Hello All,
I have a project which utilizes an ECC508 cryptography device to store secrets, including key pairs and device/signer certificates. I am attempting to port this project into the ESP32, but I am having some difficulty in configuring the mbedtls options to support what I need to do.
I need to redirect any mbedtls sign or verify operations through the ECC508 device, because the private key required to perform those operations is stored within and not accessible. (I cannot extract the key and present it to the mbedtls configuration structure for use during run-time.)
The PlatformIO interface provides the ability to set many mbedtls parameters through the menuconfig interface. However, there are some serious limitations with the manner in which this configuration interface is designed - perhaps intentionally, but I would like to know for sure.
One detail in particular is with regard to the option for use of alternate ECP implementations. I have selected the following two options in the menuconfig interface:
- Enable hardware ECDSA sign acceleration when using ATECC608A
- Enable hardware ECDSA verify acceleration when using ATECC608A
If I select these options to force the sign and verify functionality to an alternate handler, the compiler gives me the following warning:
#error “MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation”
This restartable option allows non-blocking operation of the TLS handshake process, which is important to prevent the starving of other tasks in the system. The menuconfig interface “hard codes” the restartable option, so it cannot be changed. I believe this makes sense, but I am struggling with how I can implement the redirects of the sign/verify steps to the ECC508 if mbedtls wants these options to be mutually exclusive.
Has anyone had any experience with configuring a project to operate in such a fashion (redirecting mbedtls operations to a crypto device)?
Thanks in advance!
Mark