My Project
Loading...
Searching...
No Matches
TSIP FIT Module port

Support for TSIP FIT driver for symmetric AES, SHA1/SHA256 hardware acceleration and TLS-linked capability including Root CA, the server certificate or intermediate certificate verification.

Overview

Renesas TSIP FIT module with wolfSSL by setting WOLFSSL_RENESAS_TSIP definition.

Including the following examples:

  • simple tls_client/tls_server
  • crypt test

  • crypt benchmark

    The user_settings.h file enables some of the hardened settings.

Requirements

1. Renesas TSIP FIT module

FIT module
Note : The included example program is tested with TSIP FIT version 1.06.

2. e2studio

3. Evaluation Board that supports TSIP

Note : The included example program is tested with GR-ROSE, which is classified to RX65N.

Setup and Build wolfSSL library

  1. Uncomment out #define WOLFSSL_RENESAS_TSIP in /path/to/wolfssl/wolfssl/wolfcrypt/settings.h
    Uncomment out #define WOLFSSL_RENESAS_RX65N in /path/to/wolfssl/wolfssl/wolfcrypt/settings.h
  2. Open a project file at /path/to/wolfssl/IDE/Renesas/e2studio/Projects/wolfssl/ by e2studio and build to create wolfssl library
    Note : Generating FIT module source files in advance are required to compile wolfSSL when enabling WOLFSSL_RENESAS_TSIP and WOLFSSL_RENESAS_RX65N. Please see for creating FIT module files at "Setup and Build and example program" in this readme below.

To disable portions of the hardware acceleration you can optionally define:

/* Disabled SHA acceleration */
#define NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH
/* Disabled TLS-linked acceleration */
#define NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION

Benchmarks

Software only implementation:
block cipher

RNG 200 KB took 1.099 seconds, 182.000 KB/s
SHA 1 MB took 1.005 seconds, 1.166 MB/s
SHA-256 425 KB took 1.038 seconds, 409.520 KB/s

TLS establishment time

TLS_RSA_WITH_AES_128_CBC_SHA : 0.651 (s)
TLS_RSA_WITH_AES_128_CBC_SHA256 : 0.651 (s)
TLS_RSA_WITH_AES_256_CBC_SHA : 0.642 (s)
TLS_RSA_WITH_AES_256_CBAC_SHA256 : 0.662 (s)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : 2.050 (s)

Hardware acceleration:
block cipher

RNG 1 MB took 1.011 seconds, 1.038 MB/s
SHA 12 MB took 1.001 seconds, 11.515 MB/s
SHA-256 13 MB took 1.001 seconds, 12.900 MB/s

TLS establishment time with TLS-linked capability
Perform full TlS-linked capability

TLS_RSA_WITH_AES_128_CBC_SHA : 0.141 (s)
TLS_RSA_WITH_AES_128_CBC_SHA256 : 0.141 (s)
TLS_RSA_WITH_AES_256_CBC_SHA : 0.141 (s)
TLS_RSA_WITH_AES_256_CBAC_SHA256 : 0.144 (s)

Perform certificate verification by TSIP TLS-linked API

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 : 1.721 (s)

Condition:
Renesas : e2Studio v7.4.0
ToolChain : Renesas CCRX version 3.00.00
TSIP FIT : version 1.0.6
Board : GR-ROSE
wolfSSL : 4.1.0

Setup and Build an example program

An example program expects the following FIT modules:

  • r_bsp
  • r_cmt_rx
  • r_config
  • r_ether_rx
  • r_sys_time_rx
  • r_t4_driver_rx
  • r_t4_rx
  • r_tsip_rx

These needed source files can be generated by creating a dummy project including Renesas Smart Configurator as steps below:

  1. Create a dummy project including Renesas Smart Configurator for your evaluation board type

  2. Open Smart Configurator and add FIT modules above
    It would need to expand User Stack Size property and Heap Size of r_bsp.
    Change IP ADDRESS and PORT NUMBER in r_t4_rx_config.h
    #define T4_CFG_FIXED_IP_ADDRESS_CH0 192,168,1,33
    #define T4_CFG_TCP_REPID1_PORT_NUMBER 11111
    Note: It would need to modify other configuration base on evaluation board.

    When using GR-ROSE, you can choose "GR-ROSE" from "board" tab and "board" drop-down list and then is able to follow settings below:

    Go to component tab and open r_ether_rx properties:
    Ethernet interface : RMII
    The register bus of PHY0 for ETHER0/1: Use ETHER0
    Resource, ETHERC: Check ETHERC0_RMII

    Go to component tab and open r_t4_rx properties:
    Enable/Disable DHCP function : 0
    IP address for ch0, when DHCP disable : 192,168,1,33
    TCP REPID1 prot number : 11111

    Go to pins tab and select ethernet controller
    Check to use pins

  3. Generate source code
    Now, it is able to copy these FIT modules into an example project.
  4. Make "smc_gen" folder under /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/src/
  5. Copy the FIT modules into the folder that is created at step 4.
  6. Open an example project file at /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/ by e2studio
  7. Enable a macro definition in /path/to/wolfssl/IDE/Renesas/e2studio/Projects/test/src/wolfssl_demo.h for application type #define CRYPT_TEST // enable crypt test
    #define BENCHMARK // enable benchmark application
    #define TLS_CLIENT // enable simple tls client application
    #define TLS_SERVER // enable simple tls server application
    #define USE_TSIP_TLS // to inform user key and flash keying, when using TSIP
    Note: CRYPT_TEST and BENCHMARK can be enabled at the same time. TLS_CLIENT and TLS_SERVER cannot be enabled together other definitions.
  1. Setup debug configuration based on your debug hardware

Run client/server program on the device

When testing the embedded client or server on the device, it is recommended to test against one of the standard wolfSSL example application running on a desktop machine.

For the embedded client, an example server commands for running on a desktop machine, IP address 192.168.1.45, is as follows:
$./example/server/server -b -d -i

For the embedded server, an example client commands for running on a desktop machine is as follows:
$./example/client/client -h 192.168.1.33 -p 11111

Modify an example program

To use own TSIP keys for TSIP TLS-linked API use, it needs own flash keyring, PSS signed signature and RSA key.

Create flash keyring and use it in an example program

  1. Please follow the instruction at TSIP manual, chapter 7. Key Data Operations.
  2. Copy and paste s_flash[] data to s_flash[] data in example-program/key_data.c
    const uint32_t s_flash[] =

Create RSA key pair for signing Root CA verification and use them in an example program

To use TSIP TLS-linked APIs, it needs RSA key pair and Root CA certificate bundle signature by RSA 2048 PSS with SHA256. Shell and Perl script program in /path/to/wolfssl/IDE/Renesas/e2studio/Projects/tools/ can be used for the purpose.

  • generate_rsa_keypair.sh : generate RSA 2048 bit key pair. Show modulus and public exponent when specifying "-s" option
  • rsa_pss_sign.sh : sign the file by the specified private key
  • genhexbuf.pl : generate C header file including a byte array generated from the specified file in the script

Modulus and public exponent showed by generate_rsa_keypair.sh can be used for input date to Renesas Secure Flash Programmer to generate encrypted RSA keys for TSIP TLS-linked API use. Please follow the instruction about how to generate RSA keys in the TSIP manual.

Generated byte array of signed signature by genhexbuf.pl can be replaced signature data in key_data.c of an example program.

Encrypted RSA key and generated byte array of signed signature need to be informed wolfSSL library before loading CA certification. Please see SetTsipTlskey() function an example program about how to inform them.

Coding

In your application you must include <wolfssl/wolfcrypt/settings.h> before any other wolfSSL headers. If building the sources directly we recommend defining WOLFSSL_USER_SETTINGS and adding your own user_settings.h file. You can find a good reference for this in /path/to/Renesas/e2studio/Projects/common/user_settings.h.

Support

For question please email [suppo.nosp@m.rt@w.nosp@m.olfss.nosp@m.l.co.nosp@m.m]