An important aspect of any IoT device is how secure its communication with other devices, gateways or the cloud is. Developers commonly secure links such as TCP/IP connections, Bluetooth or Zigbee. However, if a microcontroller sends sensitive information over a simple interface such as a UART to another microcontroller, that data should be protected as well: a UART is a plain wire, and anyone with probe access to the board can snoop it.
Silicon Labs offers a hardware CRYPTO module that accelerates common cryptographic operations with low CPU overhead. To make use of it, Silicon Labs also provides a library of mbed TLS plugins (the sl_crypto folder used below) that lets mbed TLS take advantage of the CRYPTO module acceleration.
To use mbed TLS in a Micrium OS based application, the developer must first understand how the mbed TLS library will be used in the application. By default, mbed TLS is intended for a single-threaded/bare-metal application, or for use from only a single thread of an RTOS application. For a Micrium OS application, this means that if only one task calls mbed TLS functions, no special modifications to the config file are necessary. If mbed TLS will be called from multiple tasks, for example a Bluetooth project that also has a UART link to another microcontroller, a few modifications need to be made to the mbed TLS config header.
The following instructions show how to enable thread protection in mbed TLS for a Micrium OS Blink project on the Giant Gecko Series 1 (SLSTK3701A). If you have any difficulty getting the project set up, a .sls file is attached to this post for you to download. If you need further information on the SiLabs mbed TLS library, refer to Application Note AN0955.
Open Simplicity Studio and, with your GG11 plugged in, select the board under Debug Adapters and then expand Software Examples. Select the SLSTK3701A_micriumos_blink project and jump to the Simplicity IDE.
First, mbed TLS must be added to the project, as it is not already included. You can either download mbed TLS from https://tls.mbed.org or take a copy from your Simplicity Studio install at: Simplicity Studio install location -> Eclipse -> developer -> sdks -> gecko_sdk_suite -> v2.4 -> util -> third_party -> mbedtls. Place those files into the workspace folder for SLSTK3701A_micriumos_blink.
Once mbed TLS is in the project, you need to add the SiLabs library for mbed TLS to the SLSTK3701A_micriumos_blink workspace as well. From the same location under the Simplicity Studio install (Eclipse -> developer -> sdks -> gecko_sdk_suite -> v2.4 -> util -> third_party -> mbedtls), copy the sl_crypto folder and the config folder.
After adding the folders to the workspace as shown in the image above, include paths need to be added to the project. Under the project properties, go to C/C++ Build -> Settings -> GNU ARM C Compiler -> Includes.
Paths need to be added for the config directory, the include directory and the sl_crypto directory. After adding those paths, remain in the project settings and go to Symbols under GNU ARM C Compiler.
At this point, mbed TLS has been added to the project, but it will only run in its default configuration. This means it won't take advantage of the CRYPTO module acceleration and it won't work from multiple tasks. To fix that, add a new symbol containing the following: MBEDTLS_CONFIG_FILE="config-sl-crypto-all-acceleration.h" and then click OK. This tells every mbed TLS source file to look at the new config file rather than the default config.h. Note that the double quotes are part of the macro value: mbed TLS does #include MBEDTLS_CONFIG_FILE, so the preprocessor must see a quoted file name. If you ever move the build to a command line or makefile, escape the quotes so the shell does not strip them.
Open config-sl-crypto-all-acceleration.h under the config directory. This is the default config file for enabling all hardware accelerations supported by the SiLabs mbed TLS library. Add the following code to the header file to enable threading and to remove the requirement for network sockets (unless you plan to use them). This code must be placed directly below the #include "mbedtls/config.h" line, which is the first line shown here:

/* Include the default mbed TLS config file */
#include "mbedtls/config.h"

/* Add Micrium OS support */
#define MBEDTLS_THREADING_ALT   /* use the RTOS mutex implementation from threading_alt.h */
#define MBEDTLS_THREADING_C     /* compile mbed TLS's internal locking */
#define MBEDTLS_MICRIUM         /* select the Micrium OS mutex mapping in the SiLabs library */
#undef MBEDTLS_NET_C            /* no network sockets in this project */
#undef MBEDTLS_TIMING_C         /* timing module not used in this project */
Finally, the last piece needed for Micrium OS support in mbed TLS is to initialize threading support before starting Micrium OS. In the file ex_main.c, place the following code in main() anywhere after the OSInit() call and before OSStart(). It must come after OSInit() because the mutexes it creates are kernel objects, and before OSStart() so that no task can enter mbed TLS before the protection exists. This initializes the necessary mutexes to provide the protection.

// Enable Micrium OS support
#if defined ( MBEDTLS_THREADING_C )
THREADING_setup();
#endif

At this point, once OSStart() has been called and multitasking has begun, mbed TLS calls can be made safely from any task in Micrium OS. One caveat: the threading support protects the library's shared state, including the CRYPTO module accessed through the SiLabs plugins, but it does not make a single mbed TLS context (for example an AES, SHA or SSL context) safe for concurrent use by several tasks. Give each task its own contexts, or guard a shared context with a mutex of your own.
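As an added example (this is not code from the original post and not the Silicon Labs sl_crypto threading_alt.h, which already ships this for Micrium OS), here is the shape of the alternate threading layer that a THREADING_setup() call installs: four callbacks wrapping the kernel mutex, handed to mbed TLS through mbedtls_threading_set_alt(). The Micrium OS branch uses OSMutexCreate/OSMutexPend/OSMutexPost/OSMutexDel as assumed here and only compiles on the target (in a real build the mutex typedef goes in threading_alt.h); the POSIX branch builds on a host so the error paths and the serialisation can be exercised, with a plain counter standing in for the CRYPTO peripheral. The names alt_mutex_*, threading_setup(), run_contention() and lock_without_init() are this example's own.

```c
/* Added example: an MBEDTLS_THREADING_ALT mutex layer in the shape mbed TLS 2.x
 * expects. Not the SiLabs sl_crypto implementation. The Micrium OS branch is
 * written from the Micrium OS kernel mutex API as assumed here and is only
 * compiled on the target; the POSIX branch is what builds and runs on a host. */
#include <stddef.h>
#include <stdio.h>

/* Error values as defined by mbed TLS 2.x in mbedtls/threading.h. */
#define MBEDTLS_ERR_THREADING_BAD_INPUT_DATA  (-0x001C)
#define MBEDTLS_ERR_THREADING_MUTEX_ERROR     (-0x001E)

#if defined(MBEDTLS_MICRIUM)
#include <kernel/include/os.h>   /* Micrium OS kernel header (assumed path) */
typedef struct { OS_MUTEX mutex; char is_valid; } mbedtls_threading_mutex_t;
#else
#include <pthread.h>
typedef struct { pthread_mutex_t mutex; char is_valid; } mbedtls_threading_mutex_t;
#endif

static void alt_mutex_init(mbedtls_threading_mutex_t *m)
{
    if (m == NULL) return;
#if defined(MBEDTLS_MICRIUM)
    RTOS_ERR err;
    OSMutexCreate(&m->mutex, "mbedtls", &err);
    m->is_valid = (RTOS_ERR_CODE_GET(err) == RTOS_ERR_NONE);
#else
    m->is_valid = (pthread_mutex_init(&m->mutex, NULL) == 0);
#endif
}

static void alt_mutex_free(mbedtls_threading_mutex_t *m)
{
    if (m == NULL || !m->is_valid) return;
#if defined(MBEDTLS_MICRIUM)
    RTOS_ERR err;
    OSMutexDel(&m->mutex, OS_OPT_DEL_ALWAYS, &err);
#else
    pthread_mutex_destroy(&m->mutex);
#endif
    m->is_valid = 0;
}

/* Lock/unlock return 0 on success, an mbed TLS error code otherwise.
 * An uninitialised mutex is refused instead of being touched. */
static int alt_mutex_lock(mbedtls_threading_mutex_t *m)
{
    if (m == NULL || !m->is_valid) return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
#if defined(MBEDTLS_MICRIUM)
    RTOS_ERR err;
    OSMutexPend(&m->mutex, 0u, OS_OPT_PEND_BLOCKING, NULL, &err);  /* 0 = wait forever */
    return (RTOS_ERR_CODE_GET(err) == RTOS_ERR_NONE) ? 0 : MBEDTLS_ERR_THREADING_MUTEX_ERROR;
#else
    return (pthread_mutex_lock(&m->mutex) == 0) ? 0 : MBEDTLS_ERR_THREADING_MUTEX_ERROR;
#endif
}

static int alt_mutex_unlock(mbedtls_threading_mutex_t *m)
{
    if (m == NULL || !m->is_valid) return MBEDTLS_ERR_THREADING_BAD_INPUT_DATA;
#if defined(MBEDTLS_MICRIUM)
    RTOS_ERR err;
    OSMutexPost(&m->mutex, OS_OPT_POST_NONE, &err);
    return (RTOS_ERR_CODE_GET(err) == RTOS_ERR_NONE) ? 0 : MBEDTLS_ERR_THREADING_MUTEX_ERROR;
#else
    return (pthread_mutex_unlock(&m->mutex) == 0) ? 0 : MBEDTLS_ERR_THREADING_MUTEX_ERROR;
#endif
}

/* Register the callbacks with mbed TLS: call after OSInit() (mutexes are
 * kernel objects) and before OSStart() (before any task can enter the library). */
void threading_setup(void)
{
#if defined(MBEDTLS_THREADING_C) && defined(MBEDTLS_THREADING_ALT)
    mbedtls_threading_set_alt(alt_mutex_init, alt_mutex_free,
                              alt_mutex_lock, alt_mutex_unlock);
#endif
}

#if !defined(MBEDTLS_MICRIUM)
/* Host-only demonstration: the counter stands in for a resource that only one
 * caller may drive at a time, the way the CRYPTO block is serialised. */
static mbedtls_threading_mutex_t g_crypto_mutex;
static unsigned long g_shared_counter;

static void *worker(void *arg)
{
    unsigned long n = *(const unsigned long *)arg;
    for (unsigned long i = 0; i < n; i++) {
        if (alt_mutex_lock(&g_crypto_mutex) != 0) return NULL;
        g_shared_counter++;                  /* the guarded operation */
        alt_mutex_unlock(&g_crypto_mutex);
    }
    return NULL;
}

/* Two threads each perform per_thread guarded operations; the result equals
 * 2 * per_thread only if the lock actually serialises them. */
unsigned long run_contention(unsigned long per_thread)
{
    pthread_t t[2];
    g_shared_counter = 0;
    alt_mutex_init(&g_crypto_mutex);
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, worker, &per_thread);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    alt_mutex_free(&g_crypto_mutex);
    return g_shared_counter;
}

/* Locking a never-initialised mutex must fail with BAD_INPUT_DATA. */
int lock_without_init(void)
{
    mbedtls_threading_mutex_t m;
    m.is_valid = 0;
    return alt_mutex_lock(&m);
}

int main(void)
{
    printf("guarded operations: %lu\n", run_contention(100000));
    printf("lock without init: %d\n", lock_without_init());
    return 0;
}
#endif
```

On the target the two cooperating pieces are the mutex typedef in threading_alt.h and the callbacks plus the setup function; the config defines from the previous section (MBEDTLS_THREADING_ALT, MBEDTLS_THREADING_C, MBEDTLS_MICRIUM) are what make mbed TLS route its internal locking through them.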