Mbed TLS in the Simplicity SDK#

Mbed TLS provides an open-source implementation of cryptographic primitives, X.509 certificate handling and the SSL/TLS and DTLS protocols. It also provides a reference implementation of the PSA Crypto API. The Mbed TLS library is used by several components provided in the Simplicity SDK, and can also be utilized by application code.

Note: The PSA Crypto API is the recommended interface for cryptographic operations.

More information on Mbed TLS can be found on the Mbed TLS API documentation hub.

Initialization#

Mbed TLS is enabled by including the Mbed TLS component to the project. When the Mbed TLS component is added to the project, the library is automatically initialized as a part of sl_system_init() and is ready to use by the application.

Hardware Drivers#

The Simplicity SDK platform includes alternative implementations for utilizing hardware peripherals for cryptographic primitives and composite algorithms. The specifics of what primitives and composite algorithms are supported depends on the device capabilities.

The drivers support sharing of cryptography hardware in multi-threaded applications, as well as a reduced overhead configuration for optimal performance in single-threaded applications. Multi-threaded support is provided by the Threading Primitives module.

The drivers are automatically enabled when adding the Mbed TLS component to the application project.

Dynamic Memory#

The Runtime initialisation of dynamic memory allocation functions for Mbed TLS component allows user configuration of application-specific functions for dynamic memory allocation. When this component is selected the application can call mbedtls_platform_set_calloc_free to set application-specific calloc and free function pointers which will be used by the Mbed TLS modules, PSA Crypto core, and hardware drivers. See providing your own hooks.

By default, dynamic memory allocation functions are provided via the Malloc Wrapper component.

Threading Primitives#

A default alternative (_alt) implementation for Threading Support is provided to support multi-threading with Micriumos or Freertos. The default implementation provides the alt implemention with the CMSIS RTOS2 API to add multi-threading support with MicriumOS and FreeRTOS.

Randomness Collection#

The Simplicity SDK includes hardware drivers for entropy generation. These are recommended to be used for any cryptographic operation that requires high-quality randomness.

TRNG Entropy Source#

All Series 2 Silicon Labs devices feature dedicated TRNG engines. For Virtual SE devices, the TRNG is a part of the CRYPTOACC peripheral; on Hardware SE devices, the TRNG is handled by the SE. This is the default and recommended entropy source, and will be enabled for all applications that use PSA Crypto.

Device-Unique Seed Entropy Source#

If an additional entropy source is requested in addition to the TRNG, a non-volatile random seed construction can be used.

This functionality is dependent on having an NVM3 default instance included in the application, since that is where the seed gets stored. On first boot, a seed gets generated by hashing device-unique information. On subsequent cycles, the seed gets rolled over and mixed with potential other entropy sources, meaning that the amount of reboot cycles and reinitialisations of the entropy collector becomes part of the entropy.

This entropy source is currently not usable through PSA Crypto. This entropy source is intended to be used in combination with a Deterministic Random Bit Generator (DRBG): see the 'CTR-DRBG' component.

Note: The seed generated at first boot is considered low quality. If high quality entropy is required, but the device does not support any of the hardware entropy sources, the application developer is strongly encouraged to write a high-quality seed during factory production by calling mbedtls_nv_seed_write and providing a true-random seed of size MBEDTLS_ENTROPY_BLOCK_SIZE.