Test Mbed TLS on Zephyr
This article shows how to create a simple Mbed TLS program that calls the PSA Crypto API on Zephyr RTOS.
In a previous post, I introduced Mbed TLS and the PSA Crypto API. Now I am going to explore how they can be applied in a real-time system.
Zephyr
Zephyr is a scalable real-time operating system (RTOS) supporting multiple hardware architectures, optimized for resource-constrained devices.
Zephyr has a long getting-started guide. I will not repeat its instructions for setting up the environment. My story starts from the Hello World sample.
Zephyr supports a large number of boards. When building a program, you need to specify the board type that your program will be deployed to. I chose qemu_x86 for the hardware of my test.
To build and run the Hello World demo:
cd samples/hello_world
west build -b qemu_x86
west build -t run
Mbed TLS Demo
Modify the Hello World
The source code of the Hello World is in the folder samples/hello_world of Zephyr:
> tree hello_world
hello_world
├── CMakeLists.txt
├── prj.conf
├── README.rst
├── sample.yaml
└── src
    └── main.c
Now I will modify the code of src/main.c to call some PSA Crypto APIs, like this:
#include <zephyr/kernel.h>
#include <psa/crypto.h>

void main(void) {
    psa_status_t status;
    uint8_t randoms[12];

    /* Initialize the PSA Crypto library before any other PSA call. */
    status = psa_crypto_init();
    if (status != PSA_SUCCESS) {
        printk("psa_crypto_init() failed: %d\r\n", status);
        return;
    }

    /* Fill the buffer with random bytes. */
    status = psa_generate_random(randoms, sizeof(randoms));
    if (status == PSA_SUCCESS)
        printk("Generated random numbers.\r\n");
    else
        printk("Failed to generate random numbers: %d\r\n", status);
}
In this very simple program, two PSA Crypto functions are invoked:
- psa_crypto_init(): Initialize the PSA Crypto context
- psa_generate_random(): Generate some random numbers
Now the problem is: how to build the source code with Mbed TLS?
Build With Mbed TLS
Zephyr has a module mechanism to work with external open source projects. The Zephyr documentation describes how to integrate a source code repository in Zephyr as a module. Happily, Mbed TLS has already been integrated in Zephyr, so it is easy to build an Mbed TLS application in Zephyr.
To enable the Mbed TLS support, you need to modify the kernel configuration of Zephyr. One way is to use the menuconfig tool:
west build -t menuconfig
The command opens a configuration menu in the terminal.
Then you need to find the Mbed TLS item in the Modules sub-menu and configure it as you wish.
After saving, the file build/zephyr/.config (under the samples/hello_world folder) will be updated. However, the build folder is generated output. If you want the configuration to persist, it is better to save your customizations in the file prj.conf.
The configuration items required for building the crypto demo are:
# prj.conf
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
CONFIG_MBEDTLS_ZEPHYR_ENTROPY=y
Then even if you remove the build/ directory, everything can be rebuilt successfully.
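The check below is an added example, not part of the original article or of Zephyr's own tooling: it parses the merged build/zephyr/.config and reports any of the options listed above whose value in the build differs from what prj.conf requests, for example after a menuconfig change made only in the build folder. The function names and the sample text are constructed for illustration.

```python
import re
import sys

# Options and values the article puts in prj.conf.
REQUIRED = {
    "CONFIG_MBEDTLS": "y",
    "CONFIG_MBEDTLS_BUILTIN": "y",
    "CONFIG_MBEDTLS_CFG_FILE": '"config-tls-generic.h"',
    "CONFIG_MBEDTLS_ENTROPY_ENABLED": "y",
    "CONFIG_MBEDTLS_PSA_CRYPTO_C": "y",
    "CONFIG_MBEDTLS_ZEPHYR_ENTROPY": "y",
}

ASSIGN = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_dotconfig(text):
    """Return {symbol: value}; a '# CONFIG_X is not set' line maps to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = ASSIGN.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def check_config(text, required=REQUIRED):
    """Return (symbol, expected, actual) per mismatch; actual is None if absent."""
    symbols = parse_dotconfig(text)
    return [(name, want, symbols.get(name))
            for name, want in required.items()
            if symbols.get(name) != want]

# Constructed sample: a merged .config in which the entropy option was turned off.
SAMPLE_BAD = """\
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
CONFIG_MBEDTLS_ENTROPY_ENABLED=y
CONFIG_MBEDTLS_PSA_CRYPTO_C=y
# CONFIG_MBEDTLS_ZEPHYR_ENTROPY is not set
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_BAD
    problems = check_config(text)
    for name, want, got in problems:
        print(f"{name}: expected {want}, got {got}")
    sys.exit(1 if problems else 0)
```

Run it with the path to build/zephyr/.config as the only argument; the exit status is non-zero when any option differs.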
Run the Demo
When you run the demo program, you should see:
> west build -t run
-- west build: running target run
[0/1] To exit from QEMU enter: 'CTRL+a, x'
[QEMU] CPU: qemu32,+nx,+pae
SeaBIOS (version zephyr-v1.0.0-0-g31d4e0e-dirty-20200714_234759-fv-az50-zephyr)
Booting from ROM..
*** Booting Zephyr OS build zephyr-v3.2.0-1066-g217528f2dea8 ***
Generated random numbers.