psa: Replace Mbed PSA with TF-M

Add TF-M to Mbed OS, replacing the previous PSA implementation for
TF-M-capable targets. This commit adds files imported from TF-M, without
modification. The version of TF-M imported can be found in
`features/FEATURE_PSA/TARGET_TFM/VERSION.txt`.

These changes switch to TF-M as the sole PSA implementation for v8-M and
dual core targets, with TF-M running on the secure side and Mbed OS
running on the non-secure side. Single core v7-M targets will continue
to have PSA implemented via PSA emulation, implemented by Mbed OS.

Move or remove many PSA-implementing files, as PSA will be provided by
TF-M on non-single-v7-M targets. Delete any files that are not relevant
for PSA emulation mode.
 - Remove imported TF-M SPM
 - Remove Mbed SPM and tests
 - Remove Mbed-implemented PSA services and tests
 - Remove PSA_SRV_IMPL, PSA_SRV_IPC, PSA_SRV_EMUL and NSPE.
 - Replace PSA_SRV_EMUL and PSA_SRV_IMPL with MBED_PSA_SRV
 - Remove any files autogenerated by
   "tools/psa/generate_partition_code.py", which no longer exists.

Add new feature `PSA` to support PSA in Mbed OS.

Move the Mbed OS implementation of PSA services for v7-M targets (which
employ PSA emulation, and don't yet use TF-M) to
features/FEATURE_PSA/TARGET_MBED_PSA_SRV. Update the `requires`
attribute in TESTS/configs/baremetal.json to avoid breaking baremetal
testing builds.

Update .astyleignore to match new directory structure

Update Mbed TLS importer to place files into FEATURE_PSA

Create the following generic PSA targets:

* `PSA_Target` (Root level PSA generic target)
* `PSA_V7_M` (Single v7-M PSA generic target)
* `PSA_DUAL_CORE` (Dual-core PSA generic target)
* `PSA_V8_M` (v8-M PSA generic target)

Flatten MUSCA_NS and private MUSCA targets into public MUSCA targets.

Move mcuboot.bin to flat location (removing prebuilt folder)

Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>

.astyleignore

@@ -2,13 +2,8 @@
 ^cmsis
 ^features/cryptocell
 ^features/FEATURE_BLE
-^features/FEATURE_EXPERIMENTAL_API/TARGET_MBED_PSA_SRV
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/attestation.h
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/COMPONENT_PSA_SRV_IMPL/tfm_impl
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/crypto/COMPONENT_PSA_SRV_IPC/crypto_struct_ipc.h
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/TARGET_TFM
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/TESTS
+^features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV
+^features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM
 ^features/frameworks
 ^features/lwipstack/lwip
 ^features/lwipstack/lwip-sys

.gitignore

@@ -97,3 +97,6 @@ test_suite.json
 
 # default delivery dir
 DELIVERY/
+
+# Directory used to clone and build TF-M
+features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_IGNORE/

LICENSE.md

@@ -5,11 +5,12 @@ Folders containing files under different permissive license than Apache 2.0 are
 
 - [cmsis](./cmsis) - MIT, BSD-3-Clause
 - [components/802.15.4_RF/mcr20a-rf-driver](./components/802.15.4_RF/mcr20a-rf-driver) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_TFM](./components/TARGET_PSA/TARGET_TFM) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation](./components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
 - [features/cryptocell/FEATURE_CRYPTOCELL310](./features/cryptocell/FEATURE_CRYPTOCELL310) - ARM Object Code and Header Files License
 - [features/FEATURE_BOOTLOADER](./features/FEATURE_BOOTLOADER) - PBL
 - [features/FEATURE_BLE/targets](./features/FEATURE_BLE/targets) - BSD-style, PBL, MIT-style
+- [features/FEATURE_PSA/FEATURE_TFM](./features/FEATURE_PSA/FEATURE_TFM) - BSD-3-Clause
+- [features/FEATURE_PSA/FEATURE_MBED_PSA_SRV/services/attestation](./features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
+- [features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor](./features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor) - BSD-3-Clause
 - [features/lorawan](./features/lorawan) - Revised BSD
 - [features/lwipstack](./features/lwipstack) - BSD-style, MIT-style
 - [features/nanostack/sal-stack-nanostack](./features/nanostack/sal-stack-nanostack) - BSD-3-Clause

TESTS/configs/baremetal.json

@@ -5,6 +5,7 @@
         "utest",
         "unity",
         "psa",
+        "psa-services",
         "mbedtls",
         "psa-compliance-framework",
         "filesystem",

TESTS/mbed_hal/trng/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 ARM Limited. All rights reserved.
+* Copyright (c) 2018-2020 ARM Limited. All rights reserved.
 * SPDX-License-Identifier: Apache-2.0
 * Licensed under the Apache License, Version 2.0 (the License); you may
 * not use this file except in compliance with the License.
@@ -69,33 +69,6 @@
 
 using namespace utest::v1;
 
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "entropy.h"
-#include "entropy_poll.h"
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
 static int fill_buffer_trng(uint8_t *buffer, trng_t *trng_obj, size_t trng_len)
 {
     size_t temp_size = 0, output_length = 0;
@@ -275,9 +248,6 @@ int main()
 #if defined(MBEDTLS_PLATFORM_C)
     ret = mbedtls_platform_setup(NULL);
 #endif /* MBEDTLS_PLATFORM_C */
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
     ret = !Harness::run(specification);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

TESTS/mbedtls/sanity/main.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Arm Limited and affiliates
+ * Copyright (c) 2018-2020, Arm Limited and affiliates
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,12 +15,11 @@
  * limitations under the License.
  */
 
-#if ((!defined(TARGET_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
+#if ((!defined(FEATURE_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
 #error [NOT_SUPPORTED] Mbed Crypto is OFF - skipping.
 #else
 
 #include "psa/crypto.h"
-
 #include <stdio.h>
 #include "mbed.h"
 #include "greentea-client/test_env.h"
@@ -31,7 +30,7 @@
 
 using namespace utest::v1;
 
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
 
 #if !defined(MAX)
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -48,7 +47,7 @@ void inject_entropy()
     }
     mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
 }
-#endif // defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#endif // defined(MBEDTLS_ENTROPY_NV_SEED)
 
 void test_crypto_random(void)
 {
@@ -431,12 +430,12 @@ void test_crypto_hash_clone(void)
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
     psa_status_t status = psa_crypto_init();
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     if (status == PSA_ERROR_INSUFFICIENT_ENTROPY) {
         inject_entropy();
         status = psa_crypto_init();
     }
-#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC) */
+#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) */
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
     return greentea_case_setup_handler(source, index_of_case);
 }

TESTS/mbedtls/selftest/main.cpp

@@ -1,5 +1,5 @@
 /* mbed Microcontroller Library
- * Copyright (c) 2016 ARM Limited
+ * Copyright (c) 2016-2020 ARM Limited
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -87,32 +87,6 @@ Case cases[] = {
 #endif /* MBEDTLS_SELF_TEST */
 };
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
-
 utest::v1::status_t test_setup(const size_t num_cases)
 {
     GREENTEA_SETUP(120, "default_auto");
@@ -131,10 +105,6 @@ int main()
     }
 #endif
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
-
     ret = (Harness::run(specification) ? 0 : 1);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

cmsis/TARGET_CORTEX_M/mbed_tz_context.c

@@ -5,7 +5,7 @@
  * @date     10. January 2018
  ******************************************************************************/
 /*
- * Copyright (c) 2016-2018 Arm Limited. All rights reserved.
+ * Copyright (c) 2016-2020 Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -22,7 +22,7 @@
  * limitations under the License.
  */
 
-#if !TARGET_TFM
+#if !FEATURE_TFM
 
 #if defined (__ARM_FEATURE_CMSE) &&  (__ARM_FEATURE_CMSE == 3U)
 
@@ -204,4 +204,4 @@ uint32_t TZ_StoreContext_S (TZ_MemoryId_t id) {
 }
 #endif
 
-#endif // !TARGET_TFM
+#endif // !FEATURE_TFM

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/TESTS/attestation/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2019 ARM Limited. All rights reserved.
+* Copyright (c) 2019-2020 ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: Apache-2.0
 *
@@ -135,7 +135,7 @@ utest::v1::status_t case_setup_handler(const Case *const source, const size_t in
     psa_status_t status;
     status = mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST);
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-#if (defined(COMPONENT_PSA_SRV_IPC) || defined(MBEDTLS_ENTROPY_NV_SEED))
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
     /* inject some seed for test*/
     for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/TESTS/crypto_init/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 ARM Limited. All rights reserved.
+* Copyright (c) 2018-2020 ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: Apache-2.0
 *
@@ -46,31 +46,6 @@ utest::v1::status_t greentea_test_setup(const size_t number_of_cases)
     return greentea_test_setup_handler(number_of_cases);
 }
 
-static void check_multi_crypto_init_deinit()
-{
-#if !defined(COMPONENT_PSA_SRV_IPC)
-    TEST_SKIP();
-#endif
-    uint8_t output[TEST_RANDOM_SIZE] = {0};
-
-    psa_status_t status = psa_crypto_init();
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-
-    status = psa_crypto_init();
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_NOT_EQUAL(PSA_ERROR_BAD_STATE, status);
-
-    mbedtls_psa_crypto_free();
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_NOT_EQUAL(PSA_ERROR_BAD_STATE, status);
-
-    mbedtls_psa_crypto_free();
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_EQUAL(PSA_ERROR_BAD_STATE, status);
-}
-
 static void check_crypto_init_deinit()
 {
     psa_status_t status;
@@ -93,14 +68,13 @@ static void check_crypto_init_deinit()
 
 Case cases[] = {
     Case("PSA crypto-init De-init", check_crypto_init_deinit),
-    Case("PSA crypto- multiple init De-init", check_multi_crypto_init_deinit),
 };
 
 Specification specification(greentea_test_setup, cases, greentea_test_teardown_handler);
 
 int main()
 {
-#if (defined(COMPONENT_PSA_SRV_IPC) || defined(MBEDTLS_ENTROPY_NV_SEED))
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
     /* inject some a seed for test*/
     for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/inc/psa/client.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2018 ARM Limited
+/* Copyright (c) 2017-2020 ARM Limited
  *
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-#if defined(TARGET_TFM)
+#if defined(FEATURE_TFM)
 #include "interface/include/psa_client.h"
 #else
 

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/inc/psa/service.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2018 ARM Limited
+/* Copyright (c) 2017-2020 ARM Limited
  *
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-#if defined(TARGET_TFM)
+#if defined(FEATURE_TFM)
 
 #include "interface/include/psa_service.h"
 #include "secure_fw/core/ipc/include/tfm_utils.h"