From 077f4c3d4676ca809cbef252d2548674137107e3 Mon Sep 17 00:00:00 2001
From: Darryl Green
Date: Thu, 25 Jun 2020 14:16:26 +0100
Subject: [PATCH 1/2] Move code additions to end of adjust_config.sh The config.py script that adjusts config.h in Mbed TLS doesn't handle having configurations being defined in it multiple times very well. As Mbed OS needs to have certain configurations settings based on what features are set, these code additions to config.h are moved to being added after the rest of the configuration is adjusted.
---
 features/mbedtls/importer/adjust-config.sh | 86 +++++++++++-----------
 1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/features/mbedtls/importer/adjust-config.sh b/features/mbedtls/importer/adjust-config.sh
index f172d5dc2e..60b9502282 100755
--- a/features/mbedtls/importer/adjust-config.sh
+++ b/features/mbedtls/importer/adjust-config.sh
@@ -47,49 +47,6 @@ append_code() {
 "$FILE"
 }
 
-# add an #ifndef to include config-no-entropy.h when the target does not have
-# an entropy source we can use.
-append_code \
- "#ifndef MBEDTLS_CONFIG_H\n" \
- "\n" \
- "#include \"platform\/inc\/platform_mbed.h\"\n" \
- "\n" \
- "\/*\n" \
- " * Only use features that do not require an entropy source when\n" \
- " * DEVICE_ENTROPY_SOURCE is not defined in mbed OS.\n" \
- " *\/\n" \
- "#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \\\\\n" \
- " !defined(MBEDTLS_ENTROPY_NV_SEED)\n" \
- "#include \"mbedtls\/config-no-entropy.h\"\n" \
- "\n" \
- "#if defined(MBEDTLS_USER_CONFIG_FILE)\n" \
- "#include MBEDTLS_USER_CONFIG_FILE\n" \
- "#endif\n" \
- "\n" \
- "#else\n"
-
-prepend_code \
- "#endif \/\* MBEDTLS_CONFIG_H \*\/" \
- "\n" \
- "#endif \/* !MBEDTLS_ENTROPY_HARDWARE_ALT && !MBEDTLS_TEST_NULL_ENTROPY && !MBEDTLS_ENTROPY_NV_SEED *\/\n" \
- "\n" \
- "#if defined(MBEDTLS_TEST_NULL_ENTROPY)\n" \
- "#warning \"MBEDTLS_TEST_NULL_ENTROPY has been enabled. This \" \\\\\n" \
- " \"configuration is not secure and is not suitable for production use\"\n" \
- "#endif\n" \
- "\n" \
- "#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \\\\\n" \
- " !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_ENTROPY_NV_SEED)\n" \
- "#error \"No entropy source was found at build time, so TLS \" \\\\\n" \
- " \"functionality is not available\"\n" \
- "#endif\n" \
- "\n" \
- "#if defined(FEATURE_EXPERIMENTAL_API) && defined(FEATURE_PSA)\n" \
- " #define MBEDTLS_PSA_HAS_ITS_IO\n" \
- " #define MBEDTLS_USE_PSA_CRYPTO\n" \
- "#endif\n" \
- "\n"
-
 # not supported on mbed OS, nor used by mbed Client
 conf unset MBEDTLS_NET_C
 conf unset MBEDTLS_TIMING_C
@@ -165,3 +122,46 @@ conf unset MBEDTLS_PLATFORM_TIME_TYPE_MACRO
 # Reduce the maximal MBEDTLS_MPI_MAX_SIZE to 512 bytes,
 # which should fit RSA 4096 bit keys.
 conf set MBEDTLS_MPI_MAX_SIZE 512
+
+# add an #ifndef to include config-no-entropy.h when the target does not have
+# an entropy source we can use.
+append_code \
+ "#ifndef MBEDTLS_CONFIG_H\n" \
+ "\n" \
+ "#include \"platform\/inc\/platform_mbed.h\"\n" \
+ "\n" \
+ "\/*\n" \
+ " * Only use features that do not require an entropy source when\n" \
+ " * DEVICE_ENTROPY_SOURCE is not defined in mbed OS.\n" \
+ " *\/\n" \
+ "#if !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \\\\\n" \
+ " !defined(MBEDTLS_ENTROPY_NV_SEED)\n" \
+ "#include \"mbedtls\/config-no-entropy.h\"\n" \
+ "\n" \
+ "#if defined(MBEDTLS_USER_CONFIG_FILE)\n" \
+ "#include MBEDTLS_USER_CONFIG_FILE\n" \
+ "#endif\n" \
+ "\n" \
+ "#else\n"
+
+prepend_code \
+ "#endif \/\* MBEDTLS_CONFIG_H \*\/" \
+ "\n" \
+ "#endif \/* !MBEDTLS_ENTROPY_HARDWARE_ALT && !MBEDTLS_TEST_NULL_ENTROPY && !MBEDTLS_ENTROPY_NV_SEED *\/\n" \
+ "\n" \
+ "#if defined(MBEDTLS_TEST_NULL_ENTROPY)\n" \
+ "#warning \"MBEDTLS_TEST_NULL_ENTROPY has been enabled. This \" \\\\\n" \
+ " \"configuration is not secure and is not suitable for production use\"\n" \
+ "#endif\n" \
+ "\n" \
+ "#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_TEST_NULL_ENTROPY) && \\\\\n" \
+ " !defined(MBEDTLS_ENTROPY_HARDWARE_ALT) && !defined(MBEDTLS_ENTROPY_NV_SEED)\n" \
+ "#error \"No entropy source was found at build time, so TLS \" \\\\\n" \
+ " \"functionality is not available\"\n" \
+ "#endif\n" \
+ "\n" \
+ "#if defined(FEATURE_EXPERIMENTAL_API) && defined(FEATURE_PSA)\n" \
+ " #define MBEDTLS_PSA_HAS_ITS_IO\n" \
+ " #define MBEDTLS_USE_PSA_CRYPTO\n" \
+ "#endif\n" \
+ "\n"
From a3af4305bc83772375d87c40b1e2b45caeac5a59 Mon Sep 17 00:00:00 2001
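Review bot: The ordering constraint that motivates this move is not recorded anywhere in the script, so nothing stops a later contributor from adding a `conf set`/`conf unset` call below the `append_code`/`prepend_code` block, which the commit message says config.py cannot handle once the same symbol appears twice in config.h. A short comment above `append_code \` would preserve that intent: `# NOTE: keep these append_code/prepend_code calls last: config.py does not cope` `# with a symbol being defined twice in config.h, so every conf set/unset must` `# run before the #define lines below are appended.` The same reasoning presumably applies to `MBEDTLS_PSA_HAS_ITS_IO`, which the prepended block also defines under `FEATURE_EXPERIMENTAL_API && FEATURE_PSA`; if upstream config.h ever carries that symbol it will need the same explicit unset before this block.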
From: Darryl Green
Date: Thu, 25 Jun 2020 14:24:25 +0100
Subject: [PATCH 2/2] Ensure that MBEDTLS_USE_PSA_CRYPTO is only defined when it should be MBEDTLS_USE_PSA_CRYPTO should only be defined in Mbed OS when the appropriate Mbed OS flags are set.
---
 features/mbedtls/importer/adjust-config.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/features/mbedtls/importer/adjust-config.sh b/features/mbedtls/importer/adjust-config.sh
index 60b9502282..4825661989 100755
--- a/features/mbedtls/importer/adjust-config.sh
+++ b/features/mbedtls/importer/adjust-config.sh
@@ -123,6 +123,10 @@ conf unset MBEDTLS_PLATFORM_TIME_TYPE_MACRO
 # which should fit RSA 4096 bit keys.
 conf set MBEDTLS_MPI_MAX_SIZE 512
 
+# Explicitly unset MBEDTLS_USE_PSA_CRYPTO as this will be set based on the
+# FEATURE_PSA flag in Mbed OS
+conf unset MBEDTLS_USE_PSA_CRYPTO
+
 # add an #ifndef to include config-no-entropy.h when the target does not have
 # an entropy source we can use.
 append_code \
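Review bot: The comment on the new `conf unset MBEDTLS_USE_PSA_CRYPTO` line names only FEATURE_PSA, but the `#define MBEDTLS_USE_PSA_CRYPTO` that this unset makes room for is guarded by `#if defined(FEATURE_EXPERIMENTAL_API) && defined(FEATURE_PSA)` in the prepend_code block further down the file, so the comment understates the condition under which PSA crypto is actually enabled. Suggest `# Explicitly unset MBEDTLS_USE_PSA_CRYPTO: it is re-defined below only when both` `# FEATURE_EXPERIMENTAL_API and FEATURE_PSA are set in Mbed OS`. It is also worth saying there that this unset must stay above the `append_code`/`prepend_code` calls, since the whole series exists because config.py does not cope with a symbol being defined twice in config.h.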