Hello,
I am migrating a Honeywell ACM system on i.MX6Q (PCIMX6Q5EVT10AA) from Linux Kernel 4.14 + Mbed TLS 2.1.0 to Linux Kernel 6.6 + Mbed TLS 3.3.0.
Reason for migration:
Under Mbed TLS 2.1.0, we observed a hang in mbedtls_x509_crt_verify() during certificate chain verification.
Upgrading to Mbed TLS 3.3.0 resolved that certificate verification hang.
Current issue:
During boot, the system now hangs while validating a 19 MB image file with SHA-256.
mbedtls_sha256_file is removed/deprecated in newer Mbed TLS, so we replaced it with streaming calls.
The board hangs while processing the file loop (during/around mbedtls_sha256_update).
Environment:
Observed behavior:
    #include <stdio.h>
    #include "mbedtls/sha256.h"

    /* F1IMG_ERR_FILE_IO is the project's own error code, defined elsewhere. */
    int mbedtls_sha256_file(const char *path, unsigned char output[32], int is224)
    {
        FILE *f = NULL;
        size_t n;
        int ret = 0;
        mbedtls_sha256_context ctx;
        unsigned char buf[4096];

        f = fopen(path, "rb");
        if (f == NULL) return F1IMG_ERR_FILE_IO;

        mbedtls_sha256_init(&ctx);
        ret = mbedtls_sha256_starts(&ctx, is224);
        if (ret != 0) goto cleanup;

        /* Feed the file to the hash in 4096-byte chunks. */
        while ((n = fread(buf, 1, sizeof(buf), f)) > 0) {
            ret = mbedtls_sha256_update(&ctx, buf, n);
            if (ret != 0) goto cleanup;
        }
        /* fread returning 0 means EOF or a read error; tell them apart. */
        if (ferror(f) != 0) {
            ret = F1IMG_ERR_FILE_IO;
            goto cleanup;
        }

        ret = mbedtls_sha256_finish(&ctx, output);

    cleanup:
        mbedtls_sha256_free(&ctx);
        if (f != NULL) fclose(f);
        return ret;
    }
Thanks in advance.
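
One way to tell whether the lock-up described in the post above sits in the file read or in the hash update, as an added example that is not part of the original post or of Mbed TLS: the same 4096-byte loop with a pluggable per-chunk sink and a stage marker written before each step. The names stream_file, chunk_sink, sum_sink and stream_stats are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Per-chunk consumer; returns 0 on success, like mbedtls_sha256_update in 3.x. */
typedef int (*chunk_sink)(void *ctx, const unsigned char *buf, size_t len);

struct stream_stats {
    size_t bytes;   /* bytes handed to the sink so far */
    size_t chunks;  /* completed sink calls */
};

/* Hypothetical helper: the same 4096-byte read loop as the post, with the
 * consumer pluggable and a stage marker written before each step. If the
 * board locks up, the last marker on the console shows the offset and
 * whether execution was in fread ('R') or in the sink ('S'). */
int stream_file(const char *path, chunk_sink sink, void *ctx,
                struct stream_stats *st, FILE *trace)
{
    unsigned char buf[4096];
    size_t n;
    int ret = 0;
    FILE *f = fopen(path, "rb");

    st->bytes = 0;
    st->chunks = 0;
    if (f == NULL) return -1;
    for (;;) {
        if (trace) { fprintf(trace, "%zu R\n", st->bytes); fflush(trace); }
        n = fread(buf, 1, sizeof(buf), f);
        if (n == 0) break;
        if (trace) { fprintf(trace, "%zu S\n", st->bytes); fflush(trace); }
        ret = sink(ctx, buf, n);
        if (ret != 0) break;
        st->bytes += n;
        st->chunks++;
    }
    if (ret == 0 && ferror(f) != 0) ret = -1;
    fclose(f);
    return ret;
}

/* Sink with no crypto: touches every byte so the buffer is really read. */
int sum_sink(void *ctx, const unsigned char *buf, size_t len)
{
    unsigned long *sum = ctx;
    for (size_t i = 0; i < len; i++) *sum += buf[i];
    return 0;
}
```

Run it first with sum_sink and then with a sink that wraps mbedtls_sha256_update, passing stderr as the trace stream. If only the second run stops, the fault is in the hash path rather than in storage I/O.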
Hello,
Please note that we do not support Mbed TLS on i.MX MPUs, as this is mostly used on the i.MX RT instead. Even so, I did a little research on the issue you are seeing.
It may be possible that you're seeing a CPU hard lock (infinite loop / unaligned access / undefined instruction) triggered by Mbed TLS 3.x optimizations.
For this, I would recommend disabling all assembly and hardware acceleration in Mbed TLS.
Rebuild Mbed TLS 3.3.0 with these options:
This forces portable C SHA-256 and matches behavior close to Mbed TLS 2.1.0, so it may be worth a try.
Best regards/Saludos,
Aldo.