doc: psa_tls: update for TLS v1.3 #20833
Conversation
github-actions
bot
added
doc-required
greg-fer
force-pushed
the
doc_psa_tls13_support
branch
from
a939636 to
4fdd44a
Compare
github-actions
bot
removed
the
changelog-entry-required
CI InformationTo view the history of this post, clich the 'edited' button above Inputs:Sources:more detailsGithub labels
List of changed files detected by CI (0)Outputs:ToolchainVersion: Test Spec & Results: ✅ Success; ❌ Failure; 🟠 Queued; 🟡 Progress; ◻️ Skipped;
|
| @@ -251,15 +286,15 @@ After programming the sample to your development kit, complete the following ste | |||
|
|
|||
| sudo ./eth_rtt_link --snr 960010000 --ipv4 192.0.2.1 | |||
|
|
|||
| #. Use ``openssl`` to start the server, which waits for the `client` connection and handshake operation. | |||
| #. Use OpenSSL to start the server, which waits for the `client` connection and handshake operation. | |||
|
|
|||
| .. code-block:: console | |||
|
|
|||
| openssl s_server -dtls -accept 4243 -cipher ECDHE-ECDSA-AES128-SHA256 -cert certs/ecdsa/cert.pem -key certs/ecdsa/cert.key | |||
There was a problem hiding this comment.
What about commands for DTSL server/client, @magnev ?
There was a problem hiding this comment.
DTLS v1.3 is not yet supported in OpenSSL, unfortunately.
samples/crypto/psa_tls/README.rst
Outdated
| * RSA is not supported in applications with CMSE enabled. | ||
| * AES256 is not supported in applications with CMSE enabled that are running on nRF9160. |
There was a problem hiding this comment.
| * RSA is not supported in applications with CMSE enabled. | |
| * AES256 is not supported in applications with CMSE enabled that are running on nRF9160. | |
| * RSA in applications with CMSE enabled. | |
| * AES256 in applications running on the nRF9160 with CMSE enabled. |
There was a problem hiding this comment.
Rephrased as instructed by @magnev . Kept is not supported for users who don't read the introductory lines to lists ;)
|
|
||
| You can find the ``_SEGGER_RTT`` RAM address in the :file:`.map` file. | ||
| When using an nRF5340 development kit, if :file:`eth_rtt_link` cannot start the RTT connection, pass the ``_SEGGER_RTT`` RAM block address as a parameter using ``--rttcbaddr``, as shown in the following example: |
There was a problem hiding this comment.
| When using an nRF5340 development kit, if :file:`eth_rtt_link` cannot start the RTT connection, pass the ``_SEGGER_RTT`` RAM block address as a parameter using ``--rttcbaddr``, as shown in the following example: | |
| When using an nRF5340 development kit and the :file:`eth_rtt_link` cannot start the RTT connection, pass the ``_SEGGER_RTT`` RAM block address as a parameter using ``--rttcbaddr``, as shown in the following example: |
There was a problem hiding this comment.
I see it as two conditions, so kept old phrasing.
|
You can find the documentation preview for this PR here. Preview links for modified nRF Connect SDK documents: https://ncsdoc.z6.web.core.windows.net/PR-20833/nrf/libraries/security/nrf_security/doc/drivers.html |
greg-fer
force-pushed
the
doc_psa_tls13_support
branch
2 times, most recently
from
1fcb312 to
69d275a
Compare
samples/crypto/psa_tls/README.rst
Outdated
| * - ``nrf52840dk/nrf52840`` | ||
| ``nrf9160dk/nrf9160`` | ||
| ``nrf9151dk/nrf9151`` | ||
| - :ref:`cc3xx_legacy<nrf_security_drivers_legacy>` |
There was a problem hiding this comment.
@magnev , can you double check links in this table? I'm not sure if the legacy links are correct. Thanks.
greg-fer
force-pushed
the
doc_psa_tls13_support
branch
from
69d275a to
50ca0b9
Compare
samples/crypto/psa_tls/README.rst
Outdated
| @@ -1,13 +1,13 @@ | |||
| .. _crypto_tls: | |||
|
|
|||
| Crypto: PSA TLS | |||
| ############### | |||
| Crypto: PSA Transport Layer Security | |||
There was a problem hiding this comment.
The sample name is "psa_tls"
I was a bit confused trying to find the sample documentation in the doc preview link, before I realized the documentation was renamed.
"TLS" is a pretty established abbreviation, so I propose we keep the "abbreviated" sample name in the header to keep it simple for developers to match the doc with the sample name, and then we can expand the abbreviations in the text description
samples/crypto/psa_tls/README.rst
Outdated
| - No | ||
| - No | ||
| - AES256, AES-GCM, SHA-512 | ||
| - Also supports :ref:`PSA Crypto nrf_oberon driver<nrf_security_drivers_oberon>` |
There was a problem hiding this comment.
This should be the "Mbed TLS legacy nrf_oberon" backend.
Mbed TLS "legacy crypto" and "PSA crypto" are two distinct crypto APIs. In this row we are referring TLS using the "legacy crypto" APIs.
Both "legacy" and PSA crypto APIs have A HW driver (using cc3xx driver) and a SW implementation (using the nrf_oberon oberon), however their configuration and usage are distinct.
There was a problem hiding this comment.
Actually, I now see that the legacy crypto using "nrf_oberon" is listed as a separate row below.
So just remove the "Also supports: PSA Crypto nrf_oberon driver" comment here
samples/crypto/psa_tls/README.rst
Outdated
| - No | ||
| - No | ||
| - | ||
| - Also supports :ref:`PSA Crypto nrf_oberon driver<nrf_security_drivers_oberon>` |
There was a problem hiding this comment.
Leave this comment blank. Same reasoning as above (this row lists legacy crypto support. Not PSA crypto)
samples/crypto/psa_tls/README.rst
Outdated
| - No | ||
| - Yes | ||
| - | ||
| - Also supports :ref:`PSA Crypto nrf_oberon driver<nrf_security_drivers_oberon>` |
There was a problem hiding this comment.
Leave this as blank as well.
SSF crypto service does not support nrf_oberon driver due to other reasons. The explanation might be a bit long for this comment. Happy to have a discussion offline.
samples/crypto/psa_tls/README.rst
Outdated
| - No | ||
| - No | ||
| - | ||
| - Also supports :ref:`PSA Crypto nrf_oberon driver<nrf_security_drivers_oberon>` |
There was a problem hiding this comment.
Leave the comment blank here as well
samples/crypto/psa_tls/README.rst
Outdated
| - :ref:`PSA Crypto CRACEN driver<nrf_security_drivers_cracen>` | ||
| - Yes | ||
| - Yes | ||
| - |
There was a problem hiding this comment.
RSA is not supported for these last 3 targets in the list:
- nrf54l15dk/nrf54l15/cpuapp,
- nrf54l15dk/nrf54l10/cpuapp,
- nrf54h20dk/nrf54h20/cpuapp / nrf54h20dk/nrf54h20/cpurad
samples/crypto/psa_tls/README.rst
Outdated
| - :ref:`PSA Crypto CRACEN driver<nrf_security_drivers_cracen>` | ||
| - Yes | ||
| - No | ||
| - |
There was a problem hiding this comment.
RSA is not supported for any of the TLS v1.3 targets
samples/crypto/psa_tls/README.rst
Outdated
| Supported cipher suites | ||
| ======================= | ||
|
|
||
| See the following tabs for the list of supported cipher suites for each TLS version. |
There was a problem hiding this comment.
Perhaps mention that other cipher suites may be working as well, but this list is what we verify
Updated sample documentation for TLS v1.3. NCSDK-32250. Signed-off-by: Grzegorz Ferenc <[email protected]>
greg-fer
force-pushed
the
doc_psa_tls13_support
branch
from
50ca0b9 to
2f0f6ba
Compare
|
@magnev , @endre-nordic , kindly please re-review. |
|
Updated sample documentation for TLS v1.3.
NCSDK-32250.