diff --git a/CMakeLists.txt b/CMakeLists.txt index 1501240662..19fa7e9800 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -412,41 +412,71 @@ add_subdirectory(pkgconfig) # to define the test executables. # if(ENABLE_TESTING OR ENABLE_PROGRAMS) - file(GLOB MBEDTLS_TEST_HELPER_FILES - ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/*.c - ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_helpers/*.c) - add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES}) - set_base_compile_options(mbedtls_test_helpers) - + file(GLOB MBEDTLS_TEST_FILES + ${MBEDTLS_FRAMEWORK_DIR}/tests/src/*.c + ${MBEDTLS_FRAMEWORK_DIR}/tests/src/drivers/*.c) + add_library(mbedtls_test OBJECT ${MBEDTLS_TEST_FILES}) + set_base_compile_options(mbedtls_test) if(GEN_FILES) add_custom_command( OUTPUT - ${MBEDTLS_DIR}/tests/src/test_certs.h - WORKING_DIRECTORY - ${MBEDTLS_DIR}/tests + ${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h + COMMAND + "${MBEDTLS_PYTHON_EXECUTABLE}" + "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py" + "--output" + "${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h" + DEPENDS + ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_keys.py + ) + add_custom_target(mbedtls_test_keys_header + DEPENDS ${MBEDTLS_FRAMEWORK_DIR}/tests/src/test_keys.h) + add_dependencies(mbedtls_test mbedtls_test_keys_header) + endif() + target_include_directories(mbedtls_test + PRIVATE ${MBEDTLS_FRAMEWORK_DIR}/tests/include + PRIVATE tests/include + PRIVATE include + PRIVATE tf-psa-crypto/include + PRIVATE tf-psa-crypto/drivers/builtin/include + PRIVATE tf-psa-crypto/drivers/everest/include + PRIVATE library + PRIVATE tf-psa-crypto/core + PRIVATE tf-psa-crypto/drivers/builtin/src) + # Request C11, needed for memory poisoning tests + set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11) + set_config_files_compile_definitions(mbedtls_test) + + file(GLOB MBEDTLS_TEST_HELPER_FILES + tests/src/*.c tests/src/test_helpers/*.c) + add_library(mbedtls_test_helpers OBJECT ${MBEDTLS_TEST_HELPER_FILES}) + set_base_compile_options(mbedtls_test_helpers) + if(GEN_FILES) + add_custom_command( + OUTPUT + ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h COMMAND "${MBEDTLS_PYTHON_EXECUTABLE}" "${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py" "--output" - "${MBEDTLS_DIR}/tests/src/test_certs.h" + "${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h" DEPENDS ${MBEDTLS_FRAMEWORK_DIR}/scripts/generate_test_cert_macros.py ) add_custom_target(mbedtls_test_certs_header - DEPENDS ${MBEDTLS_DIR}/tests/src/test_certs.h) + DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/tests/src/test_certs.h) add_dependencies(mbedtls_test_helpers mbedtls_test_certs_header) endif() - target_include_directories(mbedtls_test_helpers - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/framework/tests/include - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tests/include - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src - PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include) + PRIVATE ${MBEDTLS_FRAMEWORK_DIR}/tests/include + PRIVATE tests/include + PRIVATE include + PRIVATE tf-psa-crypto/include + PRIVATE tf-psa-crypto/drivers/builtin/include + PRIVATE library + PRIVATE tf-psa-crypto/core + PRIVATE tf-psa-crypto/drivers/builtin/src + PRIVATE tf-psa-crypto/drivers/everest/include) set_config_files_compile_definitions(mbedtls_test_helpers) endif() diff --git a/Makefile b/Makefile index ebe8492fc2..20580bf047 100644 --- a/Makefile +++ b/Makefile @@ -94,6 +94,8 @@ visualc_files: $(VISUALC_FILES) # present before it runs. It doesn't matter if the files aren't up-to-date, # they just need to be present. $(VISUALC_FILES): | library/generated_files +$(VISUALC_FILES): | programs/generated_files +$(VISUALC_FILES): | tests/generated_files $(VISUALC_FILES): $(gen_file_dep) scripts/generate_visualc_files.pl $(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-app-template.vcxproj $(VISUALC_FILES): $(gen_file_dep) scripts/data_files/vs2017-main-template.vcxproj diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 2871c9456b..67de4c0fd9 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -9,37 +9,149 @@ * \brief PSA crypto configuration options (set of defines) * */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) -/** - * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, - * this file determines which cryptographic mechanisms are enabled - * through the PSA Cryptography API (\c psa_xxx() functions). - * - * To enable a cryptographic mechanism, uncomment the definition of - * the corresponding \c PSA_WANT_xxx preprocessor symbol. - * To disable a cryptographic mechanism, comment out the definition of - * the corresponding \c PSA_WANT_xxx preprocessor symbol. - * The names of cryptographic mechanisms correspond to values - * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead - * of \c PSA_. - * - * Note that many cryptographic mechanisms involve two symbols: one for - * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm - * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve - * additional symbols. - */ -#else -/** - * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h, - * this file is not used, and cryptographic mechanisms are supported - * through the PSA API if and only if they are supported through the - * mbedtls_xxx API. - */ -#endif #ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H #define PROFILE_M_PSA_CRYPTO_CONFIG_H +/** + * \name SECTION: Platform abstraction layer + * + * This section sets platform specific settings. + * \{ + */ + +/** + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C + * + * Enable the buffer allocator implementation that makes use of a (stack) + * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() + * calls) + * + * Module: library/memory_buffer_alloc.c + * + * Requires: MBEDTLS_PLATFORM_C + * MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS) + * + * Enable this module to enable the buffer memory allocator. + */ +#define MBEDTLS_MEMORY_BUFFER_ALLOC_C + +/** + * \def MBEDTLS_PLATFORM_C + * + * Enable the platform abstraction layer that allows you to re-assign + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). + * + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned + * above to be specified at runtime or compile time respectively. + * + * \note This abstraction layer must be enabled on Windows (including MSYS2) + * as other modules rely on it for a fixed snprintf implementation. + * + * Module: library/platform.c + * Caller: Most other .c files + * + * This module enables abstraction of common (libc) functions. + */ +#define MBEDTLS_PLATFORM_C + +/** + * \def MBEDTLS_PLATFORM_MEMORY + * + * Enable the memory allocation layer. + * + * By default Mbed TLS uses the system-provided calloc() and free(). + * This allows different allocators (self-implemented or provided) to be + * provided to the platform abstraction layer. + * + * Enabling #MBEDTLS_PLATFORM_MEMORY without the + * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide + * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and + * free() function pointer at runtime. + * + * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying + * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the + * alternate function at compile time. + * + * An overview of how the value of mbedtls_calloc is determined: + * + * - if !MBEDTLS_PLATFORM_MEMORY + * - mbedtls_calloc = calloc + * - if MBEDTLS_PLATFORM_MEMORY + * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO + * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. + * - How is MBEDTLS_PLATFORM_STD_CALLOC handled? + * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; + * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; + * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - if MBEDTLS_PLATFORM_STD_CALLOC is present: + * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; + * - if !MBEDTLS_PLATFORM_STD_CALLOC: + * - MBEDTLS_PLATFORM_STD_CALLOC = calloc + * + * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. + * - if !MBEDTLS_PLATFORM_STD_CALLOC + * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc + * + * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. + * + * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. + * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. + * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, + * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Enable this layer to allow use of alternative memory allocators. + */ +#define MBEDTLS_PLATFORM_MEMORY + +/** + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + * + * Do not assign standard functions in the platform layer (e.g. calloc() to + * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) + * + * This makes sure there are no linking errors on platforms that do not support + * these functions. You will HAVE to provide alternatives, either at runtime + * via the platform_set_xxx() functions or at compile time by setting + * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a + * MBEDTLS_PLATFORM_XXX_MACRO. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Uncomment to prevent default assignment of standard functions in the + * platform layer. + */ +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + +#define MBEDTLS_PLATFORM_PRINTF_ALT + +/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */ +/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ + +#include + +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE +#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS + +#define MBEDTLS_PLATFORM_STD_MEM_HDR + +/** \} name SECTION: Platform abstraction layer */ + +/** + * \name SECTION: SECTION Cryptographic mechanism selection (PSA API) + * + * This section sets PSA API settings. + * \{ + */ /* * CBC-MAC is not yet supported via the PSA API in Mbed TLS. */ @@ -125,6 +237,406 @@ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 //#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +/** \} name SECTION Cryptographic mechanism selection (PSA API) */ + +/** + * \name SECTION: PSA core + * + * This section sets PSA specific settings. + * \{ + */ + +/** + * \def MBEDTLS_ENTROPY_C + * + * Enable the platform-specific entropy code. + * + * Module: library/entropy.c + * Caller: + * + * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C + * + * This module provides a generic entropy pool + */ +#define MBEDTLS_ENTROPY_C + +/** + * \def MBEDTLS_ENTROPY_NV_SEED + * + * Enable the non-volatile (NV) seed file-based entropy source. + * (Also enables the NV seed read/write functions in the platform layer) + * + * This is crucial (if not required) on systems that do not have a + * cryptographic entropy source (in hardware or kernel) available. + * + * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C + * + * \note The read/write functions that are used by the entropy source are + * determined in the platform layer, and can be modified at runtime and/or + * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. + * + * \note If you use the default implementation functions that read a seedfile + * with regular fopen(), please make sure you make a seedfile with the + * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at + * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from + * and written to or you will get an entropy source error! The default + * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE + * bytes from the file. + * + * \note The entropy collector will write to the seed file before entropy is + * given to an external source, to update it. + */ +#define MBEDTLS_ENTROPY_NV_SEED + +/** + * \def MBEDTLS_NO_PLATFORM_ENTROPY + * + * Do not use built-in platform entropy functions. + * This is useful if your platform does not support + * standards like the /dev/urandom or Windows CryptoAPI. + * + * Uncomment this macro to disable the built-in platform entropy functions. + */ +#define MBEDTLS_NO_PLATFORM_ENTROPY + +/** + * \def MBEDTLS_PSA_CRYPTO_C + * + * Enable the Platform Security Architecture cryptography API. + * + * Module: library/psa_crypto.c + * + * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, + * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher + * is enabled in PSA (unless it's fully accelerated, see + * docs/driver-only-builds.md about that). + */ +#define MBEDTLS_PSA_CRYPTO_C + +/** + * \def MBEDTLS_PSA_CRYPTO_SPM + * + * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure + * Partition Manager) integration which separates the code into two parts: a + * NSPE (Non-Secure Process Environment) and an SPE (Secure Process + * Environment). + * + * If you enable this option, your build environment must include a header + * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS + * header files, or in another directory on the compiler's include search + * path). Alternatively, your platform may customize the header + * `psa/crypto_platform.h`, in which case it can skip or replace the + * inclusion of `"crypto_spe.h"`. + * + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + * + */ +#define MBEDTLS_PSA_CRYPTO_SPM + +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_C + * + * Enable the Platform Security Architecture persistent key storage. + * + * Module: library/psa_crypto_storage.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_C + +/** \} name SECTION: PSA core */ + +/** + * \name SECTION: Builtin drivers + * + * This section sets driver specific settings. + * \{ + */ + +/** + * \def MBEDTLS_AES_ROM_TABLES + * + * Use precomputed AES tables stored in ROM. + * + * Uncomment this macro to use precomputed AES tables stored in ROM. + * Comment this macro to generate AES tables in RAM at runtime. + * + * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb + * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the + * initialization time before the first AES operation can be performed. + * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c + * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded + * performance if ROM access is slower than RAM access. + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. + */ +#define MBEDTLS_AES_ROM_TABLES + +/** + * \def MBEDTLS_AES_FEWER_TABLES + * + * Use less ROM/RAM for AES tables. + * + * Uncommenting this macro omits 75% of the AES tables from + * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) + * by computing their values on the fly during operations + * (the tables are entry-wise rotations of one another). + * + * Tradeoff: Uncommenting this reduces the RAM / ROM footprint + * by ~6kb but at the cost of more arithmetic operations during + * runtime. Specifically, one has to compare 4 accesses within + * different tables to 4 accesses with additional arithmetic + * operations within the same table. The performance gain/loss + * depends on the system and memory details. + * + * This option is independent of \c MBEDTLS_AES_ROM_TABLES. + */ +#define MBEDTLS_AES_FEWER_TABLES + +/** + * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + * + * Use only 128-bit keys in AES operations to save ROM. + * + * Uncomment this macro to remove support for AES operations that use 192- + * or 256-bit keys. + * + * Uncommenting this macro reduces the size of AES code by ~300 bytes + * on v8-M/Thumb2. + * + * Module: library/aes.c + * + * Requires: MBEDTLS_AES_C + */ +#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + +/** + * \def MBEDTLS_ECP_NIST_OPTIM + * + * Enable specific 'modulo p' routines for each NIST prime. + * Depending on the prime and architecture, makes operations 4 to 8 times + * faster on the corresponding curve. + * + * Comment this macro to disable NIST curves optimisation. + */ +#define MBEDTLS_ECP_NIST_OPTIM + +/** + * \def MBEDTLS_HAVE_ASM + * + * The compiler has support for asm(). + * + * Requires support for asm() in compiler. + * + * Used in: + * library/aesni.h + * library/aria.c + * library/bn_mul.h + * library/constant_time.c + * + * Required by: + * MBEDTLS_AESCE_C + * MBEDTLS_AESNI_C (on some platforms) + * + * Comment to disable the use of assembly code. + */ +#define MBEDTLS_HAVE_ASM + +/** + * Uncomment to enable p256-m. This is an alternative implementation of + * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. + * Compared to the default implementation: + * + * - p256-m has a much smaller code size and RAM footprint. + * - p256-m is only available via the PSA API. This includes the pk module. + * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols + * over the core arithmetic, or deterministic derivation of keys. + * + * We recommend enabling this option if your application uses the PSA API + * and the only elliptic curve support it needs is ECDH and ECDSA over + * SECP256R1. + * + * If you enable this option, you do not need to enable any ECC-related + * MBEDTLS_xxx option. You do need to separately request support for the + * cryptographic mechanisms through the PSA API: + * - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration; + * - #PSA_WANT_ECC_SECP_R1_256; + * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; + * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed. + * + * \note To benefit from the smaller code size of p256-m, make sure that you + * do not enable any ECC-related option not supported by p256-m: this + * would cause the built-in ECC implementation to be built as well, in + * order to provide the required option. + * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than + * SECP256R1 are disabled as they are not supported by this driver. + * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or + * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of + * the built-in ECC implementation, see docs/driver-only-builds.md. + */ +#define MBEDTLS_PSA_P256M_DRIVER_ENABLED + +/** + * \def MBEDTLS_SHA256_SMALLER + * + * Enable an implementation of SHA-256 that has lower ROM footprint but also + * lower performance. + * + * The default implementation is meant to be a reasonable compromise between + * performance and size. This version optimizes more aggressively for size at + * the expense of performance. Eg on Cortex-M4 it reduces the size of + * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about + * 30%. + * + * Uncomment to enable the smaller implementation of SHA256. + */ +#define MBEDTLS_SHA256_SMALLER + +/* ECP options */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ + +/** \} name SECTION: Builtin drivers */ + +/** + * \name SECTION: Legacy cryptography + * + * This section sets legacy settings. + * \{ + */ + +/** + * \def MBEDTLS_AES_C + * + * Enable the AES block cipher. + * + * Module: library/aes.c + * Caller: library/cipher.c + * library/pem.c + * library/ctr_drbg.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA + * + * PEM_PARSE uses AES for decrypting encrypted keys. + */ +#define MBEDTLS_AES_C + +/** + * \def MBEDTLS_CIPHER_C + * + * Enable the generic cipher layer. + * + * Module: library/cipher.c + * Caller: library/ccm.c + * library/cmac.c + * library/gcm.c + * library/nist_kw.c + * library/pkcs12.c + * library/pkcs5.c + * library/psa_crypto_aead.c + * library/psa_crypto_mac.c + * library/ssl_ciphersuites.c + * library/ssl_msg.c + * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled + * (see the documentation of that option for details). + * + * Uncomment to enable generic cipher wrappers. + */ +#define MBEDTLS_CIPHER_C + +/** + * \def MBEDTLS_CTR_DRBG_C + * + * Enable the CTR_DRBG AES-based random generator. + * The CTR_DRBG generator uses AES-256 by default. + * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above. + * + * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. + * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA + * is used. + * + * \warning When using PSA, the user should call `psa_crypto_init()` before + * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`). + * + * \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set. + * + * \note To achieve a 256-bit security strength with CTR_DRBG, + * you must use AES-256 *and* use sufficient entropy. + * See ctr_drbg.h for more details. + * + * Module: library/ctr_drbg.c + * Caller: + * + * Requires: MBEDTLS_AES_C or + * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and + * MBEDTLS_PSA_CRYPTO_C) + * + * This module provides the CTR_DRBG AES random number generator. + */ +#define MBEDTLS_CTR_DRBG_C +/** \} name SECTION: Legacy cryptography */ + /***********************************************************/ /* Tweak the configuration to remove dependencies on TF-M. */ /***********************************************************/ @@ -178,6 +690,14 @@ * to reduce code size further. */ #undef MBEDTLS_CIPHER_C +#if CRYPTO_NV_SEED +#include "tfm_mbedcrypto_config_extra_nv_seed.h" +#endif /* CRYPTO_NV_SEED */ + +#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) +#include "mbedtls_entropy_nv_seed_config.h" +#endif + #ifdef CRYPTO_HW_ACCELERATOR #include "crypto_accelerator_config.h" #endif diff --git a/configs/ext/tfm_mbedcrypto_config_profile_medium.h b/configs/ext/tfm_mbedcrypto_config_profile_medium.h index 8ef28ee332..ee62cf6e01 100644 --- a/configs/ext/tfm_mbedcrypto_config_profile_medium.h +++ b/configs/ext/tfm_mbedcrypto_config_profile_medium.h @@ -35,385 +35,6 @@ #define _CRT_SECURE_NO_DEPRECATE 1 #endif -/** - * \name SECTION: System support - * - * This section sets system specific settings. - * \{ - */ - -/** - * \def MBEDTLS_HAVE_ASM - * - * The compiler has support for asm(). - * - * Requires support for asm() in compiler. - * - * Used in: - * library/aria.c - * library/timing.c - * include/mbedtls/bn_mul.h - * - * Required by: - * MBEDTLS_AESNI_C - * - * Comment to disable the use of assembly code. - */ -#define MBEDTLS_HAVE_ASM - -/** - * \def MBEDTLS_PLATFORM_MEMORY - * - * Enable the memory allocation layer. - * - * By default mbed TLS uses the system-provided calloc() and free(). - * This allows different allocators (self-implemented or provided) to be - * provided to the platform abstraction layer. - * - * Enabling MBEDTLS_PLATFORM_MEMORY without the - * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide - * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and - * free() function pointer at runtime. - * - * Enabling MBEDTLS_PLATFORM_MEMORY and specifying - * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the - * alternate function at compile time. - * - * Requires: MBEDTLS_PLATFORM_C - * - * Enable this layer to allow use of alternative memory allocators. - */ -#define MBEDTLS_PLATFORM_MEMORY - -/* \} name SECTION: System support */ - -/** - * \name SECTION: mbed TLS feature support - * - * This section sets support for features that are or are not needed - * within the modules that are enabled. - * \{ - */ - -/** - * \def MBEDTLS_AES_ROM_TABLES - * - * Use precomputed AES tables stored in ROM. - * - * Uncomment this macro to use precomputed AES tables stored in ROM. - * Comment this macro to generate AES tables in RAM at runtime. - * - * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb - * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the - * initialization time before the first AES operation can be performed. - * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c - * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded - * performance if ROM access is slower than RAM access. - * - * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. - * - */ -#define MBEDTLS_AES_ROM_TABLES - -/** - * \def MBEDTLS_AES_FEWER_TABLES - * - * Use less ROM/RAM for AES tables. - * - * Uncommenting this macro omits 75% of the AES tables from - * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) - * by computing their values on the fly during operations - * (the tables are entry-wise rotations of one another). - * - * Tradeoff: Uncommenting this reduces the RAM / ROM footprint - * by ~6kb but at the cost of more arithmetic operations during - * runtime. Specifically, one has to compare 4 accesses within - * different tables to 4 accesses with additional arithmetic - * operations within the same table. The performance gain/loss - * depends on the system and memory details. - * - * This option is independent of \c MBEDTLS_AES_ROM_TABLES. - * - */ -#define MBEDTLS_AES_FEWER_TABLES - -/** - * \def MBEDTLS_ECP_NIST_OPTIM - * - * Enable specific 'modulo p' routines for each NIST prime. - * Depending on the prime and architecture, makes operations 4 to 8 times - * faster on the corresponding curve. - * - * Comment this macro to disable NIST curves optimisation. - */ -#define MBEDTLS_ECP_NIST_OPTIM - -/** - * \def MBEDTLS_NO_PLATFORM_ENTROPY - * - * Do not use built-in platform entropy functions. - * This is useful if your platform does not support - * standards like the /dev/urandom or Windows CryptoAPI. - * - * Uncomment this macro to disable the built-in platform entropy functions. - */ -#define MBEDTLS_NO_PLATFORM_ENTROPY - -/** - * \def MBEDTLS_ENTROPY_NV_SEED - * - * Enable the non-volatile (NV) seed file-based entropy source. - * (Also enables the NV seed read/write functions in the platform layer) - * - * This is crucial (if not required) on systems that do not have a - * cryptographic entropy source (in hardware or kernel) available. - * - * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C - * - * \note The read/write functions that are used by the entropy source are - * determined in the platform layer, and can be modified at runtime and/or - * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. - * - * \note If you use the default implementation functions that read a seedfile - * with regular fopen(), please make sure you make a seedfile with the - * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at - * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from - * and written to or you will get an entropy source error! The default - * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE - * bytes from the file. - * - * \note The entropy collector will write to the seed file before entropy is - * given to an external source, to update it. - */ -#define MBEDTLS_ENTROPY_NV_SEED - -/** - * \def MBEDTLS_PSA_CRYPTO_SPM - * - * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure - * Partition Manager) integration which separates the code into two parts: a - * NSPE (Non-Secure Process Environment) and an SPE (Secure Process - * Environment). - * - * Module: library/psa_crypto.c - * Requires: MBEDTLS_PSA_CRYPTO_C - * - */ -#define MBEDTLS_PSA_CRYPTO_SPM - -/** - * \def MBEDTLS_SHA256_SMALLER - * - * Enable an implementation of SHA-256 that has lower ROM footprint but also - * lower performance. - * - * The default implementation is meant to be a reasonnable compromise between - * performance and size. This version optimizes more aggressively for size at - * the expense of performance. Eg on Cortex-M4 it reduces the size of - * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about - * 30%. - * - * Uncomment to enable the smaller implementation of SHA256. - */ -#define MBEDTLS_SHA256_SMALLER - -/** - * \def MBEDTLS_PSA_CRYPTO_CONFIG - * - * This setting allows support for cryptographic mechanisms through the PSA - * API to be configured separately from support through the mbedtls API. - * - * When this option is disabled, the PSA API exposes the cryptographic - * mechanisms that can be implemented on top of the `mbedtls_xxx` API - * configured with `MBEDTLS_XXX` symbols. - * - * When this option is enabled, the PSA API exposes the cryptographic - * mechanisms requested by the `PSA_WANT_XXX` symbols defined in - * include/psa/crypto_config.h. The corresponding `MBEDTLS_XXX` settings are - * automatically enabled if required (i.e. if no PSA driver provides the - * mechanism). You may still freely enable additional `MBEDTLS_XXX` symbols - * in mbedtls_config.h. - * - * If the symbol #TF_PSA_CRYPTO_CONFIG_FILE is defined, it specifies - * an alternative header to include instead of include/psa/crypto_config.h. - * - * This feature is still experimental and is not ready for production since - * it is not completed. - */ -#define MBEDTLS_PSA_CRYPTO_CONFIG - -/* \} name SECTION: mbed TLS feature support */ - -/** - * \name SECTION: mbed TLS modules - * - * This section enables or disables entire modules in mbed TLS - * \{ - */ - -/** - * \def MBEDTLS_AES_C - * - * Enable the AES block cipher. - * - * Module: library/aes.c - * Caller: library/cipher.c - * library/pem.c - * library/ctr_drbg.c - * - * This module is required to support the TLS ciphersuites that use the AES - * cipher. - * - * PEM_PARSE uses AES for decrypting encrypted keys. - */ -#define MBEDTLS_AES_C - -/** - * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH - * - * Use only 128-bit keys in AES operations to save ROM. - * - * Uncomment this macro to remove support for AES operations that use 192- - * or 256-bit keys. - * - * Uncommenting this macro reduces the size of AES code by ~300 bytes - * on v8-M/Thumb2. - * - * Module: library/aes.c - * - * Requires: MBEDTLS_AES_C - */ -#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH - -/** - * \def MBEDTLS_CIPHER_C - * - * Enable the generic cipher layer. - * - * Module: library/cipher.c - * - * Uncomment to enable generic cipher wrappers. - */ -#define MBEDTLS_CIPHER_C - -/** - * \def MBEDTLS_CTR_DRBG_C - * - * Enable the CTR_DRBG AES-based random generator. - * The CTR_DRBG generator uses AES-256 by default. - * To use AES-128 instead, enable MBEDTLS_CTR_DRBG_USE_128_BIT_KEY below. - * - * Module: library/ctr_drbg.c - * Caller: - * - * Requires: MBEDTLS_AES_C - * - * This module provides the CTR_DRBG AES random number generator. - */ -#define MBEDTLS_CTR_DRBG_C - -/** - * \def MBEDTLS_ENTROPY_C - * - * Enable the platform-specific entropy code. - * - * Module: library/entropy.c - * Caller: - * - * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C - * - * This module provides a generic entropy pool - */ -#define MBEDTLS_ENTROPY_C - -/** - * \def MBEDTLS_HKDF_C - * - * Enable the HKDF algorithm (RFC 5869). - * - * Module: library/hkdf.c - * Caller: - * - * Requires: MBEDTLS_MD_C - * - * This module adds support for the Hashed Message Authentication Code - * (HMAC)-based key derivation function (HKDF). - */ -//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */ - -/** - * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C - * - * Enable the buffer allocator implementation that makes use of a (stack) - * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() - * calls) - * - * Module: library/memory_buffer_alloc.c - * - * Requires: MBEDTLS_PLATFORM_C - * MBEDTLS_PLATFORM_MEMORY (to use it within mbed TLS) - * - * Enable this module to enable the buffer memory allocator. - */ -#define MBEDTLS_MEMORY_BUFFER_ALLOC_C - -/** - * \def MBEDTLS_PLATFORM_C - * - * Enable the platform abstraction layer that allows you to re-assign - * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). - * - * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT - * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned - * above to be specified at runtime or compile time respectively. - * - * \note This abstraction layer must be enabled on Windows (including MSYS2) - * as other module rely on it for a fixed snprintf implementation. - * - * Module: library/platform.c - * Caller: Most other .c files - * - * This module enables abstraction of common (libc) functions. - */ -#define MBEDTLS_PLATFORM_C - -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -#define MBEDTLS_PLATFORM_STD_MEM_HDR - -#include - -#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf -#define MBEDTLS_PLATFORM_PRINTF_ALT -#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS -#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE - -/** - * \def MBEDTLS_PSA_CRYPTO_C - * - * Enable the Platform Security Architecture cryptography API. - * - * Module: library/psa_crypto.c - * - * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C - * - */ -#define MBEDTLS_PSA_CRYPTO_C - -/** - * \def MBEDTLS_PSA_CRYPTO_STORAGE_C - * - * Enable the Platform Security Architecture persistent key storage. - * - * Module: library/psa_crypto_storage.c - * - * Requires: MBEDTLS_PSA_CRYPTO_C, - * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of - * the PSA ITS interface - */ -#define MBEDTLS_PSA_CRYPTO_STORAGE_C - -/* \} name SECTION: mbed TLS modules */ - /** * \name SECTION: General configuration options * @@ -459,112 +80,6 @@ */ //#define MBEDTLS_USER_CONFIG_FILE "/dev/null" -/** - * \def TF_PSA_CRYPTO_CONFIG_FILE - * - * If defined, this is a header which will be included instead of - * `"psa/crypto_config.h"`. - * This header file specifies which cryptographic mechanisms are available - * through the PSA API when #MBEDTLS_PSA_CRYPTO_CONFIG is enabled, and - * is not used when #MBEDTLS_PSA_CRYPTO_CONFIG is disabled. - * - * This macro is expanded after an \#include directive. This is a popular but - * non-standard feature of the C language, so this feature is only available - * with compilers that perform macro expansion on an \#include line. - * - * The value of this symbol is typically a path in double quotes, either - * absolute or relative to a directory on the include search path. - */ -//#define TF_PSA_CRYPTO_CONFIG_FILE "psa/crypto_config.h" - -/** - * \def TF_PSA_CRYPTO_USER_CONFIG_FILE - * - * If defined, this is a header which will be included after - * `"psa/crypto_config.h"` or #TF_PSA_CRYPTO_CONFIG_FILE. - * This allows you to modify the default configuration, including the ability - * to undefine options that are enabled by default. - * - * This macro is expanded after an \#include directive. This is a popular but - * non-standard feature of the C language, so this feature is only available - * with compilers that perform macro expansion on an \#include line. - * - * The value of this symbol is typically a path in double quotes, either - * absolute or relative to a directory on the include search path. - */ -//#define TF_PSA_CRYPTO_USER_CONFIG_FILE "/dev/null" - /** \} name SECTION: General configuration options */ -/** - * \name SECTION: Module configuration options - * - * This section allows for the setting of module specific sizes and - * configuration options. The default values are already present in the - * relevant header files and should suffice for the regular use cases. - * - * Our advice is to enable options and change their values here - * only if you have a good reason and know the consequences. - * - * Please check the respective header file for documentation on these - * parameters (to prevent duplicate documentation). - * \{ - */ - -/* ECP options */ -#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ - -/** - * Uncomment to enable p256-m. This is an alternative implementation of - * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. - * Compared to the default implementation: - * - * - p256-m has a much smaller code size and RAM footprint. - * - p256-m is only available via the PSA API. This includes the pk module. - * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols - * over the core arithmetic, or deterministic derivation of keys. - * - * We recommend enabling this option if your application uses the PSA API - * and the only elliptic curve support it needs is ECDH and ECDSA over - * SECP256R1. - * - * If you enable this option, you do not need to enable any ECC-related - * MBEDTLS_xxx option. You do need to separately request support for the - * cryptographic mechanisms through the PSA API: - * - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based - * configuration; - * - #PSA_WANT_ECC_SECP_R1_256; - * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; - * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, - * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT, - * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or - * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed. - * - * \note To benefit from the smaller code size of p256-m, make sure that you - * do not enable any ECC-related option not supported by p256-m: this - * would cause the built-in ECC implementation to be built as well, in - * order to provide the required option. - * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and - * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than - * SECP256R1 are disabled as they are not supported by this driver. - * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or - * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of - * the built-in ECC implementation, see docs/driver-only-builds.md. - */ -#define MBEDTLS_PSA_P256M_DRIVER_ENABLED - -/* \} name SECTION: Customisation configuration options */ - -#if CRYPTO_NV_SEED -#include "tfm_mbedcrypto_config_extra_nv_seed.h" -#endif /* CRYPTO_NV_SEED */ - -#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) -#include "mbedtls_entropy_nv_seed_config.h" -#endif - -#ifdef CRYPTO_HW_ACCELERATOR -#include "mbedtls_accelerator_config.h" -#endif - #endif /* PROFILE_M_MBEDTLS_CONFIG_H */ diff --git a/framework b/framework index beb5dadbf2..ff4c33600a 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit beb5dadbf26156f434ea58dce5c5a3182df4c60f +Subproject commit ff4c33600afc0def98d190f7d10210370f47bd9f diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 87b9a1b5a7..2c23c48c66 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -8,7 +8,6 @@ if (NOT WIN32) endif() add_subdirectory(hash) add_subdirectory(pkey) -add_subdirectory(../tf-psa-crypto/programs/psa ../tf-psa-crypto/programs/psa) add_subdirectory(random) add_subdirectory(ssl) add_subdirectory(test) diff --git a/programs/Makefile b/programs/Makefile index 0b3025dc96..c177c28a25 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -132,14 +132,14 @@ ${MBEDTLS_TEST_OBJS}: $(MAKE) -C ../tests mbedtls_test .PHONY: generated_files -GENERATED_FILES = psa/psa_constant_names_generated.c test/query_config.c +GENERATED_FILES = ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c test/query_config.c generated_files: $(GENERATED_FILES) -../tf-psa-crypto/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py -psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h -psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h -psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data -psa/psa_constant_names_generated.c: +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: echo " Gen $@" cd ../tf-psa-crypto; $(PYTHON) ./scripts/generate_psa_constants.py @@ -271,7 +271,7 @@ pkey/rsa_encrypt$(EXEXT): pkey/rsa_encrypt.c $(DEP) echo " CC psa/key_ladder_demo.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ -../tf-psa-crypto/programs/psa/psa_constant_names$(EXEXT): ../tf-psa-crypto/programs/psa/psa_constant_names.c psa/psa_constant_names_generated.c $(DEP) +../tf-psa-crypto/programs/psa/psa_constant_names$(EXEXT): ../tf-psa-crypto/programs/psa/psa_constant_names.c ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c $(DEP) echo " CC psa/psa_constant_names.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt index 08bf095088..c5128b1b4d 100644 --- a/programs/aes/CMakeLists.txt +++ b/programs/aes/CMakeLists.txt @@ -4,7 +4,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/cipher/CMakeLists.txt b/programs/cipher/CMakeLists.txt index 3bc1a9e51c..d6483011a0 100644 --- a/programs/cipher/CMakeLists.txt +++ b/programs/cipher/CMakeLists.txt @@ -4,7 +4,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt index 57cfeee510..8f463178b8 100644 --- a/programs/fuzz/CMakeLists.txt +++ b/programs/fuzz/CMakeLists.txt @@ -31,7 +31,7 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c) set(exe_sources ${exe}.c $ - $) + $) if(NOT FUZZINGENGINE_LIB) list(APPEND exe_sources onefile.c) endif() diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt index 3eabb97d31..d23db0443e 100644 --- a/programs/hash/CMakeLists.txt +++ b/programs/hash/CMakeLists.txt @@ -6,7 +6,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt index 34987c3f52..c782ad4655 100644 --- a/programs/pkey/CMakeLists.txt +++ b/programs/pkey/CMakeLists.txt @@ -5,7 +5,7 @@ set(executables_mbedtls add_dependencies(${programs_target} ${executables_mbedtls}) foreach(exe IN LISTS executables_mbedtls) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${mbedtls_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) @@ -34,7 +34,7 @@ set(executables_mbedcrypto add_dependencies(${programs_target} ${executables_mbedcrypto}) foreach(exe IN LISTS executables_mbedcrypto) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt index d7c0782428..76cb8407af 100644 --- a/programs/random/CMakeLists.txt +++ b/programs/random/CMakeLists.txt @@ -5,7 +5,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt index 513c866d5b..a27c6262b5 100644 --- a/programs/ssl/CMakeLists.txt +++ b/programs/ssl/CMakeLists.txt @@ -40,8 +40,8 @@ foreach(exe IN LISTS executables) endif() add_executable(${exe} ${exe}.c + $ $ - $ ${extra_sources}) set_base_compile_options(${exe}) target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) @@ -59,8 +59,8 @@ endforeach() if(THREADS_FOUND) add_executable(ssl_pthread_server ssl_pthread_server.c - $ - $) + $ + $) set_base_compile_options(ssl_pthread_server) target_include_directories(ssl_pthread_server PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include) diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 285da13afb..dec1e8c28a 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -82,7 +82,7 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto) ${CMAKE_CURRENT_SOURCE_DIR}/query_config.h ${CMAKE_CURRENT_BINARY_DIR}/query_config.c) endif() - add_executable(${exe} ${exe}.c $ + add_executable(${exe} ${exe}.c $ ${extra_sources}) set_base_compile_options(${exe}) target_include_directories(${exe} diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt index ae1b467049..c1b6b75866 100644 --- a/programs/util/CMakeLists.txt +++ b/programs/util/CMakeLists.txt @@ -10,7 +10,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt index c3ee3480ff..9e63bf1530 100644 --- a/programs/x509/CMakeLists.txt +++ b/programs/x509/CMakeLists.txt @@ -13,7 +13,7 @@ set(executables add_dependencies(${programs_target} ${executables}) foreach(exe IN LISTS executables) - add_executable(${exe} ${exe}.c $) + add_executable(${exe} ${exe}.c $) set_base_compile_options(${exe}) target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat index fb4a2253f4..e1f0962a3a 100644 --- a/scripts/make_generated_files.bat +++ b/scripts/make_generated_files.bat @@ -29,6 +29,6 @@ python framework\scripts\generate_config_tests.py tests\suites\test_suite_config python framework\scripts\generate_config_tests.py --directory tf-psa-crypto\tests\suites tests\suites\test_suite_config.psa_boolean.data || exit /b 1 python framework\scripts\generate_ecp_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1 python framework\scripts\generate_psa_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1 -python framework\scripts\generate_test_keys.py --output framework\tests\src\test_keys.h || exit /b 1 +python framework\scripts\generate_test_keys.py --output framework\tests\include\test\test_keys.h || exit /b 1 python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1 python framework\scripts\generate_tls13_compat_tests.py || exit /b 1 diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 402b8cb2ea..950c365973 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -154,7 +154,7 @@ function(add_test_suite suite_name) ) add_executable(test_suite_${data_name} test_suite_${data_name}.c - $ + $ $) set_base_compile_options(test_suite_${data_name}) target_compile_options(test_suite_${data_name} PRIVATE ${TEST_C_FLAGS}) diff --git a/tests/Makefile b/tests/Makefile index 69285b6bf0..7063d81cbb 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -57,7 +57,7 @@ endif GENERATED_CRYPTO_DATA_FILES += $(GENERATED_PSA_DATA_FILES) GENERATED_FILES = $(GENERATED_DATA_FILES) $(GENERATED_CRYPTO_DATA_FILES) -GENERATED_FILES += ../framework/tests/src/test_keys.h src/test_certs.h +GENERATED_FILES += ../framework/tests/include/test/test_keys.h src/test_certs.h # Generated files needed to (fully) run ssl-opt.sh .PHONY: ssl-opt @@ -172,7 +172,7 @@ src/test_certs.h: ../framework/scripts/generate_test_cert_macros.py \ echo " Gen $@" $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@ -../framework/tests/src/test_keys.h: ../framework/scripts/generate_test_keys.py +../framework/tests/include/test/test_keys.h: ../framework/scripts/generate_test_keys.py echo " Gen $@" $(PYTHON) ../framework/scripts/generate_test_keys.py --output $@ @@ -183,7 +183,7 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG # therefore the wildcard enumeration above doesn't include it. TEST_OBJS_DEPS += ../framework/tests/include/test/instrument_record_status.h endif -TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/src/test_keys.h +TEST_OBJS_DEPS += src/test_certs.h ../framework/tests/include/test/test_keys.h # Rule to compile common test C files in framework ../framework/tests/src/%.o : ../framework/tests/src/%.c $(TEST_OBJS_DEPS) @@ -323,13 +323,14 @@ endef libtestdriver1.a: rm -Rf ./libtestdriver1 mkdir ./libtestdriver1 + mkdir ./libtestdriver1/framework mkdir ./libtestdriver1/tf-psa-crypto mkdir ./libtestdriver1/tf-psa-crypto/drivers mkdir ./libtestdriver1/tf-psa-crypto/drivers/everest mkdir ./libtestdriver1/tf-psa-crypto/drivers/p256-m touch ./libtestdriver1/tf-psa-crypto/drivers/everest/Makefile.inc touch ./libtestdriver1/tf-psa-crypto/drivers/p256-m/Makefile.inc - cp -Rf ../framework ./libtestdriver1 + cp -Rf ../framework/scripts ./libtestdriver1/framework cp -Rf ../library ./libtestdriver1 cp -Rf ../include ./libtestdriver1 cp -Rf ../scripts ./libtestdriver1 diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index d825ee92c7..342bbed91e 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -26,6 +26,3 @@ #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE #undef MBEDTLS_SSL_DTLS_CONNECTION_ID #undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - -/* Enable some invasive tests */ -#define MBEDTLS_TEST_HOOKS diff --git a/tests/configs/user-config-malloc-0-null.h b/tests/configs/user-config-malloc-0-null.h index fada9ee934..c1a1214fde 100644 --- a/tests/configs/user-config-malloc-0-null.h +++ b/tests/configs/user-config-malloc-0-null.h @@ -1,4 +1,4 @@ -/* mbedtls_config.h modifier that forces calloc(0) to return NULL. +/* crypto_config.h modifier that forces calloc(0) to return NULL. * Used for testing. */ /* diff --git a/tests/configs/user-config-zeroize-memset.h b/tests/configs/user-config-zeroize-memset.h index 52d4b0833e..270d12584b 100644 --- a/tests/configs/user-config-zeroize-memset.h +++ b/tests/configs/user-config-zeroize-memset.h @@ -1,4 +1,4 @@ -/* mbedtls_config.h modifier that defines mbedtls_platform_zeroize() to be +/* crypto_config.h modifier that defines mbedtls_platform_zeroize() to be * memset(), so that the compile can check arguments for us. * Used for testing. */ diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh index a66c37013b..3b186d68a6 100755 --- a/tests/scripts/check-generated-files.sh +++ b/tests/scripts/check-generated-files.sh @@ -146,10 +146,15 @@ if [ -d tf-psa-crypto ]; then check ../framework/scripts/generate_ecp_tests.py $(../framework/scripts/generate_ecp_tests.py --list) check ../framework/scripts/generate_psa_tests.py $(../framework/scripts/generate_psa_tests.py --list) cd .. + # Generated files that are present in the repository even in the development + # branch. (This is intended to be temporary, until the generator scripts are + # fully reviewed and the build scripts support a generated header file.) + check framework/scripts/generate_psa_wrappers.py tf-psa-crypto/tests/include/test/psa_test_wrappers.h tf-psa-crypto/tests/src/psa_test_wrappers.c check tf-psa-crypto/scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \ ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.mbedtls_boolean.data else + check scripts/generate_psa_constants.py ./programs/psa/psa_constant_names_generated.c check framework/scripts/generate_bignum_tests.py $(framework/scripts/generate_bignum_tests.py --list) if in_tf_psa_crypto_repo; then check framework/scripts/generate_config_tests.py tests/suites/test_suite_config.psa_boolean.data @@ -160,9 +165,13 @@ else check framework/scripts/generate_psa_tests.py $(framework/scripts/generate_psa_tests.py --list) check scripts/generate_driver_wrappers.py ${crypto_core_dir}/psa_crypto_driver_wrappers.h \ ${crypto_core_dir}/psa_crypto_driver_wrappers_no_static.c + # Generated files that are present in the repository even in the development + # branch. (This is intended to be temporary, until the generator scripts are + # fully reviewed and the build scripts support a generated header file.) + check framework/scripts/generate_psa_wrappers.py tests/include/test/psa_test_wrappers.h tests/src/psa_test_wrappers.c fi -check framework/scripts/generate_test_keys.py framework/tests/src/test_keys.h +check framework/scripts/generate_test_keys.py framework/tests/include/test/test_keys.h # Additional checks for Mbed TLS only if in_mbedtls_repo; then @@ -177,8 +186,3 @@ if in_mbedtls_repo; then # the step that creates or updates these files. check scripts/generate_visualc_files.pl visualc/VS2017 fi - -# Generated files that are present in the repository even in the development -# branch. (This is intended to be temporary, until the generator scripts are -# fully reviewed and the build scripts support a generated header file.) -check framework/scripts/generate_psa_wrappers.py tf-psa-crypto/tests/include/test/psa_test_wrappers.h tf-psa-crypto/tests/src/psa_test_wrappers.c diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py index 5647133b40..d3fbe859e3 100755 --- a/tests/scripts/check_files.py +++ b/tests/scripts/check_files.py @@ -106,6 +106,8 @@ class FileIssueTracker: BINARY_FILE_PATH_RE_LIST = [ r'docs/.*\.pdf\Z', r'docs/.*\.png\Z', + r'tf-psa-crypto/docs/.*\.pdf\Z', + r'tf-psa-crypto/docs/.*\.png\Z', r'programs/fuzz/corpuses/[^.]+\Z', r'framework/data_files/[^.]+\Z', r'framework/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z', diff --git a/tests/scripts/components-compiler.sh b/tests/scripts/components-compiler.sh index 4237305c78..0598b2df08 100644 --- a/tests/scripts/components-compiler.sh +++ b/tests/scripts/components-compiler.sh @@ -114,7 +114,7 @@ component_build_zeroize_checks () { scripts/config.py full # Only compile - we're looking for sizeof-pointer-memaccess warnings - make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" + make CFLAGS="'-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" } component_test_zeroize () { diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index fe8fe913a0..b7cef0d31d 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -413,16 +413,7 @@ component_test_config_symmetric_only () { msg "build: configs/config-symmetric-only.h" MBEDTLS_CONFIG="configs/config-symmetric-only.h" CRYPTO_CONFIG="configs/crypto-config-symmetric-only.h" - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: configs/config-symmetric-only.h - unit tests" @@ -2167,6 +2158,8 @@ component_test_ccm_aes_sha256 () { # Setting a blank config disables everyhing in the library side. echo '#define MBEDTLS_CONFIG_H ' >"$CONFIG_H" + cp configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" + make msg "test: CCM + AES + SHA256 configuration" make test @@ -2299,11 +2292,6 @@ component_test_sha3_variations () { # define minimal config sufficient to test SHA3 cat > include/mbedtls/mbedtls_config.h << END - #define MBEDTLS_AES_C - #define MBEDTLS_CTR_DRBG_C - #define MBEDTLS_ENTROPY_C - #define MBEDTLS_PSA_CRYPTO_C - #define MBEDTLS_SELF_TEST END cat > tf-psa-crypto/include/psa/crypto_config.h << END @@ -2312,6 +2300,11 @@ END #define PSA_WANT_ALG_SHA3_256 1 #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 + #define MBEDTLS_AES_C + #define MBEDTLS_CTR_DRBG_C + #define MBEDTLS_ENTROPY_C + #define MBEDTLS_PSA_CRYPTO_C + #define MBEDTLS_SELF_TEST END msg "all loops unrolled" diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index a60bb93268..83795012f3 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -13,16 +13,7 @@ component_test_config_suite_b () { msg "build: configs/config-suite-b.h" MBEDTLS_CONFIG="configs/config-suite-b.h" CRYPTO_CONFIG="configs/crypto-config-suite-b.h" - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: configs/config-suite-b.h - unit tests" @@ -161,16 +152,7 @@ component_test_config_thread () { msg "build: configs/config-thread.h" MBEDTLS_CONFIG="configs/config-thread.h" CRYPTO_CONFIG="configs/crypto-config-thread.h" - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: configs/config-thread.h - unit tests" @@ -184,16 +166,7 @@ component_test_tls1_2_ccm_psk () { msg "build: configs/config-ccm-psk-tls1_2.h" MBEDTLS_CONFIG="configs/config-ccm-psk-tls1_2.h" CRYPTO_CONFIG="configs/crypto-config-ccm-psk-tls1_2.h" - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: configs/config-ccm-psk-tls1_2.h - unit tests" @@ -207,16 +180,7 @@ component_test_tls1_2_ccm_psk_dtls () { msg "build: configs/config-ccm-psk-dtls1_2.h" MBEDTLS_CONFIG="configs/config-ccm-psk-dtls1_2.h" CRYPTO_CONFIG="configs/crypto-config-ccm-psk-tls1_2.h" - # test-ref-configs works by overwriting mbedtls_config.h; this makes cmake - # want to re-generate generated files that depend on it, quite correctly. - # However this doesn't work as the generation script expects a specific - # format for mbedtls_config.h, which the other files don't follow. Also, - # cmake can't know this, but re-generation is actually not necessary as - # the generated files only depend on the list of available options, not - # whether they're on or off. So, disable cmake's (over-sensitive here) - # dependency resolution for generated files and just rely on them being - # present (thanks to pre_generate_files) by turning GEN_FILES off. - CC=$ASAN_CC cmake -D GEN_FILES=Off -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -DMBEDTLS_CONFIG_FILE="$MBEDTLS_CONFIG" -DTF_PSA_CRYPTO_CONFIG_FILE="$CRYPTO_CONFIG" -D CMAKE_BUILD_TYPE:String=Asan . make msg "test: configs/config-ccm-psk-dtls1_2.h - unit tests" @@ -463,6 +427,8 @@ component_test_tls13_only () { msg "build: default config without MBEDTLS_SSL_PROTO_TLS1_2" scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_SSL_RECORD_SIZE_LIMIT + + scripts/config.py set MBEDTLS_TEST_HOOKS make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test: TLS 1.3 only, all key exchange modes enabled" @@ -482,6 +448,7 @@ component_test_tls13_only_psk () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA @@ -518,6 +485,8 @@ component_test_tls13_only_ephemeral () { scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + + scripts/config.py set MBEDTLS_TEST_HOOKS make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, only ephemeral key exchange mode" @@ -533,6 +502,7 @@ component_test_tls13_only_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED scripts/config.py unset MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH # Note: The unset below is to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C @@ -556,6 +526,7 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP @@ -583,6 +554,7 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA @@ -611,6 +583,7 @@ component_test_tls13_only_psk_all () { scripts/config.py unset MBEDTLS_PKCS7_C scripts/config.py set MBEDTLS_SSL_EARLY_DATA + scripts/config.py set MBEDTLS_TEST_HOOKS scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP @@ -632,6 +605,8 @@ component_test_tls13_only_ephemeral_all () { msg "build: TLS 1.3 only from default, without PSK key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED scripts/config.py set MBEDTLS_SSL_EARLY_DATA + + scripts/config.py set MBEDTLS_TEST_HOOKS make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'" msg "test_suite_ssl: TLS 1.3 only, ephemeral and PSK ephemeral key exchange modes" diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 6d1f2a8879..74408457d9 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -249,7 +249,7 @@ component_build_tfm () { component_test_malloc_0_null () { msg "build: malloc(0) returns NULL (ASan+UBSan build)" scripts/config.py full - make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + make CC=$ASAN_CC CFLAGS="'-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: malloc(0) returns NULL (ASan+UBSan build)" make test diff --git a/tf-psa-crypto/CMakeLists.txt b/tf-psa-crypto/CMakeLists.txt index a55b1625b9..bbc191ffa3 100644 --- a/tf-psa-crypto/CMakeLists.txt +++ b/tf-psa-crypto/CMakeLists.txt @@ -400,33 +400,31 @@ add_subdirectory(pkgconfig) # files to define the test executables. # if(ENABLE_TESTING OR ENABLE_PROGRAMS) - file(GLOB MBEDTLS_TEST_FILES + file(GLOB TF_PSA_CRYPTO_TEST_FILES ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/*.c ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/drivers/*.c - ${TF_PSA_CRYPTO_DIR}/tests/src/*.c) - add_library(tf_psa_crypto_test OBJECT ${MBEDTLS_TEST_FILES}) + tests/src/*.c) + add_library(tf_psa_crypto_test OBJECT ${TF_PSA_CRYPTO_TEST_FILES}) set_base_compile_options(tf_psa_crypto_test) if(GEN_FILES) add_custom_command( OUTPUT - ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h - WORKING_DIRECTORY - ${MBEDTLS_DIR}/tests + ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include/test/test_keys.h COMMAND "${TF_PSA_CRYPTO_PYTHON_EXECUTABLE}" "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_keys.py" "--output" - "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h" + "${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include/test/test_keys.h" DEPENDS ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/scripts/generate_test_keys.py ) add_custom_target(tf_psa_crypto_test_keys_header - DEPENDS ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/src/test_keys.h) + DEPENDS ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include/test/test_keys.h) add_dependencies(tf_psa_crypto_test tf_psa_crypto_test_keys_header) endif() target_include_directories(tf_psa_crypto_test PRIVATE ${TF_PSA_CRYPTO_FRAMEWORK_DIR}/tests/include - PRIVATE ${TF_PSA_CRYPTO_DIR}/tests/include + PRIVATE tests/include PRIVATE ${MBEDTLS_DIR}/include PRIVATE include PRIVATE drivers/builtin/include diff --git a/docs/architecture/mbed-crypto-storage-specification.md b/tf-psa-crypto/docs/architecture/mbed-crypto-storage-specification.md similarity index 100% rename from docs/architecture/mbed-crypto-storage-specification.md rename to tf-psa-crypto/docs/architecture/mbed-crypto-storage-specification.md diff --git a/docs/architecture/psa-crypto-implementation-structure.md b/tf-psa-crypto/docs/architecture/psa-crypto-implementation-structure.md similarity index 100% rename from docs/architecture/psa-crypto-implementation-structure.md rename to tf-psa-crypto/docs/architecture/psa-crypto-implementation-structure.md diff --git a/docs/architecture/psa-keystore-design.md b/tf-psa-crypto/docs/architecture/psa-keystore-design.md similarity index 100% rename from docs/architecture/psa-keystore-design.md rename to tf-psa-crypto/docs/architecture/psa-keystore-design.md diff --git a/docs/architecture/psa-shared-memory.md b/tf-psa-crypto/docs/architecture/psa-shared-memory.md similarity index 100% rename from docs/architecture/psa-shared-memory.md rename to tf-psa-crypto/docs/architecture/psa-shared-memory.md diff --git a/docs/architecture/psa-storage-resilience.md b/tf-psa-crypto/docs/architecture/psa-storage-resilience.md similarity index 100% rename from docs/architecture/psa-storage-resilience.md rename to tf-psa-crypto/docs/architecture/psa-storage-resilience.md diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.png b/tf-psa-crypto/docs/architecture/psa-thread-safety/key-slot-state-transitions.png similarity index 100% rename from docs/architecture/psa-thread-safety/key-slot-state-transitions.png rename to tf-psa-crypto/docs/architecture/psa-thread-safety/key-slot-state-transitions.png diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/tf-psa-crypto/docs/architecture/psa-thread-safety/psa-thread-safety.md similarity index 100% rename from docs/architecture/psa-thread-safety/psa-thread-safety.md rename to tf-psa-crypto/docs/architecture/psa-thread-safety/psa-thread-safety.md diff --git a/docs/architecture/testing/driver-interface-test-strategy.md b/tf-psa-crypto/docs/architecture/testing/driver-interface-test-strategy.md similarity index 100% rename from docs/architecture/testing/driver-interface-test-strategy.md rename to tf-psa-crypto/docs/architecture/testing/driver-interface-test-strategy.md diff --git a/docs/architecture/testing/psa-storage-format-testing.md b/tf-psa-crypto/docs/architecture/testing/psa-storage-format-testing.md similarity index 100% rename from docs/architecture/testing/psa-storage-format-testing.md rename to tf-psa-crypto/docs/architecture/testing/psa-storage-format-testing.md diff --git a/docs/driver-only-builds.md b/tf-psa-crypto/docs/driver-only-builds.md similarity index 100% rename from docs/driver-only-builds.md rename to tf-psa-crypto/docs/driver-only-builds.md diff --git a/docs/proposed/psa-conditional-inclusion-c.md b/tf-psa-crypto/docs/proposed/psa-conditional-inclusion-c.md similarity index 100% rename from docs/proposed/psa-conditional-inclusion-c.md rename to tf-psa-crypto/docs/proposed/psa-conditional-inclusion-c.md diff --git a/docs/proposed/psa-driver-developer-guide.md b/tf-psa-crypto/docs/proposed/psa-driver-developer-guide.md similarity index 100% rename from docs/proposed/psa-driver-developer-guide.md rename to tf-psa-crypto/docs/proposed/psa-driver-developer-guide.md diff --git a/docs/proposed/psa-driver-integration-guide.md b/tf-psa-crypto/docs/proposed/psa-driver-integration-guide.md similarity index 100% rename from docs/proposed/psa-driver-integration-guide.md rename to tf-psa-crypto/docs/proposed/psa-driver-integration-guide.md diff --git a/docs/proposed/psa-driver-interface.md b/tf-psa-crypto/docs/proposed/psa-driver-interface.md similarity index 100% rename from docs/proposed/psa-driver-interface.md rename to tf-psa-crypto/docs/proposed/psa-driver-interface.md diff --git a/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md b/tf-psa-crypto/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md similarity index 100% rename from docs/proposed/psa-driver-wrappers-codegen-migration-guide.md rename to tf-psa-crypto/docs/proposed/psa-driver-wrappers-codegen-migration-guide.md diff --git a/docs/psa-driver-example-and-guide.md b/tf-psa-crypto/docs/psa-driver-example-and-guide.md similarity index 100% rename from docs/psa-driver-example-and-guide.md rename to tf-psa-crypto/docs/psa-driver-example-and-guide.md diff --git a/tf-psa-crypto/programs/CMakeLists.txt b/tf-psa-crypto/programs/CMakeLists.txt index e69de29bb2..c394db6f89 100644 --- a/tf-psa-crypto/programs/CMakeLists.txt +++ b/tf-psa-crypto/programs/CMakeLists.txt @@ -0,0 +1,4 @@ +set(programs_target "${TF_PSA_CRYPTO_TARGET_PREFIX}tfpsacrypto-programs") +add_custom_target(${programs_target}) + +add_subdirectory(psa) diff --git a/tf-psa-crypto/tests/suites/test_suite_pk.function b/tf-psa-crypto/tests/suites/test_suite_pk.function index 96ea591390..259e3cb650 100644 --- a/tf-psa-crypto/tests/suites/test_suite_pk.function +++ b/tf-psa-crypto/tests/suites/test_suite_pk.function @@ -177,7 +177,7 @@ #define MBEDTLS_MD_ALG_FOR_TEST MBEDTLS_MD_SHA512 #endif -#include <../src/test_keys.h> +#include /* Define an RSA key size we know it's present in predefined_key[] array. */ #define RSA_KEY_SIZE 1024