Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A client example failed when proper entropy collector has not been implemented #545

Closed
toyowata opened this issue Jul 22, 2016 · 3 comments
Closed

A client example failed when proper entropy collector has not been implemented #545

toyowata opened this issue Jul 22, 2016 · 3 comments

Comments

@toyowata
Copy link

The issue is moved from here.

In K64F platform, the macro MBEDTLS_ENTROPY_HARDWARE_ALT is defined in the target.json and proper implementation has been done in the HAL.

ARMmbed/mbed-os#1879

Some platforms do not support RNG hardware and expect to use software solution. e.g. build client example without MBEDTLS_ENTROPY_HARDWARE_ALT macro.

In that case, I got connection error below if I removed the MBEDTLS_ENTROPY_HARDWARE_ALT macro in K64F platform (as non RNG support device).

Starting mbed Client example...
Using Ethernet

Connected to Network successfully
IP address 10.128.4.32

SOCKET_MODE : UDP
Connecting to coap://api.connector.mbed.com:5684

[ERROR:] M2MInterface::SecureConnectionFailed

Attached files is mbed-trace log: trace_log_failed.txt

So, my question is:

  • Is the MBEDTLS_ENTROPY_HARDWARE_ALT macro and entropy collector implementation mandatory feature, or optional?

If this is optional, the nanostack-hal-mbed-cmsis-rtos should also have software implementation and the client example should not fail.

https://github.com/ARMmbed/nanostack-hal-mbed-cmsis-rtos/blob/master/arm_hal_random.c#L28
@toyowata toyowata mentioned this issue Jul 22, 2016
Closed
@ciarmcom
Copy link

ARM Internal Ref: IOTSSL-907

@pjbakker
Copy link
Contributor

mbed TLS (and any other cryptographic operations) require entropy for the random they need to do those operations securely.

So that means that any target platform that wants security needs to implement support for a strong entropy source. Meaning either:

  1. Support for the on-board hardware entropy source (using MBEDTLS_ENTROPY_HARDWARE_ALT)
  2. Support for a (less secure) software based entropy source (such as the NV Seed entropy source provided, which requires device-unique provisioning of a seed in the NV)
  3. Implementation of and support for a different strong entropy source for that target platform.
  4. The target platform not being suitable for production use because there is no strong entropy source.

There is no way around it. A strong entropy source is required and that's not specifically an mbed TLS requirement but a TLS / crypto protocols requirement.

Note: For debug (AND DEBUG ONLY) purposes it's possible to put mbed TLS in a mode where it runs without a strong entropy source, BUT THIS DISABLES ANY AND ALL SECURITY AND IS THUS NOT USING TLS/CRYPTO SECURITY AT ALL AND THUS NOT INTENDED FOR USE IN PRODUCTION ENVIRONMENTS.

@yogpan01
Copy link

yogpan01 commented Aug 2, 2016

As @pjbakker explained this has to be supported on platform level, but since there is missing implementation for entropy on various platform, easiest way to work around is to add NULL_ENTROPY feature for example application on those non-K64F boards.
I have created a PR on mbed-client example explaining how user can do this ARMmbed/mbed-os-example-client#63

I propose we can close this issue

simonbutcher added a commit that referenced this issue Dec 21, 2018
@simonbutcher
Merge pull request #545 from ARMmbed/version-2.7.9
3187e7c 
Update the version of the library to 2.7.9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pjbakker @toyowata @simonbutcher @yogpan01 @ciarmcom