From c568688456819a6b63ca8ef7750b85b8f47148c8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 24 Mar 2025 15:55:27 +0100 Subject: [PATCH 01/12] config.py: do not enable MBEDTLS_PLATFORM_GET_ENTROPY_ALT in full config Signed-off-by: Valerio Setti --- scripts/config.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/config.py b/scripts/config.py index 3fc3614dc7..6b30c54c70 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -123,6 +123,7 @@ def is_seamless_alt(name): an implementation of the relevant functions and an xxx_alt.h header. """ if name in ( + 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT', 'MBEDTLS_PLATFORM_GMTIME_R_ALT', 'MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT', 'MBEDTLS_PLATFORM_MS_TIME_ALT', From 405d4adff2fa5277084bd0cfbf26d8b1046d803a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 8 Apr 2025 14:04:57 +0200 Subject: [PATCH 02/12] psasim: add timeout while waiting for psa_server to start Signed-off-by: Valerio Setti --- tests/psa-client-server/psasim/test/start_server.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/psa-client-server/psasim/test/start_server.sh b/tests/psa-client-server/psasim/test/start_server.sh index ef11439777..1249930af1 100755 --- a/tests/psa-client-server/psasim/test/start_server.sh +++ b/tests/psa-client-server/psasim/test/start_server.sh @@ -8,7 +8,14 @@ set -e # The server creates some local files when it starts up so we can wait for this # event as signal that the server is ready so that we can start client(s). function wait_for_server_startup() { + SECONDS=0 + TIMEOUT=10 + while [ $(find . -name "psa_notify_*" | wc -l) -eq 0 ]; do + if [ "$SECONDS" -ge "$TIMEOUT" ]; then + echo "Timeout: psa_server not started within $TIMEOUT seconds." + return 1 + fi sleep 0.1 done } From 73bd210a946e3325272494cf2b977d0acaa83c90 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Apr 2025 08:56:51 +0200 Subject: [PATCH 03/12] tests: remove usage of MBEDTLS_NO_PLATFORM_ENTROPY Use MBEDTLS_PLATFORM_GET_ENTROPY_ALT instead. Signed-off-by: Valerio Setti --- programs/test/selftest.c | 4 ++-- scripts/config.py | 3 +-- scripts/footprint.sh | 2 +- tests/scripts/analyze_outcomes.py | 1 - tests/scripts/components-configuration-platform.sh | 5 +---- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 546716f12d..0941089779 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -211,7 +211,7 @@ static int run_test_snprintf(void) * back. */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) static void create_entropy_seed_file(void) { int result; @@ -244,7 +244,7 @@ static void create_entropy_seed_file(void) static int mbedtls_entropy_self_test_wrapper(int verbose) { -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_NO_PLATFORM_ENTROPY) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) create_entropy_seed_file(); #endif return mbedtls_entropy_self_test(verbose); diff --git a/scripts/config.py b/scripts/config.py index 6b30c54c70..e5182a6a59 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -88,7 +88,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature - 'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature @@ -182,7 +181,7 @@ def baremetal_adapter(name, value, active): """Config adapter for "baremetal".""" if not is_boolean_setting(name, value): return active - if name == 'MBEDTLS_NO_PLATFORM_ENTROPY': + if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT': # No OS-provided entropy source return True return include_in_full(name) and keep_in_baremetal(name) diff --git a/scripts/footprint.sh b/scripts/footprint.sh index 614a493098..e45a9265ac 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -64,7 +64,7 @@ doit() scripts/config.py unset MBEDTLS_NET_C || true scripts/config.py unset MBEDTLS_TIMING_C || true scripts/config.py unset MBEDTLS_FS_IO || true - scripts/config.py --force set MBEDTLS_NO_PLATFORM_ENTROPY || true + scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true } >/dev/null 2>&1 make clean >/dev/null diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index c7c9ed5810..429a04f7f5 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -121,7 +121,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # Obsolete configuration options, to be replaced by # PSA entropy drivers. # https://github.com/Mbed-TLS/mbedtls/issues/8150 - 'Config: MBEDTLS_NO_PLATFORM_ENTROPY', 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # Untested aspect of the platform interface. # https://github.com/Mbed-TLS/mbedtls/issues/9589 diff --git a/tests/scripts/components-configuration-platform.sh b/tests/scripts/components-configuration-platform.sh index bebd860511..cadd14061c 100644 --- a/tests/scripts/components-configuration-platform.sh +++ b/tests/scripts/components-configuration-platform.sh @@ -26,7 +26,7 @@ component_build_no_sockets () { msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s scripts/config.py full scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.py set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux + scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib } @@ -106,6 +106,3 @@ component_test_no_64bit_multiplication () { msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s make test } - - - From 3775c9b48f39e80cdd527245d54ec6a88d3f4fae Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Apr 2025 12:49:17 +0200 Subject: [PATCH 04/12] programs: selftest: remove direct call to mbedtls_platform_entropy_poll() The function is now internal so it cannot be referenced from programs. A dummy alternative is used instead. Signed-off-by: Valerio Setti --- programs/test/selftest.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 0941089779..0a6faa778f 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -212,10 +212,17 @@ static int run_test_snprintf(void) */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) #if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +static void dummy_entropy(unsigned char *output, size_t output_size) +{ + srand(1); + for (size_t i = 0; i < output_size; i++) { + output[i] = rand(); + } +} + static void create_entropy_seed_file(void) { int result; - size_t output_len = 0; unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE]; /* Attempt to read the entropy seed file. If this fails - attempt to write @@ -226,18 +233,7 @@ static void create_entropy_seed_file(void) return; } - result = mbedtls_platform_entropy_poll(NULL, - seed_value, - MBEDTLS_ENTROPY_BLOCK_SIZE, - &output_len); - if (0 != result) { - return; - } - - if (MBEDTLS_ENTROPY_BLOCK_SIZE != output_len) { - return; - } - + dummy_entropy(seed_value, MBEDTLS_ENTROPY_BLOCK_SIZE); mbedtls_platform_std_nv_seed_write(seed_value, MBEDTLS_ENTROPY_BLOCK_SIZE); } #endif From 7ac11845d07552a00d0637bb027a99cab2c5f7f5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 18 Apr 2025 14:30:28 +0200 Subject: [PATCH 05/12] configs: add PLATFORM_C to configs using ENTROPY_C This is necessary to let entropy being able to gather entropy data from the native platform source. Signed-off-by: Valerio Setti --- configs/crypto-config-ccm-psk-tls1_2.h | 1 + configs/crypto-config-suite-b.h | 1 + configs/crypto-config-thread.h | 1 + tests/scripts/components-configuration-crypto.sh | 1 + 4 files changed, 4 insertions(+) diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index e4de8b3fb6..7a33b0daa9 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -31,6 +31,7 @@ #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C +#define MBEDTLS_PLATFORM_C /* Save RAM at the expense of ROM */ #define MBEDTLS_AES_ROM_TABLES diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 3fec3d0f10..92549bade1 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -49,6 +49,7 @@ #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C +#define MBEDTLS_PLATFORM_C #define MBEDTLS_OID_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index f71b1f079a..d1c449ea98 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h @@ -56,6 +56,7 @@ #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C +#define MBEDTLS_PLATFORM_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #define MBEDTLS_OID_C diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index cb66e371cb..f5b3436179 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2204,6 +2204,7 @@ END #define MBEDTLS_AES_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C + #define MBEDTLS_PLATFORM_C #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_SELF_TEST END From b13d29ebb2b35ca2478ec72d3fb89a4a4b397f83 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 18 Apr 2025 18:11:17 +0200 Subject: [PATCH 06/12] tests: scripts: fix test_cmake_out_of_source By default C++ code would be compiled with GNU while C with Clang and this can create problems at link time. In order to prevent this we use Clang for both. Signed-off-by: Valerio Setti --- tests/scripts/components-build-system.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh index 3108aa7b92..e533cdf0f9 100644 --- a/tests/scripts/components-build-system.sh +++ b/tests/scripts/components-build-system.sh @@ -65,7 +65,9 @@ component_test_cmake_out_of_source () { mkdir "$OUT_OF_SOURCE_DIR" cd "$OUT_OF_SOURCE_DIR" # Note: Explicitly generate files as these are turned off in releases - cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR" + # Note: Use Clang compiler also for C++ (C uses it by default) + CXX=clang++ cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON \ + -D TEST_CPP=1 "$MBEDTLS_ROOT_DIR" make msg "test: cmake 'out-of-source' build" From 1971eab465606696991c62370141f0b862ecaa70 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Apr 2025 16:11:00 +0200 Subject: [PATCH 07/12] programs: test: add C++ specific commands to cpp_dummy_build Add C++ specific instructions to the generated *.cpp source file so that the build will fail in case a C compiler is used. Signed-off-by: Valerio Setti --- programs/test/generate_cpp_dummy_build.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/programs/test/generate_cpp_dummy_build.sh b/programs/test/generate_cpp_dummy_build.sh index 7b4f520aca..ecf0149a17 100755 --- a/programs/test/generate_cpp_dummy_build.sh +++ b/programs/test/generate_cpp_dummy_build.sh @@ -73,8 +73,12 @@ EOF cat <<'EOF' +#include + int main() { + std::cout << "CPP dummy build\n"; + mbedtls_platform_context *ctx = NULL; mbedtls_platform_setup(ctx); mbedtls_printf("CPP Build test passed\n"); From 7fb7fdabd730751c38e18fee816d028ec1befed2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Apr 2025 16:28:55 +0200 Subject: [PATCH 08/12] tests: scripts: fix component_test_no_platform() Use alternative implementation of mbedtls_platform_get_entropy() since the default one lives in "platform.c" and that one is excluded in this test component. Signed-off-by: Valerio Setti --- tests/scripts/components-configuration.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 2dfa6d2114..cc2cf0604f 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -280,6 +280,10 @@ component_test_no_platform () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + # Use the test alternative implementation of mbedtls_platform_get_entropy() + # which is provided in "framework/tests/src/fake_external_rng_for_test.c" + # since the default one is excluded in this scenario. + scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, # to re-enable platform integration features otherwise disabled in C99 builds make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs From 0f0304d433cc18a0d9865f30056d84f20346fc57 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Apr 2025 17:36:17 +0200 Subject: [PATCH 09/12] scripts: tests: fix component_test_full_cmake_clang Use the proper Clang C++ compiler to build C++ code otherwise the C compiler will fail because std::cout() is unknown in "cpp_dummy_build.cpp". Signed-off-by: Valerio Setti --- tests/scripts/components-configuration.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index cc2cf0604f..5fd9ede124 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -132,7 +132,8 @@ component_test_full_cmake_gcc_asan_new_bignum () { component_test_full_cmake_clang () { msg "build: cmake, full config, clang" # ~ 50s scripts/config.py full - CC=clang CXX=clang cmake -D CMAKE_BUILD_TYPE:String=Release -D ENABLE_TESTING=On -D TEST_CPP=1 . + CC=clang CXX=clang++ cmake -D CMAKE_BUILD_TYPE:String=Release \ + -D ENABLE_TESTING=On -D TEST_CPP=1 . make msg "test: main suites (full config, clang)" # ~ 5s From 1afedacfea918c47ff55f845a22e95d38d84f836 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 6 May 2025 06:27:02 +0200 Subject: [PATCH 10/12] tests: scripts: add new component to configuration-platform.sh Import component_test_platform_get_entropy_alt() from its counterpart in TF-PSA-Crypto repo. Signed-off-by: Valerio Setti --- tests/scripts/components-configuration-platform.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tests/scripts/components-configuration-platform.sh b/tests/scripts/components-configuration-platform.sh index cadd14061c..ade207a650 100644 --- a/tests/scripts/components-configuration-platform.sh +++ b/tests/scripts/components-configuration-platform.sh @@ -20,6 +20,20 @@ component_build_no_std_function () { make } +component_test_platform_get_entropy_alt() +{ + msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + # Use hardware polling as the only source for entropy + scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + + make + + # Run all the tests + msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + make test +} + component_build_no_sockets () { # Note, C99 compliance can also be tested with the sockets support disabled, # as that requires a POSIX platform (which isn't the same as C99). From 55fa8755744814f43c9ed1f88dca5a7a6dae7833 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 29 Apr 2025 11:02:27 +0200 Subject: [PATCH 11/12] framework: update reference Signed-off-by: Valerio Setti --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 1e7b5d54d3..1a83e0c84d 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 1e7b5d54d3823b65fd4755bcf60f9ca39cfcbca3 +Subproject commit 1a83e0c84d4b7aa11c7cfd3771322486fc87d281 From 7f8b7b768bbea599f6a50b9fc638192127000f31 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 29 Apr 2025 11:02:37 +0200 Subject: [PATCH 12/12] tf-psa-crypto: update reference Signed-off-by: Valerio Setti --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index f936d86b25..5ab6c9c8d6 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit f936d86b2587eb4a961cac5b3b95b949ee056ee6 +Subproject commit 5ab6c9c8d6fae90fa46f51fbc7d5d1327a041388