From 10149c9516812e700922afd5d8b8832415b2e18d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 4 Dec 2023 09:21:46 +0100 Subject: [PATCH 1/7] changelog: add changelog for AEAD support without CIPHER_C Signed-off-by: Valerio Setti --- ChangeLog.d/8357.txt | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 ChangeLog.d/8357.txt diff --git a/ChangeLog.d/8357.txt b/ChangeLog.d/8357.txt new file mode 100644 index 0000000000..24ba1404b6 --- /dev/null +++ b/ChangeLog.d/8357.txt @@ -0,0 +1,8 @@ +Features + * It is now possible to have AEADs support (CCM, GCM and ChaChaPoly) without + MBEDTLS_CIPHER_C. This holds both for the builtin suport (MBEDTLS_CCM_C, + MBEDTLS_GCM_C and MBEDTLS_CHACHAPOLY_c) as well as the PSA one + (PSA_WANT_ALG_CCM, PSA_WANT_ALG_GCM, PSA_WANT_ALG_CHACHA20_POLY1305). + On the PSA side this means that it is possible to enable + MBEDTLS_PSA_CRYPTO_C without MBEDTLS_CIPHER_C if any of the + non-authenticated ciphers is enabled. From 20e93a2a9d958329cf46a4bff33f3f45406f6773 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 4 Dec 2023 11:29:36 +0100 Subject: [PATCH 2/7] driver-only-builds: update documentation for AEADs Signed-off-by: Valerio Setti --- docs/driver-only-builds.md | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 4bad2e879a..200f439413 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -55,6 +55,7 @@ For now, only the following (families of) mechanisms are supported: - hashes: SHA-3, SHA-2, SHA-1, MD5, etc. - elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types. - finite-field Diffie-Hellman: FFDH algorithm, DH key types. +- AEADs: GCM, CCM and ChachaPoly Supported means that when those are provided only by drivers, everything (including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should 
@@ -63,7 +64,7 @@ in the "Limitations" sub-sections of the sections dedicated to each family below. In the near future (end of 2023), we are planning to also add support for -ciphers (AES) and AEADs (GCM, CCM, ChachaPoly). +ciphers (AES, ARIA, Camellia). Currently (mid-2023) we don't have plans to extend this to RSA. If you're interested in driver-only support for RSA, please let us know. @@ -240,3 +241,26 @@ removing builtin support (i.e. `MBEDTLS_DHM_C`). ### Limitations Support for deterministic derivation of a DH keypair (i.e. `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE`) is not supported. + +AEADs +----- + +It is possible to have all AEADs operations provided only by a driver. + +More precisely you can: +- enable desired PSA algorithm(s) and key type(s): + - `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` + - `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`; +- enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the + `PSA_WANT_xxx` of the previous step; +- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and + key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are + accelerated. + +In such a build all AEADs operations requested through the PSA Crypto API +(including those in TLS and X.509) will be performed by the provided driver. +Of course direct calls to the disabled builtin modules +(ex: `mbedtls_ccm_init()`, etc) won't be possible. + +If no other non-authenticated cipher is required, it is also possible to +disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint. From 58d0206f390a2322b7a8e93bf0c6430126dcaebb Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 4 Dec 2023 12:01:06 +0100 Subject: [PATCH 3/7] test_suite_block_cipher: fix depends_on for Camellia tests Signed-off-by: Valerio Setti --- tests/suites/test_suite_block_cipher.data | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/tests/suites/test_suite_block_cipher.data b/tests/suites/test_suite_block_cipher.data index cf321ae47a..097b567e41 100644 --- a/tests/suites/test_suite_block_cipher.data +++ b/tests/suites/test_suite_block_cipher.data 
@@ -182,56 +182,74 @@ depends_on:MBEDTLS_ARIA_C test_vec:MBEDTLS_CIPHER_ID_ARIA:"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f":"00112233445566778899aabbccddeeff":"f92bd7c79fb72e2f2b8f80c1972d24fc" Camellia-128-ECB Encrypt RFC3713 #1 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba9876543210":"0123456789abcdeffedcba9876543210":"67673138549669730857065648eabe43" Camellia-192-ECB Encrypt RFC3713 #1 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba98765432100011223344556677":"0123456789abcdeffedcba9876543210":"b4993401b3e996f84ee5cee7d79b09b9" Camellia-256-ECB Encrypt RFC3713 #1 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"0123456789abcdeffedcba987654321000112233445566778899aabbccddeeff":"0123456789abcdeffedcba9876543210":"9acc237dff16d76c20ef7c919e3a7509" Camellia-128-ECB Encrypt Perl EVP #1 [#1] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F":"00112233445566778899AABBCCDDEEFF":"77CF412067AF8270613529149919546F" Camellia-192-ECB Encrypt Perl EVP #1 [#1] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F1011121314151617":"00112233445566778899AABBCCDDEEFF":"B22F3C36B72D31329EEE8ADDC2906C68" Camellia-256-ECB Encrypt Perl EVP #1 [#1] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F":"00112233445566778899AABBCCDDEEFF":"2EDF1F3418D53B88841FC8985FB1ECF2" Camellia-128-ECB Encrypt Perl EVP #1 [#2] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"6BC1BEE22E409F96E93D7E117393172A":"432FC5DCD628115B7C388D770B270C96" Camellia-128-ECB Encrypt Perl EVP #2 +depends_on:MBEDTLS_CAMELLIA_C 
test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"0BE1F14023782A22E8384C5ABB7FAB2B" Camellia-128-ECB Encrypt Perl EVP #3 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"30C81C46A35CE411E5FBC1191A0A52EF":"A0A1ABCD1893AB6FE0FE5B65DF5F8636" Camellia-128-ECB Encrypt Perl EVP #4 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"2B7E151628AED2A6ABF7158809CF4F3C":"F69F2445DF4F9B17AD2B417BE66C3710":"E61925E0D5DFAA9BB29F815B3076E51A" Camellia-192-ECB Encrypt Perl EVP #1 [#2] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"6BC1BEE22E409F96E93D7E117393172A":"CCCC6C4E138B45848514D48D0D3439D3" Camellia-192-ECB Encrypt Perl EVP #2 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"5713C62C14B2EC0F8393B6AFD6F5785A" Camellia-192-ECB Encrypt Perl EVP #3 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"30C81C46A35CE411E5FBC1191A0A52EF":"B40ED2B60EB54D09D030CF511FEEF366" Camellia-192-ECB Encrypt Perl EVP #4 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"8E73B0F7DA0E6452C810F32B809079E562F8EAD2522C6B7B":"F69F2445DF4F9B17AD2B417BE66C3710":"909DBD95799096748CB27357E73E1D26" Camellia-256-ECB Encrypt Perl EVP #1 [#2] +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"6BC1BEE22E409F96E93D7E117393172A":"BEFD219B112FA00098919CD101C9CCFA" Camellia-256-ECB Encrypt Perl EVP #2 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"AE2D8A571E03AC9C9EB76FAC45AF8E51":"C91D3A8F1AEA08A9386CF4B66C0169EA" Camellia-256-ECB Encrypt Perl EVP #3 
+depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"30C81C46A35CE411E5FBC1191A0A52EF":"A623D711DC5F25A51BB8A80D56397D28" Camellia-256-ECB Encrypt Perl EVP #4 +depends_on:MBEDTLS_CAMELLIA_C test_vec:MBEDTLS_CIPHER_ID_CAMELLIA:"603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4":"F69F2445DF4F9B17AD2B417BE66C3710":"7960109FB6DC42947FCFE59EA3C5EB6B" From 5e18b90c95068efd1f3e872707b88994758af09c Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 4 Dec 2023 12:07:30 +0100 Subject: [PATCH 4/7] config-tfm: disable CIPHER_C We also add a check in "all.sh" components: - component_test_tfm_config_p256m_driver_accel_ec - component_test_tfm_config to ensure that CIPHER_C was not re-enabled accidentally. Signed-off-by: Valerio Setti --- configs/config-tfm.h | 5 +++++ tests/scripts/all.sh | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/configs/config-tfm.h b/configs/config-tfm.h index 85b677b4cc..f6f527e006 100644 --- a/configs/config-tfm.h +++ b/configs/config-tfm.h @@ -45,6 +45,11 @@ #undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS #undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE +/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it + * does not need CIPHER_C to be enabled, so we can disabled it in order + * to reduce code size further. */ +#undef MBEDTLS_CIPHER_C + /* * In order to get an example config that works cleanly out-of-the-box * for both baremetal and non-baremetal builds, we detect baremetal builds diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 462597ba6e..a2dc841988 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -3265,6 +3265,10 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Check that p256m was built grep -q p256_ecdsa_ library/libmbedcrypto.a + # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration + # files, so we want to ensure that it has not be re-enabled accidentally. + not grep mbedtls_cipher library/cipher.o + # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" make test @@ -3286,6 +3290,10 @@ component_test_tfm_config() { # Check that p256m was not built not grep p256_ecdsa_ library/libmbedcrypto.a + # In "config-tfm.h" we disabled CIPHER_C tweaking TF-M's configuration + # files, so we want to ensure that it has not be re-enabled accidentally. + not grep mbedtls_cipher library/cipher.o + msg "test: TF-M config" make test } From 69402fd6a2f9ccae6f209e3cd9dad235aab4e9cb Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Dec 2023 11:32:10 +0100 Subject: [PATCH 5/7] changelog: fix typos and working Signed-off-by: Valerio Setti --- ChangeLog.d/8357.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/8357.txt b/ChangeLog.d/8357.txt index 24ba1404b6..9cae396ec5 100644 --- a/ChangeLog.d/8357.txt +++ b/ChangeLog.d/8357.txt @@ -1,8 +1,8 @@ Features * It is now possible to have AEADs support (CCM, GCM and ChaChaPoly) without MBEDTLS_CIPHER_C. This holds both for the builtin suport (MBEDTLS_CCM_C, - MBEDTLS_GCM_C and MBEDTLS_CHACHAPOLY_c) as well as the PSA one + MBEDTLS_GCM_C and MBEDTLS_CHACHAPOLY_C) as well as the PSA one (PSA_WANT_ALG_CCM, PSA_WANT_ALG_GCM, PSA_WANT_ALG_CHACHA20_POLY1305). On the PSA side this means that it is possible to enable - MBEDTLS_PSA_CRYPTO_C without MBEDTLS_CIPHER_C if any of the + MBEDTLS_PSA_CRYPTO_C without MBEDTLS_CIPHER_C if none of the non-authenticated ciphers is enabled. From 1e3fcc5692c776695b8e7190cfe17939e28499c1 Mon Sep 17 00:00:00 2001 
From: Valerio Setti Date: Wed, 6 Dec 2023 11:56:08 +0100 Subject: [PATCH 6/7] config-tfm: fix typo in comment Signed-off-by: Valerio Setti --- configs/config-tfm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/config-tfm.h b/configs/config-tfm.h index f6f527e006..197b80814e 100644 --- a/configs/config-tfm.h +++ b/configs/config-tfm.h @@ -46,7 +46,7 @@ #undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE /* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it - * does not need CIPHER_C to be enabled, so we can disabled it in order + * does not need CIPHER_C to be enabled, so we can disable it in order * to reduce code size further. */ #undef MBEDTLS_CIPHER_C From acd7bafcbbc1d97abc82551958cdba8d580e1f74 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 6 Dec 2023 15:17:12 +0100 Subject: [PATCH 7/7] driver-only-build: update AEADs section Note: this section shouldn't actually be updated in #8357, but rather in #8358 which is the wrapup related to cipher and AEADs acceleration. As a consequence we start the AEAD section with a disclaimer explaining that the information written there will be updated soon by a follow up PR. Signed-off-by: Valerio Setti --- docs/driver-only-builds.md | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/docs/driver-only-builds.md b/docs/driver-only-builds.md index 200f439413..2dcfe67975 100644 --- a/docs/driver-only-builds.md +++ b/docs/driver-only-builds.md @@ -245,6 +245,9 @@ Support for deterministic derivation of a DH keypair AEADs ----- +[This section might contain incomplete data and it is going to be updated in +#8358, i.e. the wrap-up task for accelerated ciphers and AEADs.] + It is possible to have all AEADs operations provided only by a driver. More precisely you can: 
@@ -252,15 +255,20 @@ More precisely you can: - `PSA_WANT_ALG_[CCM|GCM]` with `PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` - `PSA_WANT_ALG_CHACHA20_POLY1305` with `PSA_WANT_KEY_TYPE_CHACHA20`; - enable `MBEDTLS_PSA_ACCEL_xxx` symbol(s) which correspond to the - `PSA_WANT_xxx` of the previous step; -- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY]_C` algorithms and - key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs which are - accelerated. + `PSA_WANT_xxx` of the previous step (both for algorithms and key types); +- disable builtin support of `MBEDTLS_[CCM|GCM|CHACHAPOLY|POLY1305]_C` + algorithms and key types `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C` for AEADs + which are accelerated. -In such a build all AEADs operations requested through the PSA Crypto API -(including those in TLS and X.509) will be performed by the provided driver. -Of course direct calls to the disabled builtin modules -(ex: `mbedtls_ccm_init()`, etc) won't be possible. +In a build in which all AEADs algorithms and related key types are accelerated +all AEADs operations requested through the PSA Crypto API (including those in +TLS and X.509) will be performed by the driver. +Moreover if no unauthenticated cipher is required, it is also possible to +disable all built-in block cipher's key types +(i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`) and `MBEDTLS_CIPHER_C`. This +helps in further reducing code's footprint, but unfortunately it makes the +following modules unavailable: +- `MBEDTLS_PKCS[5|12]_C` +- `MBEDTLS_CTR_DRBG_C` +- `MBEDTLS_NIST_KW_C` -If no other non-authenticated cipher is required, it is also possible to -disable `MBEDTLS_CIPHER_C` in order to further reduce code's footprint.
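
Review bot: In ChangeLog.d/8357.txt, "builtin suport" is still misspelled after 5/7, which corrects `MBEDTLS_CHACHAPOLY_c` and the "any"/"none" wording on the neighbouring lines but leaves this one as context. Fix it in the same entry, and consider squashing 5/7 into 1/7 so the series never carries "if any of the non-authenticated ciphers is enabled", which states the opposite of the actual condition for dropping MBEDTLS_CIPHER_C.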
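
Review bot: In the first two hunks of docs/driver-only-builds.md (2/7), the surrounding text still says "In the near future (end of 2023)" and "Currently (mid-2023)" although this patch is dated December 2023, so the timeline reads as stale right next to the edited line; update or drop the dates while touching this paragraph. The new bullet "- AEADs: GCM, CCM and ChachaPoly" also lacks the trailing period the other list items have, and spells the algorithm differently from the ChangeLog entry ("ChaChaPoly").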
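
Review bot: In both tests/scripts/all.sh hunks (4/7), `not grep mbedtls_cipher library/cipher.o` also succeeds when grep fails for a reason other than "no match", for example when library/cipher.o does not exist or the object is later moved, because `not` only inverts the exit status. The guard can then pass without having inspected anything. Check that the file exists before the grep so a missing object fails the component instead of satisfying it. The added comment also reads "has not be re-enabled"; it should be "has not been re-enabled" in both places.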
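
Review bot: In configs/config-tfm.h (4/7, touched again in 6/7), the comment above `#undef MBEDTLS_CIPHER_C` justifies the change by code size alone, while 7/7 documents that builds without the built-in ciphers and MBEDTLS_CIPHER_C lose `MBEDTLS_PKCS[5|12]_C`, `MBEDTLS_CTR_DRBG_C` and `MBEDTLS_NIST_KW_C`. Say in the comment whether the TF-M configuration relies on any of these, so a later reader does not have to cross-check the documentation. 6/7 only corrects the "disabled"/"disable" typo introduced in 4/7 and can be squashed into it.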
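
Review bot: In the last hunk of docs/driver-only-builds.md (7/7), "all built-in block cipher's key types (i.e. `MBEDTLS_[AES|ARIA|CAMELLIA|CHACHA20]_C`)" includes ChaCha20, which is a stream cipher; "built-in cipher key types" would be accurate. The hunk also drops the sentence warning that direct calls to the disabled builtin modules (ex: `mbedtls_ccm_init()`) won't be possible, which still holds for such a build and is worth keeping. Since `MBEDTLS_CTR_DRBG_C` becomes unavailable, the new list would benefit from a short pointer to what a driver-only build should use for random generation instead.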