Data alignment when using mbedtls with i.MX RT1170

Freddy_ · ‎01-09-2024

Hi,

I’m currently working on cryptography topic and I have 2 questions related to the use of the mbedtls (SDK 2.13.1) along with the CAAM of i.MX RT1170.

Q1: Basically, I noticed that all CAAM accesses from mbedtls need to be performed from 32 bytes aligned data. This is not performed in SDK 2.13.1 mbedtls so I had to implement some fixes to make things work. Did I miss something ?

Q2: During RSA encryption using PKCS 1.5 padding, mbedtls calls the CAAM random number generation function every time a single random byte needs to be generated. However this process is very long because the CAAM requires 125ms to generate random bytes, no matter the number of bytes to be generated. I could update mbedtls in order to generate directly the number of bytes I need but I would prefer not to change NXP SDK in order to ease further maintainability. Perhaps I missed something there as well ?

Thanks for your help,

Freddy

nxf77486 · ‎01-15-2024

Hello,

Thank you for clarifying this information, so after reviewing the information. The changes you perform ed seem to be fine.

View solution in original post

Freddy_ · ‎01-13-2024

Hello,

Thank you for your reply.

Regarding Q1, indeed I needed to perform some changes in function 'mbedtls_rsa_rsaes_oaep_encrypt()'. When 'mbedtls_md( md_info, label, label_len, p )' is called, I needed to make sure 'p' is 32 bytes aligned. I did that using an intermediate static variable and '__ALIGNED(32)' tag. I wonder if this doesn't have something to see with DMA or data cache.

I didn't find any SDK example execising 'mbedtls_rsa_pkcs1_encrypt()' function.

Regarding Q2, ok with your answer.

nxf77486 · ‎01-15-2024

Hello,

It is correct we unfortunately do not have an example where we access the

mbedtls_rsa_pkcs1_encrypt()', but before continue I think I did not formulated my question properly for query 1.

So none of the SDK example available for mbedtls are working on the SDK, or is just that this example changes you are performing are exclusively for our software design?

Freddy_ · ‎01-15-2024

Hi,

Yes, the changes I made are exclusively related to our software design.

Freddy

nxf77486 · ‎01-15-2024

Hello,

Thank you for clarifying this information, so after reviewing the information. The changes you perform ed seem to be fine.

Freddy_ · ‎02-15-2024

Hello,

Unfortunately, I'm struggling again using mbedtls with i.MX RT1170. This time, when I sign data with 'security_rsa_pkcs1_sign' and verify the generated signature with 'security_rsa_pkcs1_verify', I get the error MBEDTLS_ERR_RSA_VERIFY_FAILED.

I did the signing and the verification steps in a continuous sequence, so I'm sure to use exactly the same RSA key. An interesting thing is that my signing/verification test works when mbedtls is configured to use PKCS#1 v1.5 but it does not work when mbedtls is configured to use PKCS#1 v2.1. This lets me think the issue related to the use of mbedtls with i.MX RT1170.

nxf77486 · ‎01-12-2024

Hello,

Thank you for contacting NXP support.

Regarding your first Q1 you mean you needed to perform changes in order to make work an SDK example?

On question 2 from my point of view I do not think you missed something.

I will only add that we have a latest version of the SDK 2.14.0.

Please let me know if there is anything else where I can help you.