[fix] samples/net/sockets/http_server fails to build for several nrf5340/cpuapp/ns targets #85201
Conversation
zephyrbot
added
area: Sockets
|
@mrodgers-witekio I tested this PR locally with: |
valeriosetti
force-pushed
the
fix-85155
branch
2 times, most recently
from
3859707 to
f3b7c2a
Compare
| CONFIG_MBEDTLS_ECDH_C=y | ||
| CONFIG_MBEDTLS_ECDSA_C=y | ||
| CONFIG_MBEDTLS_ECP_C=y | ||
| CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y | ||
| CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n |
There was a problem hiding this comment.
Should we leave these and have a separate overlay config file for PSA options so that the legacy compilation works as before?
And then have separate section that tests the non-PSA and PSA compilations in sample.yaml file?
So have something like
sample.net.sockets.http.server: {}
sample.net.sockets.http.server.no_psa:
filter: not CONFIG_BUILD_WITH_TFM
extra_configs:
- CONFIG_MBEDTLS_PSA_CRYPTO_C=y
here setting the psa overlay
sample.net.sockets.http.server.psa:
filter: CONFIG_BUILD_WITH_TFM
here setting the psa overlay
WDYT?
|
While this currently works in twister, the sample doesn't build on a platform without TF-M when built the usual way using west, since in this case it doesn't enable PSA crypto in mbedtls. The To see the build failure you can try: |
Yes, because to build the sample you have to add the
Or simply targetting the test case you want to reproduce:
Perhaps I can do this in the Kconfig file of the sample. Let me try this |
Please let's not do that, we need to be able to build for platforms like Why don't we just enable |
Wouldn't that result in a warning at build time? The build will proceed of course, but I don't know if it's really elegant to have an expected warning at build time. |
valeriosetti
force-pushed
the
fix-85155
branch
from
f3b7c2a to
a4b27bf
Compare
|
This builds successfully now, but I am seeing TLS handshake errors when running it: This is reproducible on the In another terminal: And then navigate to I guess there's probably a |
It would, still better than not building at all for non-tfm platforms IMHO. I'm fine with the current proposal though. However - maybe we need to rethink on how PSA APIs are enabled in general, it's a bit awkward that you need to define a custom Kconfig entry in the sample because the configuration differs depending on platform type. |
|
@mrodgers-witekio thanks for the test. I was indeed trying to test it locally but I'm a bit stuck on this. I would like to use the nrf52480dk board through the USB-Ethernet bridge which I saw should be possible from the README file of that sample. So I built it with: Then on my PC I run |
I was about to say, it might be useful to have a Kconfig at a system level rather than a sample app level that is something like |
I've never used the netusb config myself so not sure about that one specifically. The net samples generally have an IP address of 192.0.2.1, not in the usual 192.168.x.x range, although I don't know if the netusb is doing anything different here. Using "real" target hardware connected directly to my PC via Ethernet, I generally have to do something like: Assign my PC an IP address on the network interface the device is plugged into: Add an entry in routing table for the device: And after this it should work: I can ping 192.0.2.1, and use the HTTP server via a web browser |
|
I got it to work with native sim at least. The handshake failed with:
Adding the following lines to the config file allowed me to establish TLS session with the sample: No idea why was the second config needed though, just trial & error based on https://github.com/zephyrproject-rtos/zephyr/tree/main/tests/net/socket/tls_configurations configs. |
Thanks for the test and update. Well the additional config makes sense to me:
|
valeriosetti
force-pushed
the
fix-85155
branch
from
a4b27bf to
3d4ab9b
Compare
There was a problem hiding this comment.
Tested on native_sim and it''s working now.
Flash size needed for the sample is bumped up a bit (approx 325K --> 350K on nucleo_h753zi board, I wonder if there's any crypto features enabled by default that could be disabled to reduce this? I'm thinking of RSA in particular, as it's not needed by this sample.
|
I've just updated the PR with the changes required to make the sample working on the nrf52840dk. Since it took me some time to do it, I also updated the documentation.
Correct, indeed that part was removed. I kept it at the beginning because an RSA key exchange was previously enabled, but I realized that actually an ECDHE-ECDSA cipher suite is used when testing the connection on my PC. On this topic, I've seen that |
valeriosetti
force-pushed
the
fix-85155
branch
from
5724fff to
2a12f02
Compare
Yes, I think that file is just leftover from before the certificates were updated to use ECDSA so can be deleted (the |
valeriosetti
force-pushed
the
fix-85155
branch
from
2a12f02 to
47b8d54
Compare
| @@ -68,4 +68,9 @@ config NET_SAMPLE_WEBSOCKET_STATS_INTERVAL | |||
| This interval controls how often the net stats data shown on the web page | |||
| will be updated. | |||
|
|
|||
| # Enable the build of PSA Crypto core provided by Mbed TLS for platforms that | |||
| # do not have TF-M. | |||
| config MBEDTLS_PSA_CRYPTO_C | |||
There was a problem hiding this comment.
If this is only used for this sample, then please namespace the option name by NET_SAMPLE to make it clear that this is not a global option.
There was a problem hiding this comment.
Actually this is the very same Kconfig defined in zephyr/modules/mbedtls/Kconfig.tls-generic. I added it here as trick to enable it for platforms that do not have TF-M support.
As stated previously we might improve how PSA Crypto support is enabled, but that will require additional analysis and work and it's out of scope for this PR.
The other option was to set CONFIG_MBEDTLS_PSA_CRYPTO_C=y directly in the prj.conf for all the samples, but that would result in warnings at compile time for boards that support TF-M, so I preferred not to go that way.
There was a problem hiding this comment.
This looks very hackish now, basically you are stealing Kconfig option from mbedtls which I would say is a big no-no.
There was a problem hiding this comment.
I see. In my initial implementation I split the sample testing between TF-M and non-TF-M platforms (see f3b7c2a), but I was told this was not the proper way to go.
If you also agree that what I implemented back then was not OK, then I don't see many other options than just adding CONFIG_MBEDTLS_PSA_CRYPTO_C=y for all the boards and then live with the warning for those that support TF-M.
| @@ -13,6 +13,5 @@ common: | |||
| platform_exclude: | |||
| - native_posix | |||
| - native_posix/native/64 | |||
| - nrf5340dk/nrf5340/cpuapp/ns # Excluding due to ROM overflow. | |||
There was a problem hiding this comment.
Why was this removed, the sample will still not fit to that platform?
There was a problem hiding this comment.
Yes, correct. I initially thought that moving from legacy Mbed TLS support to TF-M's PSA Crypto on that platform could make the sample build successfully, but I just tried and it's not the case. So I need to revert this leftover. Thanks for noticing.
valeriosetti
force-pushed
the
fix-85155
branch
from
47b8d54 to
33e93ef
Compare
There was a problem hiding this comment.
I am giving this -1 atm before we figure out what to do with CONFIG_MBEDTLS_PSA_CRYPTO_C option.
This looks very confusing to the end user that we are introducing a new option in the sample and basically steal the option from mbedtls. Is this really a common way things are done in zephyr?
It's quite commonly done in As an alternative that might be a bit cleaner, how about this: I tried a build and it seems to work for me. This would need the TLS-related options to be split out into an overlay file (otherwise the build without HTTPS selected will still be broken), but this is probably a good idea anyway and aligns better with the other networking samples |
The
I like this much better, it is way clearer to the end user what we are trying to do here. |
Sure! I will rework the PR ASAP |
valeriosetti
dismissed stale reviews from mrodgers-witekio and rlubos
via
5b63a70
valeriosetti
force-pushed
the
fix-85155
branch
2 times, most recently
from
5b63a70 to
6f5f0f4
Compare
|
Should Apart from that all looks good to me now |
…APIs This commit also moves the TLS (overlay) configuration to a separate file named "overlay-tls.conf". In this way the simple HTTP (without TLS) will not enable Mbed TLS. A new test case is added to sample.yaml to test HTTPS scenario. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add a section with a practical example on how to build the sample in order to test it with: - real device - ethernet over USB and test it with a Linux host system. Fix also references to overlay files that must be enabled to build the HTTPS version. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
"ca.der" contains an RSA key, but this file is now useless for this sample as the sample is using EC keys. It's likely a leftover from some initial development, so it can be removed. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
valeriosetti
force-pushed
the
fix-85155
branch
from
6f5f0f4 to
d266a9d
Compare
Change the sample configuration in order to replace legacy Mbed TLS crypto support with PSA one. The test case is also then split in 2 to differentiate boards that have TF-M from those that do not. This is done to avoid duplication of the PSA Crypto core.
Resolves #85155
This PR started from a suggestion from @mrodgers-witekio