help me, to know how I can implement this function ?
Hi all,
We have implemented the PSA Functional API for a custom secure environment
which passes PSA Arch tests.
Now we would like to run mbedtls tests (make check) on the PSA API if
possible.
When we run "make check", it includes and compiles library/psa_crypto.c file
for mbedTLS's PSA API Implementation.
Herein, we would like to compile our own psa_crypto.c implementation, does
mbedtls build system allow us to include custom PSA API Implementation to
run tests?
Thank you.
Murat
Hello,
The interface of the Diffie-Hellman (DHM) module is modeled on the way
it's used in TLS, which is a bit different from the classical
presentation. You can find code examples in programs/pkey/dh_client.c
and programs/pkey/dh_server.c .
Elliptic-curve Diffie-Hellman (provided by the ECDH module) has similar
security properties and is significantly faster. If you don't need
interoperability with legacy software that only supports classical
(finite-field) Diffie-Hellman, you should use ECDH rather than DHM. With
the ECDH module, you can use either the same TLS-inspired interface as
the DHM module, or a more classical interface for which there is a usage
example in psa_crypto.c in the function psa_key_agreement_ecdh.
Hope this helps,
--
Gilles Peskine
Mbed TLS developer
You can find an example of the TLS-like inter
On 12/08/2020 14:02, youssouf sokhona via mbed-tls wrote:
>
> Hello, I hope you are going well during this Covid crisis.
>
>
>
> I'm sending you this message to find out how to generate a Diffie
> Hellman key using MbedTLS. Indeed, with all the documentation, I'm a
> bit lost.
>
>
>
> I think, you have to use the int mbedtls_dhm_set_group function to
> create p and g. And then, I don't know how to use which function...
> Moreover, I can't find any function that allows to set a and b,
> whereas they are 2 fundamental elements
>
> Can you help me? Thank you!
>
>
>
> Best regards, YS
>
>
>
Hello,
Short version: to use the official tools to configure Mbed TLS, or to
run the unit tests, you need Python. If we start requiring Python 3.5,
is this going to be a problem?
Detailed version:
Mbed TLS includes four Python scripts that are of interest to users,
with a fifth one in preparation:
* scripts/config.py : compile-time configuration (unless you prefer to
edit config.h directly).
* scripts/generate_psa_constants.py : to build
programs/psa/psa_constant_names (we have a pending task to commit the
result instead of requiring it during the build).
* tests/scripts/generate_test_code.py : necessary to build the unit tests.
* tests/scripts/mbedtls_test.py : does anyone use this? It's for testing
on platforms with Greentea, but some of the automation is missing.
* upcoming: a script to generate glue code for accelerator and secure
element drivers. We'll also provide a manual way, but it won't be as
convenient.
This is a question to everyone who's building Mbed TLS and using some of
these scripts: is it ok if they require Python 3.5?
Currently:
* scripts/config.py requires Python 3.5.
* scripts/generate_psa_constants.py requires Python 3.3.
* tests/scripts/generate_test_code.py still works with Python 2.7.
* tests/scripts/mbedtls_test.py still works with Python 2.7.
* the driver glue code generation script will require Python 3.5, or
Python 3.4 + typing.
Is there any demand for versions of Python before 3.5?
--
Gilles Peskine
Mbed TLS developer
Hello, I hope you are going well during this Covid crisis.
I'm sending you this message to find out how to generate a Diffie Hellman key using MbedTLS. Indeed, with all the documentation, I'm a bit lost.
I think, you have to use the int mbedtls_dhm_set_group function to create p and g. And then, I don't know how to use which function... Moreover, I can't find any function that allows to set a and b, whereas they are 2 fundamental elements
Can you help me? Thank you!
Best regards, YS
Hi Frank,
We have now updated the links both on the download-archive and releases site and now they point to https://github.com/ARMmbed/mbedtls/releases, where all the releases are available.
We also have added checksums to the release notes on github and fixed the archive structure.
Thank you very much for pointing these issues out!
Cheers,
Janos
(Mbed TLS developer)
On 04/08/2020, 19:06, "mbed-tls on behalf of Frank Bergmann via mbed-tls" <mbed-tls-bounces(a)lists.trustedfirmware.org on behalf of mbed-tls(a)lists.trustedfirmware.org> wrote:
Hi,
2.16.7 was released on github more than one month ago (2020-07-01).
But it is not listed on
- download archive at https://tls.mbed.org/download-archive
- release news at https://tls.mbed.org/tech-updates/releases
Questions about that:
- Is it an "official" release even if it is not mentioned on release news?
- When will it be available in download archive?
- If there will be no more addings to download archive because now we'll
have to use github:
* Will there be separate releases GPL/Apache available?
* Will a signed/unsigned check sum be provided?
* Will the "new structure" as provided by tarball on github be kept
in future or was it just an accident? (e.g. main dir is named
"mbedtls-mbedtls-2.16.7")
I started using mbed TLS with 2.16.6 but now I am confused. ;-)
cheers,
Frank
--
mbed-tls mailing list
mbed-tls(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/mbed-tls
Hi Frank,
I confirm that 2.16.7 is an official release of the 2.16 long-time
support branch of Mbed TLS, alongside 2.7.16 for the 2.7 branch and
2.23.0 for the latest features. Everyone should update to one of these
versions since they fix security issues and other bugs.
We're progressively transitioning the project from Arm infrastructure to
TrustedFirmware infrastructure. Eventually we'll decommission the
existing tls.mbed.org, and we intend to distribute releases via
trustedfirmware.org. We no longer intend to reference new releases
directly on https://tls.mbed.org/download-archive . For the time being,
we're distributing via GitHub. However, it isn't right that
https://tls.mbed.org/download-archive links to
https://github.com/ARMmbed/mbedtls/releases/ which doesn't list LTS
branches. We need to link from https://tls.mbed.org/download-archive to
the place that has the latest LTS releases one way or the other.
There are no longer separate archives with Apache and GPL licenses.
These archives were always identical except for license headers. Now LTS
releases are distributed as a single archive in which the files are
dual-licensed.
The naming with mbedtls-mbedtls- must be a bug in our release script.
Thanks for noticing.
I don't think we made a conscious decision not to provide official
checksums. I can see the value of having them so let's try to
incorporate those in our new release process.
--
Gilles Peskine
Mbed TLS developer
On 04/08/2020 19:05, Frank Bergmann via mbed-tls wrote:
> Hi,
>
> 2.16.7 was released on github more than one month ago (2020-07-01).
> But it is not listed on
> - download archive at https://tls.mbed.org/download-archive
> - release news at https://tls.mbed.org/tech-updates/releases
>
> Questions about that:
> - Is it an "official" release even if it is not mentioned on release news?
> - When will it be available in download archive?
> - If there will be no more addings to download archive because now we'll
> have to use github:
> * Will there be separate releases GPL/Apache available?
> * Will a signed/unsigned check sum be provided?
> * Will the "new structure" as provided by tarball on github be kept
> in future or was it just an accident? (e.g. main dir is named
> "mbedtls-mbedtls-2.16.7")
>
> I started using mbed TLS with 2.16.6 but now I am confused. ;-)
>
> cheers,
> Frank
>
>
