==================================================================
- client/server TLS1.3 ECC example
- Trusted Firmware-M TLS1.3 on Nucleo-l552ZE-Q board
These examples are modified versions of client/server examples found in tls/ but using PSA for ECDH, ECDSA, HKDF, AES-GCM and SHA256.
To build the client/server examples you must provide the path to a static
library that implements the PSA interface using the environment variable
PSA_LIB_PATH. You can optionally specify the location of the PSA headers with
PSA_INCLUDE. After that you can run make to build the client-tls13-ecc-psa
and server-tls13-ecc-psa.
PSA_INCLUDE=/path/to/psa/include PSA_LIB_PATH=/path/to/psa/library.a make
wolfSSL must be built with PSA (--enable-psa) and public key callbacks
(--enable-pkcallbacks) support and must be built using the same PSA headers
used to compile the examples.
You can test these examples with mbedTLS PSA implementation. For this task the
helper script build_with_mbedtls_psa.sh is provided. It must run from the
wolfSSL source root directory and it compiles the mbedTLS library in
/tmp/mbedtls . To use the script and then compile the examples use these
commands:
cd /path/to/wolfSSL/src;
./path/to/wolfssl-examples/psa/build_with_mbedtls_psa.sh
make install
cd /path/to/wolfssl-examples/psa/
export PSA_INCLUDE=/tmp/mbedtls/build/include
export PSA_LIB_PATH=/tmp/mbedtls/build/library/libmbedcrypto.a
make
TLS1.3 client/server exchange a small message over memory in PSA enabled Trusted Firmware-M (TF-M) on Nucleo-l552ZE-Q board.
This example is provided as a patch to the TF-M test repo, which is normally used as the default Non Secure app in the TF-M repo. This way the example integrates smoothly inside the TF-M build system.
The general requirements to build TF-M are listed here TF-M doc
To compile TF-M on Nucleo-l552ZE-Q board you additionally need: - GNU Arm compiler v7.3.1+ toolchain - STM32_Programmer_CLI see here
To have all the needed binary artifacts to flash on the board you need three
interacting parts: the main TF-M repo (for bootloader and Secure world), wolfSSL
PSA-enabled library, and the modified TF-M test repo (for Non-Secure world). The
provided script build_tfm_example.sh automatically downloads and compile all
the needed components and produces the final build artifacts. The toolchain
needs to be available on the default path for the script to work.
CAVEATS: The example only works with TF-M commit ID f07cc31545bbba3bad1806ed078c3aee3a09dc52
After running build_tfm_example.sh you can flash the binaries artifacts from
the TF-M build directory (defaults to /tmp/wolfssl_tfm/tfm/build) and run:
./regression.sh && ./TFM_UPDATE.sh
to flash on the nucelo board. Remember that this step needs
STM32_Programmer_CLIinstalled and on the default PATH.
After that you will see client and server interacting on the UART of the board:
[Sec Thread] Secure image initializing!
TF-M FP mode: Software
Booting TFM v1.5.0
Non-Secure system starting...
wolfSSL demo
wolfSSL_Init Success
wolfSSL provisioning server secret key
Server is starting
Client is starting
Overriding cert date error as example for bad clock testing
Received message from client:
hello wolfssl!