From f4966c86b7948a984ac11cfe76cca44933dfb57e Mon Sep 17 00:00:00 2001 From: Darryl Green Date: Mon, 24 Jun 2019 13:47:38 +0100 Subject: [PATCH] Add adjust-check-config script to mbedtls importer In Mbed OS, there are configuration options with Mbed TLS that we are more comfortable allowing than we do with Mbed TLS on its own. Add a check-config adjusting script to enable removing or changing options in check_config.h --- features/mbedtls/importer/Makefile | 3 + .../mbedtls/importer/adjust-check-config.sh | 58 +++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100755 features/mbedtls/importer/adjust-check-config.sh diff --git a/features/mbedtls/importer/Makefile b/features/mbedtls/importer/Makefile index 6c048a1205..8aae98e3ee 100644 --- a/features/mbedtls/importer/Makefile +++ b/features/mbedtls/importer/Makefile @@ -132,6 +132,9 @@ deploy: rsync # Adjusting the default mbed TLS config file to mbed purposes ./adjust-config.sh $(MBED_TLS_DIR)/scripts/config.pl $(TARGET_INC)/mbedtls/config.h # + # Adjusting the default mbed TLS check-config file to mbed purposes + ./adjust-check-config.sh $(TARGET_INC)/mbedtls/check_config.h + # # Copy and adjust the trimmed config that does not require entropy source cp $(MBED_TLS_DIR)/configs/config-no-entropy.h $(TARGET_INC)/mbedtls/. ./adjust-no-entropy-config.sh $(MBED_TLS_DIR)/scripts/config.pl $(TARGET_INC)/mbedtls/config-no-entropy.h diff --git a/features/mbedtls/importer/adjust-check-config.sh b/features/mbedtls/importer/adjust-check-config.sh new file mode 100755 index 0000000000..b3960203b0 --- /dev/null +++ b/features/mbedtls/importer/adjust-check-config.sh @@ -0,0 +1,58 @@ +#!/bin/sh +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2019, Arm Limited, All Rights Reserved +# +# SPDX-License-Identifier: Apache-2.0 +# Licensed under the Apache License, Version 2.0 (the License); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# * http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an AS IS BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Purpose +# +# Removes checks from check_config.h that aren't needed for Mbed OS +# +# Usage: adjust-check-config.sh [path to check_config file] +# +set -eu + +if [ $# -ne 1 ]; then + echo "Usage: $0 path/to/check_config.h" >&2 + exit 1 +fi + +FILE=$1 + +conf() { + $SCRIPT -f $FILE --force $@ +} + +remove_code() { + MATCH_PATTERN=$(IFS=""; printf "%s" "$*") + + perl -0pi -e "s/$MATCH_PATTERN//g" "$FILE" +} + +# When using Mbed Crypto's PSA Entropy Injection feature on Mbed OS, it is +# not required to opt out of having entropy sources added to your entropy +# contexts by default (via MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES). +# As integrated in Mbed OS, MBEDTLS_PSA_INJECT_ENTROPY is compatible with +# actual entropy sources. PSA entropy injection is implemented using the +# standard Mbed TLS NV Seed feature, and is as compatible with other +# entropy sources as the standard Mbed TLS NV Seed feature which does +# support entropy mixing. +remove_code \ + "#if defined\(MBEDTLS_PSA_INJECT_ENTROPY\) && \\\\\n" \ + " !defined\(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES\)\n" \ + "#error \"MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources\"\n" \ + "#endif\n" \ + "\n"