diff --git a/configs/config-tfm.h b/configs/config-tfm.h new file mode 100644 index 0000000000..191e4c4f41 --- /dev/null +++ b/configs/config-tfm.h @@ -0,0 +1,40 @@ +/** + * \file config-tfm.h + * + * \brief TF-M medium profile, adapted to work on other platforms. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/* TF-M medium profile: mbedtls legacy configuration */ +#include "../configs/ext/tfm_mbedcrypto_config_profile_medium.h" + +/* TF-M medium profile: PSA crypto configuration */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/ext/crypto_config_profile_medium.h" + +/***********************************************************/ +/* Tweak the configuration to remove dependencies on TF-M. */ +/***********************************************************/ + +/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */ +#undef MBEDTLS_PSA_CRYPTO_SPM + +/* TF-M provides its own dummy implementations to save code size. + * We don't have any way to disable the tests that need these feature, + * so we just keep AES decryption enabled. We will resolve this through + * an official way to disable AES decryption, then this deviation + * will no longer be needed: + * https://github.com/Mbed-TLS/mbedtls/issues/7368 + */ +#undef MBEDTLS_AES_SETKEY_DEC_ALT +#undef MBEDTLS_AES_DECRYPT_ALT + +/* Use built-in platform entropy functions (TF-M provides its own). */ +#undef MBEDTLS_NO_PLATFORM_ENTROPY + +/* Disable buffer-based memory allocator. This isn't strictly required, + * but using the native allocator is faster and works better with + * memory management analysis frameworks such as ASan. */ +#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C diff --git a/configs/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h similarity index 100% rename from configs/crypto_config_profile_medium.h rename to configs/ext/crypto_config_profile_medium.h diff --git a/configs/tfm_mbedcrypto_config_profile_medium.h b/configs/ext/tfm_mbedcrypto_config_profile_medium.h similarity index 100% rename from configs/tfm_mbedcrypto_config_profile_medium.h rename to configs/ext/tfm_mbedcrypto_config_profile_medium.h diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 08d82b1afa..951db314e6 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -193,6 +193,15 @@ #error "MBEDTLS_ECDSA_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_ASN1_WRITE_C) +#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_WRITE_C for ECDSA signature" +#endif +#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && !defined(MBEDTLS_ASN1_PARSE_C) +#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_PARSE_C for ECDSA verification" +#endif +#endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */ + #if defined(MBEDTLS_ECJPAKE_C) && \ ( !defined(MBEDTLS_ECP_C) || \ !( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) ) diff --git a/scripts/code_size_compare.py b/scripts/code_size_compare.py index ad9b325bd3..abd13df240 100755 --- a/scripts/code_size_compare.py +++ b/scripts/code_size_compare.py @@ -144,8 +144,8 @@ def detect_arch() -> str: print("Unknown host architecture, cannot auto-detect arch.") sys.exit(1) -TFM_MEDIUM_CONFIG_H = 'configs/tfm_mbedcrypto_config_profile_medium.h' -TFM_MEDIUM_CRYPTO_CONFIG_H = 'configs/crypto_config_profile_medium.h' +TFM_MEDIUM_CONFIG_H = 'configs/ext/tfm_mbedcrypto_config_profile_medium.h' +TFM_MEDIUM_CRYPTO_CONFIG_H = 'configs/ext/crypto_config_profile_medium.h' CONFIG_H = 'include/mbedtls/mbedtls_config.h' CRYPTO_CONFIG_H = 'include/psa/crypto_config.h' diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index cba98c5516..85c449b7d2 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3173,49 +3173,29 @@ component_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { # - component_test_tfm_config() common_tfm_config () { # Enable TF-M config - cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" - cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" + cp configs/config-tfm.h "$CONFIG_H" + echo "#undef MBEDTLS_PSA_CRYPTO_CONFIG_FILE" >> "$CONFIG_H" + cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" - # Adjust for the fact that we're building outside the TF-M environment. - # - # TF-M has separation, our build doesn't - scripts/config.py unset MBEDTLS_PSA_CRYPTO_SPM - scripts/config.py unset MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - # TF-M provdes its own (dummy) implemenation, from their tree - scripts/config.py unset MBEDTLS_AES_DECRYPT_ALT - scripts/config.py unset MBEDTLS_AES_SETKEY_DEC_ALT - # We have an OS that provides entropy, use it - scripts/config.py unset MBEDTLS_NO_PLATFORM_ENTROPY - - # Other config adjustments to make the tests pass. - # Those should probably be adopted upstream. + # Other config adjustment to make the tests pass. + # This should probably be adopted upstream. # # - USE_PSA_CRYPTO for PK_HAVE_ECC_KEYS echo "#define MBEDTLS_USE_PSA_CRYPTO" >> "$CONFIG_H" - # pkparse.c and pkwrite.c fail to link without this - echo "#define MBEDTLS_OID_C" >> "$CONFIG_H" - # - ASN1_[PARSE/WRITE]_C found by check_config.h for pkparse/pkwrite - echo "#define MBEDTLS_ASN1_PARSE_C" >> "$CONFIG_H" - echo "#define MBEDTLS_ASN1_WRITE_C" >> "$CONFIG_H" - # - MD_C for HKDF_C - echo "#define MBEDTLS_MD_C" >> "$CONFIG_H" - # Config adjustments for better test coverage in our environment. - # These are not needed just to build and pass tests. + # Config adjustment for better test coverage in our environment. + # This is not needed just to build and pass tests. # # Enable filesystem I/O for the benefit of PK parse/write tests. echo "#define MBEDTLS_FS_IO" >> "$CONFIG_H" - # Disable this for maximal ASan efficiency - scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C # Config adjustments for features that are not supported # when using only drivers / by p256-m # - # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) + # Disable all the features that auto-enable ECP_LIGHT (see config_adjust_legacy_crypto.h) scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Disable deterministic ECDSA as p256-m only does randomized scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - } # Keep this in sync with component_test_tfm_config() as they are both meant @@ -4068,8 +4048,8 @@ support_build_tfm_armcc () { component_build_tfm_armcc() { # test the TF-M configuration can build cleanly with various warning flags enabled - cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" - cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" + cp configs/ext/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" + cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" msg "build: TF-M config, armclang armv7-m thumb2" make clean @@ -4077,9 +4057,13 @@ component_build_tfm_armcc() { } component_build_tfm() { - # test the TF-M configuration can build cleanly with various warning flags enabled - cp configs/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" - cp configs/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" + # Check that the TF-M configuration can build cleanly with various + # warning flags enabled. We don't build or run tests, since the + # TF-M configuration needs a TF-M platform. A tweaked version of + # the configuration that works on mainstream platforms is in + # configs/config-tfm.h, tested via test-ref-configs.pl. + cp configs/ext/tfm_mbedcrypto_config_profile_medium.h "$CONFIG_H" + cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" msg "build: TF-M config, clang, armv7-m thumb2" make lib CC="clang" CFLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../tests/include/spe" diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 80b6459cd7..a070b01639 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -441,6 +441,7 @@ KNOWN_TASKS = { 'component_driver': 'test_tfm_config_p256m_driver_accel_ec', 'ignored_suites': [ # Modules replaced by drivers + 'asn1parse', 'asn1write', 'ecp', 'ecdsa', 'ecdh', 'ecjpake', 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw', 'bignum.generated', 'bignum.misc', @@ -450,12 +451,6 @@ KNOWN_TASKS = { 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], - 'test_suite_asn1parse': [ - 'INTEGER too large for mpi', - ], - 'test_suite_asn1write': [ - re.compile(r'ASN.1 Write mpi.*'), - ], } } } diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 0702074ab5..055023a5f2 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -37,6 +37,9 @@ my %configs = ( 'config-symmetric-only.h' => { 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, + 'config-tfm.h' => { + 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice + }, 'config-thread.h' => { 'opt' => '-f ECJPAKE.*nolog', 'test_again_with_use_psa' => 1, diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 881429c2d1..fa0b03b343 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -24,6 +24,17 @@ #define RSA_KEY_SIZE MBEDTLS_RSA_GEN_KEY_MIN_BITS #define RSA_KEY_LEN (MBEDTLS_RSA_GEN_KEY_MIN_BITS/8) +/* MBEDTLS_TEST_PK_PSA_SIGN is enabled when: + * - The build has PK_[PARSE/WRITE]_C for RSA or ECDSA signature. + * - The build has built-in ECC and ECDSA signature. + */ +#if (defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_PK_WRITE_C) && \ + ((defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)) || \ + defined(MBEDTLS_PK_CAN_ECDSA_SIGN))) || \ + (defined(MBEDTLS_ECP_C) && defined(MBEDTLS_PK_CAN_ECDSA_SIGN)) +#define MBEDTLS_TEST_PK_PSA_SIGN +#endif + #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) static int pk_genkey_ec(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) { @@ -1274,7 +1285,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */ void pk_psa_sign(int parameter_arg, int psa_type_arg, int expected_bits_arg) { diff --git a/tests/suites/test_suite_psa_crypto_slot_management.function b/tests/suites/test_suite_psa_crypto_slot_management.function index 5bd12eb09e..b4f2d234ea 100644 --- a/tests/suites/test_suite_psa_crypto_slot_management.function +++ b/tests/suites/test_suite_psa_crypto_slot_management.function @@ -142,7 +142,6 @@ void transient_slot_lifecycle(int owner_id_arg, #if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) { - psa_key_handle_t handle; mbedtls_svc_key_id_t key_with_invalid_owner = mbedtls_svc_key_id_make(owner_id + 1, MBEDTLS_SVC_KEY_ID_GET_KEY_ID(key)); @@ -150,8 +149,8 @@ void transient_slot_lifecycle(int owner_id_arg, TEST_ASSERT(mbedtls_key_owner_id_equal( owner_id, MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(key))); - TEST_EQUAL(psa_open_key(key_with_invalid_owner, &handle), - PSA_ERROR_DOES_NOT_EXIST); + TEST_EQUAL(psa_get_key_attributes(key_with_invalid_owner, &attributes), + PSA_ERROR_INVALID_HANDLE); } #endif