MbedTLS Porting into new environment - Help with networking and entropy

Hi,

I am porting the mbedTLS library into my Keil v4 bare metal project using the LPC3250 Arm9. My project does not have an operating system, therefore I cannot use net_sockets.c or Default entropy sources. I am following the link below but need help with adding a new entropy-collection function. My goal is to use mbedTLS to send TLS secure emails from my embedded system.
https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS

So far I have moved over all the source and header files into my current Keil project but am now stuck on the networking and entropy part. I want to use the mbedTLS ssl_mail_client example to set up a SMTPS function.

Has anyone successfully imported mbedTLS into their bare metal, no OS, embedded project? Are there any examples of bare metal networking or entropy C code? Any help is appreciated, thanks.

Hi @kamaln16

Entropy should be specific to your platform.
Does your platform have a hw entropy source? If so, you should use the MBEDTLS_ENTROPY_HARDWARE_ALT configuration, and implement mbedtls_hardware_poll() in your application, as explained in Alternative cryptography engines implementation — Mbed TLS documentation and Why to add an entropy source — Mbed TLS documentation
If you don’t have a hardware entropy source, you may consider using the NV seed feature and store it in your internal secure flash.

If you don’t have such an option, you probably won’t have a strong enough entropy source, and your application will probably not be secure.

As for networking, this is according to your platform. net_sockets.c is an example networking functionality using BSD sockets. It probably won’t help you.
You should undefine MBEDTLS_NET_C and implement your own bio callbacks that use your platform’s networking read and write functions. Since I believe your platform already has an unsecure mail client, you can look at the bio functions that are being used there, and wrap them when you call mbedtls_ssl_set_bio().
Regards,
Mbed TLS Team member
Ron
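Ron's hardware route, as an added example that is not code from this thread or from the Mbed TLS sources: a `mbedtls_hardware_poll()` with the prototype that `MBEDTLS_ENTROPY_HARDWARE_ALT` requires. The TRNG register is a constructed stand-in (`fake_trng_state`, `fake_trng_stuck` and `trng_read_word` are hypothetical); whether the LPC3250 has a usable hardware source is not settled in this thread, so on a real board the read targets whatever peripheral the platform provides. What the example adds to the post is the contract: report how many bytes were actually produced through `*olen`, and fail closed when the source looks stuck instead of feeding the DRBG predictable bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same value as MBEDTLS_ERR_ENTROPY_SOURCE_FAILED in mbedtls/entropy.h, defined
 * locally so this file builds without the library. */
#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED -0x003C

/* Constructed stand-in for a memory-mapped TRNG data register (hypothetical).
 * On real hardware this is a volatile read of the peripheral; the xorshift below
 * only exists so the example produces varying sample data. */
static uint32_t fake_trng_state = 0x12345678u;
int fake_trng_stuck = 0;          /* test hook: simulate a stuck / unclocked generator */

static uint32_t trng_read_word(void)
{
    if (fake_trng_stuck)
        return 0xFFFFFFFFu;       /* a dead register keeps returning the same word */
    fake_trng_state ^= fake_trng_state << 13;
    fake_trng_state ^= fake_trng_state >> 17;
    fake_trng_state ^= fake_trng_state << 5;
    return fake_trng_state;
}

/* Prototype required by MBEDTLS_ENTROPY_HARDWARE_ALT. The entropy collector calls
 * this; it must fill up to `len` bytes, store the number actually written in
 * *olen, and return 0 on success or a negative error. */
int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
    uint32_t prev = 0, w;
    size_t written = 0, n;
    (void) data;                  /* unused: no per-source context in this example */
    *olen = 0;

    while (written < len) {
        w = trng_read_word();
        /* Minimal continuous health check: two identical consecutive words point
         * at a stuck generator. Report failure rather than hand out those bytes. */
        if (written > 0 && w == prev)
            return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
        prev = w;
        n = (len - written < sizeof w) ? len - written : sizeof w;
        memcpy(output + written, &w, n);
        written += n;
    }
    *olen = written;
    return 0;
}

int main(void)
{
    unsigned char buf[16];
    size_t olen = 0, i;
    int rc = mbedtls_hardware_poll(NULL, buf, sizeof buf, &olen);
    printf("rc=%d olen=%u bytes:", rc, (unsigned) olen);
    for (i = 0; i < olen; i++)
        printf(" %02x", buf[i]);
    printf("\n");
    return rc == 0 ? 0 : 1;
}
```

With `MBEDTLS_ENTROPY_HARDWARE_ALT` defined, `mbedtls_entropy_init()` registers this function itself as a strong source, so nothing else needs to be wired up; the collector keeps polling until it has at least `MBEDTLS_ENTROPY_MIN_HARDWARE` bytes from it. A real implementation should also respect the peripheral's "data ready" flag instead of reading blindly.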

Hi Ron,

Thanks again for helping me out. For the entropy source, I am going to go with the NV seed feature. I followed your link and went through the steps to configure the NV seed feature, I am using the standard libc functions for the write and read functions. For the NV seed feature do I need to write any of the functions and do I need to populate my seed file? I see there is a write and update function for the seed file, but I am not sure how to set the seed file.

For the networking, I am going to use my current bio functions like you suggested but am not sure how to wrap them into mbedtls_ssl_set_bio(). I found this link below, stating that I need to wrap the f_send and f_recv functions but in the mbedTLS files, I cannot find where the f_send and f_recv are originally defined so I can wrap them.

Sorry if I am not understanding this very well but it is all new to me, thanks.
-Kamal

Hi Kamal,
The send and recv callback prototypes are defined here.

You will need to implement functions with these function prototypes, which internally will call your current bio functions, and set them as parameters when you call mbedtls_ssl_set_bio().

As for the NV seed feature, you will probably need to implement your own functionality for read and write, unless the default functionality works for you. The initial population of the seed file should be external to Mbed TLS, in a provisioning phase, in secure NV memory. You should probably have some provisioning tool that will populate the true random seed file.
Regards,
Ron
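Ron's NV seed answer, as an added example that is not code from this thread or from Mbed TLS: a read/write pair with the prototypes the NV seed feature expects, backed by a constructed stand-in for a reserved flash sector (`nv_seed_sector`, `flash_erase`, `flash_program`, `flash_verify` and the `lpc_` function names are all hypothetical). It shows the two things the post leaves implicit: the seed is provisioned once from outside the device, and a blank sector must be treated as a failure, not as a seed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the seed Mbed TLS reads and writes: 32 with the default SHA-256
 * accumulator, 64 if MBEDTLS_ENTROPY_SHA512_ACCUM is set. */
#define MBEDTLS_ENTROPY_BLOCK_SIZE 32

/* Constructed stand-in for the flash sector holding the seed. On real hardware
 * the three helpers become calls into the flash driver (assumption). */
#define NV_SEED_SECTOR_SIZE 64
static unsigned char nv_seed_sector[NV_SEED_SECTOR_SIZE];

static void flash_erase(void) { memset(nv_seed_sector, 0xFF, sizeof nv_seed_sector); }
static void flash_program(const unsigned char *src, size_t n) { memcpy(nv_seed_sector, src, n); }
static int  flash_verify(const unsigned char *src, size_t n) { return memcmp(nv_seed_sector, src, n) == 0; }

/* All 0xFF (erased) or all 0x00 (never written, or wiped) means the device was
 * never provisioned; seeding the DRBG from it would make its output predictable. */
static int seed_is_blank(const unsigned char *p, size_t n)
{
    unsigned char and_all = 0xFF, or_all = 0x00;
    size_t i;
    for (i = 0; i < n; i++) { and_all &= p[i]; or_all |= p[i]; }
    return and_all == 0xFF || or_all == 0x00;
}

/* Read callback with the prototype Mbed TLS expects for the NV seed. The library
 * treats any negative return as MBEDTLS_ERR_ENTROPY_SOURCE_FAILED. */
int lpc_nv_seed_read(unsigned char *buf, size_t buf_len)
{
    if (buf_len > NV_SEED_SECTOR_SIZE) return -1;
    if (seed_is_blank(nv_seed_sector, buf_len)) return -1;
    memcpy(buf, nv_seed_sector, buf_len);
    return 0;
}

/* Write callback: erase, program, verify. It refuses a degenerate seed so that a
 * bug upstream cannot silently downgrade the device to an unprovisioned state. */
int lpc_nv_seed_write(unsigned char *buf, size_t buf_len)
{
    if (buf_len > NV_SEED_SECTOR_SIZE) return -1;
    if (seed_is_blank(buf, buf_len)) return -1;
    flash_erase();
    flash_program(buf, buf_len);
    return flash_verify(buf, buf_len) ? 0 : -1;
}

/* One-time provisioning step: the seed comes from a real random source on the
 * production station, never from the device itself. */
int provision_nv_seed(const unsigned char *factory_seed, size_t len)
{
    unsigned char tmp[MBEDTLS_ENTROPY_BLOCK_SIZE];
    if (len != MBEDTLS_ENTROPY_BLOCK_SIZE) return -1;
    memcpy(tmp, factory_seed, len);
    return lpc_nv_seed_write(tmp, len);
}

int main(void)
{
    unsigned char factory_seed[MBEDTLS_ENTROPY_BLOCK_SIZE], seed[MBEDTLS_ENTROPY_BLOCK_SIZE];
    size_t i;
    /* Constructed sample seed for the demo; a real one comes from the tool. */
    for (i = 0; i < sizeof factory_seed; i++)
        factory_seed[i] = (unsigned char) (0x5a ^ (i * 29));
    printf("read before provisioning: %d\n", lpc_nv_seed_read(seed, sizeof seed));
    printf("provision: %d\n", provision_nv_seed(factory_seed, sizeof factory_seed));
    printf("read after provisioning: %d\n", lpc_nv_seed_read(seed, sizeof seed));
    return 0;
}
```

To hook it in, define `MBEDTLS_ENTROPY_NV_SEED` and `MBEDTLS_PLATFORM_NV_SEED_ALT` in the config and call `mbedtls_platform_set_nv_seed(lpc_nv_seed_read, lpc_nv_seed_write)` before `mbedtls_entropy_init()`, or point `MBEDTLS_PLATFORM_NV_SEED_READ_MACRO` / `MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO` at the two functions. Note that Mbed TLS rewrites the seed with fresh material through `mbedtls_entropy_update_nv_seed()` once it has gathered entropy, so the write path runs on every boot and the sector sees an erase cycle each time; pick the flash area with that wear in mind.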

I am currently working on the send and recv callback prototypes. Could you please explain what the “void *ctx” parameter is? In the description, context for the receive callback (typically a file descriptor), am I required to use this parameter?

@kamaln16
It is dependent on your implementation and on what your platform send / recv functions get as parameters.
It is not required for you to use this context, but usually this context is required to hold the handle of the socket that was opened during initialization.
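Putting Ron's two answers together (the send/recv callback prototypes, and what the `void *ctx` argument is for) as an added example that is not from this thread or from the Mbed TLS sources: a wrapper pair over a hypothetical bare-metal TCP driver. `plat_tcp_send` / `plat_tcp_recv`, their return conventions, and the loopback FIFO standing in for the network are all constructed for the example; `smtp_conn_t` is the structure the `ctx` pointer carries. The error codes are the real values from `ssl.h` and `net_sockets.h`, copied here so the file builds without the library.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same values as in mbedtls/ssl.h and mbedtls/net_sockets.h; defined locally so
 * this file builds without the library. */
#define MBEDTLS_ERR_SSL_WANT_READ    -0x6900
#define MBEDTLS_ERR_SSL_WANT_WRITE   -0x6880
#define MBEDTLS_ERR_NET_RECV_FAILED  -0x004C
#define MBEDTLS_ERR_NET_SEND_FAILED  -0x004E

/* The callback types mbedtls_ssl_set_bio() expects (mbedtls_ssl_send_t and
 * mbedtls_ssl_recv_t in ssl.h). */
typedef int mbedtls_ssl_send_t(void *ctx, const unsigned char *buf, size_t len);
typedef int mbedtls_ssl_recv_t(void *ctx, unsigned char *buf, size_t len);

/* Constructed stand-in for the board's existing TCP driver (hypothetical names).
 * Assumed conventions: returns bytes moved, 0 when it would block, -1 on error.
 * A single loopback FIFO plays the role of the network. */
#define PLAT_OPEN_HANDLE 7
#define PLAT_FIFO_SIZE   64
static unsigned char plat_fifo[PLAT_FIFO_SIZE];
static size_t plat_fifo_len = 0;

static int plat_tcp_send(int handle, const void *data, size_t len)
{
    size_t room = PLAT_FIFO_SIZE - plat_fifo_len;
    if (handle != PLAT_OPEN_HANDLE) return -1;
    if (room == 0) return 0;                 /* would block */
    if (len > room) len = room;              /* a short write is legal */
    memcpy(plat_fifo + plat_fifo_len, data, len);
    plat_fifo_len += len;
    return (int) len;
}

static int plat_tcp_recv(int handle, void *data, size_t len)
{
    if (handle != PLAT_OPEN_HANDLE) return -1;
    if (plat_fifo_len == 0) return 0;        /* nothing has arrived yet */
    if (len > plat_fifo_len) len = plat_fifo_len;
    memcpy(data, plat_fifo, len);
    memmove(plat_fifo, plat_fifo + len, plat_fifo_len - len);
    plat_fifo_len -= len;
    return (int) len;
}

/* This is what the `void *ctx` argument of mbedtls_ssl_set_bio() points at:
 * whatever the callbacks need to find the connection. Here, the driver handle. */
typedef struct {
    int handle;
} smtp_conn_t;

int smtp_bio_send(void *ctx, const unsigned char *buf, size_t len)
{
    smtp_conn_t *c = (smtp_conn_t *) ctx;
    int n;
    if (len > INT_MAX) len = INT_MAX;        /* the return type is int */
    n = plat_tcp_send(c->handle, buf, len);
    if (n < 0) return MBEDTLS_ERR_NET_SEND_FAILED;
    if (n == 0) return MBEDTLS_ERR_SSL_WANT_WRITE; /* stack retries the same call later */
    return n;
}

int smtp_bio_recv(void *ctx, unsigned char *buf, size_t len)
{
    smtp_conn_t *c = (smtp_conn_t *) ctx;
    int n;
    if (len > INT_MAX) len = INT_MAX;
    n = plat_tcp_recv(c->handle, buf, len);
    if (n < 0) return MBEDTLS_ERR_NET_RECV_FAILED;
    if (n == 0) return MBEDTLS_ERR_SSL_WANT_READ;  /* no data yet: not an error */
    return n;
}

/* Drives the wrappers through pointers of the Mbed TLS callback types, which is
 * what the library does after
 *     mbedtls_ssl_set_bio(&ssl, &conn, smtp_bio_send, smtp_bio_recv, NULL);
 * Returns the number of bytes that came back through the loopback. */
int bio_roundtrip_demo(void)
{
    mbedtls_ssl_send_t *f_send = smtp_bio_send;   /* a compile error here means a wrong prototype */
    mbedtls_ssl_recv_t *f_recv = smtp_bio_recv;
    smtp_conn_t conn = { PLAT_OPEN_HANDLE };
    unsigned char rx[16];
    const unsigned char msg[] = "EHLO";
    if (f_send(&conn, msg, 4) != 4) return -1;
    return f_recv(&conn, rx, sizeof rx);
}

int main(void)
{
    printf("loopback round trip returned %d bytes\n", bio_roundtrip_demo());
    return 0;
}
```

The mapping of driver results onto `MBEDTLS_ERR_SSL_WANT_READ` / `MBEDTLS_ERR_SSL_WANT_WRITE` is the part to get right: the stack expects those two codes when the driver simply has nothing yet, and treats any other negative value as a fatal transport error. In the ssl_mail_client example these wrappers take the place of `mbedtls_net_send` and `mbedtls_net_recv`, and `&conn` takes the place of the `mbedtls_net_context`.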

Is it possible to download the OS source files required from mbedTLS? I don’t understand why an OS is needed since it is all C code. Why can’t I just download the mbedTLS required header files from Windows API and use Windows API functions instead of creating my own?

Hi @kamaln16
I am sorry but I don’t understand what you mean.
Mbed TLS is a c library, and is mostly platform independent.
However, as mentioned in Mbed TLS abstraction layers — Mbed TLS documentation and other articles I already referenced, there are some porting efforts to specific platforms, such as the networking layer, as this is entirely platform specific.
Mbed TLS is shipped with an example networking layer, which implements the BSD type sockets API, and supports Windows OS as well, so you should be able to use it, if your OS is Windows API, as mentioned in your last comment.
The Mbed TLS stack calls the bio callbacks, which have known prototypes. In order to do that, you will need to supply the bio callbacks with the expected prototypes, which inside implement the calls to the OS networking module, assuming the OS API has a different prototype signature than the Mbed TLS networking API.

Regards,
Mbed TLS Team member
Ron

Hi Ron,

Sorry if I worded my questions poorly. I am asking if there is any way to use an already-made socket API for the networking functions. My question was, why can’t I just take the sockets API from an OS like Windows and use it in my project? Why can’t my bare metal project use the BSD type sockets API? Am I able to take in the source code for an already-made sockets API into my bare metal project and use it for mbedTLS? Overall, I want to know if it’s possible to take the network sockets portion of an OS and stick it into my bare metal project. Currently, my project does not have any OS and everything is written from bare metal in C code, thanks.

Hi Kamal,
As mentioned in my previous comment:

The Mbed TLS stack calls the bio callbacks, which have known prototypes. In order to do that, you will need to supply the bio callbacks with the expected prototypes, which inside implement the calls to the OS networking module, assuming the OS API has a different prototype signature than the Mbed TLS networking API.

This means that the TLS stack is platform independent, and calls the Mbed TLS network API. Mbed TLS is shipped with an example implementation of the bio callbacks, which wrap the BSD sockets API.
If the windows networking module, which is also supported in the Mbed TLS networking module is the same API that is used in your platform, you don’t need further implementation.
However, if the API is different, you will need to make your own wrapper on top of your platform networking API, in which the former has the same prototype as the Mbed TLS networking module API.

Regards