Using MbedTLS PSA crypto API with a secure Element for MQTT TLS handshake #74217
Replies: 2 comments 1 reply
-
Hi, I'm also very interested in this, as it is the solution that we are looking to implement to enhance the security of our product. Do you have any more insights to offer? Did you find any guide or app note or any other source of help in this direction? I suppose what you mean is that, if for example we want to use a Microchip ATECC608C secure element, we need first to somehow configure mbedTLS to use the CryptoAuthlib driver/library, and then all the higher layers of the application will remain the same? Right now we are using our device without a secure element and we provision the X509 certificate and private key using the TLS credentials management subsystem (https://docs.zephyrproject.org/apidoc/latest/group__tls__credentials.html) using the But most probably, I also think that your way would be the way to go. EDIT: OK, no, by looking in more detail at what the protected storage means, this is entirely different. But then the question, for me at least, is: how to provision the certificate and private key for the TLS session, if those are provided through the secure element and the mbedTLS library directly, as we are discussing here? Is there a way to signal the MQTT client that TLS should find the certificate/private key directly through the mbedTLS library?
-
Hi @naNEQ and @PixTillzcorp, I'm currently working on a similar setup: using Zephyr's MQTT module over TLS with an external secure element, and I also find the MbedTLS integration quite opaque in this context. Have you made any further progress or gathered insights on how to correctly hook the secure element into the TLS handshake, especially regarding certificate and private key provisioning? Thanks in advance for any pointers.
-
Hi,
I have a few blind spots regarding the usage and the configuration of the PSA crypto API from the MbedTLS library in relation to the MQTT net module.
I am using a secure element and I already have some experience with the PSA crypto API to use its capabilities in the TLS handshake.
However, I am not sure if the way I see the setup for Zephyr RTOS MQTT module to use the secure element is correct.
Since the MQTT module is pretty opaque regarding the MbedTLS usage in the TLS handshake, I assume I need to configure the MbedTLS PSA crypto API by registering my secure element driver before using the MQTT module, and add the correct MbedTLS configuration in prj.conf.
Do you think it is the correct way to use the secure element with the MQTT module?
Thank you in advance.
BR.