bluetooth: Add prerequisites mbedtls PSA flags #90066

Closed

xavraz
Contributor

@xavraz xavraz commented May 16, 2025

The zephyr/subsys/bluetooth/crypto/Kconfig file shall be updated to add prerequisites mbedtls PSA flags to support the MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED flag.

The zephyr/subsys/bluetooth/crypto/Kconfig file shall be updated to
add prerequisites mbedtls PSA flags to support the
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED flag.

Signed-off-by: Xavier Razavet <[email protected]>
@xavraz xavraz force-pushed the bugfix/mbtls_psa_flags branch from 84e723a to 0b04651 Compare May 16, 2025 13:27
# Copyright (c) 2022 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

config BT_CRYPTO
bool
select MBEDTLS if !BUILD_WITH_TFM
select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
select PSA_WANT_ALG_ECDSA
select PSA_WANT_ALG_JPAKE
select PSA_WANT_ALG_GCM
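
Review bot: The selects of PSA_WANT_ALG_ECDSA, PSA_WANT_ALG_JPAKE and PSA_WANT_ALG_GCM under config BT_CRYPTO are unconditional, so every build that enables BT_CRYPTO compiles these algorithms in, whether or not the Bluetooth crypto code calls them. The description gives MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED as the motivation, which is an Mbed TLS key-exchange option rather than something this subsystem is shown to use; enabling unused algorithms grows the image and the crypto surface that has to be maintained and audited. Suggest dropping these three selects here and enabling the PSA_WANT_* symbols in the configuration of the application that needs them, for example its prj.conf.
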
Member

Is support for these algorithms a new requirement or are they already used somewhere?

Contributor Author

@xavraz xavraz May 16, 2025


Hello HERMABE,
It is a new requirement for a compilation purpose for a NXP application.

Collaborator


Excuse me for my ignorance, but why would a kconfig dependency for "a NXP application" go into the Bluetooth subsys crypto kconfig?

Member


> Hello HERMABE, It is a new requirement for a compilation purpose for a NXP application.

If these algorithms are not in use by the crypto parts of the bluetooth subsystem these selects don't belong here.

Contributor Author


Hello HERNABE,
I have to compile the tests/bluetooth/tester application for example.
Because PSA mbedtls flags added require other prerequisites, I propose to update the tests/bluetooth/tester/Kconfig file by adding the following line:
# Config options for NXP application
osource "${ZEPHYR_BASE}/tests/bluetooth/tester/Kconfig.nxp"

The advantage of this method is there is no impact on the application, even if the NXP files are not present thanks to the osource "${ZEPHYR_BASE}/xxx" included in the Kconfig file.

osource definition :
It works just like source, but it doesn't throw an error if the file doesn't exist. This is useful when you want to include a Kconfig file only if it’s present, such as in optional modules or configurations.

Contributor Author


@alwa-nordic,
are you OK with my proposal?

Member


It is a bit weird to add a reference to a file that doesn't exist in-tree. If you anyway have a fork of zephyr, can you not just add it to the application prj.conf?

Collaborator


> It looks like PSA_WANT_ALG_ECB_NO_PADDING is not used so it should be removed. And we depend on the PSA API, not MBEDTLS, so those selects should probably go somewhere else too

@alwa-nordic this is correct, but as of now there is no way to tell "I need crypto support" and then let Zephyr figure out if this kind of support is to be provided through Mbed TLS or TF-M. This is why we have this kind of select in the Zephyr codebase. I agree that this is something we might want to fix sooner or later.

For the record, speaking of the PR, to the best of my knowledge none of these crypto algs are required for BT/BT-LE.

Contributor Author


> It is a bit weird to add a reference to a file that doesn't exist in-tree. If you anyway have a fork of zephyr, can you not just add it to the application prj.conf?

Hi Hermabe,
We have to add the flags in a Kconfig file, hence the proposed solution with the Kconfig.nxp.
If Kconfig.nxp is weird, a possibility would be to replace nxp with another keyword, such as Kconfig.custom, for example?

Member


What I meant was that it is weird that upstream zephyr references a file that only exists in a fork of zephyr. Can the sourcing of the kconfig file be added in the fork instead? I see no reason to have osource here since the file will not be found in the zephyr tree.

@Thalley Thalley removed their request for review May 16, 2025 13:42
@alwa-nordic alwa-nordic requested a review from valeriosetti May 19, 2025 08:45
# Copyright (c) 2022 Nordic Semiconductor ASA
# SPDX-License-Identifier: Apache-2.0

config BT_CRYPTO
bool
select MBEDTLS if !BUILD_WITH_TFM
select MBEDTLS_PSA_CRYPTO_C if !BUILD_WITH_TFM
select PSA_WANT_ALG_ECDSA
select PSA_WANT_ALG_JPAKE
select PSA_WANT_ALG_GCM
Collaborator


This zephyr/subsys/bluetooth/crypto/Kconfig file should enable only algorithms that are explicitly used in zephyr/subsys/bluetooth/crypto [1]. Computing prerequisite kconfigs should be the responsibility of the PSA subsystem. I expect it should go in a board-specific file in zephyr/modules/mbedtls.

Footnotes

  1. It looks like PSA_WANT_ALG_ECB_NO_PADDING is not used so it should be removed. And we depend on the PSA API, not MBEDTLS, so those selects should probably go somewhere else too.

@xavraz
Contributor Author

xavraz commented May 23, 2025

Hi All,
We have changed our internal environment.

Thanks for your comments.

@alwa-nordic
Collaborator

I understand you have found a different solution and you don't need this PR. Feel free to reopen the PR or continue the discussion if I'm misunderstanding.
