Update Swiftly TLS certificate and MBedTLS config

Author: bandogora

app/CMakeLists.txt

@@ -13,7 +13,7 @@ zephyr_include_directories(${gen_dir})
 
 foreach(inc_file
   r4.crt
-  AmazonRootCA1.cer
+  AmazonRootCA3.cer
 )
   generate_inc_file_for_target(
     app

app/VERSION

@@ -1,5 +1,5 @@
 VERSION_MAJOR = 0
-VERSION_MINOR = 11
-PATCHLEVEL = 2
+VERSION_MINOR = 12
+PATCHLEVEL = 0
 VERSION_TWEAK = 0
 EXTRAVERSION = stable

app/boards/circuitdojo_feather_nrf9160_ns.conf

@@ -59,7 +59,7 @@ CONFIG_TFM_CMAKE_BUILD_TYPE_RELEASE=y
 # TF-M memory regions - optimize for size
 CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0x10000
 CONFIG_PM_PARTITION_SIZE_TFM=0x37E00
-# CONFIG_PM_PARTITION_SIZE_TFM_PROTECTED_STORAGE=0x2000
+CONFIG_PM_PARTITION_SIZE_TFM_PROTECTED_STORAGE=0x2000
 
 # TF-M logging requirements
 CONFIG_TFM_SECURE_UART0=y
@@ -69,12 +69,13 @@ CONFIG_TFM_SECURE_UART_SHARE_INSTANCE=y
 CONFIG_NRF_SECURITY=y
 # CONFIG_NORDIC_SECURITY_BACKEND=y
 CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
+# CONFIG_MBEDTLS_USE_PSA_CRYPTO=y
 CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
+# CONFIG_MBEDTLS_LIBRARY_NRF_SECURITY=y
 
 # Enable MbedTLS
 CONFIG_MBEDTLS=y
 
-CONFIG_MBEDTLS_THREADING_C=y
 # CONFIG_CC3XX_BACKEND=y
 # MbedTLS configurations
 CONFIG_MBEDTLS_ENABLE_HEAP=y
@@ -85,8 +86,8 @@ CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
 
 # MbedTLS net configurations
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
-# CONFIG_TLS_MAX_CREDENTIALS_NUMBER=8
-# CONFIG_NET_SOCKETS_TLS_MAX_CREDENTIALS=8
+CONFIG_TLS_MAX_CREDENTIALS_NUMBER=8
+CONFIG_NET_SOCKETS_TLS_MAX_CREDENTIALS=8
 
 # Create the mbed SSL/TLS library in addition to the mbed crypto library
 CONFIG_MBEDTLS_TLS_LIBRARY=y
@@ -96,21 +97,30 @@ CONFIG_MBEDTLS_X509_LIBRARY=y
 
 # Enable TLS credentials management subsystem
 CONFIG_TLS_CREDENTIALS=y
-# CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y
+CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y
 
 # MbedTLS module configurations
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
-CONFIG_MBEDTLS_RSA_C=y
-# CONFIG_MBEDTLS_PEM_PARSE_C=y
-CONFIG_MBEDTLS_SSL_SRV_C=y
-
+CONFIG_MBEDTLS_X509_LIBRARY=y
+CONFIG_MBEDTLS_PK_C=y
+CONFIG_MBEDTLS_PK_PARSE_C=y
+CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=y
+CONFIG_MBEDTLS_AES_C=y
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_CIPHER_C=y
+CONFIG_MBEDTLS_SHA256_C=y
+# CONFIG_MBEDTLS_GCM_C=y
+# CONFIG_MBEDTLS_ECP_C=y
+# CONFIG_MBEDTLS_CTR_DRBG_USE_128_BIT_KEY=y
+# CONFIG_MBEDTLS_ASN1_PARSE_C=y
+
+CONFIG_MBEDTLS_SSL_SRV_C=n
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
 CONFIG_MBEDTLS_CIPHER=n
-# CONFIG_MBEDTLS_ECP_C=n
 CONFIG_MBEDTLS_ECJPAKE_C=n
 CONFIG_MBEDTLS_SHA1_C=n
 CONFIG_MBEDTLS_SHA224_C=n
-# CONFIG_MBEDTLS_SHA256_C=n
 CONFIG_MBEDTLS_SHA384_C=n
 CONFIG_MBEDTLS_SHA512_C=n
 CONFIG_MBEDTLS_CHACHA20_C=n
@@ -128,36 +138,23 @@ CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
 CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
 CONFIG_MBEDTLS_MAC_SHA256_ENABLED=n
 CONFIG_MBEDTLS_CMAC_C=n
+CONFIG_MBEDTLS_CIPHER_MODE_CTR=n
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=n
 
 # Key exchange configurations
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
 
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=n
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=n
 
 # Key type configurations
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
-
 CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
-
-CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE=y
-
-# Select RSA key sizes
-CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
 
 # Cipher configurations
 CONFIG_PSA_WANT_ALG_CTR=y
@@ -169,30 +166,20 @@ CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n
 CONFIG_PSA_WANT_ALG_ECDH=y
 
 # Key derivation function configurations
-CONFIG_PSA_WANT_ALG_TLS12_PRF=y
-
+CONFIG_PSA_WANT_ALG_TLS12_PRF=n
 CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS=n
 
 # MAC configurations
-CONFIG_PSA_WANT_ALG_CMAC=n
+CONFIG_PSA_WANT_ALG_HMAC=y
 
 # AEAD configurations
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n
 CONFIG_PSA_WANT_ALG_GCM=y
 
 # Asymmetric signature configurations
 CONFIG_PSA_WANT_ALG_ECDSA=y
-CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
-CONFIG_PSA_WANT_ALG_RSA_PSS=y
-
-# Asymmetric encryption configurations
-CONFIG_PSA_WANT_ALG_RSA_OAEP=y
-CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
-
 CONFIG_PSA_WANT_ALG_SHA_256=y
 
 # ECC curve configurations
-CONFIG_PSA_WANT_ECC_MONTGOMERY_255=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
 
 # RNG configurations
@@ -205,16 +192,13 @@ CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
 # Enable SSL renegotiation
 CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
 
-# Enable SSL cache
-CONFIG_MBEDTLS_SSL_CACHE_C=y
-
 # Enable SSL session tickets
 CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
 
 # Enable Mbed TLS logs
 CONFIG_MBEDTLS_DEBUG=y
 CONFIG_MBEDTLS_DEBUG_C=y
-# CONFIG_MBEDTLS_DEBUG_LEVEL=4
+# CONFIG_MBEDTLS_DEBUG_LEVEL=1
 CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
 CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
 

app/boards/circuitdojo_feather_nrf9160_ns_release.conf

@@ -24,7 +24,6 @@ CONFIG_NRF_MODEM_LIB=y
 CONFIG_NRF_MODEM_LIB_FAULT_STRERROR=y
 CONFIG_NRF_MODEM_LIB_ON_FAULT_APPLICATION_SPECIFIC=y
 CONFIG_MODEM_KEY_MGMT=n
-CONFIG_PDN=y
 
 # Align the max FD entry to NRF_MODEM_MAX_SOCKET_COUNT(8)
 CONFIG_ZVFS_OPEN_MAX=8
@@ -60,6 +59,7 @@ CONFIG_TFM_CMAKE_BUILD_TYPE_RELEASE=y
 # TF-M memory regions - optimize for size
 CONFIG_PM_PARTITION_SIZE_TFM_SRAM=0x10000
 CONFIG_PM_PARTITION_SIZE_TFM=0x37E00
+CONFIG_PM_PARTITION_SIZE_TFM_PROTECTED_STORAGE=0x2000
 
 # TF-M logging requirements
 CONFIG_TFM_LOG_LEVEL_SILENCE=y
@@ -80,10 +80,11 @@ CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=65536
 CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
 CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
-CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=y
 
 # MbedTLS net configurations
 CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
+CONFIG_TLS_MAX_CREDENTIALS_NUMBER=8
+CONFIG_NET_SOCKETS_TLS_MAX_CREDENTIALS=8
 
 # Create the mbed SSL/TLS library in addition to the mbed crypto library
 CONFIG_MBEDTLS_TLS_LIBRARY=y
@@ -93,12 +94,21 @@ CONFIG_MBEDTLS_X509_LIBRARY=y
 
 # Enable TLS credentials management subsystem
 CONFIG_TLS_CREDENTIALS=y
+CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE=y
 
 # MbedTLS module configurations
 CONFIG_MBEDTLS_PSA_CRYPTO_C=y
-CONFIG_MBEDTLS_RSA_C=y
-CONFIG_MBEDTLS_SSL_SRV_C=y
-
+CONFIG_MBEDTLS_X509_LIBRARY=y
+CONFIG_MBEDTLS_PK_C=y
+CONFIG_MBEDTLS_PK_PARSE_C=y
+CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=y
+CONFIG_MBEDTLS_AES_C=y
+CONFIG_MBEDTLS_ECDH_C=y
+CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_CIPHER_C=y
+CONFIG_MBEDTLS_SHA256_C=y
+
+CONFIG_MBEDTLS_SSL_SRV_C=n
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
 CONFIG_MBEDTLS_CIPHER=n
 CONFIG_MBEDTLS_ECJPAKE_C=n
@@ -121,36 +131,23 @@ CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
 CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
 CONFIG_MBEDTLS_MAC_SHA256_ENABLED=n
 CONFIG_MBEDTLS_CMAC_C=n
+CONFIG_MBEDTLS_CIPHER_MODE_CTR=n
+CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=n
 
 # Key exchange configurations
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
 
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED=n
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED=n
-CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED=n
 
 # Key type configurations
 CONFIG_PSA_WANT_KEY_TYPE_AES=y
-
 CONFIG_PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
-
-CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT=y
-CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE=y
-
-# Select RSA key sizes
-CONFIG_PSA_WANT_RSA_KEY_SIZE_2048=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
 
 # Cipher configurations
 CONFIG_PSA_WANT_ALG_CTR=y
@@ -162,30 +159,20 @@ CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n
 CONFIG_PSA_WANT_ALG_ECDH=y
 
 # Key derivation function configurations
-CONFIG_PSA_WANT_ALG_TLS12_PRF=y
-
+CONFIG_PSA_WANT_ALG_TLS12_PRF=n
 CONFIG_PSA_WANT_ALG_TLS12_PSK_TO_MS=n
 
 # MAC configurations
-CONFIG_PSA_WANT_ALG_CMAC=n
+CONFIG_PSA_WANT_ALG_HMAC=y
 
 # AEAD configurations
-CONFIG_PSA_WANT_ALG_ECB_NO_PADDING=n
 CONFIG_PSA_WANT_ALG_GCM=y
 
 # Asymmetric signature configurations
 CONFIG_PSA_WANT_ALG_ECDSA=y
-CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
-CONFIG_PSA_WANT_ALG_RSA_PSS=y
-
-# Asymmetric encryption configurations
-CONFIG_PSA_WANT_ALG_RSA_OAEP=y
-CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
-
 CONFIG_PSA_WANT_ALG_SHA_256=y
 
 # ECC curve configurations
-CONFIG_PSA_WANT_ECC_MONTGOMERY_255=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
 
 # RNG configurations
@@ -198,8 +185,5 @@ CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
 # Enable SSL renegotiation
 CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
 
-# Enable SSL cache
-CONFIG_MBEDTLS_SSL_CACHE_C=y
-
 # Enable SSL session tickets
 CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y

app/keys/public/AmazonRootCA3.cer

@@ -1,11 +1,11 @@
 EMPTY_0:
-  address: 0xfc000
+  address: 0xfa000
   end_address: 0x100000
   placement:
     after:
     - tfm_ps
   region: flash_primary
-  size: 0x4000
+  size: 0x6000
 EMPTY_1:
   address: 0xf2000
   end_address: 0xf8000
@@ -237,7 +237,7 @@ tfm_otp_nv_counters:
   size: 0x2000
 tfm_ps:
   address: 0xf8000
-  end_address: 0xfc000
+  end_address: 0xfa000
   inside:
   - tfm_storage
   placement:
@@ -246,7 +246,7 @@ tfm_ps:
     before:
     - end
   region: flash_primary
-  size: 0x4000
+  size: 0x2000
 tfm_secure:
   address: 0x10000
   end_address: 0x48000
@@ -268,11 +268,11 @@ tfm_sram:
   size: 0x10000
 tfm_storage:
   address: 0xe8000
-  end_address: 0xfc000
+  end_address: 0xfa000
   orig_span: &id010
   - tfm_ps
   - tfm_its
   - tfm_otp_nv_counters
   region: flash_primary
-  size: 0x14000
+  size: 0x12000
   span: *id010

app/pm_static.yml

@@ -260,6 +260,7 @@ int main(void) {
     k_msleep(29000);
   }
 #else
+  k_msleep(3000);
   LOG_ERR("Reached end of main; rebooting.");
   /* The ARM implementation sys_reboot ignores the parameter */
   sys_reboot(SYS_REBOOT_WARM);

app/src/main.c

@@ -25,7 +25,7 @@ static const char jes_cert[] = {
 #endif  // CONFIG_JES_FOTA
 
 static const char swiftly_cert[] = {
-#include "AmazonRootCA1.cer.hex"
+#include "AmazonRootCA3.cer.hex"
     // Null terminate certificate if running Mbed TLS
     IF_ENABLED(CONFIG_TLS_CREDENTIALS, (0x00))
 };