[nRF Connect] Configure nrf_security (#2370)

Use mbedTLS from nrf_security library which provides hardware-accelerated cryptographic functions.
project-chip · Aug 28, 2020 · 1a91eaa · 1a91eaa
1 parent 8cfe391
commit 1a91eaa
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 48 deletions.
diff --git a/.github/workflows/examples-autotools.yaml b/.github/workflows/examples-autotools.yaml
@@ -74,7 +74,7 @@ jobs:
         runs-on: ubuntu-latest
 
         container:
-            image: connectedhomeip/chip-build-nrf-platform:0.4.1
+            image: connectedhomeip/chip-build-nrf-platform:0.4.2
             volumes:
                 - "/tmp/bloat_reports:/tmp/bloat_reports"
                 - "/tmp/output_binaries:/tmp/output_binaries"

diff --git a/config/nrfconnect/chip-lib.cmake b/config/nrfconnect/chip-lib.cmake
@@ -107,13 +107,14 @@ function(chip_configure TARGET_NAME)
         --disable-docs
         --disable-java
         --disable-device-manager
-        --with-mbedtls=${ZEPHYR_BASE}/../modules/crypto/mbedtls
         --with-crypto=mbedtls
     )
 
     append_if(CHIP_CONFIGURE_ARGS CONFIG_NET_L2_OPENTHREAD --with-openthread=${ZEPHYR_BASE}/../modules/lib/openthread)
+    append_if(CHIP_CONFIGURE_ARGS CONFIG_NORDIC_SECURITY_BACKEND --with-mbedtls=${ZEPHYR_BASE}/../mbedtls)
     append_if_not(CHIP_CONFIGURE_ARGS CHIP_BUILD_TESTS --disable-tests)
     append_if_not(CHIP_CONFIGURE_ARGS CONFIG_NET_IPV4 --disable-ipv4)
+    append_if_not(CHIP_CONFIGURE_ARGS CONFIG_NORDIC_SECURITY_BACKEND --with-mbedtls=${ZEPHYR_BASE}/../modules/crypto/mbedtls)
 
     # Define target
     ExternalProject_Add(

diff --git a/config/nrfconnect/nrfconnect-app.cmake b/config/nrfconnect/nrfconnect-app.cmake
@@ -54,8 +54,8 @@ include(chip-lib)
 
 set(CHIP_COMMON_FLAGS
     -D_SYS__PTHREADTYPES_H_
+    -DMBEDTLS_CONFIG_FILE="<nrf-config.h>"
     -isystem${ZEPHYR_BASE}/include/posix
-    -isystem${ZEPHYR_BASE}/../modules/crypto/mbedtls/configs
 )
 
 set(CHIP_OUTPUT_LIBRARIES

diff --git a/examples/lock-app/nrfconnect/main/include/app_mbedtls_config.h b/examples/lock-app/nrfconnect/main/include/app_mbedtls_config.h
diff --git a/examples/lock-app/nrfconnect/prj.conf b/examples/lock-app/nrfconnect/prj.conf
@@ -85,23 +85,24 @@ CONFIG_BT=n
 # CONFIG_BT_DEVICE_NAME_MAX=15
 # CONFIG_BT_MAX_CONN=2
 
-# mbedTLS tweaks
-CONFIG_MBEDTLS=y
+# Use mbedTLS from nrf_security library
+CONFIG_NORDIC_SECURITY_BACKEND=y
+CONFIG_OPENTHREAD_MBEDTLS=n
+
 CONFIG_MBEDTLS_ENABLE_HEAP=y
-CONFIG_MBEDTLS_BUILTIN=y
-CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=768
-CONFIG_MBEDTLS_HEAP_SIZE=10240
-CONFIG_MBEDTLS_ENTROPY_ENABLED=y
-CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y
+CONFIG_MBEDTLS_HEAP_SIZE=15360
+CONFIG_MBEDTLS_TLS_LIBRARY=y
+CONFIG_NRF_SECURITY_ADVANCED=y
+
+CONFIG_MBEDTLS_AES_C=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
-CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
-CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
-CONFIG_MBEDTLS_USER_CONFIG_FILE="app_mbedtls_config.h"
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
+CONFIG_MBEDTLS_CTR_DRBG_C=y
+CONFIG_MBEDTLS_CIPHER_MODE_CTR=y
+CONFIG_MBEDTLS_ECJPAKE_C=y
 
-#Enable entropy
+# Enable entropy
 CONFIG_ENTROPY_GENERATOR=y
 
 # Enable OpenThread

diff --git a/src/test_driver/nrfconnect/prj.conf b/src/test_driver/nrfconnect/prj.conf
@@ -81,7 +81,7 @@ CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=768
-CONFIG_MBEDTLS_HEAP_SIZE=10240
+CONFIG_MBEDTLS_HEAP_SIZE=15360
 CONFIG_MBEDTLS_ENTROPY_ENABLED=y
 CONFIG_MBEDTLS_CTR_DRBG_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_MODE_CTR_ENABLED=y