Merge pull request #12955 from Patater/replace-mbed-psa-with-tfm

Replace Mbed PSA with TF-M PSA

.astyleignore

@@ -2,13 +2,8 @@
 ^cmsis
 ^features/cryptocell
 ^features/FEATURE_BLE
-^features/FEATURE_EXPERIMENTAL_API/TARGET_MBED_PSA_SRV
+^features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/attestation.h
+^features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/COMPONENT_PSA_SRV_IMPL/tfm_impl
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/services/crypto/COMPONENT_PSA_SRV_IPC/crypto_struct_ipc.h
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/TARGET_TFM
-^features/FEATURE_EXPERIMENTAL_API/TARGET_PSA/TARGET_MBED_PSA_SRV/TESTS
 ^features/frameworks
 ^features/lwipstack/lwip
 ^features/lwipstack/lwip-sys

.gitignore

@@ -97,3 +97,6 @@ test_suite.json
 
 # default delivery dir
 DELIVERY/
+
+# Directory used to clone and build TF-M
+features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_IGNORE/

LICENSE.md

@@ -5,11 +5,12 @@ Folders containing files under different permissive license than Apache 2.0 are
 
 - [cmsis](./cmsis) - MIT, BSD-3-Clause
 - [components/802.15.4_RF/mcr20a-rf-driver](./components/802.15.4_RF/mcr20a-rf-driver) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_TFM](./components/TARGET_PSA/TARGET_TFM) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation](./components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
 - [features/cryptocell/FEATURE_CRYPTOCELL310](./features/cryptocell/FEATURE_CRYPTOCELL310) - ARM Object Code and Header Files License
 - [features/FEATURE_BOOTLOADER](./features/FEATURE_BOOTLOADER) - PBL
 - [features/FEATURE_BLE/targets](./features/FEATURE_BLE/targets) - BSD-style, PBL, MIT-style
+- [features/FEATURE_PSA/FEATURE_TFM](./features/FEATURE_PSA/FEATURE_TFM) - BSD-3-Clause
+- [features/FEATURE_PSA/FEATURE_MBED_PSA_SRV/services/attestation](./features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
+- [features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor](./features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor) - BSD-3-Clause
 - [features/lorawan](./features/lorawan) - Revised BSD
 - [features/lwipstack](./features/lwipstack) - BSD-style, MIT-style
 - [features/nanostack/sal-stack-nanostack](./features/nanostack/sal-stack-nanostack) - BSD-3-Clause

TESTS/configs/baremetal.json

@@ -5,6 +5,7 @@
         "utest",
         "unity",
         "psa",
+        "psa-services",
         "mbedtls",
         "psa-compliance-framework",
         "filesystem",

TESTS/mbed_hal/trng/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 ARM Limited. All rights reserved.
+* Copyright (c) 2018-2020 ARM Limited. All rights reserved.
 * SPDX-License-Identifier: Apache-2.0
 * Licensed under the Apache License, Version 2.0 (the License); you may
 * not use this file except in compliance with the License.
@@ -69,33 +69,6 @@
 
 using namespace utest::v1;
 
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "entropy.h"
-#include "entropy_poll.h"
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
 static int fill_buffer_trng(uint8_t *buffer, trng_t *trng_obj, size_t trng_len)
 {
     size_t temp_size = 0, output_length = 0;
@@ -275,9 +248,6 @@ int main()
 #if defined(MBEDTLS_PLATFORM_C)
     ret = mbedtls_platform_setup(NULL);
 #endif /* MBEDTLS_PLATFORM_C */
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
     ret = !Harness::run(specification);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

TESTS/mbedtls/sanity/main.cpp

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Arm Limited and affiliates
+ * Copyright (c) 2018-2020, Arm Limited and affiliates
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,12 +15,11 @@
  * limitations under the License.
  */
 
-#if ((!defined(TARGET_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
+#if ((!defined(FEATURE_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
 #error [NOT_SUPPORTED] Mbed Crypto is OFF - skipping.
 #else
 
 #include "psa/crypto.h"
-
 #include <stdio.h>
 #include "mbed.h"
 #include "greentea-client/test_env.h"
@@ -31,7 +30,7 @@
 
 using namespace utest::v1;
 
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
 
 #if !defined(MAX)
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -48,7 +47,7 @@ void inject_entropy()
     }
     mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
 }
-#endif // defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#endif // defined(MBEDTLS_ENTROPY_NV_SEED)
 
 void test_crypto_random(void)
 {
@@ -431,12 +430,12 @@ void test_crypto_hash_clone(void)
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
     psa_status_t status = psa_crypto_init();
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     if (status == PSA_ERROR_INSUFFICIENT_ENTROPY) {
         inject_entropy();
         status = psa_crypto_init();
     }
-#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC) */
+#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) */
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
     return greentea_case_setup_handler(source, index_of_case);
 }

TESTS/mbedtls/selftest/main.cpp

@@ -1,5 +1,5 @@
 /* mbed Microcontroller Library
- * Copyright (c) 2016 ARM Limited
+ * Copyright (c) 2016-2020 ARM Limited
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -87,32 +87,6 @@ Case cases[] = {
 #endif /* MBEDTLS_SELF_TEST */
 };
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
-
 utest::v1::status_t test_setup(const size_t num_cases)
 {
     GREENTEA_SETUP(120, "default_auto");
@@ -131,10 +105,6 @@ int main()
     }
 #endif
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
-
     ret = (Harness::run(specification) ? 0 : 1);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

cmsis/TARGET_CORTEX_M/mbed_tz_context.c

@@ -5,7 +5,7 @@
  * @date     10. January 2018
  ******************************************************************************/
 /*
- * Copyright (c) 2016-2018 Arm Limited. All rights reserved.
+ * Copyright (c) 2016-2020 Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -22,7 +22,7 @@
  * limitations under the License.
  */
 
-#if !TARGET_TFM
+#if !FEATURE_TFM
 
 #if defined (__ARM_FEATURE_CMSE) &&  (__ARM_FEATURE_CMSE == 3U)
 
@@ -204,4 +204,4 @@ uint32_t TZ_StoreContext_S (TZ_MemoryId_t id) {
 }
 #endif
 
-#endif // !TARGET_TFM
+#endif // !FEATURE_TFM

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/TESTS/attestation/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2019 ARM Limited. All rights reserved.
+* Copyright (c) 2019-2020 ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: Apache-2.0
 *
@@ -135,7 +135,7 @@ utest::v1::status_t case_setup_handler(const Case *const source, const size_t in
     psa_status_t status;
     status = mbed_psa_reboot_and_request_new_security_state(PSA_LIFECYCLE_ASSEMBLY_AND_TEST);
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-#if (defined(COMPONENT_PSA_SRV_IPC) || defined(MBEDTLS_ENTROPY_NV_SEED))
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
     /* inject some seed for test*/
     for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/TESTS/crypto_init/main.cpp

@@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2018 ARM Limited. All rights reserved.
+* Copyright (c) 2018-2020 ARM Limited. All rights reserved.
 *
 * SPDX-License-Identifier: Apache-2.0
 *
@@ -46,31 +46,6 @@ utest::v1::status_t greentea_test_setup(const size_t number_of_cases)
     return greentea_test_setup_handler(number_of_cases);
 }
 
-static void check_multi_crypto_init_deinit()
-{
-#if !defined(COMPONENT_PSA_SRV_IPC)
-    TEST_SKIP();
-#endif
-    uint8_t output[TEST_RANDOM_SIZE] = {0};
-
-    psa_status_t status = psa_crypto_init();
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-
-    status = psa_crypto_init();
-    TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
-
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_NOT_EQUAL(PSA_ERROR_BAD_STATE, status);
-
-    mbedtls_psa_crypto_free();
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_NOT_EQUAL(PSA_ERROR_BAD_STATE, status);
-
-    mbedtls_psa_crypto_free();
-    status = psa_generate_random(output, sizeof(output));
-    TEST_ASSERT_EQUAL(PSA_ERROR_BAD_STATE, status);
-}
-
 static void check_crypto_init_deinit()
 {
     psa_status_t status;
@@ -93,14 +68,13 @@ static void check_crypto_init_deinit()
 
 Case cases[] = {
     Case("PSA crypto-init De-init", check_crypto_init_deinit),
-    Case("PSA crypto- multiple init De-init", check_multi_crypto_init_deinit),
 };
 
 Specification specification(greentea_test_setup, cases, greentea_test_teardown_handler);
 
 int main()
 {
-#if (defined(COMPONENT_PSA_SRV_IPC) || defined(MBEDTLS_ENTROPY_NV_SEED))
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
     /* inject some a seed for test*/
     for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/inc/psa/client.h

@@ -0,0 +1,155 @@
+/* Copyright (c) 2017-2020 ARM Limited
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#if defined(FEATURE_TFM)
+#include "interface/include/psa_client.h"
+#else
+
+#ifndef __MBED_OS_DEFAULT_PSA_CLIENT_API_H__
+#define __MBED_OS_DEFAULT_PSA_CLIENT_API_H__
+
+#include <stddef.h>
+#include "psa/error.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if !defined(UINT32_MAX)
+#define UINT32_MAX ((uint32_t)-1)
+#endif
+
+#if !defined(INT32_MIN)
+#define INT32_MIN   (-0x7fffffff - 1)
+#endif
+
+#define PSA_FRAMEWORK_VERSION   (0x0100) /**< Version of the PSA Framework API. */
+#define PSA_VERSION_NONE        (0L)     /**< Identifier for an unimplemented Root of Trust (RoT) Service. */
+#define PSA_CONNECTION_REFUSED  (INT32_MIN + 1)   /**< The return value from psa_connect() if the RoT Service or SPM was unable to establish a connection.*/
+#define PSA_CONNECTION_BUSY     (INT32_MIN + 2)   /**< The return value from psa_connect() if the RoT Service rejects the connection for a transient reason.*/
+#define PSA_DROP_CONNECTION     (INT32_MIN)       /**< The result code in a call to psa_reply() to indicate a nonrecoverable error in the client.*/
+#define PSA_NULL_HANDLE         ((psa_handle_t)0)   /**< Denotes an invalid handle.*/
+
+typedef int32_t psa_handle_t;
+
+typedef struct psa_invec {
+    const void *base;   /**< Starting address of the buffer.*/
+    size_t len;         /**< Length in bytes of the buffer.*/
+} psa_invec;
+
+
+typedef struct psa_outvec {
+    void *base;      /**< Starting address of the buffer.*/
+    size_t len;      /**< Length in bytes of the buffer.*/
+} psa_outvec;
+
+/**
+ * \brief Retrieve the version of the PSA Framework API that is implemented.
+ *
+ * \return version              The version of the PSA Framework implementation
+ *                              that is providing the runtime services to the
+ *                              caller. The major and minor version are encoded
+ *                              as follows:
+ * \arg                           version[15:8] -- major version number.
+ * \arg                           version[7:0]  -- minor version number.
+ */
+uint32_t psa_framework_version(void);
+
+/**
+ * \brief Retrieve the version of an RoT Service or indicate that it is not
+ *        present on this system.
+ *
+ * \param[in] sid               ID of the RoT Service to query.
+ *
+ * \retval PSA_VERSION_NONE     The RoT Service is not implemented, or the
+ *                              caller is not permitted to access the service.
+ * \retval > 0                  The version of the implemented RoT Service.
+ */
+uint32_t psa_version(uint32_t sid);
+
+/**
+ * \brief Connect to an RoT Service by its SID.
+ *
+ * \param[in] sid               ID of the RoT Service to connect to.
+ * \param[in] version           Requested version of the RoT Service.
+ *
+ * \retval > 0                  A handle for the connection.
+ * \retval PSA_ERROR_CONNECTION_REFUSED The SPM or RoT Service has refused the
+ *                              connection.
+ * \retval PSA_ERROR_CONNECTION_BUSY The SPM or RoT Service cannot make the
+ *                              connection at the moment.
+ * \retval "PROGRAMMER ERROR"   The call is a PROGRAMMER ERROR if one or more
+ *                              of the following are true:
+ * \arg                           The RoT Service ID is not present.
+ * \arg                           The RoT Service version is not supported.
+ * \arg                           The caller is not allowed to access the RoT
+ *                                service.
+ */
+psa_handle_t psa_connect(uint32_t sid, uint32_t version);
+
+/**
+ * \brief Call an RoT Service on an established connection.
+ *
+ * \param[in] handle            A handle to an established connection.
+ * \param[in] type              The reuqest type.
+ *                              Must be zero( \ref PSA_IPC_CALL) or positive.
+ * \param[in] in_vec            Array of input \ref psa_invec structures.
+ * \param[in] in_len            Number of input \ref psa_invec structures.
+ * \param[in/out] out_vec       Array of output \ref psa_outvec structures.
+ * \param[in] out_len           Number of output \ref psa_outvec structures.
+ *
+ * \retval >=0                  RoT Service-specific status value.
+ * \retval <0                   RoT Service-specific error code.
+ * \retval PSA_ERROR_PROGRAMMER_ERROR The connection has been terminated by the
+ *                              RoT Service. The call is a PROGRAMMER ERROR if
+ *                              one or more of the following are true:
+ * \arg                           An invalid handle was passed.
+ * \arg                           The connection is already handling a request.
+ * \arg                           type < 0.
+ * \arg                           An invalid memory reference was provided.
+ * \arg                           in_len + out_len > PSA_MAX_IOVEC.
+ * \arg                           The message is unrecognized by the RoT
+ *                                Service or incorrectly formatted.
+ */
+psa_status_t psa_call(psa_handle_t handle, int32_t type,
+                      const psa_invec *in_vec,
+                      size_t in_len,
+                      psa_outvec *out_vec,
+                      size_t out_len);
+
+/**
+ * \brief Close a connection to an RoT Service.
+ *
+ * \param[in] handle            A handle to an established connection, or the
+ *                              null handle.
+ *
+ * \retval void                 Success.
+ * \retval "PROGRAMMER ERROR"   The call is a PROGRAMMER ERROR if one or more
+ *                              of the following are true:
+ * \arg                           An invalid handle was provided that is not
+ *                                the null handle.
+ * \arg                           The connection is currently handling a
+ *                                request.
+ */
+void psa_close(psa_handle_t handle);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // __MBED_OS_DEFAULT_PSA_CLIENT_API_H__
+#endif

features/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_MBED_PSA_SRV/inc/psa/service.h

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017-2018 ARM Limited
+/* Copyright (c) 2017-2020 ARM Limited
  *
  * SPDX-License-Identifier: Apache-2.0
  *
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-#if defined(TARGET_TFM)
+#if defined(FEATURE_TFM)
 
 #include "interface/include/psa_service.h"
 #include "secure_fw/core/ipc/include/tfm_utils.h"