TakayukiMatsuo cc747f0094 Add WOLFSSL_SP_NO_DYN_STACK macro to avoid compilation error in CC-RX compiler 1 year ago
README.md 1993851274 Renesas spelling, code formatting and whitespace fixes. 2 years ago
renesas_common.c 7d2a9136b6 Add support for TSIP v1.17 1 year ago
renesas_rx64_hw_sha.c 4d81a06557 Update comment format and other minor changes 1 year ago
renesas_rx64_hw_util.c 4d81a06557 Update comment format and other minor changes 1 year ago
renesas_sce_aes.c 9dcc48c8f7 update copyright to 2023 1 year ago
renesas_sce_sha.c 9dcc48c8f7 update copyright to 2023 1 year ago
renesas_sce_util.c 8851065848 cppcheck fixes 1 year ago
renesas_tsip_aes.c 7d2a9136b6 Add support for TSIP v1.17 1 year ago
renesas_tsip_sha.c 7d2a9136b6 Add support for TSIP v1.17 1 year ago
renesas_tsip_util.c cc747f0094 Add WOLFSSL_SP_NO_DYN_STACK macro to avoid compilation error in CC-RX compiler 1 year ago

README.md

TSIP FIT Module port

Support for the TSIP FIT driver: hardware acceleration for symmetric AES and SHA1/SHA256, plus the TLS-linked capability, including verification of the Root CA, the server certificate or an intermediate certificate.

Overview

wolfSSL uses the Renesas TSIP FIT module when the WOLFSSL_RENESAS_TSIP definition is set.

The following examples are included:

  • simple tls_client/tls_server
  • crypt test
  • crypt benchmark

The user_settings.h file enables some of the hardened settings.

Requirements

1. Renesas TSIP FIT module

FIT module

Note : The included example program is tested with TSIP FIT version 1.06.

2. e2studio

3. Evaluation Board that supports TSIP

Note : The included example program is tested with GR-ROSE, which is classified as RX65N.

Setup and Build wolfSSL library

  1. Uncomment #define WOLFSSL_RENESAS_TSIP in /path/to/wolfssl/wolfssl/wolfcrypt/settings.h
  2. Uncomment #define WOLFSSL_RENESAS_RX65N in /path/to/wolfssl/wolfssl/wolfcrypt/settings.h
  3. Open the project file at /path/to/wolfssl/IDE/Renesas/e2studio/Projects/wolfssl/ in e2studio and build it to create the wolfSSL library

Note : The FIT module source files must be generated in advance to compile wolfSSL when WOLFSSL_RENESAS_TSIP and WOLFSSL_RENESAS_RX65N are enabled. For how to create the FIT module files, see "Setup and Build an example program" later in this README.

To disable portions of the hardware acceleration you can optionally define:

    /* Disable SHA acceleration */
    #define NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH
    /* Disable TLS-linked acceleration */
    #define NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION

Benchmarks

Platform:

  • Renesas : e2Studio v7.4.0
  • ToolChain : Renesas CCRX version 3.00.00
  • TSIP FIT : version 1.0.6
  • Board : GR-ROSE
  • wolfSSL : 4.1.0

Software only implementation:

block cipher

RNG                200 KB took 1.099 seconds,  182.000 KB/s
SHA                  1 MB took 1.005 seconds,    1.166 MB/s
SHA-256            425 KB took 1.038 seconds,  409.520 KB/s

TLS establishment time

TLS_RSA_WITH_AES_128_CBC_SHA          : 0.651 (s)
TLS_RSA_WITH_AES_128_CBC_SHA256       : 0.651 (s)
TLS_RSA_WITH_AES_256_CBC_SHA          : 0.642 (s)
TLS_RSA_WITH_AES_256_CBC_SHA256       : 0.662 (s)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : 2.050 (s)

Hardware acceleration:

block cipher

RNG                  1 MB took 1.011 seconds,    1.038 MB/s
SHA                 12 MB took 1.001 seconds,   11.515 MB/s
SHA-256             13 MB took 1.001 seconds,   12.900 MB/s

TLS establishment time with TLS-linked capability

Perform full TLS-linked capability

TLS_RSA_WITH_AES_128_CBC_SHA          : 0.141 (s)
TLS_RSA_WITH_AES_128_CBC_SHA256       : 0.141 (s)
TLS_RSA_WITH_AES_256_CBC_SHA          : 0.141 (s)
TLS_RSA_WITH_AES_256_CBC_SHA256       : 0.144 (s)

Perform certificate verification by TSIP TLS-linked API

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : 1.721 (s)

Setup and Build an example program

An example program expects the following FIT modules:

  • r_bsp
  • r_cmt_rx
  • r_config
  • r_ether_rx
  • r_sys_time_rx
  • r_t4_driver_rx
  • r_t4_rx
  • r_tsip_rx

The required source files can be generated by creating a dummy project that includes Renesas Smart Configurator, following the steps below:

  1. Create a dummy project including Renesas Smart Configurator for your evaluation board type
  2. Open Smart Configurator and add the FIT modules above.

     You would need to expand the User Stack Size property and Heap Size of r_bsp.

     Change IP ADDRESS and PORT NUMBER in r_t4_rx_config.h:

         #define T4_CFG_FIXED_IP_ADDRESS_CH0 192,168,1,33
         #define T4_CFG_TCP_REPID1_PORT_NUMBER 11111

     Note: Other configuration may need to be modified based on the evaluation board.

     When using GR-ROSE, you can choose "GR-ROSE" from the "board" tab and "board" drop-down list, and then follow the settings below:

     Go to the component tab and open r_ether_rx properties:
       • Ethernet interface : RMII
       • The register bus of PHY0 for ETHER0/1: Use ETHER0
       • Resource, ETHERC: Check ETHERC0_RMII

     Go to the component tab and open r_t4_rx properties:
       • Enable/Disable DHCP function : 0
       • IP address for ch0, when DHCP disable : 192,168,1,33
       • TCP REPID1 port number : 11111

     Go to the pins tab and select the ethernet controller:
       • Check to use pins

  3. Generate source code. Now you can copy these FIT modules into an example project.
  4. Make a "smc_gen" folder under /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/src/
  5. Copy the FIT modules into the folder created at step 4.
  6. Open the example project file at /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/ in e2studio
  7. Enable a macro definition in /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/src/wolfssl_demo.h for the application type

    #define CRYPT_TEST     /* enable crypt test */
    #define BENCHMARK      /* enable benchmark application */
    #define TLS_CLIENT     /* enable simple tls client application */
    #define TLS_SERVER     /* enable simple tls server application */
    #define USE_TSIP_TLS   /* to inform user key and flash keying, when using TSIP */

Note: CRYPT_TEST and BENCHMARK can be enabled at the same time. TLS_CLIENT and TLS_SERVER cannot be enabled together with other definitions.

  8. Set up the debug configuration based on your debug hardware

Run client/server program on the device

When testing the embedded client or server on the device, it is recommended to test against one of the standard wolfSSL example applications running on a desktop machine.

For the embedded client, an example server command for running on a desktop machine (IP address 192.168.1.45) is as follows:

    ./examples/server/server -b -d -i

For the embedded server, an example client command for running on a desktop machine is as follows:

    ./examples/client/client -h 192.168.1.33 -p 11111

Modify an example program

To use your own TSIP keys with the TSIP TLS-linked API, you need your own flash keyring, a PSS-signed signature and an RSA key.

Create flash keyring and use it in an example program

  1. Please follow the instructions in the TSIP manual, chapter 7. Key Data Operations.
  2. Copy and paste the generated s_flash[] data over the s_flash[] data in example-program/key_data.c:

         const uint32_t s_flash[] =

Create RSA key pair for signing Root CA verification and use them in an example program

To use the TSIP TLS-linked APIs, you need an RSA key pair and a signature of the Root CA certificate bundle made with RSA 2048 PSS with SHA256. The shell and Perl scripts in /path/to/wolfssl/IDE/Renesas/e2studio/Projects/tools/ can be used for this purpose.

  • generate_rsa_keypair.sh: generates an RSA 2048 bit key pair. Shows the modulus and public exponent when the "-s" option is specified
  • rsa_pss_sign.sh: signs the file with the specified private key
  • genhexbuf.pl: generates a C header file including a byte array generated from the file specified in the script

The modulus and public exponent shown by generate_rsa_keypair.sh can be used as input data to Renesas Secure Flash Programmer to generate encrypted RSA keys for TSIP TLS-linked API use. Please follow the instructions on how to generate RSA keys in the TSIP manual.

The byte array of the signature generated by genhexbuf.pl can replace the signature data in key_data.c of an example program.

The encrypted RSA key and the generated byte array of the signature need to be passed to the wolfSSL library before loading the CA certificate. Please see the SetTsipTlskey() function in an example program for how to pass them.
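The signing flow described above (RSA 2048 key pair, RSA-PSS with SHA256 signature over the Root CA bundle, byte array for key_data.c), shown as an added example with the openssl command line; it is not the contents of the scripts in the tools directory. The file names, the array name ca_cert_sig, the sample bundle and the PSS salt length (-1, the digest length) are assumptions.

```shell
#!/bin/sh
# Added example, not the wolfSSL tools scripts. Requires the openssl CLI.
set -eu

# Generate an RSA 2048-bit private key ($1) and its public key ($2).
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# Print the modulus of private key $1 as hex (512 digits for 2048 bits).
show_modulus() {
    openssl rsa -in "$1" -noout -modulus | sed 's/^Modulus=//'
}

# Sign file $2 with private key $1 using RSA-PSS/SHA-256; signature goes to $3.
# Assumption: salt length -1 (equal to the digest length, 32 bytes).
pss_sign() {
    openssl dgst -sha256 -sign "$1" -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 -out "$3" "$2"
}

# Verify signature $3 over file $2 with public key $1; exit status 0 if valid.
pss_verify() {
    openssl dgst -sha256 -verify "$1" -sigopt rsa_padding_mode:pss \
        -sigopt rsa_pss_saltlen:-1 -signature "$3" "$2" >/dev/null 2>&1
}

# Emit binary file $1 as a C byte array named $2 (hypothetical name).
to_c_array() {
    printf 'const unsigned char %s[] = {\n' "$2"
    od -An -v -tx1 "$1" | sed -e 's/^ *//' -e 's/  */ /g' \
        -e 's/\([0-9a-f][0-9a-f]\)/0x\1,/g' -e 's/^/    /'
    printf '};\n'
}

# Demo on a constructed stand-in for the Root CA certificate bundle.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT   # do not leave the private key behind
printf 'constructed placeholder for a Root CA bundle\n' > "$work/ca_bundle.bin"
make_keypair "$work/rsa_private.pem" "$work/rsa_public.pem"
pss_sign "$work/rsa_private.pem" "$work/ca_bundle.bin" "$work/ca_bundle.sig"
pss_verify "$work/rsa_public.pem" "$work/ca_bundle.bin" "$work/ca_bundle.sig" \
    && echo "signature verifies"
echo "modulus: $(show_modulus "$work/rsa_private.pem")"
to_c_array "$work/ca_bundle.sig" ca_cert_sig
```

Verifying the signature with the public key before pasting the array into key_data.c catches a mismatched key or a bundle edited after signing.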

Coding

In your application you must include before any other wolfSSL headers. If building the sources directly we recommend defining WOLFSSL_USER_SETTINGS and adding your own user_settings.h file. You can find a good reference for this in /path/to/Renesas/e2studio/Projects/common/user_settings.h.

Support

For questions, please email support@wolfssl.com