Include mbedtls_ecc_group_to_psa.h from crypto_extra.h so that clients
of PSA within Mbed OS do not need to behave differently depending on
which PSA implementation they are using.
This solution is not ideal as it makes it more difficult to update the
TF-M-provided psa/crypto_extra.h. We'll have to see what other options
we have for including additional headers based on the Mbed OS
configuration.
We'd like to enable Mbed TLS's PK module in using TF-M's PSA
implementation, even if it doesn't expose the same set of PSA extensions
as Mbed TLS's PSA implementation. To do this, we add
mbedtls_ecc_group_to_psa() in its own header available when using the
latest TF-M.
Add mbedtls_ecc_group_to_psa(), one of Mbed TLS's PSA compatibility
helpers, for internal use by the Mbed TLS PK module. Without this
conversion function, the Mbed TLS PK module is unable to use any PSA
implementation other than one which provides a compatible set of PSA
extensions.
Update CMAKE_MODULE_PATH at once place.
Note, we update also CMAKE_MODULE_PATH in app.cmake. This is temporary until we get a proper way to include
Mbed Os (removing app.cmake need to be included by an application).
CMAKE_CURRENT_LIST_DIR behaves differently in functions. We store it in the CMakeLists itself, so anyone
calling a function would get the actual list dir where the scripts are.
To illustrate: if I call a function from src/CMakelists.txt, function located in src/scripts, `CMAKE_CURRENT_LIST_DIR` in the function would point
to the src/ folder but not to src/scripts.
Some host operating systems are case-insensitive and cannot
distinguish (for example) `semaphore.h` in `os_wrapper` from
`Semaphore.h` from Mbed OS `rtos`. This causes the wrong header to be
included.
By adding `os_wrapper/.mbedignore`, we guarantee that
#include "Semaphore.h"
always points to `rtos/Semaphore.h`, while the fully-qualified include
#include "os_wrapper/semaphore.h"
continues to work because its parent directory is still in the include
path.
Previous, we patched TF-M to replace its OS wrapper with CMSIS RTOS
to resolve manage management issue when integrated with Mbed OS. But
as of TF-M v1.2, the OS wrapper has been reworked in the vanilla TF-M,
and now it makes identical calls to its underlying CMSIS RTOS as our
patches do. So, we remove our patches and use vanilla TF-M's OS
wrapper instead to avoid extra maintenance overhead.
This commit re-imports TF-M files associated with the OS wrapper.
This commit adds post binary hook support for TF-M targets.
To apply this hook to a TF-M target, do the following in the target's
`CMakeLists.txt`:
* include `mbed_set_post_build_tfm.cmake`
* call `mbed_post_build_tfm_sign_image()`, passing
- Mbed OS target name
- TF-M target name
- path containing the target's bootloader, layout files and signing
keys
- path to the secure binary
- path to the non-secure binary (i.e. the "raw" Mbed application)
Mbed TLS 2.24.0 requires a few new macros and an inline function in
the PSA Crypto header. This PR adds them to make sure the TF-M v1.0
target (specifically CYTFM_064B0S2_4343W) continues to compile with
the new Mbed TLS.
Note: Support for older versions of TF-M than v1.2 will be dropped,
so existing TF-M targets should migrate to TF-M v1.2 as soon as
possible.
Setting/getting key enrollment algorithm is not recommended and not
part of the vanilla PSA or TF-M. For now keep the API just for
backward compatibility with existing projects, and this commit
adds deprecation warnings.
Add `psa_set_key_enrollment_algorithm()` and
`psa_get_key_enrollment_algorithm()` for TF-M targets.
Note: This is deprecated and for backward compatibility only.
Setting an enrollment algorithm is not recommended, because
using the same key with different algorithms can allow some
attacks based on arithmetic relations between different
computations made with the same key, or can escalate harmless
side channels into exploitable ones. Use this function only
if it is necessary to support a protocol for which it has been
verified that the usage of the key with multiple algorithms
is safe.
The PSA headers imported from TF-M does not contain a declaration of
mbedtls_ecc_group_to_psa(), which is expected by pk.c from Mbed TLS.
This leads to an "undefined symbol" error when using the ARM toolchain
to compile an application for a TF-M target.
These files have been imported/copied from:
* ARMmbed/trusted-firmware-m
* ARMmbed/tf-m-tests
These are generic files, which are required for TF-M v1.2 integration
with Mbed OS for PSA_V8M and PSA_DUAL_CORE targets.
Rather than maintaining a specific `TARGET_TFM_V1_x`, its better to use
more generic name `TARGET_TFM_LATEST` to avoid confusion on the latest
TFM version supported by Mbed OS
* Rename the folder from `TARGET_TFM_V1_1` to `TARGET_TFM_LATEST`
* Update the CmakeLists.txt
* Change the name of the MUSCA targets to maintain uniformity
with TF-M v1.2
* Update target.json for PSA_V8_M to use `TFM_LATEST`
Files have been automatically imported by setting MBED_TLS_RELEASE to
mbedtls-2.24.0 in connectivity/mbedtls/tools/importer/Makefile and
running `make` in that directory.
Aside from the core mbed-os CMake target, a number of targets have been created so they can optionally be included by application executables that require them using `target_link_libraries()`.
Co-authored-by: Martin Kojtal <martin.kojtal@arm.com>
Co-authored-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@arm.com>
Martin Kojtal
Jaeden Amero
Lingkai Dong
plan-do-break-fix
Vikas Katariya
Hugues Kamba
Hugues Kamba
Moshe Shahar
Rajkumar Kanagaraj