From d1307a1d40aa18e324f6f7eeafdd2eada1184d7a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:14:17 +0000 Subject: [PATCH 01/12] components-configuration-crypto: Migrated simple ASAN components. Migrate all straightfoward components from using $ASAN_CFLAGS to CMAKE_BUILD_TYPE:String=Asan Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 23 +++++++++++-------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index b17507a9ea..7c0bee9d5a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -49,7 +49,9 @@ component_test_crypto_with_static_key_slots() { scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . + ctest } # check_renamed_symbols HEADER LIB @@ -238,7 +240,7 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" make test @@ -256,7 +258,7 @@ component_test_psa_external_rng_use_psa_crypto () { scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" make test @@ -273,7 +275,7 @@ component_full_no_pkparse_pkwrite () { scripts/config.py unset MBEDTLS_PK_WRITE_C CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). not grep mbedtls_pk_parse_key ${CMAKE_BUILTIN_BUILD_DIR}/pkparse.c.o @@ -466,7 +468,7 @@ component_test_everest_curve25519_only () { scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: Everest ECDH context, only Curve25519" # ~ 50s make test @@ -565,10 +567,11 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: full config - only DH 2048" - $MAKE_COMMAND test + make test msg "ssl-opt: full config - only DH 2048" tests/ssl-opt.sh -f "ffdh" @@ -1365,7 +1368,7 @@ build_and_test_psa_want_key_pair_partial () { scripts/config.py unset "$disabled_psa_want" CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: $base_config - ${disabled_psa_want}" make test @@ -1895,7 +1898,7 @@ component_test_aead_chachapoly_disabled () { scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: full minus CHACHAPOLY" make test @@ -1908,7 +1911,7 @@ component_test_aead_only_ccm () { scripts/config.py unset PSA_WANT_ALG_GCM CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + cmake --build . msg "test: full minus CHACHAPOLY and GCM" make test From 3baeee8647cacc821640b633178acd527d99c231 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:18:17 +0000 Subject: [PATCH 02/12] components-configuration-crypto: Migrated test_full_static_keystore to cmake Optimization for size (-Os) is required. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 7c0bee9d5a..1ceeb67a15 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2343,10 +2343,10 @@ component_test_full_static_keystore () { msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC - $MAKE_COMMAND CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" - + CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" - $MAKE_COMMAND test + make test } component_test_psa_crypto_drivers () { From 279c016d87f13b2bf703dd700ff010947db6f9e6 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:25:16 +0000 Subject: [PATCH 03/12] components-configuration-crypto: Migrated test_tfm_config_p256m_driver_accel_ec to cmake Compilation flags, and spe include directories have been adjusted Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 1ceeb67a15..95862ff045 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1299,8 +1299,8 @@ component_test_tfm_config_p256m_driver_accel_ec () { common_tfm_config # Build crypto library - CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${CMAKE_BUILTIN_BUILD_DIR}/ecdsa.c.o From 6db68f929bae044814d281ad45bfafcd67243f6f Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:33:31 +0000 Subject: [PATCH 04/12] components-configuration-crypto: Migrated straightforwad Release components to cmake - By default all unspecified build-type components should be release - CMAKE_BUILD_TYPE:String=Release enables the following CFLAGS: "-O2 -Werror -Wall -Wextra" Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 106 +++++++++++------- 1 file changed, 63 insertions(+), 43 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 95862ff045..4a77fede2d 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -141,10 +141,11 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - $MAKE_COMMAND test + make test } component_test_no_pem_no_fs () { @@ -357,13 +358,13 @@ component_test_full_no_cipher () { # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_NIST_KW_C - $MAKE_COMMAND - + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Ensure that CIPHER_C was not re-enabled not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o msg "test: full no CIPHER" - $MAKE_COMMAND test + make test } component_test_full_no_ccm () { @@ -382,10 +383,11 @@ component_test_full_no_ccm () { # PSA_WANT_ALG_CCM to be re-enabled. scripts/config.py unset PSA_WANT_ALG_CCM - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full no PSA_WANT_ALG_CCM" - $MAKE_COMMAND test + make test } component_test_full_no_ccm_star_no_tag () { @@ -413,13 +415,14 @@ component_test_full_no_ccm_star_no_tag () { scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - $MAKE_COMMAND test + make test } component_test_config_symmetric_only () { @@ -976,10 +979,11 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () { config_psa_crypto_config_ecp_light_only 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test suites: full with non-accelerated EC algs" - $MAKE_COMMAND test + make test msg "ssl-opt: full with non-accelerated EC algs" tests/ssl-opt.sh @@ -1074,10 +1078,11 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { config_psa_crypto_no_ecp_at_all 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full + non accelerated EC algs" - $MAKE_COMMAND test + make test msg "ssl-opt: full + non accelerated EC algs" tests/ssl-opt.sh @@ -1240,10 +1245,11 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test suites: full + non accelerated EC algs + USE_PSA" - $MAKE_COMMAND test + make test msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" tests/ssl-opt.sh @@ -1445,12 +1451,13 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # Build # ----- - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Run the tests # ------------- msg "test: crypto_full with non-accelerated RSA" - $MAKE_COMMAND test + make test } # This is a temporary test to verify that full RSA support is present even when @@ -1480,10 +1487,11 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - $MAKE_COMMAND test + make test # Parse only 1 relevant line from the outcome file, i.e. a test which is # performing RSA signature. @@ -1599,10 +1607,11 @@ component_test_psa_crypto_config_reference_hash_use_psa () { config_psa_crypto_hash_use_psa 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full without accelerated hashes" - $MAKE_COMMAND test + make test msg "test: ssl-opt.sh, full without accelerated hashes" tests/ssl-opt.sh @@ -1668,10 +1677,11 @@ component_test_psa_crypto_config_reference_hmac () { config_psa_crypto_hmac_use_psa 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full without accelerated hmac" - $MAKE_COMMAND test + make test } component_test_psa_crypto_config_accel_aead () { @@ -1772,10 +1782,11 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" common_psa_crypto_config_accel_cipher_aead_cmac - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" - $MAKE_COMMAND test + make test msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. @@ -1886,10 +1897,11 @@ component_test_full_block_cipher_legacy_dispatch () { common_block_cipher_dispatch 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full + legacy dispatch in block_cipher" - $MAKE_COMMAND test + make test } component_test_aead_chachapoly_disabled () { @@ -1924,9 +1936,10 @@ component_test_ccm_aes_sha256 () { echo '#define MBEDTLS_CONFIG_H ' >"$CONFIG_H" cp tf-psa-crypto/configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: CCM + AES + SHA256 configuration" - $MAKE_COMMAND test + make test } # Test that the given .o file builds with all (valid) combinations of the given options. @@ -2083,10 +2096,11 @@ component_test_aes_only_128_bit_keys () { scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" - $MAKE_COMMAND test + make test } component_test_no_ctr_drbg_aes_only_128_bit_keys () { @@ -2095,10 +2109,11 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () { scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 scripts/config.py unset MBEDTLS_CTR_DRBG_C - $MAKE_COMMAND CC=clang CFLAGS='-Werror -Wall -Wextra' + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - $MAKE_COMMAND test + make test } component_test_aes_only_128_bit_keys_have_builtins () { @@ -2108,10 +2123,11 @@ component_test_aes_only_128_bit_keys_have_builtins () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - $MAKE_COMMAND test + make test msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" programs/test/selftest @@ -2123,38 +2139,42 @@ component_test_gcm_largetable () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" - $MAKE_COMMAND test + make test } component_test_aes_fewer_tables () { msg "build: default config with AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_FEWER_TABLES" - $MAKE_COMMAND test + make test } component_test_aes_rom_tables () { msg "build: default config with AES_ROM_TABLES enabled" scripts/config.py set MBEDTLS_AES_ROM_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_ROM_TABLES" - $MAKE_COMMAND test + make test } component_test_aes_fewer_tables_and_rom_tables () { msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES scripts/config.py set MBEDTLS_AES_ROM_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" - $MAKE_COMMAND test + make test } # helper for component_test_block_cipher_no_decrypt_aesni() which: From 5e995918703ba53215430ebb8bc4addef111d027 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:42:17 +0000 Subject: [PATCH 05/12] components-configuration-crypto: Migrated include dir dependant Release components to cmake Moved the following components to CMAKE_BUILD_TYPE:String=Release and adjusted the include paths for cmake: * component_build_psa_crypto_spm * component_test_tfm_config_no_p256m Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 4a77fede2d..7e5f453774 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -71,7 +71,8 @@ component_build_psa_crypto_spm () { # We can only compile, not link, since our test and sample programs # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM # is active. - $MAKE_COMMAND CC=gcc CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' lib + CFLAGS="-I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . --target lib # Check that if a symbol is renamed by crypto_spe.h, the non-renamed # version is not present. @@ -1339,8 +1340,8 @@ component_test_tfm_config_no_p256m () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_PSA_P256M_DRIVER_ENABLED msg "build: TF-M config without p256m" - $MAKE_COMMAND CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests - + CFLAGS="-I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Check that p256m was not built not grep p256_ecdsa_ library/libmbedcrypto.a @@ -1349,7 +1350,7 @@ component_test_tfm_config_no_p256m () { not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o msg "test: TF-M config without p256m" - $MAKE_COMMAND test + make test } # This is an helper used by: From 1fcca1f255e28149b44aa958902889d8018e1f5e Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:46:54 +0000 Subject: [PATCH 06/12] component-configuration-crypto: Migrated component_test_crypto_full_md_light_only to cmake Use compilation directory for object discovery in out-of-source CMake builds. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 7e5f453774..7b87139994 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -323,17 +323,23 @@ component_test_crypto_full_md_light_only () { # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C + # Note: Creating a directory, ensures cmake will not use a random name to + # place the compilation object files. + mkdir mdtest && cd mdtest + MD_OBJECT_PATH="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" + # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan ../ + cmake --build . # Make sure we don't have the HMAC functions, but the hashing functions - not grep mbedtls_md_hmac ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o - grep mbedtls_md ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o + not grep mbedtls_md_hmac ${MD_OBJECT_PATH}/md.c.o + grep mbedtls_md ${MD_OBJECT_PATH}/md.c.o msg "test: crypto_full with only the light subset of MD" make test + cd .. && rm -r mdtest } component_test_full_no_cipher () { From 486b6c82525aa1e363bdd056ff224f9469d37e68 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:56:31 +0000 Subject: [PATCH 07/12] components-configuration-crypto: Migrated components with custom LDFLAGS to cmake Certain testing components require building with a specific subset of LDFLAGS, such as `-O1`. This patch moves them to the default cmake invokation of `cmake .` which is the equivalent of `cmake -D CMAKE_BUILD_TYPE:String=None .` Also remove flags such as `-Werror` which are present in all configs. Improve compilation flag granularity by disabling CMAKE_BUILD_TYPE defaults and asserting test-specific flags manually. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 7b87139994..0a10058430 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -525,14 +525,18 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - $MAKE_COMMAND CFLAGS='-O1 -Werror' all test + CFLAGS="-O1" cmake . + cmake --build . + make test are_empty_libraries library/libmbedx509.* library/libmbedtls.* } component_build_crypto_baremetal () { msg "build: make, crypto only, baremetal config" scripts/config.py crypto_baremetal - $MAKE_COMMAND CFLAGS="-O1 -Werror -I$PWD/framework/tests/include/baremetal-override/" + CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake . + cmake --build . + make test are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -2220,7 +2224,8 @@ helper_block_cipher_no_decrypt_build_test () { msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" $MAKE_COMMAND clean - $MAKE_COMMAND CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" + CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" cmake . + cmake --build . # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o @@ -2370,7 +2375,7 @@ component_test_full_static_keystore () { msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC - CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . + CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake . cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" make test From 8cdccdecd2e471367bfcd047cbb404c421f7f834 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 12:14:59 +0000 Subject: [PATCH 08/12] component-configuration-crypto: Migrated build_psa_alt_headers The original make -C tests, contains a perl inliner to generate the alt-headers. Replicated that logic in sed regex. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 0a10058430..d8f6a9f3a6 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2427,15 +2427,21 @@ component_build_psa_config_file () { component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s + PSA_ALT_HDRS="$PWD/framework/tests/include/alt-extra" # Generate alternative versions of the substitutable headers with the # same content except different include guards. - make -C tests ../framework/tests/include/alt-extra/psa/crypto_platform_alt.h ../framework/tests/include/alt-extra/psa/crypto_struct_alt.h + sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ + tf-psa-crypto/include/psa/crypto_platform.h \ + > $PSA_ALT_HDRS/psa/crypto_platform_alt.h + + sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ + tf-psa-crypto/include/psa/crypto_struct.h \ + > $PSA_ALT_HDRS/psa/crypto_struct_alt.h # Build the library and some programs. - # Don't build the fuzzers to avoid having to go through hoops to set - # a correct include path for programs/fuzz/Makefile. - $MAKE_COMMAND CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib - make -C programs -o fuzz CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" + CFLAGS="-I$PSA_ALT_HDRS -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . --target lib + cmake --build . --target programs # Check that we're getting the alternative include guards and not the # original include guards. From 69545a87af818b7e602d003f95ade2cde8e6af49 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 2 Dec 2025 11:42:40 +0000 Subject: [PATCH 09/12] component-configuration-crypto: Added consistent cmake commands. Update the previously modified component to use consistent syntax: * make -> cmake --build . * make test -> ctest Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 72 +++++++++---------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index d8f6a9f3a6..67e2949eb7 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -146,7 +146,7 @@ component_test_no_rsa_key_pair_generation () { cmake --build . msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - make test + ctest } component_test_no_pem_no_fs () { @@ -245,7 +245,7 @@ component_test_psa_external_rng_no_drbg_use_psa () { cmake --build . msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - make test + ctest msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|opaque' @@ -263,7 +263,7 @@ component_test_psa_external_rng_use_psa_crypto () { cmake --build . msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" - make test + ctest msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' @@ -284,7 +284,7 @@ component_full_no_pkparse_pkwrite () { not grep mbedtls_pk_write_key_der ${CMAKE_BUILTIN_BUILD_DIR}/pkwrite.c.o msg "test: full without pkparse and pkwrite" - make test + ctest } component_full_no_pkwrite () { @@ -338,7 +338,7 @@ component_test_crypto_full_md_light_only () { grep mbedtls_md ${MD_OBJECT_PATH}/md.c.o msg "test: crypto_full with only the light subset of MD" - make test + ctest cd .. && rm -r mdtest } @@ -371,7 +371,7 @@ component_test_full_no_cipher () { not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o msg "test: full no CIPHER" - make test + ctest } component_test_full_no_ccm () { @@ -394,7 +394,7 @@ component_test_full_no_ccm () { cmake --build . msg "test: full no PSA_WANT_ALG_CCM" - make test + ctest } component_test_full_no_ccm_star_no_tag () { @@ -429,7 +429,7 @@ component_test_full_no_ccm_star_no_tag () { not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - make test + ctest } component_test_config_symmetric_only () { @@ -481,7 +481,7 @@ component_test_everest_curve25519_only () { cmake --build . msg "test: Everest ECDH context, only Curve25519" # ~ 50s - make test + ctest } component_test_psa_collect_statuses () { @@ -527,7 +527,7 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_PK_WRITE_C CFLAGS="-O1" cmake . cmake --build . - make test + ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -536,7 +536,7 @@ component_build_crypto_baremetal () { scripts/config.py crypto_baremetal CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake . cmake --build . - make test + ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -585,7 +585,7 @@ component_test_psa_crypto_config_ffdh_2048_only () { cmake --build . msg "test: full config - only DH 2048" - make test + ctest msg "ssl-opt: full config - only DH 2048" tests/ssl-opt.sh -f "ffdh" @@ -994,7 +994,7 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () { cmake --build . msg "test suites: full with non-accelerated EC algs" - make test + ctest msg "ssl-opt: full with non-accelerated EC algs" tests/ssl-opt.sh @@ -1093,7 +1093,7 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { cmake --build . msg "test: full + non accelerated EC algs" - make test + ctest msg "ssl-opt: full + non accelerated EC algs" tests/ssl-opt.sh @@ -1260,7 +1260,7 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { cmake --build . msg "test suites: full + non accelerated EC algs + USE_PSA" - make test + ctest msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" tests/ssl-opt.sh @@ -1336,7 +1336,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - make test + ctest } # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as @@ -1360,7 +1360,7 @@ component_test_tfm_config_no_p256m () { not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o msg "test: TF-M config without p256m" - make test + ctest } # This is an helper used by: @@ -1388,7 +1388,7 @@ build_and_test_psa_want_key_pair_partial () { cmake --build . msg "test: $base_config - ${disabled_psa_want}" - make test + ctest } component_test_psa_ecc_key_pair_no_derive () { @@ -1468,7 +1468,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # Run the tests # ------------- msg "test: crypto_full with non-accelerated RSA" - make test + ctest } # This is a temporary test to verify that full RSA support is present even when @@ -1502,7 +1502,7 @@ component_test_new_psa_want_key_pair_symbol () { cmake --build . msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - make test + ctest # Parse only 1 relevant line from the outcome file, i.e. a test which is # performing RSA signature. @@ -1622,7 +1622,7 @@ component_test_psa_crypto_config_reference_hash_use_psa () { cmake --build . msg "test: full without accelerated hashes" - make test + ctest msg "test: ssl-opt.sh, full without accelerated hashes" tests/ssl-opt.sh @@ -1692,7 +1692,7 @@ component_test_psa_crypto_config_reference_hmac () { cmake --build . msg "test: full without accelerated hmac" - make test + ctest } component_test_psa_crypto_config_accel_aead () { @@ -1797,7 +1797,7 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { cmake --build . msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" - make test + ctest msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. @@ -1912,7 +1912,7 @@ component_test_full_block_cipher_legacy_dispatch () { cmake --build . msg "test: full + legacy dispatch in block_cipher" - make test + ctest } component_test_aead_chachapoly_disabled () { @@ -1924,7 +1924,7 @@ component_test_aead_chachapoly_disabled () { cmake --build . msg "test: full minus CHACHAPOLY" - make test + ctest } component_test_aead_only_ccm () { @@ -1937,7 +1937,7 @@ component_test_aead_only_ccm () { cmake --build . msg "test: full minus CHACHAPOLY and GCM" - make test + ctest } component_test_ccm_aes_sha256 () { @@ -1950,7 +1950,7 @@ component_test_ccm_aes_sha256 () { cmake -D CMAKE_BUILD_TYPE:String=Release . cmake --build . msg "test: CCM + AES + SHA256 configuration" - make test + ctest } # Test that the given .o file builds with all (valid) combinations of the given options. @@ -2111,7 +2111,7 @@ component_test_aes_only_128_bit_keys () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" - make test + ctest } component_test_no_ctr_drbg_aes_only_128_bit_keys () { @@ -2124,7 +2124,7 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - make test + ctest } component_test_aes_only_128_bit_keys_have_builtins () { @@ -2138,7 +2138,7 @@ component_test_aes_only_128_bit_keys_have_builtins () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - make test + ctest msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" programs/test/selftest @@ -2154,7 +2154,7 @@ component_test_gcm_largetable () { cmake --build . msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" - make test + ctest } component_test_aes_fewer_tables () { @@ -2164,7 +2164,7 @@ component_test_aes_fewer_tables () { cmake --build . msg "test: AES_FEWER_TABLES" - make test + ctest } component_test_aes_rom_tables () { @@ -2174,7 +2174,7 @@ component_test_aes_rom_tables () { cmake --build . msg "test: AES_ROM_TABLES" - make test + ctest } component_test_aes_fewer_tables_and_rom_tables () { @@ -2185,7 +2185,7 @@ component_test_aes_fewer_tables_and_rom_tables () { cmake --build . msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" - make test + ctest } # helper for component_test_block_cipher_no_decrypt_aesni() which: @@ -2237,7 +2237,7 @@ helper_block_cipher_no_decrypt_build_test () { not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - $MAKE_COMMAND test + ctest msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest @@ -2378,7 +2378,7 @@ component_test_full_static_keystore () { CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake . cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" - make test + ctest } component_test_psa_crypto_drivers () { From 67a9123b23f5399f88e58e75341794a217dfbed2 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Dec 2025 14:38:01 +0000 Subject: [PATCH 10/12] component-configuration-crypto: Changed location of psa-alt-header build_psa_alt_headers will now generate the headers at ./tests/include/alt-dummy instead of ./framework/tests/include/alt-extra. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 67e2949eb7..e742d810c6 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2427,16 +2427,17 @@ component_build_psa_config_file () { component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s - PSA_ALT_HDRS="$PWD/framework/tests/include/alt-extra" + PSA_ALT_HDRS="$PWD/tests/include/alt-dummy" + mkdir -p "$PSA_ALT_HDRS/psa" # Generate alternative versions of the substitutable headers with the # same content except different include guards. sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ tf-psa-crypto/include/psa/crypto_platform.h \ - > $PSA_ALT_HDRS/psa/crypto_platform_alt.h + > "$PSA_ALT_HDRS/psa/crypto_platform_alt.h" sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ tf-psa-crypto/include/psa/crypto_struct.h \ - > $PSA_ALT_HDRS/psa/crypto_struct_alt.h + > "$PSA_ALT_HDRS/psa/crypto_struct_alt.h" # Build the library and some programs. CFLAGS="-I$PSA_ALT_HDRS -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" cmake -D CMAKE_BUILD_TYPE:String=Release . @@ -2449,6 +2450,9 @@ component_build_psa_alt_headers () { programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H + + # Explicitly clean up generated alt headers + rm -f "$PSA_ALT_HDRS/psa/crypto_platform_alt.h" "$PSA_ALT_HDRS/psa/crypto_struct_alt.h" } component_test_min_mpi_window_size () { From 0c297de53c29bae1ca853f5a3c709a3531ac71be Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 12 Jan 2026 12:10:06 +0000 Subject: [PATCH 11/12] component-configuration-crypto: Changed cleanup order. Adjusted helper_block_cipher_no_decrypt_build_test to cleanup the directory after all the tests have been executed. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index e742d810c6..6d165a2bd6 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2223,7 +2223,6 @@ helper_block_cipher_no_decrypt_build_test () { [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - $MAKE_COMMAND clean CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" cmake . cmake --build . @@ -2241,6 +2240,7 @@ helper_block_cipher_no_decrypt_build_test () { msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest + cmake --build . --target clean } # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: From 2ad6e5ba6c7e341aa0ca0d5cb4a8be44a074cee1 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 12 Jan 2026 12:18:22 +0000 Subject: [PATCH 12/12] component-configuration-crypto: Adjusted test_crypto_full_md_light_only Adjusted component to utilise the CMAKE_BUILTIN_BUILD_DIR Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 6d165a2bd6..19409e5c29 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -323,23 +323,17 @@ component_test_crypto_full_md_light_only () { # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C - # Note: Creating a directory, ensures cmake will not use a random name to - # place the compilation object files. - mkdir mdtest && cd mdtest - MD_OBJECT_PATH="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" - # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan ../ + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . # Make sure we don't have the HMAC functions, but the hashing functions - not grep mbedtls_md_hmac ${MD_OBJECT_PATH}/md.c.o - grep mbedtls_md ${MD_OBJECT_PATH}/md.c.o + not grep mbedtls_md_hmac ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o + grep mbedtls_md ${CMAKE_BUILTIN_BUILD_DIR}/md.c.o msg "test: crypto_full with only the light subset of MD" ctest - cd .. && rm -r mdtest } component_test_full_no_cipher () {