diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index 163520ed34..c2dabc28e8 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -30,7 +30,6 @@ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* Save RAM at the expense of ROM */ diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 0437bda3ce..4bae5a45c6 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -48,7 +48,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 5475a0af20..1b2621cf58 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h @@ -55,7 +55,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #define MBEDTLS_PK_C diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 2c2b48ed82..0e906ab4a3 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -210,7 +210,7 @@ static int run_test_snprintf(void) * back. */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) static void dummy_entropy(unsigned char *output, size_t output_size) { srand(1); @@ -239,7 +239,7 @@ static void create_entropy_seed_file(void) static int mbedtls_entropy_self_test_wrapper(int verbose) { -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) create_entropy_seed_file(); #endif return mbedtls_entropy_self_test(verbose); diff --git a/scripts/config.py b/scripts/config.py index 20555db846..e60d1606f1 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -85,7 +85,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum - 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PSA_DRIVER_GET_ENTROPY', # incompatible with MBEDTLS_PSA_BUILTIN_GET_ENTROPY 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA @@ -180,8 +179,10 @@ def baremetal_adapter(name, value, active): """Config adapter for "baremetal".""" if not is_boolean_setting(name, value): return active - if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT': + if name == 'MBEDTLS_PSA_BUILTIN_GET_ENTROPY': # No OS-provided entropy source + return False + if name == 'MBEDTLS_PSA_DRIVER_GET_ENTROPY': return True return include_in_full(name) and keep_in_baremetal(name) diff --git a/scripts/footprint.sh b/scripts/footprint.sh index e45a9265ac..1f2945159e 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -19,14 +19,22 @@ set -eu CONFIG_H='include/mbedtls/mbedtls_config.h' +CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h' -if [ -r $CONFIG_H ]; then :; else +if [ ! -r $CONFIG_H ]; then echo "$CONFIG_H not found" >&2 echo "This script needs to be run from the root of" >&2 echo "a git checkout or uncompressed tarball" >&2 exit 1 fi +if [ ! -r $CRYPTO_CONFIG_H ]; then + echo "$CRYPTO_CONFIG_H not found" >&2 + echo "This script needs to be run from the root of" >&2 + echo "a git checkout or uncompressed tarball" >&2 + exit 1 +fi + if grep -i cmake Makefile >/dev/null; then echo "Not compatible with CMake" >&2 exit 1 @@ -56,15 +64,25 @@ doit() log "$NAME ($FILE):" cp $CONFIG_H ${CONFIG_H}.bak + cp $CRYPTO_CONFIG_H ${CRYPTO_CONFIG_H}.bak if [ "$FILE" != $CONFIG_H ]; then + CRYPTO_FILE="${FILE%/*}/crypto-${FILE##*/}" cp "$FILE" $CONFIG_H + cp "$CRYPTO_FILE" $CRYPTO_CONFIG_H fi { + scripts/config.py unset MBEDTLS_HAVE_TIME || true + scripts/config.py unset MBEDTLS_HAVE_TIME_DATE || true scripts/config.py unset MBEDTLS_NET_C || true scripts/config.py unset MBEDTLS_TIMING_C || true scripts/config.py unset MBEDTLS_FS_IO || true - scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C || true + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C || true + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY || true + # Force the definition of MBEDTLS_PSA_DRIVER_GET_ENTROPY as it may + # not exist in custom configurations. + scripts/config.py --force -f ${CRYPTO_CONFIG_H} set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true } >/dev/null 2>&1 make clean >/dev/null @@ -76,7 +94,8 @@ doit() log "$( head -n1 "$OUT" )" log "$( tail -n1 "$OUT" )" - cp ${CONFIG_H}.bak $CONFIG_H + mv ${CONFIG_H}.bak $CONFIG_H + mv ${CRYPTO_CONFIG_H}.bak $CRYPTO_CONFIG_H } # truncate the file just this time diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index d1bb553c67..8660e68942 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -124,10 +124,8 @@ class CoverageTask(outcome_analysis.CoverageTask): # Untested platform-specific optimizations. # https://github.com/Mbed-TLS/mbedtls/issues/9588 'Config: MBEDTLS_HAVE_SSE2', - # Obsolete configuration options, to be replaced by - # PSA entropy drivers. - # https://github.com/Mbed-TLS/mbedtls/issues/8150 - 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', + # Obsolete config option that we are about to remove + 'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT', # Untested aspect of the platform interface. # https://github.com/Mbed-TLS/mbedtls/issues/9589 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6ed656bff9..be2b040c29 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -236,7 +236,6 @@ component_test_psa_external_rng_no_drbg_use_psa () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C @@ -252,16 +251,18 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -2090,9 +2091,9 @@ END #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 - #define MBEDTLS_CTR_DRBG_C - #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C + #define MBEDTLS_CTR_DRBG_C + #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY #define MBEDTLS_SELF_TEST END diff --git a/tests/scripts/components-configuration-platform.sh b/tests/scripts/components-configuration-platform.sh index ade207a650..b408bec618 100644 --- a/tests/scripts/components-configuration-platform.sh +++ b/tests/scripts/components-configuration-platform.sh @@ -20,17 +20,18 @@ component_build_no_std_function () { make } -component_test_platform_get_entropy_alt() +component_test_psa_driver_get_entropy() { - msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "build: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" # Use hardware polling as the only source for entropy - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make # Run all the tests - msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "test: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" make test } @@ -40,7 +41,8 @@ component_build_no_sockets () { msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s scripts/config.py full scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY # prevent syscall() on GNU/Linux + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib } diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 5fd9ede124..a35704f299 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -284,7 +284,8 @@ component_test_no_platform () { # Use the test alternative implementation of mbedtls_platform_get_entropy() # which is provided in "framework/tests/src/fake_external_rng_for_test.c" # since the default one is excluded in this scenario. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, # to re-enable platform integration features otherwise disabled in C99 builds make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index ae88abf1e2..cd91b78479 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -515,10 +515,10 @@ class DomainData: 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*, - # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used + # SHA224 and SHA384 because the built-in entropy module is extensively used # across various modules, but it depends on either SHA256 or SHA512. # As a consequence an "exclusive" test of anything other than SHA256 - # or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible. + # or SHA512 with the built-in entropy module enabled is not possible. 'hashes': DualDomain(hash_symbols, build_and_test, exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'),