From c8e4fd3f1a637608501f4422da992b2892a7d216 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 22 Sep 2025 14:09:40 +0100 Subject: [PATCH 1/7] Initial removal of DES from mbedtls Signed-off-by: Ben Taylor --- tests/scripts/components-configuration-crypto.sh | 15 +-------------- tests/scripts/depends.py | 4 ---- tests/scripts/set_psa_test_dependencies.py | 1 - 3 files changed, 1 insertion(+), 19 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 0551e6a404..f5a0afc82c 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -90,9 +90,6 @@ component_test_psa_crypto_without_heap() { # is disabled below. scripts/config.py unset-all "^PSA_WANT_KEY_TYPE_RSA_" scripts/config.py unset-all "^PSA_WANT_ALG_RSA_" - # DES requires built-in support for key generation (parity check) so it - # cannot be accelerated - scripts/config.py unset PSA_WANT_KEY_TYPE_DES # EC-JPAKE use calloc/free in PSA core scripts/config.py unset PSA_WANT_ALG_JPAKE # Enable p192[k|r]1 curves which are disabled by default in tf-psa-crypto. @@ -330,7 +327,6 @@ component_test_full_no_cipher () { scripts/config.py unset PSA_WANT_ALG_OFB scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -1709,10 +1705,6 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () { common_psa_crypto_config_accel_cipher_aead_cmac - # Disable DES, if it still exists. - # This can be removed once we remove DES from the library. - scripts/config.py unset PSA_WANT_KEY_TYPE_DES - # Build # ----- @@ -1749,11 +1741,8 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" common_psa_crypto_config_accel_cipher_aead_cmac - # Disable DES, if it still exists. - # This can be removed once we remove DES from the library. - scripts/config.py unset PSA_WANT_KEY_TYPE_DES - $MAKE_COMMAND + make msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" $MAKE_COMMAND test @@ -2016,7 +2005,6 @@ component_build_aes_variations () { scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py unset PSA_WANT_KEY_TYPE_DES build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_ROM_TABLES" \ @@ -2230,7 +2218,6 @@ config_block_cipher_no_decrypt () { scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py unset PSA_WANT_KEY_TYPE_DES } component_test_block_cipher_no_decrypt_aesni () { diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 10d7028df0..bf401e0675 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -324,10 +324,6 @@ EXCLUSIVE_GROUPS = { '-PSA_WANT_ALG_CCM', '-PSA_WANT_ALG_GCM', '-PSA_WANT_ALG_ECB_NO_PADDING'], - 'PSA_WANT_KEY_TYPE_DES': ['-PSA_WANT_ALG_CCM', - '-PSA_WANT_ALG_GCM', - '-MBEDTLS_SSL_TICKET_C', - '-MBEDTLS_SSL_CONTEXT_SERIALIZATION'], } def handle_exclusive_groups(config_settings, symbol): """For every symbol tested in an exclusive group check if there are other diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index 0be8ac5e4e..37152112be 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py @@ -53,7 +53,6 @@ CLASSIC_DEPENDENCIES = frozenset([ 'MBEDTLS_CHACHAPOLY_C', 'MBEDTLS_CMAC_C', 'MBEDTLS_CTR_DRBG_C', - 'MBEDTLS_DES_C', 'MBEDTLS_ECDH_C', 'MBEDTLS_ECDSA_C', 'MBEDTLS_ECJPAKE_C', From 4936b17737031c38436cfcf9358e223f8a61c75c Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Thu, 25 Sep 2025 11:08:25 +0100 Subject: [PATCH 2/7] Add ChangeLog Signed-off-by: Ben Taylor --- ChangeLog.d/remove-des.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/remove-des.txt diff --git a/ChangeLog.d/remove-des.txt b/ChangeLog.d/remove-des.txt new file mode 100644 index 0000000000..e9be9c031f --- /dev/null +++ b/ChangeLog.d/remove-des.txt @@ -0,0 +1,3 @@ +Removals + * Remove DES and 3DES and all it's references + as it is not longer allowed by NIST. From c32f591bb10e89b4bcd805736e70cf7e8b2bf2f1 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Fri, 26 Sep 2025 11:19:02 +0100 Subject: [PATCH 3/7] Improved ChangeLog Signed-off-by: Ben Taylor --- ChangeLog.d/remove-des.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ChangeLog.d/remove-des.txt b/ChangeLog.d/remove-des.txt index e9be9c031f..0c83ec1107 100644 --- a/ChangeLog.d/remove-des.txt +++ b/ChangeLog.d/remove-des.txt @@ -1,3 +1,2 @@ Removals - * Remove DES and 3DES and all it's references - as it is not longer allowed by NIST. + * Removed DES (including 3DES) From c4dee5cf6215f27c8f3fcd983bf465cc33c1f980 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 29 Sep 2025 11:33:29 +0100 Subject: [PATCH 4/7] Remove ChangeLog Signed-off-by: Ben Taylor --- ChangeLog.d/remove-des.txt | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 ChangeLog.d/remove-des.txt diff --git a/ChangeLog.d/remove-des.txt b/ChangeLog.d/remove-des.txt deleted file mode 100644 index 0c83ec1107..0000000000 --- a/ChangeLog.d/remove-des.txt +++ /dev/null @@ -1,2 +0,0 @@ -Removals - * Removed DES (including 3DES) From 1317d7f14d97d0b163c9a9f28cd992779abdd20f Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Mon, 29 Sep 2025 11:35:55 +0100 Subject: [PATCH 5/7] Remove spurious make command Signed-off-by: Ben Taylor --- tests/scripts/components-configuration-crypto.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index f5a0afc82c..c330ccd814 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1742,7 +1742,6 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { common_psa_crypto_config_accel_cipher_aead_cmac $MAKE_COMMAND - make msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" $MAKE_COMMAND test From 6c4df1a2cc1820a117d722f6bf18b847defa9270 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 30 Sep 2025 08:17:38 +0100 Subject: [PATCH 6/7] Update tf-psa-crypto submodule Signed-off-by: Ben Taylor --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 9a43f3fe86..092a54c678 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 9a43f3fe868ef6da5a312a3da076b9595e02a75e +Subproject commit 092a54c67864d06a93ac7e8bfe90b01b3e2ec2e5 From db39c0fe0a315b8e5174ca297a33d9c7cc09ef56 Mon Sep 17 00:00:00 2001 From: Ben Taylor Date: Tue, 30 Sep 2025 10:14:41 +0100 Subject: [PATCH 7/7] Update framework modules Signed-off-by: Ben Taylor --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 0bfaf0ed97..ab4d9cee6d 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 0bfaf0ed9721b3858e8982698c618ee748b21a7d +Subproject commit ab4d9cee6d63c0ddcdc150144ff2e1f2db914381