Hi,
We are using mbedtls 2.28.9 and want to offload crypto operations to HSM from NXP imx-secure-enclave. Is the below approach correct, or please suggest alternate approaches if any?
1. Transition all APIs from traditional APIs to PSA in modules. Use PSA crypto module https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md
2. Integrate PSA module with imx-secure-enclave in our custom mbedtls
3. All modules will use custom mbedtls which will internally offload crypto operations to HSM
Or do you recommend using MBEDTLS_PK_RSA_ALT_SUPPORT and implementing the key creation/signing/export of public key operations?
Thanks,
Kavitha
Hello,
Indeed, using a PSA driver and transitioning to the PSA API is the approach I would recommend. I suggest https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/psa-driver-example... to get started with driver integration. We are aware that the tooling and documentation are unfinished, so please don't hesitate to ask for help if you get stuck.
If it's exclusively for a TLS server then another approach is MBEDTLS_SSL_ASYNC_PRIVATE (https://mbed-tls.readthedocs.io/en/latest/kb/how-to/ssl_async/). But that doesn't help if you need crypto for anything else.
I would not recommend using MBEDTLS_PK_RSA_ALT_SUPPORT in new code. It's largely untested, and will not be present in future versions of Mbed TLS or TF-PSA-Crypto.
By the way, please note that the 2.28 branch is no longer supported. The current long-time support branch is Mbed TLS 3.6.
Best regards,
🙏
kavitha bk reacted via Gmail
On Thu, Jun 12, 2025 at 11:03 AM Gilles Peskine gilles.peskine@arm.com wrote:
Hello,
Indeed, using a PSA driver and transitioning to the PSA API is the approach I would recommend. I suggest https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6/docs/psa-driver-example... to get started with driver integration. We are aware that the tooling and documentation are unfinished, so please don't hesitate to ask for help if you get stuck.
If it's exclusively for a TLS server then another approach is MBEDTLS_SSL_ASYNC_PRIVATE (https://mbed-tls.readthedocs.io/en/latest/kb/how-to/ssl_async/). But that doesn't help if you need crypto for anything else.
I would not recommend using MBEDTLS_PK_RSA_ALT_SUPPORT in new code. It's largely untested, and will not be present in future versions of Mbed TLS or TF-PSA-Crypto.
By the way, please note that the 2.28 branch is no longer supported. The current long-time support branch is Mbed TLS 3.6.
Best regards,
-- Gilles Peskine Mbed TLS developer
On 6/12/25 09:01, kavitha bk via mbed-tls wrote:
Hi,
We are using mbedtls 2.28.9 and want to offload crypto operations to HSM from NXP imx-secure-enclave. Is the below approach correct, or please suggest alternate approaches if any?
1. Transition all APIs from traditional APIs to PSA in modules. Use PSA crypto module https://github.com/Mbed-TLS/mbedtls/blob/development/docs/psa-transition.md
2. Integrate PSA module with imx-secure-enclave in our custom mbedtls
3. All modules will use custom mbedtls which will internally offload crypto operations to HSM
Or do you recommend using MBEDTLS_PK_RSA_ALT_SUPPORT and implementing the key creation/signing/export of public key operations?
Thanks,
Kavitha
mbed-tls@lists.trustedfirmware.org