TLS communication

Hello, @ashwini2024 

Thanks for the reply.

The two configurations could be done via "make menuconfig", then choose Cryptographic API -> Hardware crypto devices ->Support for NXP HSE cryptographic engine ->Messaging Unit Interface ->MU2

Device Driver->Userspace I/O drivers ->NXP HSE UIO driver ->Messaging Unit Interface ->MU3 

From the latest log you shared, seems it is correct.

With these settings, the BSP could boot correct from my test.

From my opinion, doing it with bootloader(MU0/1 on M core side), it could be a very different topic, and is beyond the original discussion of this post, I suggest raising new post for your specific settings, if additional code/private settings needed to be shared, additional support case via support portal could be raised.

Sorry for your inconvenience.

BR

Chenyin 

Hello, @ashwini2024 

You are welcome.

The two configurations I mentioned are from the kernel configurations, I suggest directly modify it according to your own needs from menuconfig before rebuilding the kernel.

BR

Chenyin

Hello, @ashwini2024 

Thanks for your reply.

It is possible using the MU2/3 in your linux, the linux kernel may have to be recompiled since they are not by default set.

From kernel configuration, you may change the  CONFIG_CRYPTO_DEV_NXP_HSE_MU to MU3, while change the CONFIG_UIO_NXP_HSE_MU to MU2 to select MU2/3 used in Linux side, at the same time, only use MU0/1 in M7 side.

BR

Chenyin

Hello, @ashwini2024 

Sorry for the delay due out of office.

It is fine for using MU0/1 from M7 side and MU2/MU3 in A53 side, but according to your working setup, from the BSP user manual, there seems limitation existed for using user space APIs when using other MUs.

BR

Chenyin

Hello, @ashwini2024 

Thanks for the reply.

From the description before, I assume that you may want to implement your own application to support the TLS connections, maybe https server/client or so, and take use of HSE to do something during handshake and/or even data encryption/decryption during the TLS communication, is it right?

Theoretically, it could be done on S32G board, since Linux could be correctly running on it, with various applications/libs supported.(openssl, libcrypto, libssl, etc.)

From NXP's perspective, in formal released BSP, the TLS operation could be done via software, HSE is not involved, since lacking of enough APIs to let the openssl to call the HSE related lower APIs, as you may know, in formal BSPs, only libhse and libpkcs are provided, the users have to learn the details of the lib to implement their own applications on them, but there is not openssl interface, so that the openssl cannot directly access the HSE services in formal BSP release.

In AN14072, the author implemented some code to let the openssl to call the libpkcs, so that some operation could be done via openssl->libpkcs->HSE, the main TLS connection logic is based on the openssl, a few selected algorithm(like ECDH-ECDSA-AES128-SHA) related operation in TLS connection could be done via HSE, while all others are still done via the openssl libs.

For you questions:

1. TLS Cipher Suite Configuration

[Chenyin]: Check the script, there are available cipher suite supported.

2. Location of TLS Scripts

[Chenyin]: The scripts you mentioned are part of the demo, and could not be directly used in BSP.

3. AES Key Storage in HSE

[Chenyin]: Yes, there is not any other documents related, reading the code is suggested.

4. Overview of Required Steps and other related questions

[Chenyin]: Follow the guides in AN14072, firstly apply all patches to the corresponding packages, then rebuild them and put the generating libxxx to the board running with the formal BSP(in the example, BSP38 is used, for recent BSPs, porting may be needed.), then running the script to demo the TLS connections with selected cipher suite.

In summary:

1. With default BSPs, the TLS connection could be done only via openssl and related libs(software based), HSE could not be involved with default configuration.

2. With the patches from AN14072 applied, some selected cipher suite could be offloaded to HSE while doing the TLS test.

3. There seems no other formal documents/demos related with this topic.

I suggest firstly reproducing the TLS demo shown in AN14072 on your board(maybe based on recent BSPs according to the requirements),  to check if it could fulfill your requirement, and then to implement your own code based on it(or only reference) to add new features that needed from your own applications.

BR

Chenyin

Hello, @ashwini2024 

Thanks for your reply.

There is no such examples included in the formal BSP, but there is demo code for implementing simple TLS connections based on openssl/pkcs, which is introduced by AN14072, may I know if you have referenced it?

After checking the demo code attached to the AN, the ECDH-ECDSA-AES128-SHA is supported, thus the ECDH could be used for key-exchange phase for establishing the connection. Which may fit your requirements.

I hope it will help.

BR

Chenyin

Thank you @chenyin_h .
How do i move further on this ? I just wanted to know if accessing the key from openssl is feasible [ecdh shared secret]
As from the demo app there is a document on queries regarding the TLS .
I would want support on that.

Hello, @ashwini2024 

Thanks for you reply.

So you want to use the openssl to access the HSE via PKCS engine with BSP43 to achieve the operations mentioned in your original post?

I feel sorry that there is not formal document regarding to the openssl/libpkcs support in BSP, you may have to implement needed functions based on libpkcs/libhse, and integrate them to the openssl engine layer, currently there are not similar examples from the recent release for your reference. 

BR

Chenyin

Hello, @ashwini2024 

Thanks for your post.

May I know if S32G2 or G3 is used? Which version HSE FW is used? 

BR

Chenyin