From a1502f54f5c15e7ae00793001b7e56813af624ef Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 10 Dec 2025 18:19:36 +0100 Subject: [PATCH 01/20] Drop the ability to build the library without the framework We put that in 3.6.0 because we wanted to minimize changes in a minor release, and in particular we wanted users to be able to build the library if they were checking out a release tag without checking out submodules recursively. That was possible because 3.6.x release tags contain the generated files. Since 4.0.0, it's completely impossible to build Mbed TLS without the `tf-psa-crypto` submodule. So there's no point in trying to allow a build without the `framework` submodule. In the libtestdriver1 build, where we copy part of the framework, copy the framework makefile as well, which is what we use to check for the presence of the framework (even though the framework makefile doesn't do anything useful after all). Signed-off-by: Gilles Peskine --- library/Makefile | 16 +++++++--------- tests/Makefile | 2 +- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/library/Makefile b/library/Makefile index 9085ab481c..6d43b85e18 100644 --- a/library/Makefile +++ b/library/Makefile 
@@ -24,19 +24,17 @@ GENERATED_FILES += \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h -ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES))) - ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) - # Use the define keyword to get a multi-line message. - # GNU make appends ". Stop.", so tweak the ending of our message accordingly. - define error_message +ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) + # Use the define keyword to get a multi-line message. + # GNU make appends ". Stop.", so tweak the ending of our message accordingly. + define error_message $(MBEDTLS_PATH)/framework/exported.make not found. Run `git submodule update --init` to fetch the submodule contents. This is a fatal error - endef - $(error $(error_message)) - endif - include $(MBEDTLS_PATH)/framework/exported.make + endef + $(error $(error_message)) endif +include $(MBEDTLS_PATH)/framework/exported.make # Also see "include/mbedtls/mbedtls_config.h" diff --git a/tests/Makefile b/tests/Makefile index a52bc32f57..782ebc1200 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -334,7 +334,7 @@ libtestdriver1.a: mkdir ./libtestdriver1/tf-psa-crypto/drivers/p256-m touch ./libtestdriver1/tf-psa-crypto/drivers/everest/Makefile.inc touch ./libtestdriver1/tf-psa-crypto/drivers/p256-m/Makefile.inc - cp -Rf ../framework/scripts ./libtestdriver1/framework + cp -Rf ../framework/scripts ../framework/exported.make ./libtestdriver1/framework cp -Rf ../library ./libtestdriver1 cp -Rf ../include ./libtestdriver1 cp -Rf ../scripts ./libtestdriver1 From d13d041ed090bec4324687c4c154b2e66f7d0429 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 10 Dec 2025 18:23:21 +0100 Subject: [PATCH 02/20] Check for the framework submodule before anything else If we don't have submodules, we can't do anything. 
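Review bot: The `cp -Rf ../framework/scripts ../framework/exported.make ./libtestdriver1/framework` line in the `libtestdriver1.a` recipe carries no comment explaining why a makefile is copied alongside the scripts; the reason is only in the commit message. Without it the extra source looks removable, and removing it would trip the `framework/exported.make not found` check in library/Makefile for the copied tree. I would add, un-indented just above the command, `# exported.make is copied only because library/Makefile uses it to detect the framework submodule.` Also, with two sources `cp` needs `./libtestdriver1/framework` to exist already as a directory; presumably an earlier recipe line creates it, but the recipe starts outside this hunk, so please confirm.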
Signed-off-by: Gilles Peskine --- library/Makefile | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/library/Makefile b/library/Makefile index 6d43b85e18..c0d37fdb8d 100644 --- a/library/Makefile +++ b/library/Makefile @@ -2,6 +2,18 @@ ifndef MBEDTLS_PATH MBEDTLS_PATH := .. endif +ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) + # Use the define keyword to get a multi-line message. + # GNU make appends ". Stop.", so tweak the ending of our message accordingly. + define error_message +$(MBEDTLS_PATH)/framework/exported.make not found. +Run `git submodule update --init` to fetch the submodule contents. +This is a fatal error + endef + $(error $(error_message)) +endif +include $(MBEDTLS_PATH)/framework/exported.make + TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src @@ -24,18 +36,6 @@ GENERATED_FILES += \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h -ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) - # Use the define keyword to get a multi-line message. - # GNU make appends ". Stop.", so tweak the ending of our message accordingly. - define error_message -$(MBEDTLS_PATH)/framework/exported.make not found. -Run `git submodule update --init` to fetch the submodule contents. -This is a fatal error - endef - $(error $(error_message)) -endif -include $(MBEDTLS_PATH)/framework/exported.make - # Also see "include/mbedtls/mbedtls_config.h" CFLAGS ?= -O2 From 3884bf3d89eda2dd99d309845cd245b131ddeaf1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Dec 2025 14:31:33 +0100 Subject: [PATCH 03/20] Remove a XySSL-era comment that has run its course Signed-off-by: Gilles Peskine --- library/Makefile | 2 -- scripts/common.make | 4 ++-- 2 files changed, 2 insertions(+), 4 deletions(-) 
diff --git a/library/Makefile b/library/Makefile index c0d37fdb8d..1c05e1691f 100644 --- a/library/Makefile +++ b/library/Makefile @@ -36,8 +36,6 @@ GENERATED_FILES += \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h -# Also see "include/mbedtls/mbedtls_config.h" - CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral LDFLAGS ?= diff --git a/scripts/common.make b/scripts/common.make index c0e7b1d966..63be983cd4 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -1,5 +1,3 @@ -# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS - ifndef MBEDTLS_PATH MBEDTLS_PATH := .. endif @@ -23,6 +21,8 @@ WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic LDFLAGS ?= +# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS + LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \ -I$(MBEDTLS_PATH)/framework/tests/include \ -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include \ From f79f4014b67fc07fb8610c75fa6df3ac025834fd Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 15 Dec 2025 19:26:25 +0100 Subject: [PATCH 04/20] Fix missing dependencies of test_certs.h Signed-off-by: Gilles Peskine --- tests/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/Makefile b/tests/Makefile index 782ebc1200..5c956149e0 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -185,7 +185,7 @@ all: $(BINARIES) $(CRYPTO_BINARIES) mbedtls_test: $(MBEDTLS_TEST_OBJS) include/test/test_certs.h: ../framework/scripts/generate_test_cert_macros.py \ - $($(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies) + $(shell $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies) echo " Gen $@" $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --output $@ 
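Review bot: The `$(shell $(PYTHON) ... --list-dependencies)` now in the prerequisite list of `include/test/test_certs.h` is evaluated while tests/Makefile is being read, and a failure of the script goes undetected: make uses whatever was printed on stdout and carries on. If Python is missing or the framework script errors out, the rule silently falls back to the single script prerequisite, which is the state this commit sets out to fix. Consider capturing the list once with `TEST_CERTS_DEPS := $(shell $(PYTHON) ../framework/scripts/generate_test_cert_macros.py --list-dependencies)` and adding `$(if $(TEST_CERTS_DEPS),,$(warning could not list dependencies of test_certs.h))` so an empty result is visible. Only part of the surrounding file is visible in this hunk.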
From d78060bda6bb2ef2e1948bd6377204898dab2264 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Dec 2025 14:43:57 +0100 Subject: [PATCH 05/20] Get a clean run from make --warn-undefined-variables Except in psasim, which I am not touching at this time. Signed-off-by: Gilles Peskine --- scripts/common.make | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/scripts/common.make b/scripts/common.make index 63be983cd4..5350d87efc 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -95,6 +95,16 @@ $(strip $(shell )) endef +# Ensure that `THREADING` is always defined. This lets us get a clean run +# with `make --warn-undefined-variables` without making the conditionals +# below more complex than they already are. At this stage, if `$(THREADING)` +# is empty, it means we don't know yet whether the threading implementation +# requires extra `LDFLAGS`. Once we've done the analysis, if `$(THREADING)` +# is empty, it will mean that no extra `LDFLAGS` are required, either +# because threading is disabled or because the threading implementation +# doesn't require any extra `LDFLAGS`. +THREADING ?= + ifdef WINDOWS_BUILD DLEXT=dll EXEXT=.exe @@ -107,7 +117,7 @@ else # Not building for Windows DLEXT ?= so EXEXT= SHARED_SUFFIX= - ifndef THREADING + ifeq ($(THREADING),) # Auto-detect configurations with pthread. # If the call to remove_enabled_options returns "control", the symbols # are confirmed set and we link with pthread. @@ -123,6 +133,8 @@ else # Not building for Windows endif endif +PERL ?= perl + ifdef WINDOWS PYTHON ?= python else From a47cc276572371386d64378521f89a3860ee8c16 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Dec 2025 19:38:09 +0100 Subject: [PATCH 06/20] Fix mixup in dependencies for generated config checks Signed-off-by: Gilles Peskine --- library/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/Makefile b/library/Makefile index 1c05e1691f..807e3f1adb 100644 
--- a/library/Makefile +++ b/library/Makefile @@ -336,7 +336,7 @@ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_dr GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .) $(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ - $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + ../scripts/generate_config_checks.py \ ../framework/scripts/mbedtls_framework/config_checks_generator.py $(GENERATED_CONFIG_CHECK_FILES): echo " Gen $(GENERATED_CONFIG_CHECK_FILES)" @@ -348,7 +348,7 @@ TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ --list $(TF_PSA_CRYPTO_CORE_PATH)) $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ - ../scripts/generate_config_checks.py \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ ../framework/scripts/mbedtls_framework/config_checks_generator.py $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)" From 7bef731f0b709f3b9858bf6210fab79c0b675c23 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 10 Dec 2025 18:16:03 +0100 Subject: [PATCH 07/20] Create a TF-PSA-Crypto make helper for Mbed TLS Currently, Mbed TLS can be built with make, and we rely on this in many `all.sh` components. Mbed TLS knows how to build TF-PSA-Crypto, but this changes from time to time, and it's hard to do the necessary changes in both repositories at the same time. Create a file that Mbed TLS can consume to find out some information needed to build TF-PSA-Crypto, such as the locations of various files. Create this file in Mbed TLS. Once we have finished moving code to it, the file will move to TF-PSA-Crypto. 
Signed-off-by: Gilles Peskine --- library/Makefile | 2 ++ scripts/common.make | 2 ++ scripts/crypto-common.make | 25 +++++++++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 scripts/crypto-common.make diff --git a/library/Makefile b/library/Makefile index 807e3f1adb..8195e2423a 100644 --- a/library/Makefile +++ b/library/Makefile @@ -14,6 +14,8 @@ This is a fatal error endif include $(MBEDTLS_PATH)/framework/exported.make +include $(MBEDTLS_PATH)/scripts/crypto-common.make + TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src diff --git a/scripts/common.make b/scripts/common.make index 5350d87efc..9be3b2db53 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -16,6 +16,8 @@ This is a fatal error endif include $(MBEDTLS_PATH)/framework/exported.make +include $(MBEDTLS_PATH)/scripts/crypto-common.make + CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make new file mode 100644 index 0000000000..5a79bc482b --- /dev/null +++ b/scripts/crypto-common.make 
@@ -0,0 +1,25 @@
+# Helper code for the make build system in Mbed TLS: define some variables
+# providing information such as file paths.
+# This file is only meant to exist for a short transition period.
+# It may change or be removed without notice.
+# Do not use it if you are not Mbed TLS!
+
+# Assume that this makefile is located in a first-level subdirectory of the
+# Mbed TLS root, and is accessed directly (not via VPATH or such).
+# If this is not the case, TF_PSA_CRYPTO_PATH or MBEDTLS_PATH must be defined
+# before including this file.
+ifneq ($(origin TF_PSA_CRYPTO_PATH), undefined)
+ # TF_PSA_CRYPTO_PATH was defined before including this file, good.
+else ifneq ($(origin MBEDTLS_PATH), undefined)
+ TF_PSA_CRYPTO_PATH := $(MBEDTLS_PATH)/tf-psa-crypto
+else
+ # $(dir $(lastword $(MAKEFILE_LIST))) is the path to this file, possibly
+ # a relative path, with a trailing slash. Strip off another directory
+ # from that.
+ TF_PSA_CRYPTO_PATH := $(patsubst %/,%,$(dir $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))))/tf-psa-crypto
+endif
+
+ifeq (,$(wildcard $(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c))
+ $(error $$(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c not found)
+endif
+
From 46568f3c6ec367d0757bc9bbc6a7dea1304a8dec Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 11 Dec 2025 21:06:21 +0100 Subject: [PATCH 08/20] Move some crypto core and drivers variable definitions to crypto-common.make No behavior change. Signed-off-by: Gilles Peskine
---
library/Makefile | 18 +++++++----------- scripts/common.make | 5 ----- scripts/crypto-common.make | 9 +++++++++ 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/library/Makefile b/library/Makefile
index 8195e2423a..fc0cffb5c7 100644
--- a/library/Makefile
+++ b/library/Makefile
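Review bot: The `ifneq ($(origin TF_PSA_CRYPTO_PATH), undefined)` branch of the new scripts/crypto-common.make treats a value inherited from the environment exactly like one set by the including makefile, because `origin` returns `undefined` only when the variable is set nowhere. A `TF_PSA_CRYPTO_PATH` or `MBEDTLS_PATH` left exported in a developer or CI shell would therefore silently point the build at another tree, and the only validation is that `core/psa_crypto.c` exists there. If that is intended, the header comment should say so, e.g. `# Note: a value coming from the environment or the make command line also counts as "defined".` Separately, the `$(error ...)` line escapes the variable with `$$`, so the message prints the literal name rather than the path that was probed; `$(error $(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c not found)` would show where make actually looked.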
@@ -16,9 +16,6 @@ include $(MBEDTLS_PATH)/framework/exported.make include $(MBEDTLS_PATH)/scripts/crypto-common.make -TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core -TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src - # List the generated files without running a script, so that this # works with no tooling dependencies when GEN_FILES is disabled. GENERATED_FILES := \ @@ -46,10 +43,14 @@ LDFLAGS ?= # ../tf-psa-crypto/drivers/builtin/include for public headers and ., # ../tf-psa-crypto/core and ../tf-psa-crypto/drivers/builtin/src for # private headers. -LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../tf-psa-crypto/core \ +LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. \ + -I../tf-psa-crypto/core \ -I../tf-psa-crypto/drivers/builtin/src \ - -I../include -I../tf-psa-crypto/include \ - -I../tf-psa-crypto/drivers/builtin/include -D_FILE_OFFSET_BITS=64 + -I../include \ + -I../tf-psa-crypto/include \ + -I../tf-psa-crypto/drivers/builtin/include \ + $(THIRDPARTY_INCLUDES) \ + -D_FILE_OFFSET_BITS=64 LOCAL_LDFLAGS = ifdef DEBUG @@ -123,11 +124,6 @@ OBJS_CRYPTO = $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF GENERATED_OBJS_CRYPTO = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o OBJS_CRYPTO := $(filter-out $(GENERATED_OBJS_CRYPTO),$(OBJS_CRYPTO)) OBJS_CRYPTO += $(GENERATED_OBJS_CRYPTO) - -THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers -include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/everest/Makefile.inc -include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/p256-m/Makefile.inc -LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS) OBJS_X509= \ diff --git a/scripts/common.make b/scripts/common.make index 9be3b2db53..f3754e587c 100644 --- a/scripts/common.make +++ b/scripts/common.make 
@@ -47,11 +47,6 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ -lmbedcrypto$(SHARED_SUFFIX) endif -THIRDPARTY_DIR = $(MBEDTLS_PATH)/tf-psa-crypto/drivers -include $(THIRDPARTY_DIR)/everest/Makefile.inc -include $(THIRDPARTY_DIR)/p256-m/Makefile.inc -LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) - ifdef PSASIM MBEDLIBS=$(PSASIM_PATH)/client_libs/libmbedcrypto.a \ $(PSASIM_PATH)/client_libs/libmbedx509.a \ diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make index 5a79bc482b..315f14df10 100644 --- a/scripts/crypto-common.make +++ b/scripts/crypto-common.make @@ -23,3 +23,12 @@ ifeq (,$(wildcard $(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c)) $(error $$(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c not found) endif +TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core +TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src + +# Gather information about crypto drivers that are separate from the main +# "builtin" driver (historically located in /3rdparty in Mbed TLS 2.x/3.x). +THIRDPARTY_DIR := $(TF_PSA_CRYPTO_PATH)/drivers +THIRDPARTY_INCLUDES = +include $(TF_PSA_CRYPTO_PATH)/drivers/everest/Makefile.inc +include $(TF_PSA_CRYPTO_PATH)/drivers/p256-m/Makefile.inc From e3e4da61a8df430c1d1a6d43f7ecaf7893291e45 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Dec 2025 19:29:45 +0100 Subject: [PATCH 09/20] Use intermediate variables for TF-PSA-Crypto's contribution to LOCAL_CFLAGS Define these intermediate variables in the crypto helper file. No behavior change except possibly an inconsequential reordering of compiler options. Signed-off-by: Gilles Peskine --- library/Makefile | 13 ++++--------- scripts/common.make | 4 ++-- scripts/crypto-common.make | 13 +++++++++++++ tests/Makefile | 3 ++- 4 files changed, 21 insertions(+), 12 deletions(-) diff --git a/library/Makefile b/library/Makefile index fc0cffb5c7..ce18353950 100644 --- a/library/Makefile +++ b/library/Makefile 
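Review bot: In the scripts/crypto-common.make hunk, `TF_PSA_CRYPTO_CORE_PATH` and `TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH` are built from `$(MBEDTLS_PATH)`, while `THIRDPARTY_DIR` and the two `Makefile.inc` includes a few lines below use `$(TF_PSA_CRYPTO_PATH)`. The header of this file (added by the previous patch) lets a caller set only `TF_PSA_CRYPTO_PATH`, or neither variable. In those cases `MBEDTLS_PATH` can be empty, and the two variables would then expand to `/tf-psa-crypto/core` and `/tf-psa-crypto/drivers/builtin/src`, or name a different tree from the one that was checked for `core/psa_crypto.c`. I would write `TF_PSA_CRYPTO_CORE_PATH = $(TF_PSA_CRYPTO_PATH)/core` and `TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(TF_PSA_CRYPTO_PATH)/drivers/builtin/src` so every crypto path derives from the same root.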
@@ -39,17 +39,12 @@ CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral LDFLAGS ?= -# Include ../include, ../tf-psa-crypto/include and -# ../tf-psa-crypto/drivers/builtin/include for public headers and ., -# ../tf-psa-crypto/core and ../tf-psa-crypto/drivers/builtin/src for -# private headers. +# For the time being, Mbed TLS uses non-public interfaces of TF-PSA-Crypto, +# so we include both public and internal headers. LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. \ - -I../tf-psa-crypto/core \ - -I../tf-psa-crypto/drivers/builtin/src \ + $(TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE) \ -I../include \ - -I../tf-psa-crypto/include \ - -I../tf-psa-crypto/drivers/builtin/include \ - $(THIRDPARTY_INCLUDES) \ + $(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) \ -D_FILE_OFFSET_BITS=64 LOCAL_LDFLAGS = diff --git a/scripts/common.make b/scripts/common.make index f3754e587c..67ad341522 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -27,8 +27,8 @@ LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \ -I$(MBEDTLS_PATH)/framework/tests/include \ - -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include \ - -I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include \ + -I$(MBEDTLS_PATH)/include \ + $(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) \ -D_FILE_OFFSET_BITS=64 LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) $(LOCAL_CFLAGS) diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make index 315f14df10..8d00bd8bed 100644 --- a/scripts/crypto-common.make +++ b/scripts/crypto-common.make 
@@ -32,3 +32,16 @@ THIRDPARTY_DIR := $(TF_PSA_CRYPTO_PATH)/drivers THIRDPARTY_INCLUDES = include $(TF_PSA_CRYPTO_PATH)/drivers/everest/Makefile.inc include $(TF_PSA_CRYPTO_PATH)/drivers/p256-m/Makefile.inc + +# Directories with headers of public interfaces of TF-PSA-Crypto +TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE = \ + -I$(TF_PSA_CRYPTO_PATH)/include \ + -I$(TF_PSA_CRYPTO_PATH)/drivers/builtin/include \ + $(THIRDPARTY_INCLUDES) + +# Directories with headers of internal interfaces of TF-PSA-Crypto +# (currently consumed by Mbed TLS, eventually not so when we've finished +# cleaning up) +TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE = \ + -I$(TF_PSA_CRYPTO_PATH)/core \ + -I$(TF_PSA_CRYPTO_PATH)/drivers/builtin/src diff --git a/tests/Makefile b/tests/Makefile index 5c956149e0..7ebc10b6d0 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -5,7 +5,8 @@ include ../scripts/common.make TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,) # Also include private headers, for the sake of invasive tests. -LOCAL_CFLAGS += -I$(MBEDTLS_PATH)/library -I$(MBEDTLS_PATH)/tf-psa-crypto/core -I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src +LOCAL_CFLAGS += -I$(MBEDTLS_PATH)/library +LOCAL_CFLAGS += $(TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE) # Enable definition of various functions used throughout the testsuite # (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless From 260713499839bd1696c18704804482dc6a40483c Mon Sep 17 00:00:00 2001 
From: Gilles Peskine Date: Thu, 18 Dec 2025 14:57:15 +0100 Subject: [PATCH 10/20] Move configurable variables to the top Define variables that are meant to be possibly overridden on the make command line (or in a parent makefile) at the top. In particular, define them before including the crypto and framework makefiles, so these makefiles can use the default values if there's no parent setting. Also move some internal variables earlier or later, so that a subsequent refactoring step can have things in the right order in the mbedtls per-directory makefile: 1. Define variables consumed by the per-directory crypto makefile. 2. Include the per-directory crypto makefile. 3. Use variables defined by the per-directory crypto makefile. Signed-off-by: Gilles Peskine --- library/Makefile | 98 ++++++++++++++++++++++----------------------- scripts/common.make | 26 ++++++------ 2 files changed, 62 insertions(+), 62 deletions(-) diff --git a/library/Makefile b/library/Makefile index ce18353950..3ee40fb71c 100644 --- a/library/Makefile +++ b/library/Makefile @@ -1,3 +1,25 @@ +CFLAGS ?= -O2 +WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral +LDFLAGS ?= + +# MicroBlaze specific options: +# CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift + +# To compile on Plan9: +# CFLAGS += -D_BSD_EXTENSION + +PERL ?= perl + +ifdef WINDOWS +PYTHON ?= python +else +PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) +endif + +# Set AR_DASH= (empty string) to use an ar implementation that does not accept +# the - prefix for command line options (e.g. llvm-ar) +AR_DASH ?= - + ifndef MBEDTLS_PATH MBEDTLS_PATH := .. endif 
@@ -16,29 +38,6 @@ include $(MBEDTLS_PATH)/framework/exported.make include $(MBEDTLS_PATH)/scripts/crypto-common.make -# List the generated files without running a script, so that this -# works with no tooling dependencies when GEN_FILES is disabled. -GENERATED_FILES := \ - mbedtls_config_check_before.h \ - mbedtls_config_check_final.h \ - mbedtls_config_check_user.h \ - error.c \ - version_features.c \ - ssl_debug_helpers_generated.c - -# Also list the generated files from crypto that are needed in the build, -# because we don't have the list in a consumable form. -GENERATED_FILES += \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h - -CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -LDFLAGS ?= - # For the time being, Mbed TLS uses non-public interfaces of TF-PSA-Crypto, # so we include both public and internal headers. LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. \ @@ -52,20 +51,6 @@ ifdef DEBUG LOCAL_CFLAGS += -g3 endif -# MicroBlaze specific options: -# CFLAGS += -mno-xl-soft-mul -mxl-barrel-shift - -# To compile on Plan9: -# CFLAGS += -D_BSD_EXTENSION - -PERL ?= perl - -ifdef WINDOWS -PYTHON ?= python -else -PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) -endif - # if were running on Windows build for Windows ifdef WINDOWS WINDOWS_BUILD=1 @@ -91,10 +76,6 @@ SOEXT_TLS?=so.21 SOEXT_X509?=so.8 SOEXT_CRYPTO?=so.16 -# Set AR_DASH= (empty string) to use an ar implementation that does not accept -# the - prefix for command line options (e.g. llvm-ar) -AR_DASH ?= - - ARFLAGS = $(AR_DASH)src ifdef APPLE_BUILD ifneq ($(APPLE_BUILD),0) 
@@ -115,6 +96,14 @@ DLEXT = dylib endif endif +# See root Makefile +GEN_FILES ?= yes +ifdef GEN_FILES +gen_file_dep = +else +gen_file_dep = | +endif + OBJS_CRYPTO = $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c)) GENERATED_OBJS_CRYPTO = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o OBJS_CRYPTO := $(filter-out $(GENERATED_OBJS_CRYPTO),$(OBJS_CRYPTO)) @@ -279,17 +268,28 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -S -o $@ -c $< +# List the generated files without running a script, so that this +# works with no tooling dependencies when GEN_FILES is disabled. +GENERATED_FILES := \ + mbedtls_config_check_before.h \ + mbedtls_config_check_final.h \ + mbedtls_config_check_user.h \ + error.c \ + version_features.c \ + ssl_debug_helpers_generated.c + +# Also list the generated files from crypto that are needed in the build, +# because we don't have the list in a consumable form. +GENERATED_FILES += \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h + .PHONY: generated_files generated_files: $(GENERATED_FILES) -# See root Makefile -GEN_FILES ?= yes -ifdef GEN_FILES -gen_file_dep = -else -gen_file_dep = | -endif - error.c: $(gen_file_dep) ../scripts/generate_errors.pl error.c: $(gen_file_dep) ../scripts/data_files/error.fmt error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h)) diff --git a/scripts/common.make b/scripts/common.make index 67ad341522..dc9e148ee3 100644 --- a/scripts/common.make +++ b/scripts/common.make 
@@ -1,3 +1,16 @@ +CFLAGS ?= -O2 +WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral +WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic +LDFLAGS ?= + +PERL ?= perl + +ifdef WINDOWS +PYTHON ?= python +else +PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) +endif + ifndef MBEDTLS_PATH MBEDTLS_PATH := .. endif @@ -18,11 +31,6 @@ include $(MBEDTLS_PATH)/framework/exported.make include $(MBEDTLS_PATH)/scripts/crypto-common.make -CFLAGS ?= -O2 -WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic -LDFLAGS ?= - # To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \ @@ -130,14 +138,6 @@ else # Not building for Windows endif endif -PERL ?= perl - -ifdef WINDOWS -PYTHON ?= python -else -PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi) -endif - # See root Makefile GEN_FILES ?= yes ifdef GEN_FILES From c00bd2a6fb8bd1070b70174bb1b664cec3c79b0e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 16 Dec 2025 21:11:44 +0100 Subject: [PATCH 11/20] THREADING autodetection: only check the crypto config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When running the preprocessor to determine whether pthread is enabled, only use TF-PSA-Crypto include paths. Don't use the rest of `LOCAL_CFLAGS`, including Mbed TLS include paths, which aren't really useful here. This will simplify later refactorings, because it simplifies a dependency chain [crypto paths] → `LOCAL_CFLAGS` → `THREADING` → `LOCAL_LDFLAGS` into just [crypto paths] → `THREADING` → `LOCAL_LDFLAGS`. Signed-off-by: Gilles Peskine --- scripts/common.make | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) 
diff --git a/scripts/common.make b/scripts/common.make index dc9e148ee3..ee120a8ae8 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -79,23 +79,23 @@ ifdef WINDOWS WINDOWS_BUILD=1 endif -## Usage: $(call remove_enabled_options,PREPROCESSOR_INPUT) +## Usage: $(call remove_enabled_options_crypto,PREPROCESSOR_INPUT) ## Remove the preprocessor symbols that are set in the current configuration ## from PREPROCESSOR_INPUT. Also normalize whitespace. ## Example: -## $(call remove_enabled_options,MBEDTLS_FOO MBEDTLS_BAR) +## $(call remove_enabled_options_crypto,MBEDTLS_FOO MBEDTLS_BAR) ## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both -## enabled, to "MBEDTLS_FOO" if MBEDTLS_BAR is enabled but MBEDTLS_FOO is -## disabled, etc. +## enabled in the TF-PSA-Crypto configuration, to "MBEDTLS_FOO" if +## MBEDTLS_BAR is enabled but MBEDTLS_FOO is disabled, etc. ## ## This only works with a Unix-like shell environment (Bourne/POSIX-style shell ## and standard commands) and a Unix-like compiler (supporting -E). In ## other environments, the output is likely to be empty. -define remove_enabled_options +define remove_enabled_options_crypto $(strip $(shell exec 2>/dev/null; - { echo '#include '; echo $(1); } | - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -E - | + { echo '#include '; echo $(1); } | + $(CC) $(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) $(CFLAGS) -E - | tail -n 1 )) endef 
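Review bot: A failed preprocessor run in `remove_enabled_options_crypto` cannot be told apart from "option not enabled", because the `$(shell ...)` body starts with `exec 2>/dev/null` and an empty result is simply treated as no match. That matters more after this change: the compiler now receives only `$(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) $(CFLAGS)`, so a configuration header reachable only through an include directory that used to come from `LOCAL_CFLAGS` would make detection fail quietly and the link would omit `-lpthread`. Whether such a header exists cannot be seen from this hunk. I would record the limitation in the `##` block, e.g. `## A preprocessor failure is silent and looks like "disabled"; pass THREADING=pthread explicitly if auto-detection misfires.`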
@@ -117,21 +117,24 @@ ifdef WINDOWS_BUILD ifdef SHARED SHARED_SUFFIX=.$(DLEXT) endif - else # Not building for Windows DLEXT ?= so EXEXT= SHARED_SUFFIX= +endif + +ifndef WINDOWS_BUILD ifeq ($(THREADING),) # Auto-detect configurations with pthread. # If the call to remove_enabled_options returns "control", the symbols # are confirmed set and we link with pthread. # If the auto-detection fails, the result of the call is empty and # we keep THREADING undefined. - ifeq (control,$(call remove_enabled_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD)) + ifeq (control,$(call remove_enabled_options_crypto,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD)) THREADING := pthread endif endif + #$(info THREADING = $(THREADING)) ifeq ($(THREADING),pthread) LOCAL_LDFLAGS += -lpthread From ef25955786a81535c4479fe661ee58f7345136cf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 17 Dec 2025 14:55:42 +0100 Subject: [PATCH 12/20] Move THREADING autodetection to crypto-common.make Note that `THREADING` detection must be done after `TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE` is defined. Otherwise it won't detect whether pthread is needed, and will never link with `-lpthread`. Signed-off-by: Gilles Peskine --- scripts/common.make | 49 -------------------------------------- scripts/crypto-common.make | 49 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 49 deletions(-) diff --git a/scripts/common.make b/scripts/common.make index ee120a8ae8..e88506b308 100644 --- a/scripts/common.make +++ b/scripts/common.make 
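Review bot: The comment inside the `ifeq ($(THREADING),)` block still reads `If the call to remove_enabled_options returns "control"`, but the call on the line below it is now `remove_enabled_options_crypto`. Update it to `# If the call to remove_enabled_options_crypto returns "control", the symbols` so that a search for the macro name finds its only user. The same comment text appears in the block that a later patch in this series adds to scripts/crypto-common.make. Separately, `# we keep THREADING undefined.` no longer matches the code now that `THREADING ?=` always defines the variable; `empty` would be accurate.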
@@ -79,37 +79,6 @@ ifdef WINDOWS WINDOWS_BUILD=1 endif -## Usage: $(call remove_enabled_options_crypto,PREPROCESSOR_INPUT) -## Remove the preprocessor symbols that are set in the current configuration -## from PREPROCESSOR_INPUT. Also normalize whitespace. -## Example: -## $(call remove_enabled_options_crypto,MBEDTLS_FOO MBEDTLS_BAR) -## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both -## enabled in the TF-PSA-Crypto configuration, to "MBEDTLS_FOO" if -## MBEDTLS_BAR is enabled but MBEDTLS_FOO is disabled, etc. -## -## This only works with a Unix-like shell environment (Bourne/POSIX-style shell -## and standard commands) and a Unix-like compiler (supporting -E). In -## other environments, the output is likely to be empty. -define remove_enabled_options_crypto -$(strip $(shell - exec 2>/dev/null; - { echo '#include '; echo $(1); } | - $(CC) $(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) $(CFLAGS) -E - | - tail -n 1 -)) -endef - -# Ensure that `THREADING` is always defined. This lets us get a clean run -# with `make --warn-undefined-variables` without making the conditionals -# below more complex than they already are. At this stage, if `$(THREADING)` -# is empty, it means we don't know yet whether the threading implementation -# requires extra `LDFLAGS`. Once we've done the analysis, if `$(THREADING)` -# is empty, it will mean that no extra `LDFLAGS` are required, either -# because threading is disabled or because the threading implementation -# doesn't require any extra `LDFLAGS`. -THREADING ?= - ifdef WINDOWS_BUILD DLEXT=dll EXEXT=.exe 
@@ -123,24 +92,6 @@ else # Not building for Windows SHARED_SUFFIX= endif -ifndef WINDOWS_BUILD - ifeq ($(THREADING),) - # Auto-detect configurations with pthread. - # If the call to remove_enabled_options returns "control", the symbols - # are confirmed set and we link with pthread. - # If the auto-detection fails, the result of the call is empty and - # we keep THREADING undefined. - ifeq (control,$(call remove_enabled_options_crypto,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD)) - THREADING := pthread - endif - endif - #$(info THREADING = $(THREADING)) - - ifeq ($(THREADING),pthread) - LOCAL_LDFLAGS += -lpthread - endif -endif - # See root Makefile GEN_FILES ?= yes ifdef GEN_FILES diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make index 8d00bd8bed..85da8d802a 100644 --- a/scripts/crypto-common.make +++ b/scripts/crypto-common.make 
@@ -45,3 +45,52 @@ TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE = \ TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE = \ -I$(TF_PSA_CRYPTO_PATH)/core \ -I$(TF_PSA_CRYPTO_PATH)/drivers/builtin/src + +## Usage: $(call remove_enabled_options_crypto,PREPROCESSOR_INPUT) +## Remove the preprocessor symbols that are set in the current configuration +## from PREPROCESSOR_INPUT. Also normalize whitespace. +## Example: +## $(call remove_enabled_options_crypto,MBEDTLS_FOO MBEDTLS_BAR) +## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both +## enabled in the TF-PSA-Crypto configuration, to "MBEDTLS_FOO" if +## MBEDTLS_BAR is enabled but MBEDTLS_FOO is disabled, etc. +## +## This only works with a Unix-like shell environment (Bourne/POSIX-style shell +## and standard commands) and a Unix-like compiler (supporting -E). In +## other environments, the output is likely to be empty. +define remove_enabled_options_crypto +$(strip $(shell + exec 2>/dev/null; + { echo '#include '; echo $(1); } | + $(CC) $(TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE) $(CFLAGS) -E - | + tail -n 1 +)) +endef + +# Ensure that `THREADING` is always defined. This lets us get a clean run +# with `make --warn-undefined-variables` without making the conditionals +# below more complex than they already are. At this stage, if `$(THREADING)` +# is empty, it means we don't know yet whether the threading implementation +# requires extra `LDFLAGS`. Once we've done the analysis, if `$(THREADING)` +# is empty, it will mean that no extra `LDFLAGS` are required, either +# because threading is disabled or because the threading implementation +# doesn't require any extra `LDFLAGS`. +THREADING ?= + +ifndef WINDOWS_BUILD + ifeq ($(THREADING),) + # Auto-detect configurations with pthread. + # If the call to remove_enabled_options returns "control", the symbols + # are confirmed set and we link with pthread. + # If the auto-detection fails, the result of the call is empty and + # we keep THREADING undefined. 
+ ifeq (control,$(call remove_enabled_options_crypto,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD)) + THREADING := pthread + endif + endif + #$(info THREADING = $(THREADING)) + + ifeq ($(THREADING),pthread) + LOCAL_LDFLAGS += -lpthread + endif +endif From d9c6a411c69168e17402c616c58caf22c0a4b003 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 12 Dec 2025 19:56:26 +0100 Subject: [PATCH 13/20] Introduce intermediate variables for various TF-PSA-Crypto lists Use separate variables for the crypto part of lists of generated C files, generated objects, sample programs and test data files. No behavior change. Signed-off-by: Gilles Peskine Signed-off-by: Gilles Peskine --- library/Makefile | 33 ++++++++++++++++++--------------- programs/Makefile | 25 +++++++++++++++++-------- tests/Makefile | 28 +++++++++++++++++----------- 3 files changed, 52 insertions(+), 34 deletions(-) diff --git a/library/Makefile b/library/Makefile index 3ee40fb71c..4c2e21dab5 100644 --- a/library/Makefile +++ b/library/Makefile 
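Review bot: The ordering requirement described in the commit message is not recorded in scripts/crypto-common.make itself. The `ifeq (control,$(call remove_enabled_options_crypto,...))` test is evaluated while the makefile is being read, and the helper discards stderr with `exec 2>/dev/null`. A preprocessor run that fails because `TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE` (or `CC`/`CFLAGS`) is not yet set therefore gives the same empty `THREADING` as a configuration without pthread, and `-lpthread` is silently left out. A comment above `ifndef WINDOWS_BUILD` would guard against a later reordering: `# Keep below TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE: the ifeq runs the preprocessor at parse time.`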
@@ -104,11 +104,13 @@ else gen_file_dep = | endif -OBJS_CRYPTO = $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c)) -GENERATED_OBJS_CRYPTO = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o -OBJS_CRYPTO := $(filter-out $(GENERATED_OBJS_CRYPTO),$(OBJS_CRYPTO)) -OBJS_CRYPTO += $(GENERATED_OBJS_CRYPTO) -OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS) +TF_PSA_CRYPTO_LIBRARY_OBJS := $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c)) +TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o +TF_PSA_CRYPTO_LIBRARY_OBJS := $(filter-out $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS),$(TF_PSA_CRYPTO_LIBRARY_OBJS)) +TF_PSA_CRYPTO_LIBRARY_OBJS += $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS) +TF_PSA_CRYPTO_LIBRARY_OBJS+=$(THIRDPARTY_CRYPTO_OBJECTS) + +OBJS_CRYPTO = $(TF_PSA_CRYPTO_LIBRARY_OBJS) OBJS_X509= \ mbedtls_config.o \ @@ -268,6 +270,15 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -S -o $@ -c $< +# List the generated files from crypto that are needed in the build, +# because we don't have the list in a consumable form. +TF_PSA_CRYPTO_LIBRARY_GENERATED_FILES := \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h + # List the generated files without running a script, so that this # works with no tooling dependencies when GEN_FILES is disabled. GENERATED_FILES := \ 
@@ -276,16 +287,8 @@ GENERATED_FILES := \ mbedtls_config_check_user.h \ error.c \ version_features.c \ - ssl_debug_helpers_generated.c - -# Also list the generated files from crypto that are needed in the build, -# because we don't have the list in a consumable form. -GENERATED_FILES += \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h + ssl_debug_helpers_generated.c \ + $(TF_PSA_CRYPTO_LIBRARY_GENERATED_FILES) .PHONY: generated_files generated_files: $(GENERATED_FILES) diff --git a/programs/Makefile b/programs/Makefile index 47745de052..e6bbf70a02 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -27,6 +27,16 @@ endif LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs +TF_PSA_CRYPTO_APPS := \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/aead_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/crypto_examples \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/hmac_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/key_ladder_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_hash \ + $(TF_PSA_CRYPTO_PATH)/programs/test/which_aes \ +# End of APPS + ## The following assignment is the list of base names of applications that ## will be built on Windows. Extra Linux/Unix/POSIX-only applications can ## be declared by appending with `APPS += ...` afterwards. 
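Review bot: The new `TF_PSA_CRYPTO_APPS` list in programs/Makefile spells its entries as `$(TF_PSA_CRYPTO_PATH)/programs/...`, while the explicit rules that build these programs (visible later in this series) keep the literal `../tf-psa-crypto/programs/...` targets. Make matches targets and `filter-out` words textually, so the "no behavior change" claim holds only while `$(TF_PSA_CRYPTO_PATH)` expands to exactly `../tf-psa-crypto`; its definition is not visible in the hunk. The same applies to `TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES` in this file and to tests/Makefile, where the `wildcard` now uses the variable but the generated lists it is filtered against are built with `$(addprefix ../tf-psa-crypto/,...)`. Either use one spelling on both sides or record the assumption next to the list: `# Assumes $(TF_PSA_CRYPTO_PATH) is exactly ../tf-psa-crypto, to match the explicit rule targets.`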
@@ -36,13 +46,7 @@ LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs ## Note: Variables cannot be used to define an apps path. This cannot be ## substituted by the script generate_visualc_files.pl. APPS = \ - ../tf-psa-crypto/programs/psa/aead_demo \ - ../tf-psa-crypto/programs/psa/crypto_examples \ - ../tf-psa-crypto/programs/psa/hmac_demo \ - ../tf-psa-crypto/programs/psa/key_ladder_demo \ - ../tf-psa-crypto/programs/psa/psa_constant_names \ - ../tf-psa-crypto/programs/psa/psa_hash \ - ../tf-psa-crypto/programs/test/which_aes \ + $(TF_PSA_CRYPTO_APPS) \ ssl/dtls_client \ ssl/dtls_server \ ssl/mini_client \ @@ -107,8 +111,13 @@ fuzz: ${MBEDLIBS} ${MBEDTLS_TEST_OBJS} ${MBEDTLS_TEST_OBJS}: $(MAKE) -C ../tests mbedtls_test +TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES := \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names_generated.c + .PHONY: generated_files -GENERATED_FILES = ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c test/query_config.c +GENERATED_FILES := \ + test/query_config.c \ + $(TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES) generated_files: $(GENERATED_FILES) ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py diff --git a/tests/Makefile b/tests/Makefile index 7ebc10b6d0..8e8dcf6177 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -24,7 +24,7 @@ GENERATED_BIGNUM_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED) $(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed) endif -GENERATED_CRYPTO_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES) +TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES) GENERATED_MBEDTLS_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \ $(PYTHON) ../framework/scripts/generate_config_tests.py --list || \ 
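Review bot: The retained comment directly above `APPS =` ("Variables cannot be used to define an apps path. This cannot be substituted by the script generate_visualc_files.pl.") is now contradicted by the new first entry `$(TF_PSA_CRYPTO_APPS) \`. If that script still reads this list, it would see an unexpanded variable instead of the seven crypto program paths; whether it does cannot be confirmed from the hunk. If the restriction no longer applies to the crypto programs, the comment should say so, for example `## Note: apart from $(TF_PSA_CRYPTO_APPS), variables cannot be used to define an apps path.`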
@@ -44,7 +44,7 @@ endif GENERATED_CONFIG_DATA_FILES := $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) $(GENERATED_PSA_CONFIG_DATA_FILES) GENERATED_DATA_FILES += $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) -GENERATED_CRYPTO_DATA_FILES += $(GENERATED_PSA_CONFIG_DATA_FILES) +TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_CONFIG_DATA_FILES) GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \ @@ -53,7 +53,7 @@ GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ ifeq ($(GENERATED_ECP_DATA_FILES),FAILED) $(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed) endif -GENERATED_CRYPTO_DATA_FILES += $(GENERATED_ECP_DATA_FILES) +TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES) GENERATED_PSA_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ $(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \ @@ -62,12 +62,18 @@ GENERATED_PSA_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ ifeq ($(GENERATED_PSA_DATA_FILES),FAILED) $(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed) endif -GENERATED_CRYPTO_DATA_FILES += $(GENERATED_PSA_DATA_FILES) +TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES) -GENERATED_FILES = $(GENERATED_DATA_FILES) $(GENERATED_CRYPTO_DATA_FILES) -GENERATED_FILES += include/test/test_keys.h \ - ../tf-psa-crypto/tests/include/test/test_keys.h \ - include/test/test_certs.h +TF_PSA_CRYPTO_TESTS_GENERATED_C_FILES = \ + ../tf-psa-crypto/tests/include/test/test_keys.h +GENERATED_C_FILES = \ + include/test/test_keys.h include/test/test_certs.h + +GENERATED_FILES = \ + $(GENERATED_DATA_FILES) \ + $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES) \ + $(GENERATED_C_FILES) \ + $(TF_PSA_CRYPTO_TESTS_GENERATED_C_FILES) # Generated files needed to (fully) run ssl-opt.sh .PHONY: ssl-opt 
@@ -163,15 +169,15 @@ generated_psa_test_data: # Application name is same as .data file's base name and can be # constructed by stripping path 'suites/' and extension .data. DATA_FILES = $(filter-out $(GENERATED_DATA_FILES), $(wildcard suites/test_suite_*.data)) -CRYPTO_DATA_FILES = $(filter-out $(GENERATED_CRYPTO_DATA_FILES), $(wildcard ../tf-psa-crypto/tests/suites/test_suite_*.data)) +TF_PSA_CRYPTO_TESTS_DATA_FILES = $(filter-out $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES), $(wildcard $(TF_PSA_CRYPTO_PATH)/tests/suites/test_suite_*.data)) # Make sure that generated data files are included even if they don't # exist yet when the makefile is parsed. DATA_FILES += $(GENERATED_DATA_FILES) -CRYPTO_DATA_FILES += $(GENERATED_CRYPTO_DATA_FILES) +TF_PSA_CRYPTO_TESTS_DATA_FILES += $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES) APPS = $(basename $(subst suites/,,$(DATA_FILES))) -CRYPTO_APPS = $(basename $(subst suites/,,$(CRYPTO_DATA_FILES))) +CRYPTO_APPS = $(basename $(subst suites/,,$(TF_PSA_CRYPTO_TESTS_DATA_FILES))) # Construct executable name by adding OS specific suffix $(EXEXT). BINARIES := $(addsuffix $(EXEXT),$(APPS)) From 8ac7168799d07e01a5ca1a87899ff73345639790 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Dec 2025 15:18:03 +0100 Subject: [PATCH 14/20] Move crypto-specific code from library/Makefile to a new file The new file is in Mbed TLS for now. Once we have finished moving code to it, it will move to TF-PSA-Crypto. What got moved: * List of object files from crypto * List of generated .c files in crypto * Rules to build generated .c files in crypto Signed-off-by: Gilles Peskine --- library/Makefile | 41 ++------------------------------- library/crypto-library.make | 45 +++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 39 deletions(-) create mode 100644 library/crypto-library.make diff --git a/library/Makefile b/library/Makefile index 4c2e21dab5..17155c80ad 100644 --- a/library/Makefile +++ b/library/Makefile 
@@ -104,12 +104,6 @@ else gen_file_dep = | endif -TF_PSA_CRYPTO_LIBRARY_OBJS := $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c)) -TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o -TF_PSA_CRYPTO_LIBRARY_OBJS := $(filter-out $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS),$(TF_PSA_CRYPTO_LIBRARY_OBJS)) -TF_PSA_CRYPTO_LIBRARY_OBJS += $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS) -TF_PSA_CRYPTO_LIBRARY_OBJS+=$(THIRDPARTY_CRYPTO_OBJECTS) - OBJS_CRYPTO = $(TF_PSA_CRYPTO_LIBRARY_OBJS) OBJS_X509= \ @@ -161,6 +155,8 @@ else all: shared static endif +include crypto-library.make + static: libmbedcrypto.a libmbedx509.a libmbedtls.a cd ../tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile cd ../tf-psa-crypto/tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile @@ -270,15 +266,6 @@ libmbedcrypto.dll: $(OBJS_CRYPTO) echo " CC $<" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -S -o $@ -c $< -# List the generated files from crypto that are needed in the build, -# because we don't have the list in a consumable form. -TF_PSA_CRYPTO_LIBRARY_GENERATED_FILES := \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h - # List the generated files without running a script, so that this # works with no tooling dependencies when GEN_FILES is disabled. GENERATED_FILES := \ 
@@ -318,18 +305,6 @@ version_features.c: echo " Gen $@" $(PERL) ../scripts/generate_features.pl -GENERATED_WRAPPER_FILES = \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c -$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/generate_driver_wrappers.py -$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja -$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja -$(GENERATED_WRAPPER_FILES): - echo " Gen $(GENERATED_WRAPPER_FILES)" - $(PYTHON) ../tf-psa-crypto/scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH) - -$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h - GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .) $(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ ../scripts/generate_config_checks.py \ @@ -340,18 +315,6 @@ $(GENERATED_CONFIG_CHECK_FILES): mbedtls_config.o: $(GENERATED_CONFIG_CHECK_FILES) -TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ - $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ - --list $(TF_PSA_CRYPTO_CORE_PATH)) -$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ - $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ - ../framework/scripts/mbedtls_framework/config_checks_generator.py -$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): - echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)" - $(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py - -$(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config.o: $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES) - clean: ifndef WINDOWS rm -f *.o *.s libmbed* diff --git a/library/crypto-library.make b/library/crypto-library.make new file mode 100644 index 0000000000..2e521ef448 --- /dev/null 
+++ b/library/crypto-library.make 
@@ -0,0 +1,45 @@ +# Helper code for library/Makefile in Mbed TLS. +# This file is only meant to be included by library/Makefile in Mbed TLS and +# is unlikely to work in another context. + +TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core +TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src + +# List the generated files from crypto that are needed in the build, +# because we don't have the list in a consumable form. +TF_PSA_CRYPTO_LIBRARY_GENERATED_FILES := \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h + +GENERATED_WRAPPER_FILES = \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c +$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/generate_driver_wrappers.py +$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +$(GENERATED_WRAPPER_FILES): ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja +$(GENERATED_WRAPPER_FILES): + echo " Gen $(GENERATED_WRAPPER_FILES)" + $(PYTHON) ../tf-psa-crypto/scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH) + +$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h + +TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + --list $(TF_PSA_CRYPTO_CORE_PATH)) +$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + ../framework/scripts/mbedtls_framework/config_checks_generator.py 
+$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): + echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)" + $(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py + +$(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config.o: $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES) + +TF_PSA_CRYPTO_LIBRARY_OBJS := $(patsubst %.c, %.o,$(wildcard $(TF_PSA_CRYPTO_CORE_PATH)/*.c $(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/*.c)) +TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS = $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o +TF_PSA_CRYPTO_LIBRARY_OBJS := $(filter-out $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS),$(TF_PSA_CRYPTO_LIBRARY_OBJS)) +TF_PSA_CRYPTO_LIBRARY_OBJS += $(TF_PSA_CRYPTO_LIBRARY_GENERATED_OBJS) +TF_PSA_CRYPTO_LIBRARY_OBJS+=$(THIRDPARTY_CRYPTO_OBJECTS) From cffc11878fae93a8ec66ab6de9d57c9d972a74f4 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 18 Dec 2025 15:56:40 +0100 Subject: [PATCH 15/20] Move crypto-specific code from programs/Makefile to a new file The new file is in Mbed TLS for now. Once we have finished moving code to it, it will move to TF-PSA-Crypto. What got moved: * List of generated .c files in crypto * Rules to build generated .c files in crypto * List of apps in crypto * Rules to build apps in crypto Signed-off-by: Gilles Peskine --- programs/Makefile | 55 ++++------------------------------- programs/crypto-programs.make | 52 +++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 49 deletions(-) create mode 100644 programs/crypto-programs.make diff --git a/programs/Makefile b/programs/Makefile index e6bbf70a02..b1aee9c57a 100644 --- a/programs/Makefile +++ b/programs/Makefile 
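Review bot: In the new library/crypto-library.make, `$(GENERATED_WRAPPER_FILES):` puts two output files on an ordinary rule, which GNU make treats as two independent rules sharing one recipe. Under `make -j` the generator can therefore be started once per output, with both runs writing the same two files in `$(TF_PSA_CRYPTO_CORE_PATH)`. The `$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES):` rule below it has the same shape. tests/Makefile already solves this for its generators with a single intermediate target marked `.SECONDARY`; the sketch below applies that pattern, using a constructed target name. The code was moved unchanged from library/Makefile, so this is a pre-existing hazard rather than a regression.

```make
# One intermediate target so that parallel builds run the generator once.
$(GENERATED_WRAPPER_FILES): generated_driver_wrappers
generated_driver_wrappers: ../tf-psa-crypto/scripts/generate_driver_wrappers.py
generated_driver_wrappers: ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
generated_driver_wrappers: ../tf-psa-crypto/scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
generated_driver_wrappers:
	echo "  Gen   $(GENERATED_WRAPPER_FILES)"
	$(PYTHON) ../tf-psa-crypto/scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
.SECONDARY: generated_driver_wrappers
# … unchanged: psa_crypto.o dependency and config-check rules …
```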
@@ -25,17 +25,13 @@ else BUILD_DLOPEN = endif -LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs +# Declare the default rule early, since it must come first, in particular +# before including crypto-programs.make. +default: all -TF_PSA_CRYPTO_APPS := \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/aead_demo \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/crypto_examples \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/hmac_demo \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/key_ladder_demo \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_hash \ - $(TF_PSA_CRYPTO_PATH)/programs/test/which_aes \ -# End of APPS +include crypto-programs.make + +LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs ## The following assignment is the list of base names of applications that ## will be built on Windows. Extra Linux/Unix/POSIX-only applications can 
@@ -111,23 +107,12 @@ fuzz: ${MBEDLIBS} ${MBEDTLS_TEST_OBJS} ${MBEDTLS_TEST_OBJS}: $(MAKE) -C ../tests mbedtls_test -TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES := \ - $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names_generated.c - .PHONY: generated_files GENERATED_FILES := \ test/query_config.c \ $(TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES) generated_files: $(GENERATED_FILES) -../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py -../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h -../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h -../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data -../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: - echo " Gen $@" - cd ../tf-psa-crypto; $(PYTHON) ./scripts/generate_psa_constants.py - test/query_config.c: $(gen_file_dep) ../scripts/generate_query_config.pl ## The generated file only depends on the options that are present in mbedtls_config.h, ## not on which options are set. To avoid regenerating this file all the time 
@@ -140,34 +125,6 @@ test/query_config.c: echo " Gen $@" $(PERL) ../scripts/generate_query_config.pl -../tf-psa-crypto/programs/psa/aead_demo$(EXEXT): ../tf-psa-crypto/programs/psa/aead_demo.c $(DEP) - echo " CC psa/aead_demo.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/psa/crypto_examples$(EXEXT): ../tf-psa-crypto/programs/psa/crypto_examples.c $(DEP) - echo " CC psa/crypto_examples.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/crypto_examples.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/psa/hmac_demo$(EXEXT): ../tf-psa-crypto/programs/psa/hmac_demo.c $(DEP) - echo " CC psa/hmac_demo.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/psa/key_ladder_demo$(EXEXT): ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(DEP) - echo " CC psa/key_ladder_demo.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/psa/psa_constant_names$(EXEXT): ../tf-psa-crypto/programs/psa/psa_constant_names.c ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c $(DEP) - echo " CC psa/psa_constant_names.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/psa/psa_hash$(EXEXT): ../tf-psa-crypto/programs/psa/psa_hash.c $(DEP) - echo " CC psa/psa_hash.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -../tf-psa-crypto/programs/test/which_aes$(EXEXT): ../tf-psa-crypto/programs/test/which_aes.c $(DEP) - echo " CC test/which_aes.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/test/which_aes.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - ssl/dtls_client$(EXEXT): ssl/dtls_client.c $(DEP) echo " CC 
ssl/dtls_client.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/dtls_client.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ diff --git a/programs/crypto-programs.make b/programs/crypto-programs.make new file mode 100644 index 0000000000..37a759ca7d --- /dev/null +++ b/programs/crypto-programs.make 
@@ -0,0 +1,52 @@ +# Helper code for programs/Makefile in Mbed TLS. +# This file is only meant to be included by programs/Makefile in Mbed TLS and +# is unlikely to work in another context. + +TF_PSA_CRYPTO_PROGRAMS_GENERATED_FILES := \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names_generated.c + +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/scripts/generate_psa_constants.py +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data +../tf-psa-crypto/programs/psa/psa_constant_names_generated.c: + echo " Gen $@" + cd ../tf-psa-crypto; $(PYTHON) ./scripts/generate_psa_constants.py + +TF_PSA_CRYPTO_APPS := \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/aead_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/crypto_examples \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/hmac_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/key_ladder_demo \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_constant_names \ + $(TF_PSA_CRYPTO_PATH)/programs/psa/psa_hash \ + $(TF_PSA_CRYPTO_PATH)/programs/test/which_aes \ +# End of APPS + +../tf-psa-crypto/programs/psa/aead_demo$(EXEXT): ../tf-psa-crypto/programs/psa/aead_demo.c $(DEP) + echo " CC psa/aead_demo.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/psa/crypto_examples$(EXEXT): ../tf-psa-crypto/programs/psa/crypto_examples.c $(DEP) + echo " CC psa/crypto_examples.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/crypto_examples.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/psa/hmac_demo$(EXEXT): ../tf-psa-crypto/programs/psa/hmac_demo.c $(DEP) + echo " CC 
psa/hmac_demo.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/hmac_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/psa/key_ladder_demo$(EXEXT): ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(DEP) + echo " CC psa/key_ladder_demo.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/key_ladder_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/psa/psa_constant_names$(EXEXT): ../tf-psa-crypto/programs/psa/psa_constant_names.c ../tf-psa-crypto/programs/psa/psa_constant_names_generated.c $(DEP) + echo " CC psa/psa_constant_names.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_constant_names.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/psa/psa_hash$(EXEXT): ../tf-psa-crypto/programs/psa/psa_hash.c $(DEP) + echo " CC psa/psa_hash.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/psa_hash.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + +../tf-psa-crypto/programs/test/which_aes$(EXEXT): ../tf-psa-crypto/programs/test/which_aes.c $(DEP) + echo " CC test/which_aes.c" + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/test/which_aes.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ From 49d698588b0455c52f23fc2718a7dcd113e3a555 Mon Sep 17 00:00:00 2001 
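Review bot: The recipe for `psa_constant_names_generated.c` in the new programs/crypto-programs.make joins its two commands with `;` (`cd ../tf-psa-crypto; $(PYTHON) ./scripts/generate_psa_constants.py`), so the generator is still started if the `cd` fails. The config-test recipe in tests/Makefile uses `&&` for the same pattern, and this line could match it: `cd ../tf-psa-crypto && $(PYTHON) ./scripts/generate_psa_constants.py`. The line was moved unchanged from programs/Makefile, so this is a cleanup rather than a regression.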
From: Gilles Peskine Date: Thu, 18 Dec 2025 16:05:11 +0100 Subject: [PATCH 16/20] Move crypto-specific code from tests/Makefile to a new file The new file is in Mbed TLS for now. Once we have finished moving code to it, it will move to TF-PSA-Crypto. What got moved: * List of generated .data files in crypto * Rules to generate .data files in crypto * List of test suites in crypto * List of generated .h files in crypto * Rules to generate .h in crypto What didn't get moved: * Rules to generate the crypto part of `$(GENERATED_CONFIG_DATA_FILES)`, because they are currently mixed with the rule for the mbedtls part. This will be done in a subsequent commit. * Rules to generate .c files from .function files, and to compile the resulting .c files. At least for now, we let Mbed TLS decide how to do that on its own. Signed-off-by: Gilles Peskine --- tests/Makefile | 103 +++------------------------------------ tests/crypto-tests.make | 104 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+), 97 deletions(-) create mode 100644 tests/crypto-tests.make diff --git a/tests/Makefile b/tests/Makefile index 8e8dcf6177..d3b488e661 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -4,6 +4,12 @@ include ../scripts/common.make # Set this to -v to see the details of failing test cases TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,) +# Declare the default rule early, since it must come first, in particular +# before including crypto-programs.make. +default: all + +include crypto-tests.make + # Also include private headers, for the sake of invasive tests. LOCAL_CFLAGS += -I$(MBEDTLS_PATH)/library LOCAL_CFLAGS += $(TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE) 
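Review bot: The comment added above `default: all` in tests/Makefile says the rule must come "before including crypto-programs.make", but the file included on the following line is `crypto-tests.make`. The wording looks copied from the programs/Makefile change; the second comment line should read `# before including crypto-tests.make.`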
@@ -17,15 +23,6 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG endif -GENERATED_BIGNUM_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ - $(PYTHON) ../framework/scripts/generate_bignum_tests.py --list || \ - echo FAILED \ -)) -ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED) -$(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed) -endif -TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES) - GENERATED_MBEDTLS_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \ $(PYTHON) ../framework/scripts/generate_config_tests.py --list || \ echo FAILED \ 
@@ -34,38 +31,10 @@ ifeq ($(GENERATED_MBEDTLS_CONFIG_DATA_FILES),FAILED) $(error "$(PYTHON) ../framework/scripts/generate_config_tests.py --list" failed) endif -GENERATED_PSA_CONFIG_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ - $(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list || \ - echo FAILED \ -)) -ifeq ($(GENERATED_PSA_CONFIG_DATA_FILES),FAILED) -$(error "$(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list" failed) -endif - GENERATED_CONFIG_DATA_FILES := $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) $(GENERATED_PSA_CONFIG_DATA_FILES) GENERATED_DATA_FILES += $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_CONFIG_DATA_FILES) -GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ - $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \ - echo FAILED \ -)) -ifeq ($(GENERATED_ECP_DATA_FILES),FAILED) -$(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed) -endif -TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES) - -GENERATED_PSA_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ - $(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \ - echo FAILED \ -)) -ifeq ($(GENERATED_PSA_DATA_FILES),FAILED) -$(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed) -endif -TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES) - -TF_PSA_CRYPTO_TESTS_GENERATED_C_FILES = \ - ../tf-psa-crypto/tests/include/test/test_keys.h GENERATED_C_FILES = \ include/test/test_keys.h include/test/test_certs.h 
@@ -94,25 +63,6 @@ ssl-opt: opt-testcases/tls13-compat.sh .PHONY: generated_files generated_files: $(GENERATED_FILES) -# generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing -# inputs than generating outputs. Its inputs are the same no matter which files -# are being generated. -# It's rare not to want all the outputs. So always generate all of its outputs. -# Use an intermediate phony dependency so that parallel builds don't run -# a separate instance of the recipe for each output file. -$(GENERATED_BIGNUM_DATA_FILES): $(gen_file_dep) generated_bignum_test_data -generated_bignum_test_data: ../framework/scripts/generate_bignum_tests.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_core.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod_raw.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_case.py -generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py -generated_bignum_test_data: - echo " Gen $(GENERATED_BIGNUM_DATA_FILES)" - $(PYTHON) ../framework/scripts/generate_bignum_tests.py --directory ../tf-psa-crypto/tests/suites -.SECONDARY: generated_bignum_test_data - # We deliberately omit the configuration files (mbedtls_config.h, # crypto_config.h) from the depenency list because during development # and on the CI, we often edit those in a way that doesn't change the 
@@ -130,51 +80,14 @@ generated_config_test_data: cd ../tf-psa-crypto && $(PYTHON) ./framework/scripts/generate_config_tests.py .SECONDARY: generated_config_test_data -$(GENERATED_ECP_DATA_FILES): $(gen_file_dep) generated_ecp_test_data -generated_ecp_test_data: ../framework/scripts/generate_ecp_tests.py -generated_ecp_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py -generated_ecp_test_data: ../framework/scripts/mbedtls_framework/ecp.py -generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_case.py -generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py -generated_ecp_test_data: - echo " Gen $(GENERATED_ECP_DATA_FILES)" - $(PYTHON) ../framework/scripts/generate_ecp_tests.py --directory ../tf-psa-crypto/tests/suites -.SECONDARY: generated_ecp_test_data - -$(GENERATED_PSA_DATA_FILES): $(gen_file_dep) generated_psa_test_data -generated_psa_test_data: ../framework/scripts/generate_psa_tests.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_data_tests.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_test_case.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py -generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py -## The generated file only depends on the options that are present in -## crypto_config.h, not on which options are set. To avoid regenerating this -## file all the time when switching between configurations, don't declare -## crypto_config.h as a dependency. 
Remove this file from your working tree -## if you've just added or removed an option in crypto_config.h. -#generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_config.h -generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_values.h -generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_extra.h -generated_psa_test_data: ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data -generated_psa_test_data: - echo " Gen $(GENERATED_PSA_DATA_FILES) ..." - $(PYTHON) ../framework/scripts/generate_psa_tests.py --directory ../tf-psa-crypto/tests/suites -.SECONDARY: generated_psa_test_data - # A test application is built for each suites/test_suite_*.data file. # Application name is same as .data file's base name and can be # constructed by stripping path 'suites/' and extension .data. DATA_FILES = $(filter-out $(GENERATED_DATA_FILES), $(wildcard suites/test_suite_*.data)) -TF_PSA_CRYPTO_TESTS_DATA_FILES = $(filter-out $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES), $(wildcard $(TF_PSA_CRYPTO_PATH)/tests/suites/test_suite_*.data)) # Make sure that generated data files are included even if they don't # exist yet when the makefile is parsed. DATA_FILES += $(GENERATED_DATA_FILES) -TF_PSA_CRYPTO_TESTS_DATA_FILES += $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES) APPS = $(basename $(subst suites/,,$(DATA_FILES))) CRYPTO_APPS = $(basename $(subst suites/,,$(TF_PSA_CRYPTO_TESTS_DATA_FILES))) @@ -200,10 +113,6 @@ include/test/test_keys.h: ../framework/scripts/generate_test_keys.py echo " Gen $@" $(PYTHON) ../framework/scripts/generate_test_keys.py --output $@ -../tf-psa-crypto/tests/include/test/test_keys.h: ../tf-psa-crypto/framework/scripts/generate_test_keys.py - echo " Gen $@" - $(PYTHON) ../tf-psa-crypto/framework/scripts/generate_test_keys.py --output $@ - TEST_OBJS_DEPS = $(wildcard include/test/*.h include/test/*/*.h) ifdef RECORD_PSA_STATUS_COVERAGE_LOG # Explicitly depend on this header because on a clean copy of the source tree, 
diff --git a/tests/crypto-tests.make b/tests/crypto-tests.make
new file mode 100644
index 0000000000..f603a8e0c4
--- /dev/null
+++ b/tests/crypto-tests.make
@@ -0,0 +1,104 @@
+# Helper code for tests/Makefile in Mbed TLS.
+# This file is only meant to be included by tests/Makefile in Mbed TLS and
+# is unlikely to work in another context.
+
+GENERATED_BIGNUM_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
+ $(PYTHON) ../framework/scripts/generate_bignum_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)
+$(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed)
+endif
+TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES)
+
+# generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing
+# inputs than generating outputs. Its inputs are the same no matter which files
+# are being generated.
+# It's rare not to want all the outputs. So always generate all of its outputs.
+# Use an intermediate phony dependency so that parallel builds don't run
+# a separate instance of the recipe for each output file.
+$(GENERATED_BIGNUM_DATA_FILES): $(gen_file_dep) generated_bignum_test_data
+generated_bignum_test_data: ../framework/scripts/generate_bignum_tests.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_core.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod_raw.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/bignum_mod.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
+generated_bignum_test_data:
+ echo " Gen $(GENERATED_BIGNUM_DATA_FILES)"
+ $(PYTHON) ../framework/scripts/generate_bignum_tests.py --directory ../tf-psa-crypto/tests/suites
+.SECONDARY: generated_bignum_test_data
+
+GENERATED_PSA_CONFIG_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
+ $(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_PSA_CONFIG_DATA_FILES),FAILED)
+$(error "$(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list" failed)
+endif
+
+GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
+ $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_ECP_DATA_FILES),FAILED)
+$(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed)
+endif
+TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES)
+
+$(GENERATED_ECP_DATA_FILES): $(gen_file_dep) generated_ecp_test_data
+generated_ecp_test_data: ../framework/scripts/generate_ecp_tests.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/bignum_common.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/ecp.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
+generated_ecp_test_data:
+ echo " Gen $(GENERATED_ECP_DATA_FILES)"
+ $(PYTHON) ../framework/scripts/generate_ecp_tests.py --directory ../tf-psa-crypto/tests/suites
+.SECONDARY: generated_ecp_test_data
+
+GENERATED_PSA_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
+ $(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_PSA_DATA_FILES),FAILED)
+$(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed)
+endif
+TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
+
+$(GENERATED_PSA_DATA_FILES): $(gen_file_dep) generated_psa_test_data
+generated_psa_test_data: ../framework/scripts/generate_psa_tests.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_data_tests.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/crypto_knowledge.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/macro_collector.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_information.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_storage.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/psa_test_case.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_case.py
+generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
+## The generated file only depends on the options that are present in
+## crypto_config.h, not on which options are set. To avoid regenerating this
+## file all the time when switching between configurations, don't declare
+## crypto_config.h as a dependency. Remove this file from your working tree
+## if you've just added or removed an option in crypto_config.h.
+#generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_config.h
+generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_values.h
+generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_extra.h
+generated_psa_test_data: ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data
+generated_psa_test_data:
+ echo " Gen $(GENERATED_PSA_DATA_FILES) ..."
+ $(PYTHON) ../framework/scripts/generate_psa_tests.py --directory ../tf-psa-crypto/tests/suites
+.SECONDARY: generated_psa_test_data
+
+TF_PSA_CRYPTO_TESTS_DATA_FILES = $(filter-out $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES), $(wildcard $(TF_PSA_CRYPTO_PATH)/tests/suites/test_suite_*.data))
+# Make sure that generated data files are included even if they don't
+# exist yet when the makefile is parsed.
+TF_PSA_CRYPTO_TESTS_DATA_FILES += $(TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES)
+
+../tf-psa-crypto/tests/include/test/test_keys.h: ../tf-psa-crypto/framework/scripts/generate_test_keys.py
+ echo " Gen $@"
+ $(PYTHON) ../tf-psa-crypto/framework/scripts/generate_test_keys.py --output $@
+
+TF_PSA_CRYPTO_TESTS_GENERATED_C_FILES = \
+ ../tf-psa-crypto/tests/include/test/test_keys.h
From 8a528cfed5aebf7927051338f4f03b40866ef143 Mon Sep 17 00:00:00 2001
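Review bot: The `ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)` guard at the top of the new `tests/crypto-tests.make` cannot fire, because the value has already passed through `$(addprefix ../tf-psa-crypto/,...)`. When the generator's `--list` call fails, the variable holds `../tf-psa-crypto/FAILED` (or a partial list ending in it), never the bare word `FAILED`. A broken or missing generator script is then accepted silently at parse time and a bogus file name enters the test data list. Matching the sentinel as a word fixes it, for example `ifneq (,$(filter %/FAILED,$(GENERATED_BIGNUM_DATA_FILES)))`. The same applies to the `GENERATED_PSA_CONFIG_DATA_FILES`, `GENERATED_ECP_DATA_FILES` and `GENERATED_PSA_DATA_FILES` checks in this file, and to the renamed `GENERATED_CRYPTO_CONFIG_DATA_FILES` check in patch 17.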
From: Gilles Peskine Date: Thu, 18 Dec 2025 16:40:32 +0100 Subject: [PATCH 17/20] Split the rules to generate config tests Have crypto handle the crypto part and tls handle the tls part. Signed-off-by: Gilles Peskine --- tests/Makefile | 8 ++------ tests/crypto-tests.make | 21 +++++++++++++++++++-- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/tests/Makefile b/tests/Makefile index d3b488e661..2a7040279f 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -30,10 +30,7 @@ GENERATED_MBEDTLS_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \ ifeq ($(GENERATED_MBEDTLS_CONFIG_DATA_FILES),FAILED) $(error "$(PYTHON) ../framework/scripts/generate_config_tests.py --list" failed) endif - -GENERATED_CONFIG_DATA_FILES := $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) $(GENERATED_PSA_CONFIG_DATA_FILES) GENERATED_DATA_FILES += $(GENERATED_MBEDTLS_CONFIG_DATA_FILES) -TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_PSA_CONFIG_DATA_FILES) GENERATED_C_FILES = \ include/test/test_keys.h include/test/test_certs.h 
@@ -69,15 +66,14 @@ generated_files: $(GENERATED_FILES) # output, to comment out certain options, or even to remove certain # lines which do affect the output negatively (it will miss the # corresponding test cases). -$(GENERATED_CONFIG_DATA_FILES): $(gen_file_dep) generated_config_test_data +$(GENERATED_MBEDTLS_CONFIG_DATA_FILES): $(gen_file_dep) generated_config_test_data generated_config_test_data: ../framework/scripts/generate_config_tests.py generated_config_test_data: ../scripts/config.py generated_config_test_data: ../framework/scripts/mbedtls_framework/test_case.py generated_config_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py generated_config_test_data: - echo " Gen $(GENERATED_CONFIG_DATA_FILES)" + echo " Gen $(GENERATED_MBEDTLS_CONFIG_DATA_FILES)" $(PYTHON) ../framework/scripts/generate_config_tests.py - cd ../tf-psa-crypto && $(PYTHON) ./framework/scripts/generate_config_tests.py .SECONDARY: generated_config_test_data # A test application is built for each suites/test_suite_*.data file. diff --git a/tests/crypto-tests.make b/tests/crypto-tests.make index f603a8e0c4..fbfc12dbd2 100644 --- a/tests/crypto-tests.make +++ b/tests/crypto-tests.make 
@@ -30,13 +30,30 @@ generated_bignum_test_data: $(PYTHON) ../framework/scripts/generate_bignum_tests.py --directory ../tf-psa-crypto/tests/suites .SECONDARY: generated_bignum_test_data -GENERATED_PSA_CONFIG_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ +GENERATED_CRYPTO_CONFIG_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ $(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list || \ echo FAILED \ )) -ifeq ($(GENERATED_PSA_CONFIG_DATA_FILES),FAILED) +ifeq ($(GENERATED_CRYPTO_CONFIG_DATA_FILES),FAILED) $(error "$(PYTHON) ../tf-psa-crypto/framework/scripts/generate_config_tests.py --list" failed) endif +TF_PSA_CRYPTO_TESTS_GENERATED_DATA_FILES += $(GENERATED_CRYPTO_CONFIG_DATA_FILES) + +# We deliberately omit the configuration files (mbedtls_config.h, +# crypto_config.h) from the depenency list because during development +# and on the CI, we often edit those in a way that doesn't change the +# output, to comment out certain options, or even to remove certain +# lines which do affect the output negatively (it will miss the +# corresponding test cases). +$(GENERATED_CRYPTO_CONFIG_DATA_FILES): $(gen_file_dep) generated_crypto_config_test_data +generated_crypto_config_test_data: ../framework/scripts/generate_config_tests.py +generated_crypto_config_test_data: ../scripts/config.py +generated_crypto_config_test_data: ../framework/scripts/mbedtls_framework/test_case.py +generated_crypto_config_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py +generated_crypto_config_test_data: + echo " Gen $(GENERATED_CRYPTO_CONFIG_DATA_FILES)" + cd ../tf-psa-crypto && $(PYTHON) ./framework/scripts/generate_config_tests.py +.SECONDARY: generated_crypto_config_test_data GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \ $(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \ From 562677945bf12b8073c8677b3bfb83a0de8cb889 Mon Sep 17 00:00:00 2001 
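Review bot: The prerequisites of the new `generated_crypto_config_test_data` rule name the Mbed TLS copies (`../framework/scripts/generate_config_tests.py`, `../scripts/config.py`), but the recipe runs `./framework/scripts/generate_config_tests.py` from inside `../tf-psa-crypto`, the same script the `--list` call above it uses. An edit to the crypto submodule's generator therefore does not trigger regeneration, so the crypto config test data can go stale without any warning. The first prerequisite should read `generated_crypto_config_test_data: ../tf-psa-crypto/framework/scripts/generate_config_tests.py`. The other three presumably need the matching paths under `../tf-psa-crypto` as well; confirm against the submodule layout.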
From: Gilles Peskine Date: Thu, 18 Dec 2025 20:23:45 +0100 Subject: [PATCH 18/20] Use intermediate variable for TF-PSA-Crypto's contribution to LOCAL_LDFLAGS Fix a bug whereby `crypto-common.make` was appending to `LOCAL_LDFLAGS` before `common.make` set the initial value. This broke the build with pthread enabled: `THREADING` was correctly getting autodetected, but the addition of `-lpthread` to `LOCAL_LDFLAGS` didn't work. Signed-off-by: Gilles Peskine --- scripts/common.make | 6 ++++-- scripts/crypto-common.make | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/scripts/common.make b/scripts/common.make index e88506b308..18dd29d2ed 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -46,13 +46,15 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ -lpsaclient \ -lmbedtls$(SHARED_SUFFIX) \ -lmbedx509$(SHARED_SUFFIX) \ - -lmbedcrypto$(SHARED_SUFFIX) + -lmbedcrypto$(SHARED_SUFFIX) \ + $(TF_PSA_CRYPTO_EXTRA_LDFLAGS) else LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ -L$(MBEDTLS_PATH)/library \ -lmbedtls$(SHARED_SUFFIX) \ -lmbedx509$(SHARED_SUFFIX) \ - -lmbedcrypto$(SHARED_SUFFIX) + -lmbedcrypto$(SHARED_SUFFIX) \ + $(TF_PSA_CRYPTO_EXTRA_LDFLAGS) endif ifdef PSASIM diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make index 85da8d802a..c944cc528b 100644 --- a/scripts/crypto-common.make +++ b/scripts/crypto-common.make @@ -46,6 +46,9 @@ TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE = \ -I$(TF_PSA_CRYPTO_PATH)/core \ -I$(TF_PSA_CRYPTO_PATH)/drivers/builtin/src +# Extra linker flags required by the crypto library or the platform +TF_PSA_CRYPTO_EXTRA_LDFLAGS = + ## Usage: $(call remove_enabled_options_crypto,PREPROCESSOR_INPUT) ## Remove the preprocessor symbols that are set in the current configuration ## from PREPROCESSOR_INPUT. Also normalize whitespace. @@ -91,6 +94,6 @@ ifndef WINDOWS_BUILD #$(info THREADING = $(THREADING)) ifeq ($(THREADING),pthread) - LOCAL_LDFLAGS += -lpthread + TF_PSA_CRYPTO_EXTRA_LDFLAGS += -lpthread endif endif 
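Review bot: The comment on the new `TF_PSA_CRYPTO_EXTRA_LDFLAGS` in `scripts/crypto-common.make` does not say who consumes the variable or why flags must go here rather than into `LOCAL_LDFLAGS`. That is exactly the mistake this commit fixes, and the next person adding a platform library to `crypto-common.make` can repeat it, since an append to `LOCAL_LDFLAGS` there is lost without any diagnostic. I would extend the comment to `# Extra linker flags required by the crypto library or the platform. Append here, not to LOCAL_LDFLAGS: common.make assigns LOCAL_LDFLAGS after this file is read and expands this variable at its end.` The ordering claim is taken from the commit message, as the include lines are outside these hunks.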
From b988dd8f359bfd7803bc5f6903b3e8811c14201f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Jan 2026 10:53:26 +0100 Subject: [PATCH 19/20] Remove accidentally duplicated definitions "Move crypto-specific code from library/Makefile to a new file" accidentally copied two lines instead of moving them. Remove the copy that's now in `crypto-library.make`, since the variables are defined earlier in `crypto-common.make`. The variables aren't actually used in `crypto-common.make`, but they could be (arguably should be used to define `TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE`). Signed-off-by: Gilles Peskine --- library/crypto-library.make | 3 --- 1 file changed, 3 deletions(-) diff --git a/library/crypto-library.make b/library/crypto-library.make index 2e521ef448..826b118ca2 100644 --- a/library/crypto-library.make +++ b/library/crypto-library.make @@ -2,9 +2,6 @@ # This file is only meant to be included by library/Makefile in Mbed TLS and # is unlikely to work in another context. -TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core -TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src - # List the generated files from crypto that are needed in the build, # because we don't have the list in a consumable form. TF_PSA_CRYPTO_LIBRARY_GENERATED_FILES := \ From dd255696a554e476b41200ed16e805d4bc0ca798 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 7 Jan 2026 11:07:01 +0100 Subject: [PATCH 20/20] Make use of some intermediate variables Signed-off-by: Gilles Peskine --- scripts/crypto-common.make | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/crypto-common.make b/scripts/crypto-common.make index c944cc528b..c5c24e2b09 100644 --- a/scripts/crypto-common.make +++ b/scripts/crypto-common.make 
@@ -23,8 +23,8 @@ ifeq (,$(wildcard $(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c)) $(error $$(TF_PSA_CRYPTO_PATH)/core/psa_crypto.c not found) endif -TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core -TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src +TF_PSA_CRYPTO_CORE_PATH = $(TF_PSA_CRYPTO_PATH)/core +TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(TF_PSA_CRYPTO_PATH)/drivers/builtin/src # Gather information about crypto drivers that are separate from the main # "builtin" driver (historically located in /3rdparty in Mbed TLS 2.x/3.x). @@ -43,8 +43,8 @@ TF_PSA_CRYPTO_LIBRARY_PUBLIC_INCLUDE = \ # (currently consumed by Mbed TLS, eventually not so when we've finished # cleaning up) TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE = \ - -I$(TF_PSA_CRYPTO_PATH)/core \ - -I$(TF_PSA_CRYPTO_PATH)/drivers/builtin/src + -I$(TF_PSA_CRYPTO_CORE_PATH) \ + -I$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH) # Extra linker flags required by the crypto library or the platform TF_PSA_CRYPTO_EXTRA_LDFLAGS =