Merge pull request #4715 from gilles-peskine-arm/psa_crypto_spm-from_platform_h-2.x

Backport 2.x: Fix and test the MBEDTLS_PSA_CRYPTO_SPM build
Straightforward backport from development to developement_2.x plus one trivial commit, only one approval is enough.
This commit is contained in:
Ronald Cron 2021-06-25 09:00:58 +02:00 committed by GitHub
commit 132e8c3cab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 174 additions and 44 deletions

View file

@ -0,0 +1,4 @@
Bugfix
* When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included
in all the right places. Include it from crypto_platform.h, which is
the natural place. Fixes #4649.

View file

@ -81,6 +81,18 @@ static inline int mbedtls_key_owner_id_equal( mbedtls_key_owner_id_t id1,
#endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ #endif /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
/*
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM
* (Secure Partition Manager) integration which separates the code into two
* parts: NSPE (Non-Secure Processing Environment) and SPE (Secure Processing
* Environment). When building for the SPE, an additional header file should be
* included.
*/
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
#define PSA_CRYPTO_SECURE 1
#include "crypto_spe.h"
#endif // MBEDTLS_PSA_CRYPTO_SPM
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
/** The type of the context passed to mbedtls_psa_external_get_random(). /** The type of the context passed to mbedtls_psa_external_get_random().
* *

View file

@ -26,7 +26,6 @@
#include "check_crypto_config.h" #include "check_crypto_config.h"
#endif #endif
#include "psa_crypto_service_integration.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#include "psa_crypto_cipher.h" #include "psa_crypto_cipher.h"

View file

@ -19,7 +19,6 @@
*/ */
#include "common.h" #include "common.h"
#include "psa_crypto_service_integration.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) #if defined(MBEDTLS_PSA_CRYPTO_CLIENT)

View file

@ -1,39 +0,0 @@
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef PSA_CRYPTO_SERVICE_INTEGRATION_H
#define PSA_CRYPTO_SERVICE_INTEGRATION_H
/*
* When MBEDTLS_PSA_CRYPTO_SPM is defined, the code is being built for SPM
* (Secure Partition Manager) integration which separates the code into two
* parts: NSPE (Non-Secure Processing Environment) and SPE (Secure Processing
* Environment). When building for the SPE, an additional header file should be
* included.
*/
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
/*
* PSA_CRYPTO_SECURE means that the file which included this file is being
* compiled for SPE. The files crypto_structs.h and crypto_types.h have
* different implementations for NSPE and SPE and are compiled according to this
* flag.
*/
#define PSA_CRYPTO_SECURE 1
#include "crypto_spe.h"
#endif // MBEDTLS_PSA_CRYPTO_SPM
#endif // PSA_CRYPTO_SERVICE_INTEGRATION_H

View file

@ -22,7 +22,6 @@
#if defined(MBEDTLS_PSA_CRYPTO_C) #if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa_crypto_service_integration.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#include "psa_crypto_core.h" #include "psa_crypto_core.h"

View file

@ -29,7 +29,6 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include "psa_crypto_service_integration.h"
#include "psa/crypto.h" #include "psa/crypto.h"
#include "psa_crypto_storage.h" #include "psa_crypto_storage.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"

View file

@ -0,0 +1,132 @@
/*
* Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
/**
* \file crypto_spe.h
*
* \brief When Mbed Crypto is built with the MBEDTLS_PSA_CRYPTO_SPM option
* enabled, this header is included by all .c files in Mbed Crypto that
* use PSA Crypto function names. This avoids duplication of symbols
* between TF-M and Mbed Crypto.
*
* \note This file should be included before including any PSA Crypto headers
* from Mbed Crypto.
*/
#ifndef CRYPTO_SPE_H
#define CRYPTO_SPE_H
#define PSA_FUNCTION_NAME(x) mbedcrypto__ ## x
#define psa_crypto_init \
PSA_FUNCTION_NAME(psa_crypto_init)
#define psa_key_derivation_get_capacity \
PSA_FUNCTION_NAME(psa_key_derivation_get_capacity)
#define psa_key_derivation_set_capacity \
PSA_FUNCTION_NAME(psa_key_derivation_set_capacity)
#define psa_key_derivation_input_bytes \
PSA_FUNCTION_NAME(psa_key_derivation_input_bytes)
#define psa_key_derivation_output_bytes \
PSA_FUNCTION_NAME(psa_key_derivation_output_bytes)
#define psa_key_derivation_input_key \
PSA_FUNCTION_NAME(psa_key_derivation_input_key)
#define psa_key_derivation_output_key \
PSA_FUNCTION_NAME(psa_key_derivation_output_key)
#define psa_key_derivation_setup \
PSA_FUNCTION_NAME(psa_key_derivation_setup)
#define psa_key_derivation_abort \
PSA_FUNCTION_NAME(psa_key_derivation_abort)
#define psa_key_derivation_key_agreement \
PSA_FUNCTION_NAME(psa_key_derivation_key_agreement)
#define psa_raw_key_agreement \
PSA_FUNCTION_NAME(psa_raw_key_agreement)
#define psa_generate_random \
PSA_FUNCTION_NAME(psa_generate_random)
#define psa_aead_encrypt \
PSA_FUNCTION_NAME(psa_aead_encrypt)
#define psa_aead_decrypt \
PSA_FUNCTION_NAME(psa_aead_decrypt)
#define psa_open_key \
PSA_FUNCTION_NAME(psa_open_key)
#define psa_close_key \
PSA_FUNCTION_NAME(psa_close_key)
#define psa_import_key \
PSA_FUNCTION_NAME(psa_import_key)
#define psa_destroy_key \
PSA_FUNCTION_NAME(psa_destroy_key)
#define psa_get_key_attributes \
PSA_FUNCTION_NAME(psa_get_key_attributes)
#define psa_reset_key_attributes \
PSA_FUNCTION_NAME(psa_reset_key_attributes)
#define psa_export_key \
PSA_FUNCTION_NAME(psa_export_key)
#define psa_export_public_key \
PSA_FUNCTION_NAME(psa_export_public_key)
#define psa_purge_key \
PSA_FUNCTION_NAME(psa_purge_key)
#define psa_copy_key \
PSA_FUNCTION_NAME(psa_copy_key)
#define psa_cipher_operation_init \
PSA_FUNCTION_NAME(psa_cipher_operation_init)
#define psa_cipher_generate_iv \
PSA_FUNCTION_NAME(psa_cipher_generate_iv)
#define psa_cipher_set_iv \
PSA_FUNCTION_NAME(psa_cipher_set_iv)
#define psa_cipher_encrypt_setup \
PSA_FUNCTION_NAME(psa_cipher_encrypt_setup)
#define psa_cipher_decrypt_setup \
PSA_FUNCTION_NAME(psa_cipher_decrypt_setup)
#define psa_cipher_update \
PSA_FUNCTION_NAME(psa_cipher_update)
#define psa_cipher_finish \
PSA_FUNCTION_NAME(psa_cipher_finish)
#define psa_cipher_abort \
PSA_FUNCTION_NAME(psa_cipher_abort)
#define psa_hash_operation_init \
PSA_FUNCTION_NAME(psa_hash_operation_init)
#define psa_hash_setup \
PSA_FUNCTION_NAME(psa_hash_setup)
#define psa_hash_update \
PSA_FUNCTION_NAME(psa_hash_update)
#define psa_hash_finish \
PSA_FUNCTION_NAME(psa_hash_finish)
#define psa_hash_verify \
PSA_FUNCTION_NAME(psa_hash_verify)
#define psa_hash_abort \
PSA_FUNCTION_NAME(psa_hash_abort)
#define psa_hash_clone \
PSA_FUNCTION_NAME(psa_hash_clone)
#define psa_hash_compute \
PSA_FUNCTION_NAME(psa_hash_compute)
#define psa_hash_compare \
PSA_FUNCTION_NAME(psa_hash_compare)
#define psa_mac_operation_init \
PSA_FUNCTION_NAME(psa_mac_operation_init)
#define psa_mac_sign_setup \
PSA_FUNCTION_NAME(psa_mac_sign_setup)
#define psa_mac_verify_setup \
PSA_FUNCTION_NAME(psa_mac_verify_setup)
#define psa_mac_update \
PSA_FUNCTION_NAME(psa_mac_update)
#define psa_mac_sign_finish \
PSA_FUNCTION_NAME(psa_mac_sign_finish)
#define psa_mac_verify_finish \
PSA_FUNCTION_NAME(psa_mac_verify_finish)
#define psa_mac_abort \
PSA_FUNCTION_NAME(psa_mac_abort)
#define psa_sign_hash \
PSA_FUNCTION_NAME(psa_sign_hash)
#define psa_verify_hash \
PSA_FUNCTION_NAME(psa_verify_hash)
#define psa_asymmetric_encrypt \
PSA_FUNCTION_NAME(psa_asymmetric_encrypt)
#define psa_asymmetric_decrypt \
PSA_FUNCTION_NAME(psa_asymmetric_decrypt)
#define psa_generate_key \
PSA_FUNCTION_NAME(psa_generate_key)
#endif /* CRYPTO_SPE_H */

View file

@ -798,6 +798,32 @@ component_test_psa_crypto_key_id_encodes_owner () {
make test make test
} }
# check_renamed_symbols HEADER LIB
# Check that if HEADER contains '#define MACRO ...' then MACRO is not a symbol
# name is LIB.
check_renamed_symbols () {
! nm "$2" | sed 's/.* //' |
grep -x -F "$(sed -n 's/^ *# *define *\([A-Z_a-z][0-9A-Z_a-z]*\)..*/\1/p' "$1")"
}
component_build_psa_crypto_spm () {
msg "build: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc"
scripts/config.py full
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM
# We can only compile, not link, since our test and sample programs
# aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM
# is active.
make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/spe' lib
# Check that if a symbol is renamed by crypto_spe.h, the non-renamed
# version is not present.
echo "Checking for renamed symbols in the library"
if_build_succeeded check_renamed_symbols tests/include/spe/crypto_spe.h library/libmbedcrypto.a
}
component_test_psa_crypto_client () { component_test_psa_crypto_client () {
msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make" msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make"
scripts/config.py unset MBEDTLS_PSA_CRYPTO_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_C

View file

@ -272,7 +272,6 @@
<ClInclude Include="..\..\library\psa_crypto_random_impl.h" /> <ClInclude Include="..\..\library\psa_crypto_random_impl.h" />
<ClInclude Include="..\..\library\psa_crypto_rsa.h" /> <ClInclude Include="..\..\library\psa_crypto_rsa.h" />
<ClInclude Include="..\..\library\psa_crypto_se.h" /> <ClInclude Include="..\..\library\psa_crypto_se.h" />
<ClInclude Include="..\..\library\psa_crypto_service_integration.h" />
<ClInclude Include="..\..\library\psa_crypto_slot_management.h" /> <ClInclude Include="..\..\library\psa_crypto_slot_management.h" />
<ClInclude Include="..\..\library\psa_crypto_storage.h" /> <ClInclude Include="..\..\library\psa_crypto_storage.h" />
<ClInclude Include="..\..\library\ssl_invasive.h" /> <ClInclude Include="..\..\library\ssl_invasive.h" />