From 5cbc1423e12c70cf277f6b5b60e0936e451d4245 Mon Sep 17 00:00:00 2001 From: Aditya Deshpande Date: Tue, 11 Apr 2023 16:25:02 +0100 Subject: [PATCH 01/25] Bring over both necessary medium config files (regular and PSA style) from TFM. Signed-off-by: Aditya Deshpande --- configs/crypto_config_profile_medium.h | 115 +++++++++++++++++++++++++ 1 file changed, 115 insertions(+) create mode 100644 configs/crypto_config_profile_medium.h diff --git a/configs/crypto_config_profile_medium.h b/configs/crypto_config_profile_medium.h new file mode 100644 index 0000000000..939e2a33e3 --- /dev/null +++ b/configs/crypto_config_profile_medium.h @@ -0,0 +1,115 @@ +/* + * Copyright (c) 2018-2022, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ +/** + * \file psa/crypto_config.h + * \brief PSA crypto configuration options (set of defines) + * + */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +/** + * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, + * this file determines which cryptographic mechanisms are enabled + * through the PSA Cryptography API (\c psa_xxx() functions). + * + * To enable a cryptographic mechanism, uncomment the definition of + * the corresponding \c PSA_WANT_xxx preprocessor symbol. + * To disable a cryptographic mechanism, comment out the definition of + * the corresponding \c PSA_WANT_xxx preprocessor symbol. + * The names of cryptographic mechanisms correspond to values + * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead + * of \c PSA_. + * + * Note that many cryptographic mechanisms involve two symbols: one for + * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm + * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve + * additional symbols. + */ +#else +/** + * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h, + * this file is not used, and cryptographic mechanisms are supported + * through the PSA API if and only if they are supported through the + * mbedtls_xxx API. + */ +#endif + +#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H +#define PROFILE_M_PSA_CRYPTO_CONFIG_H + +/* + * CBC-MAC is not yet supported via the PSA API in Mbed TLS. + */ +//#define PSA_WANT_ALG_CBC_MAC 1 +//#define PSA_WANT_ALG_CBC_NO_PADDING 1 +//#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CCM 1 +//#define PSA_WANT_ALG_CMAC 1 +//#define PSA_WANT_ALG_CFB 1 +//#define PSA_WANT_ALG_CHACHA20_POLY1305 1 +//#define PSA_WANT_ALG_CTR 1 +#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +//#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ALG_ECDSA 1 +//#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HKDF 1 +#define PSA_WANT_ALG_HMAC 1 +//#define PSA_WANT_ALG_MD5 1 +//#define PSA_WANT_ALG_OFB 1 +/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. + * Note: when adding support, also adjust include/mbedtls/config_psa.h */ +//#define PSA_WANT_ALG_PBKDF2_HMAC 1 +//#define PSA_WANT_ALG_RIPEMD160 1 +//#define PSA_WANT_ALG_RSA_OAEP 1 +//#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 +//#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 +//#define PSA_WANT_ALG_RSA_PSS 1 +//#define PSA_WANT_ALG_SHA_1 1 +#define PSA_WANT_ALG_SHA_224 1 +#define PSA_WANT_ALG_SHA_256 1 +//#define PSA_WANT_ALG_SHA_384 1 +//#define PSA_WANT_ALG_SHA_512 1 +//#define PSA_WANT_ALG_STREAM_CIPHER 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS. + * Note: when adding support, also adjust include/mbedtls/config_psa.h */ +//#define PSA_WANT_ALG_XTS 1 + +//#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1 +//#define PSA_WANT_ECC_BRAINPOOL_P_R1_384 1 +//#define PSA_WANT_ECC_BRAINPOOL_P_R1_512 1 +//#define PSA_WANT_ECC_MONTGOMERY_255 1 +//#define PSA_WANT_ECC_MONTGOMERY_448 1 +//#define PSA_WANT_ECC_SECP_K1_192 1 +/* + * SECP224K1 is buggy via the PSA API in Mbed TLS + * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by + * default. + */ +//#define PSA_WANT_ECC_SECP_K1_224 1 +//#define PSA_WANT_ECC_SECP_K1_256 1 +//#define PSA_WANT_ECC_SECP_R1_192 1 +//#define PSA_WANT_ECC_SECP_R1_224 1 +#define PSA_WANT_ECC_SECP_R1_256 1 +//#define PSA_WANT_ECC_SECP_R1_384 1 +//#define PSA_WANT_ECC_SECP_R1_521 1 + +#define PSA_WANT_KEY_TYPE_DERIVE 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#define PSA_WANT_KEY_TYPE_AES 1 +//#define PSA_WANT_KEY_TYPE_ARIA 1 +//#define PSA_WANT_KEY_TYPE_CAMELLIA 1 +//#define PSA_WANT_KEY_TYPE_CHACHA20 1 +//#define PSA_WANT_KEY_TYPE_DES 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 +#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 +//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 + +#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */ From 16347febf1992a9414d7ebfbbc72c61dd41e610f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 26 Jun 2023 12:13:38 +0200 Subject: [PATCH 02/25] configs: adapt to new symbols Signed-off-by: Valerio Setti --- configs/crypto_config_profile_medium.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/configs/crypto_config_profile_medium.h b/configs/crypto_config_profile_medium.h index 939e2a33e3..dda7d4d0f1 100644 --- a/configs/crypto_config_profile_medium.h +++ b/configs/crypto_config_profile_medium.h @@ -106,7 +106,11 @@ //#define PSA_WANT_KEY_TYPE_CAMELLIA 1 //#define PSA_WANT_KEY_TYPE_CHACHA20 1 //#define PSA_WANT_KEY_TYPE_DES 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 //#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 From d5c989b52a9858de8f8552e7df271720b06e5494 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 10 Jul 2023 08:31:19 +0200 Subject: [PATCH 03/25] Add change log and non-regression test Add change log and non-regression test for CCM* with no tag not supported in CCM only configuration. Signed-off-by: Ronald Cron --- configs/crypto-config-ccm-aes-sha256.h | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 configs/crypto-config-ccm-aes-sha256.h diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h new file mode 100644 index 0000000000..fb66ae2c06 --- /dev/null +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -0,0 +1,37 @@ +/** + * \file configs/ccm-aes-sha256.h + * + * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, + * SHA-256, HMAC and key derivation + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_KEY_TYPE_DERIVE 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 + +#endif /* PSA_CRYPTO_CONFIG_H */ From 5b7c0771055b476a046875986098b077286d17df Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 20 Jul 2023 09:09:10 +0200 Subject: [PATCH 04/25] Fix PSA crypto configuration file name Signed-off-by: Ronald Cron --- configs/crypto-config-ccm-aes-sha256.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index fb66ae2c06..6c12bd7b68 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -1,5 +1,5 @@ /** - * \file configs/ccm-aes-sha256.h + * \file configs/crypto-config-ccm-aes-sha256.h * * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, * SHA-256, HMAC and key derivation From 2d53fffd0461b09351156ebb98af50cda8a3b0a3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 2 Aug 2023 09:55:21 +0200 Subject: [PATCH 05/25] crypto_config_profile_medium: add comment for new KEY_PAIR symbols Signed-off-by: Valerio Setti --- configs/crypto_config_profile_medium.h | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/configs/crypto_config_profile_medium.h b/configs/crypto_config_profile_medium.h index dda7d4d0f1..3fa8552c91 100644 --- a/configs/crypto_config_profile_medium.h +++ b/configs/crypto_config_profile_medium.h @@ -116,4 +116,23 @@ //#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 //#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 +/*********************************************************************** + * Local edits below this delimiter + **********************************************************************/ + +/* Between Mbed TLS 3.4 and 3.5, the PSA_WANT_KEY_TYPE_RSA_KEY_PAIR macro + * (commented-out above) has been replaced with the following new macros: */ +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */ + +/* Between Mbed TLS 3.4 and 3.5, the following macros have been added: */ +//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1 +//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 +//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 +//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 +//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 // Not supported + #endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */ From 34d187b1bc0a300f1169f07a2651305405801cbd Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 6 Sep 2023 11:50:45 +0800 Subject: [PATCH 06/25] configs: move TFM config to a subdirectory Signed-off-by: Yanray Wang --- configs/{ => ext}/crypto_config_profile_medium.h | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename configs/{ => ext}/crypto_config_profile_medium.h (100%) diff --git a/configs/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h similarity index 100% rename from configs/crypto_config_profile_medium.h rename to configs/ext/crypto_config_profile_medium.h From 98f726f5c96dfb07ef2a959364e9bca1cf28103b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 2 Nov 2023 19:47:20 +0000 Subject: [PATCH 07/25] update headers Signed-off-by: Dave Rodgman --- configs/crypto-config-ccm-aes-sha256.h | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index 6c12bd7b68..7f8d58768c 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -6,19 +6,7 @@ */ /* * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ #ifndef PSA_CRYPTO_CONFIG_H From c55c8bf333c99bd4c484cea6cf73dd4877bead8d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 3 Nov 2023 11:40:56 +0000 Subject: [PATCH 08/25] Update license and copyright in config files Signed-off-by: Dave Rodgman --- configs/ext/crypto_config_profile_medium.h | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 3fa8552c91..682835a064 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -1,14 +1,13 @@ -/* - * Copyright (c) 2018-2022, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - * - */ /** * \file psa/crypto_config.h * \brief PSA crypto configuration options (set of defines) * */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /** * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, From 5a57f20331fc3fc3804e665e36def93407eaa4c0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 15 Nov 2023 12:23:29 +0000 Subject: [PATCH 09/25] Use latest TF-M config with bare-minimum changes Move all changes local to Mbed TLS into config-tfm.h (except for commenting out a couple of #include's). Signed-off-by: Dave Rodgman --- configs/ext/crypto_config_profile_medium.h | 42 ++++++++++------------ 1 file changed, 18 insertions(+), 24 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 682835a064..63ed4701de 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -50,7 +50,7 @@ //#define PSA_WANT_ALG_CFB 1 //#define PSA_WANT_ALG_CHACHA20_POLY1305 1 //#define PSA_WANT_ALG_CTR 1 -#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +//#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 //#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 @@ -105,33 +105,27 @@ //#define PSA_WANT_KEY_TYPE_CAMELLIA 1 //#define PSA_WANT_KEY_TYPE_CHACHA20 1 //#define PSA_WANT_KEY_TYPE_DES 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */ #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 +//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */ //#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1 -/*********************************************************************** - * Local edits below this delimiter - **********************************************************************/ - -/* Between Mbed TLS 3.4 and 3.5, the PSA_WANT_KEY_TYPE_RSA_KEY_PAIR macro - * (commented-out above) has been replaced with the following new macros: */ -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1 -//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */ +/* + * The following symbols extend and deprecate the legacy + * PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in + * the name's suffix. "_USE" is the most generic and it can be used to describe + * a generic suport, whereas other ones add more features on top of that and + * they are more specific. + */ +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 +//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 -/* Between Mbed TLS 3.4 and 3.5, the following macros have been added: */ -//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1 -//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1 -//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1 -//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1 -//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 // Not supported +#ifdef CRYPTO_HW_ACCELERATOR +#include "crypto_accelerator_config.h" +#endif #endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */ From ed3a58a414036030e5cc3320d5e66742f4e58fff Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 8 Dec 2023 15:26:32 +0000 Subject: [PATCH 10/25] Add supporting files to enable use of verbatim TF-M config Signed-off-by: Dave Rodgman --- configs/ext/README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 configs/ext/README.md diff --git a/configs/ext/README.md b/configs/ext/README.md new file mode 100644 index 0000000000..dbd7c43e66 --- /dev/null +++ b/configs/ext/README.md @@ -0,0 +1,20 @@ +Summary +------- + +All files in this directory are distributed under the normal Mbed TLS dual Apache 2.0 or GPLv2-or-later +license. + +Background +----------- + +The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h +are taken verbatim from the TF-M source code here: + +https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcrypto/mbedcrypto_config + +In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top of the files. + +In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. + +We only retain the note at the top of the files because we are taking the files un-modified, for ease of +maintenance. From 3e610d5b9b43dec0479bbde2c871be2caf616776 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 8 Dec 2023 15:27:49 +0000 Subject: [PATCH 11/25] Use verbatim TF-M configs from upstream Signed-off-by: Dave Rodgman --- configs/ext/crypto_config_profile_medium.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 63ed4701de..af8869f136 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -1,13 +1,14 @@ +/* + * Copyright (c) 2018-2023, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * + */ /** * \file psa/crypto_config.h * \brief PSA crypto configuration options (set of defines) * */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /** * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, From ff9a21e691593b94a2fb29579af1972d87555c4e Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 8 Dec 2023 15:33:50 +0000 Subject: [PATCH 12/25] Mention copyright in the readme Signed-off-by: Dave Rodgman --- configs/ext/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/ext/README.md b/configs/ext/README.md index dbd7c43e66..adcebbf509 100644 --- a/configs/ext/README.md +++ b/configs/ext/README.md @@ -2,7 +2,7 @@ Summary ------- All files in this directory are distributed under the normal Mbed TLS dual Apache 2.0 or GPLv2-or-later -license. +license, and are copyright The Mbed TLS Contributors. Background ----------- @@ -14,7 +14,7 @@ https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcry In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top of the files. -In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. +In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors. We only retain the note at the top of the files because we are taking the files un-modified, for ease of maintenance. From 5e2033a0d7ce3b46683e2589d56724e599c94ae0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 8 Dec 2023 16:04:29 +0000 Subject: [PATCH 13/25] minor tidy-up Signed-off-by: Dave Rodgman --- configs/ext/README.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/configs/ext/README.md b/configs/ext/README.md index adcebbf509..1358bd4426 100644 --- a/configs/ext/README.md +++ b/configs/ext/README.md @@ -1,11 +1,16 @@ Summary ------- -All files in this directory are distributed under the normal Mbed TLS dual Apache 2.0 or GPLv2-or-later -license, and are copyright The Mbed TLS Contributors. +The two files: + +* crypto_config_profile_medium.h +* tfm_mbedcrypto_config_profile_medium.h + +are copyright The Mbed TLS Contributors, and are distributed under the license normally +used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license. Background ------------ +---------- The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h are taken verbatim from the TF-M source code here: @@ -16,5 +21,5 @@ In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors. -We only retain the note at the top of the files because we are taking the files un-modified, for ease of +We only retain the note at the top of the files because we are taking the files verbatim, for ease of maintenance. From 5ae7a696dc984c8d7bfe8251197e1edb9855a447 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 25 Apr 2024 14:34:33 +0100 Subject: [PATCH 14/25] Add a crypto-config file for symmetric-only Replaces legacy symbols with the PSA equivalents. This doesn't change the code generated when this config is active Signed-off-by: Ryan Everett --- configs/crypto-config-symmetric-only.h | 55 ++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 configs/crypto-config-symmetric-only.h diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h new file mode 100644 index 0000000000..799890d4ef --- /dev/null +++ b/configs/crypto-config-symmetric-only.h @@ -0,0 +1,55 @@ +/** + * \file crypto-config-symmetric-only.h + * + * \brief Crypto configuration without any asymmetric cryptography. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/** + * To be used in conjunction with configs/config-symmetric-only.h. */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_CBC_NO_PADDING 1 +#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 +#define PSA_WANT_ALG_CFB 1 +#define PSA_WANT_ALG_CHACHA20_POLY1305 1 +#define PSA_WANT_ALG_CMAC 1 +#define PSA_WANT_ALG_CTR 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HKDF 1 +#define PSA_WANT_ALG_HKDF_EXTRACT 1 +#define PSA_WANT_ALG_HKDF_EXPAND 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_MD5 1 +#define PSA_WANT_ALG_OFB 1 +#define PSA_WANT_ALG_RIPEMD160 1 +#define PSA_WANT_ALG_SHA_1 1 +#define PSA_WANT_ALG_STREAM_CIPHER 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 + +/* The library does not currently support enabling SHA-224 without SHA-256. + * A future version of the library will have this option disabled + * by default. */ +#define PSA_WANT_ALG_SHA_224 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_SHA_384 1 +#define PSA_WANT_ALG_SHA_512 1 + +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ARIA 1 +#define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#define PSA_WANT_KEY_TYPE_CHACHA20 1 +#define PSA_WANT_KEY_TYPE_DES 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 + +#endif /* PSA_CRYPTO_CONFIG_H */ From 7910df17a609050a1e279bf3ecfa2f9f904e50d7 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Apr 2024 17:21:15 +0100 Subject: [PATCH 15/25] Address symmetric-only comments Signed-off-by: Ryan Everett --- configs/crypto-config-symmetric-only.h | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h index 799890d4ef..5d6bf85291 100644 --- a/configs/crypto-config-symmetric-only.h +++ b/configs/crypto-config-symmetric-only.h @@ -33,17 +33,20 @@ #define PSA_WANT_ALG_RIPEMD160 1 #define PSA_WANT_ALG_SHA_1 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 -#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -#define PSA_WANT_ALG_TLS12_PRF 1 -#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 - -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ #define PSA_WANT_ALG_SHA_224 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 +#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_256 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 + +/* XTS is not yet supported via the PSA API in Mbed TLS. */ +//#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_ARIA 1 From 933910bf3299b053c72c25ff06cc44aa11999438 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 15 May 2024 09:27:27 +0200 Subject: [PATCH 16/25] Resolve some HMAC dependencies automatically Signed-off-by: Ronald Cron --- configs/crypto-config-ccm-aes-sha256.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index 7f8d58768c..68a9c0a539 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -2,7 +2,7 @@ * \file configs/crypto-config-ccm-aes-sha256.h * * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, - * SHA-256, HMAC and key derivation + * SHA-256 and key derivation (uses HMAC). */ /* * Copyright The Mbed TLS Contributors @@ -13,12 +13,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 From 15471f7c97ea8bd366cdcfd45933f99166fc465e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 2 Dec 2024 13:10:42 +0000 Subject: [PATCH 17/25] Adapt configs/ext/README.md Recent commits have changed these reference configurations and they are not verbatim copies anymore. Signed-off-by: Janos Follath --- configs/ext/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/configs/ext/README.md b/configs/ext/README.md index 1358bd4426..b07cbc18c5 100644 --- a/configs/ext/README.md +++ b/configs/ext/README.md @@ -21,5 +21,6 @@ In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors. -We only retain the note at the top of the files because we are taking the files verbatim, for ease of -maintenance. +We only retain the note at the top of the files because the intent is to take these files verbatim, +for ease of maintenance. Currently however, they contain changes, showing how these configurations +will need to be adapted for 4.0. From 383e8f4ffb4a03a05900c1e6f6af5bf312d11b84 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Fri, 1 Nov 2024 17:32:54 +0000 Subject: [PATCH 18/25] configs: Migrated config-tfm Signed-off-by: Minos Galanakis --- configs/ext/crypto_config_profile_medium.h | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index af8869f136..2871c9456b 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -125,6 +125,59 @@ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 //#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +/***********************************************************/ +/* Tweak the configuration to remove dependencies on TF-M. */ +/***********************************************************/ + +/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */ +#undef MBEDTLS_PSA_CRYPTO_SPM + +/* Disable buffer-based memory allocator. This isn't strictly required, + * but using the native allocator is faster and works better with + * memory management analysis frameworks such as ASan. */ +#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C + +// This macro is enabled in TFM Medium but is disabled here because it is +// incompatible with baremetal builds in Mbed TLS. +#undef MBEDTLS_PSA_CRYPTO_STORAGE_C + +// This macro is enabled in TFM Medium but is disabled here because it is +// incompatible with baremetal builds in Mbed TLS. +#undef MBEDTLS_ENTROPY_NV_SEED + +// These platform-related TF-M settings are not useful here. +#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +#undef MBEDTLS_PLATFORM_STD_MEM_HDR +#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO +#undef MBEDTLS_PLATFORM_PRINTF_ALT +#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS +#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE + +/* + * In order to get an example config that works cleanly out-of-the-box + * for both baremetal and non-baremetal builds, we detect baremetal builds + * (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some + * variables accordingly. + */ +#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__) +#define MBEDTLS_NO_PLATFORM_ENTROPY +#else +/* Use built-in platform entropy functions (TF-M provides its own). */ +#undef MBEDTLS_NO_PLATFORM_ENTROPY +#endif + +/*********************************************************************** + * Local changes to crypto config below this delimiter + **********************************************************************/ + +// We expect TF-M to pick this up soon +#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT + +/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it + * does not need CIPHER_C to be enabled, so we can disable it in order + * to reduce code size further. */ +#undef MBEDTLS_CIPHER_C + #ifdef CRYPTO_HW_ACCELERATOR #include "crypto_accelerator_config.h" #endif From 21c822ae753ba5acc63852a36c3995d948910364 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 22 Oct 2024 16:55:58 +0100 Subject: [PATCH 19/25] configs: Migrated config-symmetric-only Signed-off-by: Minos Galanakis --- configs/crypto-config-symmetric-only.h | 34 ++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h index 5d6bf85291..5393541625 100644 --- a/configs/crypto-config-symmetric-only.h +++ b/configs/crypto-config-symmetric-only.h @@ -55,4 +55,38 @@ #define PSA_WANT_KEY_TYPE_DES 1 #define PSA_WANT_KEY_TYPE_HMAC 1 +#define MBEDTLS_SELF_TEST + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_USE_PSA_CRYPTO + +/* System support */ +//#define MBEDTLS_HAVE_ASM +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_HAVE_TIME_DATE + +#define MBEDTLS_FS_IO +#define MBEDTLS_ENTROPY_NV_SEED + +/* Mbed TLS modules */ +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BASE64_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_NIST_KW_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PEM_WRITE_C +#define MBEDTLS_PKCS5_C +#define MBEDTLS_PKCS12_C +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PSA_CRYPTO_SE_C +#define MBEDTLS_PSA_CRYPTO_STORAGE_C +#define MBEDTLS_PSA_ITS_FILE_C + +//#define MBEDTLS_THREADING_C + #endif /* PSA_CRYPTO_CONFIG_H */ From 471cabe80de0f8c68921911319ce730526c31e5c Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 2 Dec 2024 17:10:04 +0000 Subject: [PATCH 20/25] configs: Removed references to MBEDTLS_USE_PSA_CRYPTO Signed-off-by: Minos Galanakis --- configs/crypto-config-symmetric-only.h | 1 - 1 file changed, 1 deletion(-) diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h index 5393541625..dfe9e81251 100644 --- a/configs/crypto-config-symmetric-only.h +++ b/configs/crypto-config-symmetric-only.h @@ -58,7 +58,6 @@ #define MBEDTLS_SELF_TEST #define MBEDTLS_PSA_CRYPTO_C -#define MBEDTLS_USE_PSA_CRYPTO /* System support */ //#define MBEDTLS_HAVE_ASM From 4e5f187061dd5a09b714914ed31f1bdc19ef7f0c Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 2 Dec 2024 23:57:30 +0000 Subject: [PATCH 21/25] test suites: Refactored component_test_ccm_aes_sha256. This commit moves the tf-psa-crypto configuration options for this test to `crypto-config-ccm-aes-sha256.h`. A blank MbedTLS configuration file is now used for the library side. Signed-off-by: Minos Galanakis --- configs/crypto-config-ccm-aes-sha256.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index 68a9c0a539..be8a7467eb 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -20,4 +20,9 @@ #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ENTROPY_C + #endif /* PSA_CRYPTO_CONFIG_H */ From c8d0234ad54c992501be18f271a3b912aaa12d26 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 5 Dec 2024 16:52:17 +0100 Subject: [PATCH 22/25] Adapt TF-M configurations to config split Signed-off-by: Ronald Cron --- configs/ext/crypto_config_profile_medium.h | 566 ++++++++++++++++++++- 1 file changed, 543 insertions(+), 23 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 2871c9456b..67de4c0fd9 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -9,37 +9,149 @@ * \brief PSA crypto configuration options (set of defines) * */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) + +#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H +#define PROFILE_M_PSA_CRYPTO_CONFIG_H + +/** + * \name SECTION: Platform abstraction layer + * + * This section sets platform specific settings. + * \{ + */ + /** - * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in mbedtls_config.h, - * this file determines which cryptographic mechanisms are enabled - * through the PSA Cryptography API (\c psa_xxx() functions). + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C + * + * Enable the buffer allocator implementation that makes use of a (stack) + * based buffer to 'allocate' dynamic memory. (replaces calloc() and free() + * calls) * - * To enable a cryptographic mechanism, uncomment the definition of - * the corresponding \c PSA_WANT_xxx preprocessor symbol. - * To disable a cryptographic mechanism, comment out the definition of - * the corresponding \c PSA_WANT_xxx preprocessor symbol. - * The names of cryptographic mechanisms correspond to values - * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead - * of \c PSA_. + * Module: library/memory_buffer_alloc.c * - * Note that many cryptographic mechanisms involve two symbols: one for - * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm - * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve - * additional symbols. + * Requires: MBEDTLS_PLATFORM_C + * MBEDTLS_PLATFORM_MEMORY (to use it within Mbed TLS) + * + * Enable this module to enable the buffer memory allocator. */ -#else +#define MBEDTLS_MEMORY_BUFFER_ALLOC_C + /** - * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in mbedtls_config.h, - * this file is not used, and cryptographic mechanisms are supported - * through the PSA API if and only if they are supported through the - * mbedtls_xxx API. + * \def MBEDTLS_PLATFORM_C + * + * Enable the platform abstraction layer that allows you to re-assign + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). + * + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned + * above to be specified at runtime or compile time respectively. + * + * \note This abstraction layer must be enabled on Windows (including MSYS2) + * as other modules rely on it for a fixed snprintf implementation. + * + * Module: library/platform.c + * Caller: Most other .c files + * + * This module enables abstraction of common (libc) functions. */ -#endif +#define MBEDTLS_PLATFORM_C -#ifndef PROFILE_M_PSA_CRYPTO_CONFIG_H -#define PROFILE_M_PSA_CRYPTO_CONFIG_H +/** + * \def MBEDTLS_PLATFORM_MEMORY + * + * Enable the memory allocation layer. + * + * By default Mbed TLS uses the system-provided calloc() and free(). + * This allows different allocators (self-implemented or provided) to be + * provided to the platform abstraction layer. + * + * Enabling #MBEDTLS_PLATFORM_MEMORY without the + * MBEDTLS_PLATFORM_{FREE,CALLOC}_MACROs will provide + * "mbedtls_platform_set_calloc_free()" allowing you to set an alternative calloc() and + * free() function pointer at runtime. + * + * Enabling #MBEDTLS_PLATFORM_MEMORY and specifying + * MBEDTLS_PLATFORM_{CALLOC,FREE}_MACROs will allow you to specify the + * alternate function at compile time. + * + * An overview of how the value of mbedtls_calloc is determined: + * + * - if !MBEDTLS_PLATFORM_MEMORY + * - mbedtls_calloc = calloc + * - if MBEDTLS_PLATFORM_MEMORY + * - if (MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - mbedtls_calloc = MBEDTLS_PLATFORM_CALLOC_MACRO + * - if !(MBEDTLS_PLATFORM_CALLOC_MACRO && MBEDTLS_PLATFORM_FREE_MACRO): + * - Dynamic setup via mbedtls_platform_set_calloc_free is now possible with a default value MBEDTLS_PLATFORM_STD_CALLOC. + * - How is MBEDTLS_PLATFORM_STD_CALLOC handled? + * - if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - MBEDTLS_PLATFORM_STD_CALLOC is not set to anything; + * - MBEDTLS_PLATFORM_STD_MEM_HDR can be included if present; + * - if !MBEDTLS_PLATFORM_NO_STD_FUNCTIONS: + * - if MBEDTLS_PLATFORM_STD_CALLOC is present: + * - User-defined MBEDTLS_PLATFORM_STD_CALLOC is respected; + * - if !MBEDTLS_PLATFORM_STD_CALLOC: + * - MBEDTLS_PLATFORM_STD_CALLOC = calloc + * + * - At this point the presence of MBEDTLS_PLATFORM_STD_CALLOC is checked. + * - if !MBEDTLS_PLATFORM_STD_CALLOC + * - MBEDTLS_PLATFORM_STD_CALLOC = uninitialized_calloc + * + * - mbedtls_calloc = MBEDTLS_PLATFORM_STD_CALLOC. + * + * Defining MBEDTLS_PLATFORM_CALLOC_MACRO and #MBEDTLS_PLATFORM_STD_CALLOC at the same time is not possible. + * MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO must both be defined or undefined at the same time. + * #MBEDTLS_PLATFORM_STD_CALLOC and #MBEDTLS_PLATFORM_STD_FREE do not have to be defined at the same time, as, if they are used, + * dynamic setup of these functions is possible. See the tree above to see how are they handled in all cases. + * An uninitialized #MBEDTLS_PLATFORM_STD_CALLOC always fails, returning a null pointer. + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Enable this layer to allow use of alternative memory allocators. + */ +#define MBEDTLS_PLATFORM_MEMORY + +/** + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + * + * Do not assign standard functions in the platform layer (e.g. calloc() to + * MBEDTLS_PLATFORM_STD_CALLOC and printf() to MBEDTLS_PLATFORM_STD_PRINTF) + * + * This makes sure there are no linking errors on platforms that do not support + * these functions. You will HAVE to provide alternatives, either at runtime + * via the platform_set_xxx() functions or at compile time by setting + * the MBEDTLS_PLATFORM_STD_XXX defines, or enabling a + * MBEDTLS_PLATFORM_XXX_MACRO. + * + * Requires: MBEDTLS_PLATFORM_C + * + * Uncomment to prevent default assignment of standard functions in the + * platform layer. + */ +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + +#define MBEDTLS_PLATFORM_PRINTF_ALT + +/* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */ +/* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ + +#include + +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE +#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS + +#define MBEDTLS_PLATFORM_STD_MEM_HDR + +/** \} name SECTION: Platform abstraction layer */ +/** + * \name SECTION: SECTION Cryptographic mechanism selection (PSA API) + * + * This section sets PSA API settings. + * \{ + */ /* * CBC-MAC is not yet supported via the PSA API in Mbed TLS. */ @@ -125,6 +237,406 @@ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 //#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +/** \} name SECTION Cryptographic mechanism selection (PSA API) */ + +/** + * \name SECTION: PSA core + * + * This section sets PSA specific settings. + * \{ + */ + +/** + * \def MBEDTLS_ENTROPY_C + * + * Enable the platform-specific entropy code. + * + * Module: library/entropy.c + * Caller: + * + * Requires: MBEDTLS_SHA512_C or MBEDTLS_SHA256_C + * + * This module provides a generic entropy pool + */ +#define MBEDTLS_ENTROPY_C + +/** + * \def MBEDTLS_ENTROPY_NV_SEED + * + * Enable the non-volatile (NV) seed file-based entropy source. + * (Also enables the NV seed read/write functions in the platform layer) + * + * This is crucial (if not required) on systems that do not have a + * cryptographic entropy source (in hardware or kernel) available. + * + * Requires: MBEDTLS_ENTROPY_C, MBEDTLS_PLATFORM_C + * + * \note The read/write functions that are used by the entropy source are + * determined in the platform layer, and can be modified at runtime and/or + * compile-time depending on the flags (MBEDTLS_PLATFORM_NV_SEED_*) used. + * + * \note If you use the default implementation functions that read a seedfile + * with regular fopen(), please make sure you make a seedfile with the + * proper name (defined in MBEDTLS_PLATFORM_STD_NV_SEED_FILE) and at + * least MBEDTLS_ENTROPY_BLOCK_SIZE bytes in size that can be read from + * and written to or you will get an entropy source error! The default + * implementation will only use the first MBEDTLS_ENTROPY_BLOCK_SIZE + * bytes from the file. + * + * \note The entropy collector will write to the seed file before entropy is + * given to an external source, to update it. + */ +#define MBEDTLS_ENTROPY_NV_SEED + +/** + * \def MBEDTLS_NO_PLATFORM_ENTROPY + * + * Do not use built-in platform entropy functions. + * This is useful if your platform does not support + * standards like the /dev/urandom or Windows CryptoAPI. + * + * Uncomment this macro to disable the built-in platform entropy functions. + */ +#define MBEDTLS_NO_PLATFORM_ENTROPY + +/** + * \def MBEDTLS_PSA_CRYPTO_C + * + * Enable the Platform Security Architecture cryptography API. + * + * Module: library/psa_crypto.c + * + * Requires: either MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C, + * or MBEDTLS_HMAC_DRBG_C and MBEDTLS_ENTROPY_C, + * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. + * Auto-enables: MBEDTLS_CIPHER_C if any unauthenticated (ie, non-AEAD) cipher + * is enabled in PSA (unless it's fully accelerated, see + * docs/driver-only-builds.md about that). + */ +#define MBEDTLS_PSA_CRYPTO_C + +/** + * \def MBEDTLS_PSA_CRYPTO_SPM + * + * When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is built for SPM (Secure + * Partition Manager) integration which separates the code into two parts: a + * NSPE (Non-Secure Process Environment) and an SPE (Secure Process + * Environment). + * + * If you enable this option, your build environment must include a header + * file `"crypto_spe.h"` (either in the `psa` subdirectory of the Mbed TLS + * header files, or in another directory on the compiler's include search + * path). Alternatively, your platform may customize the header + * `psa/crypto_platform.h`, in which case it can skip or replace the + * inclusion of `"crypto_spe.h"`. + * + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + * + */ +#define MBEDTLS_PSA_CRYPTO_SPM + +/** + * \def MBEDTLS_PSA_CRYPTO_STORAGE_C + * + * Enable the Platform Security Architecture persistent key storage. + * + * Module: library/psa_crypto_storage.c + * + * Requires: MBEDTLS_PSA_CRYPTO_C, + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface + */ +#define MBEDTLS_PSA_CRYPTO_STORAGE_C + +/** \} name SECTION: PSA core */ + +/** + * \name SECTION: Builtin drivers + * + * This section sets driver specific settings. + * \{ + */ + +/** + * \def MBEDTLS_AES_ROM_TABLES + * + * Use precomputed AES tables stored in ROM. + * + * Uncomment this macro to use precomputed AES tables stored in ROM. + * Comment this macro to generate AES tables in RAM at runtime. + * + * Tradeoff: Using precomputed ROM tables reduces RAM usage by ~8kb + * (or ~2kb if \c MBEDTLS_AES_FEWER_TABLES is used) and reduces the + * initialization time before the first AES operation can be performed. + * It comes at the cost of additional ~8kb ROM use (resp. ~2kb if \c + * MBEDTLS_AES_FEWER_TABLES below is used), and potentially degraded + * performance if ROM access is slower than RAM access. + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. + */ +#define MBEDTLS_AES_ROM_TABLES + +/** + * \def MBEDTLS_AES_FEWER_TABLES + * + * Use less ROM/RAM for AES tables. + * + * Uncommenting this macro omits 75% of the AES tables from + * ROM / RAM (depending on the value of \c MBEDTLS_AES_ROM_TABLES) + * by computing their values on the fly during operations + * (the tables are entry-wise rotations of one another). + * + * Tradeoff: Uncommenting this reduces the RAM / ROM footprint + * by ~6kb but at the cost of more arithmetic operations during + * runtime. Specifically, one has to compare 4 accesses within + * different tables to 4 accesses with additional arithmetic + * operations within the same table. The performance gain/loss + * depends on the system and memory details. + * + * This option is independent of \c MBEDTLS_AES_ROM_TABLES. + */ +#define MBEDTLS_AES_FEWER_TABLES + +/** + * \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + * + * Use only 128-bit keys in AES operations to save ROM. + * + * Uncomment this macro to remove support for AES operations that use 192- + * or 256-bit keys. + * + * Uncommenting this macro reduces the size of AES code by ~300 bytes + * on v8-M/Thumb2. + * + * Module: library/aes.c + * + * Requires: MBEDTLS_AES_C + */ +#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + +/** + * \def MBEDTLS_ECP_NIST_OPTIM + * + * Enable specific 'modulo p' routines for each NIST prime. + * Depending on the prime and architecture, makes operations 4 to 8 times + * faster on the corresponding curve. + * + * Comment this macro to disable NIST curves optimisation. + */ +#define MBEDTLS_ECP_NIST_OPTIM + +/** + * \def MBEDTLS_HAVE_ASM + * + * The compiler has support for asm(). + * + * Requires support for asm() in compiler. + * + * Used in: + * library/aesni.h + * library/aria.c + * library/bn_mul.h + * library/constant_time.c + * + * Required by: + * MBEDTLS_AESCE_C + * MBEDTLS_AESNI_C (on some platforms) + * + * Comment to disable the use of assembly code. + */ +#define MBEDTLS_HAVE_ASM + +/** + * Uncomment to enable p256-m. This is an alternative implementation of + * key generation, ECDH and (randomized) ECDSA on the curve SECP256R1. + * Compared to the default implementation: + * + * - p256-m has a much smaller code size and RAM footprint. + * - p256-m is only available via the PSA API. This includes the pk module. + * - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols + * over the core arithmetic, or deterministic derivation of keys. + * + * We recommend enabling this option if your application uses the PSA API + * and the only elliptic curve support it needs is ECDH and ECDSA over + * SECP256R1. + * + * If you enable this option, you do not need to enable any ECC-related + * MBEDTLS_xxx option. You do need to separately request support for the + * cryptographic mechanisms through the PSA API: + * - #MBEDTLS_PSA_CRYPTO_C for PSA-based configuration; + * - #PSA_WANT_ECC_SECP_R1_256; + * - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed; + * - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT, + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed. + * + * \note To benefit from the smaller code size of p256-m, make sure that you + * do not enable any ECC-related option not supported by p256-m: this + * would cause the built-in ECC implementation to be built as well, in + * order to provide the required option. + * Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and + * #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than + * SECP256R1 are disabled as they are not supported by this driver. + * Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or + * #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of + * the built-in ECC implementation, see docs/driver-only-builds.md. + */ +#define MBEDTLS_PSA_P256M_DRIVER_ENABLED + +/** + * \def MBEDTLS_SHA256_SMALLER + * + * Enable an implementation of SHA-256 that has lower ROM footprint but also + * lower performance. + * + * The default implementation is meant to be a reasonable compromise between + * performance and size. This version optimizes more aggressively for size at + * the expense of performance. Eg on Cortex-M4 it reduces the size of + * mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about + * 30%. + * + * Uncomment to enable the smaller implementation of SHA256. + */ +#define MBEDTLS_SHA256_SMALLER + +/* ECP options */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */ + +/** \} name SECTION: Builtin drivers */ + +/** + * \name SECTION: Legacy cryptography + * + * This section sets legacy settings. + * \{ + */ + +/** + * \def MBEDTLS_AES_C + * + * Enable the AES block cipher. + * + * Module: library/aes.c + * Caller: library/cipher.c + * library/pem.c + * library/ctr_drbg.c + * + * This module enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 + * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA + * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 + * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA + * + * PEM_PARSE uses AES for decrypting encrypted keys. + */ +#define MBEDTLS_AES_C + +/** + * \def MBEDTLS_CIPHER_C + * + * Enable the generic cipher layer. + * + * Module: library/cipher.c + * Caller: library/ccm.c + * library/cmac.c + * library/gcm.c + * library/nist_kw.c + * library/pkcs12.c + * library/pkcs5.c + * library/psa_crypto_aead.c + * library/psa_crypto_mac.c + * library/ssl_ciphersuites.c + * library/ssl_msg.c + * Auto-enabled by: MBEDTLS_PSA_CRYPTO_C depending on which ciphers are enabled + * (see the documentation of that option for details). + * + * Uncomment to enable generic cipher wrappers. + */ +#define MBEDTLS_CIPHER_C + +/** + * \def MBEDTLS_CTR_DRBG_C + * + * Enable the CTR_DRBG AES-based random generator. + * The CTR_DRBG generator uses AES-256 by default. + * To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above. + * + * AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA. + * Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA + * is used. + * + * \warning When using PSA, the user should call `psa_crypto_init()` before + * using any CTR_DRBG operation (except `mbedtls_ctr_drbg_init()`). + * + * \note AES-128 will be used if \c MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is set. + * + * \note To achieve a 256-bit security strength with CTR_DRBG, + * you must use AES-256 *and* use sufficient entropy. + * See ctr_drbg.h for more details. + * + * Module: library/ctr_drbg.c + * Caller: + * + * Requires: MBEDTLS_AES_C or + * (PSA_WANT_KEY_TYPE_AES and PSA_WANT_ALG_ECB_NO_PADDING and + * MBEDTLS_PSA_CRYPTO_C) + * + * This module provides the CTR_DRBG AES random number generator. + */ +#define MBEDTLS_CTR_DRBG_C +/** \} name SECTION: Legacy cryptography */ + /***********************************************************/ /* Tweak the configuration to remove dependencies on TF-M. */ /***********************************************************/ @@ -178,6 +690,14 @@ * to reduce code size further. */ #undef MBEDTLS_CIPHER_C +#if CRYPTO_NV_SEED +#include "tfm_mbedcrypto_config_extra_nv_seed.h" +#endif /* CRYPTO_NV_SEED */ + +#if !defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ENTROPY_NV_SEED) +#include "mbedtls_entropy_nv_seed_config.h" +#endif + #ifdef CRYPTO_HW_ACCELERATOR #include "crypto_accelerator_config.h" #endif From 517658918b127aa9eb0660a13c9504d2a4d7df2f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 2 Jan 2025 11:30:55 +0100 Subject: [PATCH 23/25] Remove uses of secp244k1 Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will not be implemented. (It would be K1_225 anyway, but we don't intend to implement it anyway.) Signed-off-by: Gilles Peskine --- configs/ext/crypto_config_profile_medium.h | 6 ------ 1 file changed, 6 deletions(-) diff --git a/configs/ext/crypto_config_profile_medium.h b/configs/ext/crypto_config_profile_medium.h index 67de4c0fd9..637c2ff11c 100644 --- a/configs/ext/crypto_config_profile_medium.h +++ b/configs/ext/crypto_config_profile_medium.h @@ -198,12 +198,6 @@ //#define PSA_WANT_ECC_MONTGOMERY_255 1 //#define PSA_WANT_ECC_MONTGOMERY_448 1 //#define PSA_WANT_ECC_SECP_K1_192 1 -/* - * SECP224K1 is buggy via the PSA API in Mbed TLS - * (https://github.com/Mbed-TLS/mbedtls/issues/3541). Thus, do not enable it by - * default. - */ -//#define PSA_WANT_ECC_SECP_K1_224 1 //#define PSA_WANT_ECC_SECP_K1_256 1 //#define PSA_WANT_ECC_SECP_R1_192 1 //#define PSA_WANT_ECC_SECP_R1_224 1 From 63060b92798e133748480f481eb995cd95c3280d Mon Sep 17 00:00:00 2001 From: Harry Ramsey Date: Thu, 23 Jan 2025 09:48:35 +0000 Subject: [PATCH 24/25] Update configs README This commit updates configs/README.txt and configs/ext/README.md to reflect the necessary files which were moved to TF-PSA-Crypto. Signed-off-by: Harry Ramsey --- configs/README.txt | 20 ++++++++++++++++++++ configs/ext/README.md | 7 +++---- 2 files changed, 23 insertions(+), 4 deletions(-) create mode 100644 configs/README.txt diff --git a/configs/README.txt b/configs/README.txt new file mode 100644 index 0000000000..e394e5d648 --- /dev/null +++ b/configs/README.txt @@ -0,0 +1,20 @@ +This directory contains example configuration files. + +The examples are generally focused on a particular usage case (eg, support for +a restricted number of ciphersuites) and aim at minimizing resource usage for +this target. They can be used as a basis for custom configurations. + +These files are complete replacements for the default crypto_config.h. To use one of +them, you can pick one of the following methods: + +1. Replace the default file include/psa/crypto_config.h with the chosen one. + +2. Define TF_PSA_CRYPTO_CONFIG_FILE and adjust the include path accordingly. + For example, using cmake: + + find . -iname '*cmake*' -not -name CMakeLists.txt -exec rm -rf {} + + CFLAGS="-I$PWD/configs -DCRYPTO_CONFIG_FILE=''" cmake . + make + +Note that the second method also works if you want to keep your custom +configuration file outside the TF-PSA-Crypto tree. diff --git a/configs/ext/README.md b/configs/ext/README.md index b07cbc18c5..9a9c9b4b11 100644 --- a/configs/ext/README.md +++ b/configs/ext/README.md @@ -1,10 +1,9 @@ Summary ------- -The two files: +The file: * crypto_config_profile_medium.h -* tfm_mbedcrypto_config_profile_medium.h are copyright The Mbed TLS Contributors, and are distributed under the license normally used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license. @@ -12,8 +11,8 @@ used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license. Background ---------- -The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h -are taken verbatim from the TF-M source code here: +The file crypto_config_profile_medium.h is taken verbatim from the TF-M source +code here: https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcrypto/mbedcrypto_config From c9df6f613ef73cba1709e1de9a8f243de157a01d Mon Sep 17 00:00:00 2001 From: Harry Ramsey Date: Mon, 6 Jan 2025 11:41:43 +0000 Subject: [PATCH 25/25] Add various configuration components This commit adds various configuration components to TF-PSA-Crypto. These components have been adapted from Mbed TLS to use CMake. Signed-off-by: Harry Ramsey --- tests/scripts/components-configuration.sh | 136 ++++++++++++++++++++++ 1 file changed, 136 insertions(+) create mode 100644 tests/scripts/components-configuration.sh diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh new file mode 100644 index 0000000000..650baa4f31 --- /dev/null +++ b/tests/scripts/components-configuration.sh @@ -0,0 +1,136 @@ +# components-configuration.sh +# +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +# This file contains test components that are executed by all.sh + +################################################################ +#### Configuration Testing +################################################################ + +component_tf_psa_crypto_test_default_out_of_box () { + msg "build: make, default config (out-of-box)" # ~1min + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_BUILD_TYPE:String=Check -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + # Disable fancy stuff + unset MBEDTLS_TEST_OUTCOME_FILE + + msg "test: main suites make, default config (out-of-box)" # ~10s + make test +} + +component_tf_psa_crypto_test_default_cmake_gcc_asan () { + msg "build: cmake, gcc, ASan" # ~ 1 min 50s + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_BUILD_TYPE:String=Asan -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s + make test +} + +component_tf_psa_crypto_test_default_cmake_gcc_asan_new_bignum () { + msg "build: cmake, gcc, ASan" # ~ 1 min 50s + scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_BUILD_TYPE:String=Asan -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: main suites (inc. selftests) (ASan build)" # ~ 50s + make test +} + +component_tf_psa_crypto_test_full_cmake_gcc_asan () { + msg "build: full config, cmake, gcc, ASan" + scripts/config.py full + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_BUILD_TYPE:String=Asan -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: main suites (inc. selftests) (full config, ASan build)" + make test +} + +component_tf_psa_crypto_test_full_cmake_gcc_asan_new_bignum () { + msg "build: full config, cmake, gcc, ASan" + scripts/config.py full + scripts/config.py set MBEDTLS_ECP_WITH_MPI_UINT + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_BUILD_TYPE:String=Asan -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: main suites (inc. selftests) (full config, new bignum, ASan)" + make test +} + +component_tf_psa_crypto_test_full_cmake_clang () { + msg "build: cmake, full config, clang" # ~ 50s + scripts/config.py full + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang -DCMAKE_BUILD_TYPE:String=Release -DENABLE_TESTING=ON -DTEST_CPP=1 -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: main suites (full config, clang)" # ~ 5s + make test +} + +component_tf_psa_crypto_build_tfm () { + # Check that the TF-M configuration can build cleanly with various + # warning flags enabled. We don't build or run tests, since the + # TF-M configuration needs a TF-M platform. A tweaked version of + # the configuration that works on mainstream platforms is in + # configs/config-tfm.h, tested via test-ref-configs.pl. + cp configs/ext/crypto_config_profile_medium.h "$CRYPTO_CONFIG_H" + + cd $OUT_OF_SOURCE_DIR + msg "build: TF-M config, clang, armv7-m thumb2" + cmake -DCMAKE_C_COMPILER=clang -DCMAKE_C_FLAGS="--target=arm-linux-gnueabihf -march=armv7-m -mthumb -Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wasm-operand-widths -Wunused -I../framework/tests/include/spe" "$TF_PSA_CRYPTO_ROOT_DIR" + make + + cd $TF_PSA_CRYPTO_ROOT_DIR + rm -rf $OUT_OF_SOURCE_DIR + mkdir $OUT_OF_SOURCE_DIR + cd $OUT_OF_SOURCE_DIR + msg "build: TF-M config, gcc native build" + cmake -DCMAKE_C_COMPILER=gcc -DCMAKE_C_FLAGS="-Os -std=c99 -Werror -Wall -Wextra -Wwrite-strings -Wpointer-arith -Wshadow -Wvla -Wformat=2 -Wno-format-nonliteral -Wshadow -Wformat-signedness -Wlogical-op -I../framework/tests/include/spe" + make +} + +component_tf_psa_crypto_test_malloc_0_null () { + msg "build: malloc(0) returns NULL (ASan+UBSan build)" + scripts/config.py full + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_C_COMPILER="$ASAN_CC" -DCMAKE_C_FLAGS="'-DTF_PSA_CRYPTO_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" -DCMAKE_EXE_LINKER_FLAGS="$ASAN_CFLAGS" "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: malloc(0) returns NULL (ASan+UBSan build)" + make test +} + +component_tf_psa_crypto_test_memory_buffer_allocator_backtrace () { + msg "build: default config with memory buffer allocator and backtrace enabled" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + scripts/config.py set MBEDTLS_MEMORY_BACKTRACE + scripts/config.py set MBEDTLS_MEMORY_DEBUG + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_BUILD_TYPE:String=Release -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE" + make test +} + +component_tf_psa_crypto_test_memory_buffer_allocator () { + msg "build: default config with memory buffer allocator" + scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PLATFORM_MEMORY + cd $OUT_OF_SOURCE_DIR + cmake -DCMAKE_BUILD_TYPE:String=Release -DGEN_FILES=ON "$TF_PSA_CRYPTO_ROOT_DIR" + make + + msg "test: MBEDTLS_MEMORY_BUFFER_ALLOC_C" + make test +}