From efcec8cecd5afabdfd43d930cccf6c22a6438407 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 2 Sep 2025 17:22:35 +0200 Subject: [PATCH 1/6] Cleanup following the removal of MBEDTLS_ENTROPY_C option Signed-off-by: Ronald Cron --- configs/crypto-config-ccm-psk-tls1_2.h | 1 - configs/crypto-config-suite-b.h | 1 - configs/crypto-config-thread.h | 1 - tests/scripts/components-configuration-crypto.sh | 2 -- tests/scripts/depends.py | 4 ++-- 5 files changed, 2 insertions(+), 7 deletions(-) diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index 163520ed34..c2dabc28e8 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -30,7 +30,6 @@ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* Save RAM at the expense of ROM */ diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 0437bda3ce..4bae5a45c6 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -48,7 +48,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 5475a0af20..1b2621cf58 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h @@ -55,7 +55,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #define MBEDTLS_PK_C diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6ed656bff9..d5efbffde8 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -236,7 +236,6 @@ component_test_psa_external_rng_no_drbg_use_psa () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C @@ -2091,7 +2090,6 @@ END #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 #define MBEDTLS_CTR_DRBG_C - #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_SELF_TEST END diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index ae88abf1e2..cd91b78479 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -515,10 +515,10 @@ class DomainData: 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*, - # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used + # SHA224 and SHA384 because the built-in entropy module is extensively used # across various modules, but it depends on either SHA256 or SHA512. # As a consequence an "exclusive" test of anything other than SHA256 - # or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible. + # or SHA512 with the built-in entropy module enabled is not possible. 'hashes': DualDomain(hash_symbols, build_and_test, exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'), From 3b30643143553d7e02cca6655fb9487c5b587e4f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 2 Sep 2025 18:30:08 +0200 Subject: [PATCH 2/6] Adapt configurations to stricter compile-time checks Adapt configurations to stricter compile-time checks for entropy enablement and MBEDTLS_ENTROPY_NV_SEED option. Signed-off-by: Ronald Cron --- tests/scripts/components-configuration-crypto.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index d5efbffde8..be2b040c29 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -251,16 +251,18 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -2089,8 +2091,9 @@ END #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 - #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_PSA_CRYPTO_C + #define MBEDTLS_CTR_DRBG_C + #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY #define MBEDTLS_SELF_TEST END From eb16a9d9ea780bccf86ec6e769894034c40e99b4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 3 Sep 2025 09:57:29 +0200 Subject: [PATCH 3/6] Prepare for the removal of MBEDTLS_PLATFORM_GET_ENTROPY_ALT We cannot remove it completely yet. It must remain in config.py so that it is not included in the full configuration. A temporary exception is required for it in analyze_outcomes.py. Signed-off-by: Ronald Cron --- programs/test/selftest.c | 4 ++-- scripts/config.py | 4 +++- scripts/footprint.sh | 3 ++- tests/scripts/analyze_outcomes.py | 2 ++ tests/scripts/components-configuration-platform.sh | 12 +++++++----- tests/scripts/components-configuration.sh | 3 ++- 6 files changed, 18 insertions(+), 10 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 2c2b48ed82..0e906ab4a3 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -210,7 +210,7 @@ static int run_test_snprintf(void) * back. */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) static void dummy_entropy(unsigned char *output, size_t output_size) { srand(1); @@ -239,7 +239,7 @@ static void create_entropy_seed_file(void) static int mbedtls_entropy_self_test_wrapper(int verbose) { -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) create_entropy_seed_file(); #endif return mbedtls_entropy_self_test(verbose); diff --git a/scripts/config.py b/scripts/config.py index 20555db846..8493ee655f 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -180,8 +180,10 @@ def baremetal_adapter(name, value, active): """Config adapter for "baremetal".""" if not is_boolean_setting(name, value): return active - if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT': + if name == 'MBEDTLS_PSA_BUILTIN_GET_ENTROPY': # No OS-provided entropy source + return False + if name == 'MBEDTLS_PSA_DRIVER_GET_ENTROPY': return True return include_in_full(name) and keep_in_baremetal(name) diff --git a/scripts/footprint.sh b/scripts/footprint.sh index e45a9265ac..e7078cff16 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -64,7 +64,8 @@ doit() scripts/config.py unset MBEDTLS_NET_C || true scripts/config.py unset MBEDTLS_TIMING_C || true scripts/config.py unset MBEDTLS_FS_IO || true - scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY || true + scripts/config.py --force set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true } >/dev/null 2>&1 make clean >/dev/null diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index d1bb553c67..a6f03a83c9 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -128,6 +128,8 @@ class CoverageTask(outcome_analysis.CoverageTask): # PSA entropy drivers. # https://github.com/Mbed-TLS/mbedtls/issues/8150 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', + # Obsolete config option that we are about to remove + 'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT', # Untested aspect of the platform interface. # https://github.com/Mbed-TLS/mbedtls/issues/9589 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', diff --git a/tests/scripts/components-configuration-platform.sh b/tests/scripts/components-configuration-platform.sh index ade207a650..b408bec618 100644 --- a/tests/scripts/components-configuration-platform.sh +++ b/tests/scripts/components-configuration-platform.sh @@ -20,17 +20,18 @@ component_build_no_std_function () { make } -component_test_platform_get_entropy_alt() +component_test_psa_driver_get_entropy() { - msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "build: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" # Use hardware polling as the only source for entropy - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make # Run all the tests - msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "test: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" make test } @@ -40,7 +41,8 @@ component_build_no_sockets () { msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s scripts/config.py full scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY # prevent syscall() on GNU/Linux + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib } diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 5fd9ede124..a35704f299 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -284,7 +284,8 @@ component_test_no_platform () { # Use the test alternative implementation of mbedtls_platform_get_entropy() # which is provided in "framework/tests/src/fake_external_rng_for_test.c" # since the default one is excluded in this scenario. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, # to re-enable platform integration features otherwise disabled in C99 builds make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs From ab7610c318a2d81f65daaa441461ea8b9b85fcba Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 3 Sep 2025 10:02:03 +0200 Subject: [PATCH 4/6] Cleanup following the removal of entropy options Cleanup following the removal in TF-PSA-Crypto of: - MBEDTLS_NO_PLATFORM_ENTROPY - MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES - MBEDTLS_ENTROPY_HARDWARE_ALT - MBEDTLS_ENTROPY_MIN_HARDWARE Only MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES was still present in Mbed TLS. Signed-off-by: Ronald Cron --- scripts/config.py | 1 - tests/scripts/analyze_outcomes.py | 4 ---- 2 files changed, 5 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 8493ee655f..e60d1606f1 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -85,7 +85,6 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum - 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PSA_DRIVER_GET_ENTROPY', # incompatible with MBEDTLS_PSA_BUILTIN_GET_ENTROPY 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index a6f03a83c9..8660e68942 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -124,10 +124,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # Untested platform-specific optimizations. # https://github.com/Mbed-TLS/mbedtls/issues/9588 'Config: MBEDTLS_HAVE_SSE2', - # Obsolete configuration options, to be replaced by - # PSA entropy drivers. - # https://github.com/Mbed-TLS/mbedtls/issues/8150 - 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # Obsolete config option that we are about to remove 'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT', # Untested aspect of the platform interface. From b01be14907e669bcf9676e86a5cf73352209a96a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 10 Sep 2025 12:01:52 +0200 Subject: [PATCH 5/6] Fix footprint.sh Signed-off-by: Ronald Cron --- scripts/footprint.sh | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/scripts/footprint.sh b/scripts/footprint.sh index e7078cff16..c228a26c04 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -19,6 +19,7 @@ set -eu CONFIG_H='include/mbedtls/mbedtls_config.h' +CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h' if [ -r $CONFIG_H ]; then :; else echo "$CONFIG_H not found" >&2 @@ -27,6 +28,13 @@ if [ -r $CONFIG_H ]; then :; else exit 1 fi +if [ -r $CRYPTO_CONFIG_H ]; then :; else + echo "$CRYPTO_CONFIG_H not found" >&2 + echo "This script needs to be run from the root of" >&2 + echo "a git checkout or uncompressed tarball" >&2 + exit 1 +fi + if grep -i cmake Makefile >/dev/null; then echo "Not compatible with CMake" >&2 exit 1 @@ -56,16 +64,25 @@ doit() log "$NAME ($FILE):" cp $CONFIG_H ${CONFIG_H}.bak + cp $CRYPTO_CONFIG_H ${CRYPTO_CONFIG_H}.bak if [ "$FILE" != $CONFIG_H ]; then + CRYPTO_FILE="${FILE%/*}/crypto-${FILE##*/}" cp "$FILE" $CONFIG_H + cp "$CRYPTO_FILE" $CRYPTO_CONFIG_H fi { + scripts/config.py unset MBEDTLS_HAVE_TIME || true + scripts/config.py unset MBEDTLS_HAVE_TIME_DATE || true scripts/config.py unset MBEDTLS_NET_C || true scripts/config.py unset MBEDTLS_TIMING_C || true scripts/config.py unset MBEDTLS_FS_IO || true + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C || true + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C || true scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY || true - scripts/config.py --force set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true + # Force the definition of MBEDTLS_PSA_DRIVER_GET_ENTROPY as it may + # not exist in custom configurations. + scripts/config.py --force -f ${CRYPTO_CONFIG_H} set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true } >/dev/null 2>&1 make clean >/dev/null @@ -77,7 +94,8 @@ doit() log "$( head -n1 "$OUT" )" log "$( tail -n1 "$OUT" )" - cp ${CONFIG_H}.bak $CONFIG_H + mv ${CONFIG_H}.bak $CONFIG_H + mv ${CRYPTO_CONFIG_H}.bak $CRYPTO_CONFIG_H } # truncate the file just this time From 9a10e398faac5441ed61075ca74ddc867dda1165 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 10 Sep 2025 17:08:12 +0200 Subject: [PATCH 6/6] Simplify footprint.sh Signed-off-by: Ronald Cron --- scripts/footprint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/footprint.sh b/scripts/footprint.sh index c228a26c04..1f2945159e 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -21,14 +21,14 @@ set -eu CONFIG_H='include/mbedtls/mbedtls_config.h' CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h' -if [ -r $CONFIG_H ]; then :; else +if [ ! -r $CONFIG_H ]; then echo "$CONFIG_H not found" >&2 echo "This script needs to be run from the root of" >&2 echo "a git checkout or uncompressed tarball" >&2 exit 1 fi -if [ -r $CRYPTO_CONFIG_H ]; then :; else +if [ ! -r $CRYPTO_CONFIG_H ]; then echo "$CRYPTO_CONFIG_H not found" >&2 echo "This script needs to be run from the root of" >&2 echo "a git checkout or uncompressed tarball" >&2