From 4aa974f7c73a1012b85d7e47678177d3c793805c Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 23 Apr 2025 17:04:18 +0200 Subject: [PATCH 1/5] Remove `MBEDTLS_SHA3_C` config option Signed-off-by: Gabor Mezei --- programs/test/selftest.c | 5 ++++- tests/scripts/components-configuration-crypto.sh | 5 +++-- tests/scripts/depends.py | 4 ---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 515757311d..8516f3a251 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -290,7 +290,10 @@ const selftest_t selftests[] = #if defined(MBEDTLS_SHA512_C) { "sha512", mbedtls_sha512_self_test }, #endif -#if defined(MBEDTLS_SHA3_C) +#if defined(PSA_WANT_ALG_SHA3_224) || \ + defined(PSA_WANT_ALG_SHA3_256) || \ + defined(PSA_WANT_ALG_SHA3_384) || \ + defined(PSA_WANT_ALG_SHA3_512) { "sha3", mbedtls_sha3_self_test }, #endif #if defined(MBEDTLS_DES_C) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index a06ef1d132..16a399ab4e 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1557,7 +1557,7 @@ component_test_psa_crypto_config_accel_hash () { scripts/config.py unset MBEDTLS_SHA256_C scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA3_C + scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' # Build # ----- @@ -1597,7 +1597,7 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA3_C + scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' fi } 
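Review bot: The new guard on the `sha3` table entry tests `PSA_WANT_ALG_SHA3_*`, which says that the algorithm is requested, not that the built-in implementation is compiled. Patch 5 of this series says the software implementation sits behind the `MBEDTLS_PSA_BUILTIN_ALG_SHA3` macros and is not built under driver acceleration. In such a build `mbedtls_sha3_self_test` may be referenced here without being defined; that depends on how the function itself is guarded, which this hunk does not show. If it follows the built-in macros, guard the entry on the same condition and add a comment such as `/* sha3 self test exists only with the built-in implementation */`. The `selftests[]` initializer starts and ends outside the hunk.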
@@ -1680,6 +1680,7 @@ config_psa_crypto_hmac_use_psa () { # Disable also the builtin hashes since they are supported by the driver # and MD module is able to perform PSA dispathing. scripts/config.py unset-all MBEDTLS_SHA + scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C fi diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index cfd9f406d4..138631352f 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -348,10 +348,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', 'PSA_WANT_ALG_SHA_512'], - 'MBEDTLS_SHA3_C' : ['PSA_WANT_ALG_SHA3_224', - 'PSA_WANT_ALG_SHA3_256', - 'PSA_WANT_ALG_SHA3_384', - 'PSA_WANT_ALG_SHA3_512'], 'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'], } From 588769cc65d88f7d3f8f4d82bb805ce919497744 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 24 Apr 2025 12:11:26 +0200 Subject: [PATCH 2/5] Update error generation Adapt the `generate_errors.pl` to handle `PSA_WANT` macros and update to handle SHA3 macros. Signed-off-by: Gabor Mezei --- scripts/generate_errors.pl | 60 +++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 23 deletions(-) diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index aae1fc8870..499307b9d8 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -96,8 +96,8 @@ foreach my $file (@files) { } } -my $ll_old_define = ""; -my $hl_old_define = ""; +my @ll_old_define = ("", "", ""); +my @hl_old_define = ("", "", ""); my $ll_code_check = ""; my $hl_code_check = ""; 
@@ -129,6 +129,14 @@ foreach my $match (@matches) $define_name = "SSL_TLS" if ($define_name eq "SSL"); $define_name = "PEM_PARSE,PEM_WRITE" if ($define_name eq "PEM"); $define_name = "PKCS7" if ($define_name eq "PKCS7"); + $define_name = "ALG_SHA3_224,ALG_SHA3_256,ALG_SHA3_384,ALG_SHA3_512" + if ($define_name eq "SHA3"); + + my $define_prefix = "MBEDTLS_"; + $define_prefix = "PSA_WANT_" if ($module_name eq "SHA3"); + + my $define_suffix = "_C"; + $define_suffix = "" if ($module_name eq "SHA3"); my $include_name = $module_name; $include_name =~ tr/A-Z/a-z/; @@ -154,26 +162,30 @@ foreach my $match (@matches) if ($found_ll) { $code_check = \$ll_code_check; - $old_define = \$ll_old_define; + $old_define = \@ll_old_define; $white_space = ' '; } else { $code_check = \$hl_code_check; - $old_define = \$hl_old_define; + $old_define = \@hl_old_define; $white_space = ' '; } - if ($define_name ne ${$old_define}) + my $old_define_name = \${$old_define}[0]; + my $old_define_prefix = \${$old_define}[1]; + my $old_define_suffix = \${$old_define}[2]; + + if ($define_name ne ${$old_define_name}) { - if (${$old_define} ne "") + if (${$old_define_name} ne "") { ${$code_check} .= "#endif /* "; $first = 0; - foreach my $dep (split(/,/, ${$old_define})) + foreach my $dep (split(/,/, ${$old_define_name})) { - ${$code_check} .= " || " if ($first++); - ${$code_check} .= "MBEDTLS_${dep}_C"; + ${$code_check} .= " || \n " if ($first++); + ${$code_check} .= "${$old_define_prefix}${dep}${$old_define_suffix}"; } ${$code_check} .= " */\n\n"; } 
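Review bot: The SHA3 special case in the `@@ -129` hunk is keyed on two different variables: the guard list is rewritten when `$define_name eq "SHA3"`, while the prefix and suffix switch on `$module_name eq "SHA3"`. The two agree only while no earlier rewrite in this chain changes `$define_name` for the SHA3 module, and nothing says why this one module leaves the `MBEDTLS_<name>_C` scheme. Set all three values in a single `if ($module_name eq "SHA3") { ... }` block, with a comment such as `# SHA3 has no MBEDTLS_SHA3_C option; guard on the PSA_WANT_ALG_SHA3_* macros instead`. The enclosing `foreach my $match (@matches)` body starts and ends outside the hunk.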
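Review bot: In the `@@ -154` hunk the block-change test `if ($define_name ne ${$old_define_name})` still compares only the name, although a guard is now identified by name, prefix and suffix together. Two consecutive modules whose names match but whose prefixes differ would be emitted under one `#if`; no such pair is visible in this patch, so this is a robustness point, not an observed failure. Storing the expanded macro list instead removes the three scalar references and the positional array, for example `my $guard = join(',', map { "$define_prefix$_$define_suffix" } split(/,/, $define_name));`, compared against the saved value. If the references stay, `\$old_define->[0]` reads more clearly than `\${$old_define}[0]`.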
@@ -183,42 +195,44 @@ foreach my $match (@matches) $first = 0; foreach my $dep (split(/,/, ${define_name})) { - ${$code_check} .= " || " if ($first); - $headers .= " || " if ($first++); + ${$code_check} .= " || \\\n " if ($first); + $headers .= " || \\\n " if ($first++); - ${$code_check} .= "defined(MBEDTLS_${dep}_C)"; - $headers .= "defined(MBEDTLS_${dep}_C)" if - ($include_name ne ""); + ${$code_check} .= "defined(${define_prefix}${dep}${define_suffix})"; + $headers .= "defined(${define_prefix}${dep}${define_suffix})" + if ($include_name ne ""); } ${$code_check} .= "\n"; $headers .= "\n#include \"mbedtls/${include_name}.h\"\n". "#endif\n\n" if ($include_name ne ""); - ${$old_define} = $define_name; + ${$old_define_name} = $define_name; + ${$old_define_prefix} = $define_prefix; + ${$old_define_suffix} = $define_suffix; } ${$code_check} .= "${white_space}case -($error_name):\n". "${white_space} return( \"$module_name - $description\" );\n" }; -if ($ll_old_define ne "") +if ($ll_old_define[0] ne "") { $ll_code_check .= "#endif /* "; my $first = 0; - foreach my $dep (split(/,/, $ll_old_define)) + foreach my $dep (split(/,/, $ll_old_define[0])) { - $ll_code_check .= " || " if ($first++); - $ll_code_check .= "MBEDTLS_${dep}_C"; + $ll_code_check .= " || \n " if ($first++); + $ll_code_check .= "${ll_old_define[1]}${dep}${ll_old_define[2]}"; } $ll_code_check .= " */\n"; } -if ($hl_old_define ne "") +if ($hl_old_define[0] ne "") { $hl_code_check .= "#endif /* "; my $first = 0; - foreach my $dep (split(/,/, $hl_old_define)) + foreach my $dep (split(/,/, $hl_old_define[0])) { - $hl_code_check .= " || " if ($first++); - $hl_code_check .= "MBEDTLS_${dep}_C"; + $hl_code_check .= " || \n " if ($first++); + $hl_code_check .= "${hl_old_define[1]}${dep}${hl_old_define[2]}"; } $hl_code_check .= " */\n"; } From 72cc7bb706159e79be5726d6d7096db9931f9449 Mon Sep 17 00:00:00 2001 
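Review bot: The `#endif /* ... */` comment is now built by three copies of the same loop: one inside the `foreach my $match` body in the previous hunk, and the `$ll_old_define[0]` and `$hl_old_define[0]` tails here. Each must use the same prefix, suffix and separator as the `#if` line. The copies already differ from the `#if` builder in the separator, `" || \n "` against `" || \\\n "`. That is harmless inside a C comment, but it is easy to carry into the wrong place on a later edit. A small private helper that takes the saved name list, prefix and suffix and returns the finished `#endif` line would leave one place to change. It should carry a comment noting that the separator needs no continuation backslash because the text sits inside a block comment.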
From: Gabor Mezei Date: Thu, 24 Apr 2025 16:26:37 +0200 Subject: [PATCH 3/5] Start the generation at the beginning of the line The markers for the generated code need to be indented due to the code style check. During the replacement remove the spaces along with the markers. Signed-off-by: Gabor Mezei --- scripts/generate_errors.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl index 499307b9d8..f4154e37cc 100755 --- a/scripts/generate_errors.pl +++ b/scripts/generate_errors.pl @@ -238,8 +238,8 @@ if ($hl_old_define[0] ne "") } $error_format =~ s/HEADER_INCLUDED\n/$headers/g; -$error_format =~ s/LOW_LEVEL_CODE_CHECKS\n/$ll_code_check/g; -$error_format =~ s/HIGH_LEVEL_CODE_CHECKS\n/$hl_code_check/g; +$error_format =~ s/ *LOW_LEVEL_CODE_CHECKS\n/$ll_code_check/g; +$error_format =~ s/ *HIGH_LEVEL_CODE_CHECKS\n/$hl_code_check/g; open(ERROR_FILE, ">$error_file") or die "Opening destination file '$error_file': $!"; print ERROR_FILE $error_format; From c45f3d6a1d5cbe8e381d603a325627d9d14c83a4 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Wed, 4 Jun 2025 15:47:54 +0200 Subject: [PATCH 4/5] Update PSA repo Signed-off-by: Gabor Mezei --- tf-psa-crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf-psa-crypto b/tf-psa-crypto index 35ae18cf89..d056817e03 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 35ae18cf891d3675584da41f7e830f1de5f87f07 +Subproject commit d056817e037e350320519613848309559909f581 From 2649800f7c3f48eee871c905219f4e3c895498a5 Mon Sep 17 00:00:00 2001 From: Gabor Mezei Date: Thu, 5 Jun 2025 10:38:25 +0200 Subject: [PATCH 5/5] Do not disable `PSA_WANT_SHA3` macros when driver accel is used The SW implementation is guarded with the `MBEDTLS_PSA_BUILTIN_ALG_SHA3` macros and not enabled when driver acceleration is set. So disabling the `PSA_WANT` macros is not needed.
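Review bot: The two updated substitutions in the `@@ -238` hunk of `scripts/generate_errors.pl` are not anchored. ` *LOW_LEVEL_CODE_CHECKS\n` matches the marker wherever it ends a line, including after other text in the template, and it strips only spaces, so a tab-indented marker keeps its indentation in the generated file. Anchoring the pattern to the start of a line makes the stated intent explicit: `$error_format =~ s/^[ \t]*LOW_LEVEL_CODE_CHECKS\n/$ll_code_check/mg;`, with the same change for `HIGH_LEVEL_CODE_CHECKS`. The `HEADER_INCLUDED` substitution is left without the leading-space handling, presumably because that marker is not indented in the template. A one-line comment above the three substitutions saying which markers may be indented would record that.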
Signed-off-by: Gabor Mezei --- tests/scripts/components-configuration-crypto.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 16a399ab4e..e72b837898 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1557,7 +1557,6 @@ component_test_psa_crypto_config_accel_hash () { scripts/config.py unset MBEDTLS_SHA256_C scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' # Build # ----- @@ -1597,7 +1596,6 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' fi } @@ -1680,7 +1678,6 @@ config_psa_crypto_hmac_use_psa () { # Disable also the builtin hashes since they are supported by the driver # and MD module is able to perform PSA dispathing. scripts/config.py unset-all MBEDTLS_SHA - scripts/config.py unset-all 'PSA_WANT_ALG_SHA3_*' scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C fi