-
Notifications
You must be signed in to change notification settings - Fork 7.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mbedTLS memory allocation stragegy SPIRAM/default allocation mode breaks mbedTLS with gcc 8 (IDFGH-1336) #3624
Comments
In a browser it fails but it works in curl. Actually it works in a browser as long as you force https in the URL. The problem with chrome is that it will timeout on the first try and close the connection but it will succeed on the second try. However your example code returns on handshake failure instead of continuing the accept loop. |
@negativekelvin Then you're getting other results than me. Just verified that if I browse to https://IP:9080, then I get the MAC-failure. Did you use the sdkconfig in the zip?
It was the only example that uses mbedTLS I found that wasn't written by me I could find and in this case it doesn't matter - the MAC failure happens. |
Yes I only changed the Serial flasher settings. Firefox:
Chrome:
|
Could the difference in result be due to different hardware? What device are you running on, @negativekelvin ? |
No same hardware but I am using make and gcc 5. |
Ah, that might be the difference then. Could you please try with gcc 8 and same IDF just to see if it is reproducible by others than me? |
Yes switching to gcc 8 I can reproduce it It does get pretty far into the handshake and then |
@negativekelvin Thanks for confirming. So it seems this is related to the gcc 8 tool chain and thus of interest for @igrr perhaps? |
For the record: I tried the very latest IDF and xtensa-gcc 8 with the same result. OP updated with new versions. Also, I tried to go back to gcc 5, but gcc 8 rc1 is the only one offered on the download page now so I'm totally blocked now. |
For the GCC 5 link, you can still find it here: https://docs.espressif.com/projects/esp-idf/en/stable/get-started/linux-setup.html#toolchain-setup |
Oh right. I always go /latest in the docs, not /stable Thank you @igrr |
I forgot - with access to gcc 8 I've started using C++ 17, so going back to gcc 5 isn't an appealing option. Using bleeding edge tech is fun, but sometimes it hurts 💩 Then again, that's what early access is for. |
Use "libc-psram-workaround.a" instead of "libc.a" to solve the problem, �[0;32mI (754) cpu_start: Starting app cpu, entry point is 0x400814a4�[0m |
@xiruilin suggestion works, overriding the newlib component with the gcc8 versions. Actually I take it back it doesn't work 100% of the time. It might require the new psram fix. |
You mean the outstanding issue in gcc 8? |
I mean this #2892 |
Yeah, that one. I wonder though - this MAC issue seems to only occur in gcc 8. Why is that you think? gcc8 just happens to generate code that triggers the PSRAM every time it runs the crypto code? |
Well I did not test enough to say it doesn't ever occur in gcc 5. I don't know if there are ABI changes that cause exactly the right trigger, but maybe. |
Tried with the latest IDF (original post updated), and the issue remains. |
It's been a month since this ticket was opened, would it be possible to get some feedback from Espressif, @igrr? |
Hi all, we have the same issue in our project, where we have memory constraints. |
@PerMalmberg with the latest master branch (842432f) I can not reproduce the issue using the project attached to the OP. I see a handshake error -0x7780 with Chrome (as @negativekelvin has reported) and both GCC 5.2 and 8.2 based toolchains. There is no error with curl and Safari in both GCC versions. However, while looking into this issue, I have found a potential problem related to the way psram-workaround version of libc.a was built for the GCC 8 toolchain. Could you please try replacing /path-to/xtensa-esp32-elf/xtensa-esp32-elf/lib/esp32-psram/libc.a with the attached copy, and see if the issue persists? libc.a.zip |
Running
|
Sorry, stripping the static library was obviously a bad idea. The full version is at https://dl.espressif.com/dl/misc/IDFGH-1336-libc.a.zip, please give a try. |
Full test results:
I wonder why you can't reproduce it with the latest master and the original libc.a ? |
for me it is still not working consistently
|
xtensa-esp32-elf-gcc selects among the multilib configurations based on the presence of -mfix-esp32-psram-cache-issue flag. Pass this flag in LDFLAGS so that the correct libraries are linked. Reported in espressif#3624
@igrr Where are we on this? Any more changes coming, or will it be in the next release of the tool chain? |
Another one and a half month later, status update, please @igrr ? |
@PerMalmberg sorry, the fix should indeed be part of the new toolchain release. Unfortunately it got held up by a different issue, which we are working on. Hopefully it will get solved next week. |
yes, all this seems related to a bigger issue concerning external ram allocation, which corrupts in some way. |
We also wait for this fix :) |
Hi @igrr , I was just wondering when the new toolchain will be released. |
Unfortunately we ran into an issue with enabling RTTI support in this new toolchain build. We are working on some alternative solution. I will update this issue when we have some progress! |
The toolchain has been updated in c2db6a1#diff-0633a6582c888c6fc5bc6a3c00dba496, this version includes the correctly built libc.a. Please update the toolchain and give it a try. This version uses the original version of the PSRAM workaround, not the new one mentioned in #2892. |
Will release/4.0 also support this new toolchain? We're currently using the betas from 4.0 on our projects and it would be nice to avoid having to swap libc.a with the patched one. |
Which, apart from possibly solving the issue reported in this thread, still leaves us with only unicore being a stable mode of operation. Can we expect another updated toolchain before the final release of v4.0 ? |
release/v4.0 has also been updated to this toolchain release, it will get synced to GitHub once we fix some of the failing tests on our side. Regarding the new PSRAM workaround version, I think it is unlikely that it will be finished in time for the 4.0 release. We will definitely include it into the subsequent patch release (4.0.x), once this toolchain version is ready. The linked issue will be updated when this happens. |
@igrr using the latest release/v4.0 ( a3f3c7b ) with the 2020r1 psram fix toolchain release still results in this bug. Are there other steps i should be taking or should i to wait for release/4.0 to be updated? edit: Forcefully copying the psram fix blobs in the 2020r1 toolchain (and using them to replace the standard blobs) seem to make the problem go away. I'm using the idf_as_lib strategy with cmake for building. Is there some way i should be properly linking these? I have:
in my toolchain.cmake file |
Could you please do a verbose build, copy the final linker command line, and paste it here? |
@igrr the final command is the one that generates the .elf file correct? i notice that the espressif components have the -mfix-esp32-psram-cache flag after the .a blobs, but mine do not. Maybe that's part of the issue.
|
Thanks, this looks correct. Could you please run Also, if you have switched from esp-2019r2 to esp-2020r1 toolchain, have you removed your CMakeCache.txt? CMake caches the path to the compiler, so it might be possible that the older toolchain is still used. One other thing, could you please explain what you mean by
Which exact files have you copied, and to what location? |
Oh, i think i see the reason — you are using "nano" C library, which is not compatible with PSRAM. Please check if the issue persists after disabling "nano" option. |
Removing the nano option seems to have done it, i've successfully ota'd my device from an https endpoint 3 times now. Thanks @igrr
I copied xtensa-esp32-elf/lib/esp32-psram files out into the main xtensa-esp32-elf/lib folder, replacing the files there. This least helped me debug that i was doing something wrong and the the toolchain was working. |
Hi, I tested with firefox, chrome, opera and edge and not work. With Chrome: esp-idf version: v4.2-dev-1235-g71dc5eb27 |
Hello @PerMalmberg, we are closing this issue. It was fixed in 4.0.2: #2892 (comment) If you think this issue should be open, please let me know. Thank you! |
Environment
Problem Description
This bug relates to this question of the forum.
To make a long story short - forcing mbedTLS to use external memory breaks it in such a way that all TLS handshakes results in this error:
meaning "SSL - Verification of the message MAC failed"
Expected Behavior
TLS to be functional even when using SPIRAM
Actual Behavior
Steps to repropduce
I've attached a zip with a modified https_server example in which I've replaced the actual server with one that uses mbedTLS (original source by @projectgus here, but modified to use the certs provided in the https_server project).
Simply change the hard-coded "CHANGE ME" ssid and password in main2.c, compile, run and browse to IP:9080 and you'll see your browser emit something like this, as well as the above log message.
Changing mbedTLS memory allocation strategy to internal makes the handshake function again and the server will output the browsers request on screen.
I've intentionally forced most memory allocations to use SPIRAM by setting CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL to 256 to ensure the problem is shown in this example.
Unfortunately there is not enough internal memory for my project so I can't do without SPIRAM so any attempt to have mbedTLS only use internal memory results in memory allocation errors, with the side effects that brings.
mbedtls_broken_with_gcc8.zip
The text was updated successfully, but these errors were encountered: