Use TF-M PSA API headers when compiling with TF-M enabled.
Fixes: #43249
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
MbedTLS 3.5.0 requires a implementation of mbedtls_ms_time giving a
time in ms for TLS 1.3
Therefor adding an alternative implementation using zephyrs
k_uptime_get
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
build_info.h of mbedtls includes the config file for mbedtls but
also includes check_config.h so its not needed to have it in the
config file
Signed-off-by: Markus Swarowsky <markus.swarowsky@nordicsemi.no>
rand32.h does not make much sense, since the random subsystem
provides more APIs than just getting a random 32 bits value.
Rename it to random.h and get consistently with other
subsystems.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Instead of detecting that we are in a native/POSIX arch based
board by checking for each board specifically,
let checks for the architecture.
In that way other boards (like the upcoming nrf53_bsim ones)
will also work.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
This commit instructs mbedtls to use 64-bit alignment in its internal
memory allocation routines when targeting 64-bit platforms. By default
mbedtls uses 32-bit alignment regardless the platform, what may result
in misaligned memory accesses, possibly inducing access time overhead or
exceptions
Signed-off-by: Vladimir Graudt <vladimir.graudt@syntacore.com>
Commit adds configuration for mesh with mbedtls PSA
to CI BabbleSim tests as well as emulation of
the Internal Trustable Storage(ITS) based on Zephyr's
settings to run in parallel environment.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
Update trusted-firmware-m to 1.8.0, mbedtls to 3.4.0, and tf-m-tests to
1.8.0. Includes minor cmake changes due to file renames and such, as well
as adjusting the return type of a callback function that has changed since
the previous version of trusted-firmware-m.
Signed-off-by: David Brown <david.brown@linaro.org>
TFM redefines functions from mbed TLS's psa_crypto_slot_management.c,
therefore that file should not be included in build when TFM is enabled.
Otherwise, the linker reports an error about redefined functions like
psa_open_key() etc.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
After an update to mbed TLS 3.3.0, dependencies with
CONFIG_MBEDTLS_PSA_CRYPTO_C enabled got affected.
mbed TLS in its build_info.h file, enables MBEDTLS_PK_WRITE_C config
under the hood. MBEDTLS_PK_WRITE_C has a dependency to
MBEDTLS_ASN1_WRITE_C which wasn't reflected anywhere.
Therefore, update Kconfig.tls-generic to enable
CONFIG_MBEDTLS_PK_WRITE_C automatically, when PSA crypto is enabled, to
reflect mbed TLS configuration pattern. Additionally, enable
MBEDTLS_ASN1_WRITE_C automatically, when PK write is enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add a kconfig symbol to control the mbedtls option
`MBEDTLS_AES_FEWER_TABLES`. 6KiB is a not insignificant ROM/RAM savings,
and the extra arthmetic is quite reasonable.
Signed-off-by: Jordan Yates <jordan.yates@data61.csiro.au>
Update trusted-firmware-m to 1.8.0, mbedtls to 3.4.0, and tf-m-tests to
1.8.0. Includes minor cmake changes due to file renames and such, as well
as adjusting the return type of a callback function that has changed since
the previous version of trusted-firmware-m.
Signed-off-by: David Brown <david.brown@linaro.org>
SYS_INIT() requires pointer to function that takes `void` now, instead of
pointer to device structure. Since the commit was developed before that
switch, it still invoked it with NULL. Fix that now.
Fixes:
zephyr/modules/mbedtls/zephyr_init.c: In function 'mbedtls_init':
zephyr/modules/mbedtls/zephyr_init.c:108:16: error: too many arguments \
to function '_mbedtls_init'
108 | return _mbedtls_init(NULL);
| ^~~~~~~~~~~~~
zephyr/modules/mbedtls/zephyr_init.c:86:12: note: declared here
86 | static int _mbedtls_init(void)
|
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Add a config flag to enable conditional mbebtls
initialization at startup, defaulting to enabled.
Also add a function, mbedtls_init(), that should be
called by platforms that wish to initialise mbedtls
at a time of their choosing.
Signed-off-by: Eugene Cohen <quic_egmc@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
A mesh key type has been added to be able to choose the different
key representation for different security libraries.
The type as well as some functionality related to Mesh key
management has been added as a public API.
If tynicrypt is chosen then keys have representation
as 16 bytes array. If mbedTLS with PSA is used then keys are
the PSA key id. Raw value is not kept within BLE Mesh stack
for mbedTLS. Keys are imported into the security library
and key ids are gotten back. This refactoring has been done
for the network(including all derivated keys), application,
device, and session keys.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
Previously, Zephyr's mbedtls module's cmake build created a single static
library, rather than the collection of libraries (mbedtls, mbedcrypto,
and mbedx509) that upstream mbedTLS cmake provides.
To give better control at link time to choose the required libraries to
link, this commit updates the Zephyr MbedTLS module to also define a
collection of libraries rather than a single static MbedTLS library.
One benefit of the three library approach is that if mbedTLS is used in
Zephyr in the the non-secure application in addition to TFM's PSA Crypto
API on the secure side with TF-M, PSA API calls on the non-secure side
will be redirected to the TFM PSA implementation, and the mbedcrypto
library will only be linked to the secure (TF-M) binary, with the mbedtls
and mbedx509 libraries linked against the non-secure (Zephyr) binary,
enabling TLS calls to PSA crypto to be redirected to mbedcrypto in the
secure partition and avoiding function duplication in the non-secure
binary.
Signed-off-by: Rajkumar Kanagaraj <rajkumar.kanagaraj@linaro.org>
Commit adds experimental support mbedtls psa as crypto
backend for ble mesh. It were run only on bsim tests.
Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
The init infrastructure, found in `init.h`, is currently used by:
- `SYS_INIT`: to call functions before `main`
- `DEVICE_*`: to initialize devices
They are all sorted according to an initialization level + a priority.
`SYS_INIT` calls are really orthogonal to devices, however, the required
function signature requires a `const struct device *dev` as a first
argument. The only reason for that is because the same init machinery is
used by devices, so we have something like:
```c
struct init_entry {
int (*init)(const struct device *dev);
/* only set by DEVICE_*, otherwise NULL */
const struct device *dev;
}
```
As a result, we end up with such weird/ugly pattern:
```c
static int my_init(const struct device *dev)
{
/* always NULL! add ARG_UNUSED to avoid compiler warning */
ARG_UNUSED(dev);
...
}
```
This is really a result of poor internals isolation. This patch proposes
a to make init entries more flexible so that they can accept sytem
initialization calls like this:
```c
static int my_init(void)
{
...
}
```
This is achieved using a union:
```c
union init_function {
/* for SYS_INIT, used when init_entry.dev == NULL */
int (*sys)(void);
/* for DEVICE*, used when init_entry.dev != NULL */
int (*dev)(const struct device *dev);
};
struct init_entry {
/* stores init function (either for SYS_INIT or DEVICE*)
union init_function init_fn;
/* stores device pointer for DEVICE*, NULL for SYS_INIT. Allows
* to know which union entry to call.
*/
const struct device *dev;
}
```
This solution **does not increase ROM usage**, and allows to offer clean
public APIs for both SYS_INIT and DEVICE*. Note that however, init
machinery keeps a coupling with devices.
**NOTE**: This is a breaking change! All `SYS_INIT` functions will need
to be converted to the new signature. See the script offered in the
following commit.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
init: convert SYS_INIT functions to the new signature
Conversion scripted using scripts/utils/migrate_sys_init.py.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
manifest: update projects for SYS_INIT changes
Update modules with updated SYS_INIT calls:
- hal_ti
- lvgl
- sof
- TraceRecorderSource
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: devicetree: devices: adjust test
Adjust test according to the recently introduced SYS_INIT
infrastructure.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
tests: kernel: threads: adjust SYS_INIT call
Adjust to the new signature: int (*init_fn)(void);
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
This is a follow-up to commit c7327f5f70.
Wrap implementation of the `mbedtls_hardware_poll()` function in
`#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)` so that the function
is provided only when that option is activated.
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
Instead of using "select" on certain EC configurations, which is
considered unsafe for various reasons, use a "depends on" and rely on
the user to set a proper configuration in the config file.
Update the respective project configurations to comply with the new
configuration scheme.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Debug log messages generated by mbedTLS library contain newline at the end
of log string. Remove this newline, if it exists, so that log output is
much more user friendly.
Add a dedicated Kconfig option for that, so it can be disabled on request.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far LOG_DBG() was used inside debug hook for mbedTLS library. This meant
that it was hard to distinct log messages by simply looking at the log
level number, even though Zephyr logging subsystem supports colorful logs
depending on log level.
Choose an appropriate Zephyr LOG_*() macro based on log level coming from
mbedTLS library. Remove log level number from formatted log messages, as it
is now redundant.
One controversial thing about this change is that mbedTLS' "2 State change"
log level is mapped to Zephyr's "warning" log level. Those are not really
warnings in real life, but rather informational messages. However, using
"warning" log level for those allows to clearly distinguish between "2
State change" and "3 Informational" debug messages from mbedTLS.
Additionally, mbedTLS debug message implementation does not seem to be safe
to use in production, so keeping in mind MBEDTLS_DEBUG will be enabled just
during debugging phase, printing "2 State change" logs as warnings should
not be a big deal.
Set default MBEDTLS_DEBUG_LEVEL value depending on selected Zephyr logging
module level, so that only single option needs to be configured in
application project.
Remove prompt for MBEDTLS_DEBUG_LEVEL, so that interactively (e.g. via
menuconfig) adjusting MBEDTLS_LOG_LEVEL will always result in automatically
updating MBEDTLS_DEBUG_LEVEL option. This is to prevent so called "stuck
symbol syndrome".
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a runtime basename extraction of filenames passed to
mbedTLS debug hook. This has both runtime penalty as well as code size
penalty.
Introduce a buildtime support of extracting basename of source filenames
logged using logging subsystem, so that there is no need to do it at
runtime.
Provide Kconfig options for both buildtime and runtime basename extraction,
as in some cases the buildtime basename extraction might not work,
depending on toolchain used for building Zephyr. Default to buildtime when
using Zephyr SDK, as that is proven to work. Use runtime basename
extraction in other cases (other toolchains used).
This saves approximately 204 bytes of code footprint for sample
application with native TLS sockets built for nRF52840.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
mbedTLS library threshold initialization was done in native TLS socket
implementation (which tends to use mbedTLS now) and inside mbedTLS
benchmark test. Move that to mbedTLS module initialization, as this is a
global setting.
Update description of CONFIG_MBEDTLS_DEBUG_LEVEL to clarify when
mbedtls_debug_set_threshold() is called.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a debug log hook installed in TLS socket implementation.
However, mbedTLS (with debug enabled) might be used outside from TLS socket
and even outside from networking context.
Add new module, which implements debug log hook and makes it available
whenever CONFIG_MBEDTLS_DEBUG is enabled.
Note that debug hook needs to be installed for each mbedTLS context
separately, which means that this requires action from mbedTLS users, such
as TLS sockets implementation.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Add module specific compiler flags to suppress reporting unused
variables and unused functions in mbedtls building.
Signed-off-by: Eugene Cohen <quic_egmc@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
Instead of relying on selected ciphesuite to enable mbed TLS EC configs,
add separate config entries to enable them. This allows to use EC
functionality w/o TLS/DTLS enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
psa_crypto_cipher.c includes an internal header with <>, causing
complication errors in Zephyr (header not found).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to mbedTLS' Changelog "Mbed TLS 3.0.0 branch released
2021-07-07" -> "Removals":
MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it
is now determined automatically based on supported curves.
Hence remove MBEDTLS_ECP_MAX_BITS from configuration files to fix build
issues with Zephyr when there is unfortunate order of include
statements.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Before mbedTLS 3.0 there was just SHA512 option, which enabled both SHA384
and SHA512 support. mbedTLS 3.0 introduced SHA384 specific option, which
means that SHA384 got unsupported after merging
commit 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0").
Introduce SHA384 Kconfig options, so that support for it can be selected in
project configuration if needed. Since SHA384 still depends on SHA512 to be
selected, add such dependency in Kconfig.
Select SHA384 support in non-generic (not configured by Kconfig) mbedTLS
config headers, so that previous (before mbedTLS 3.0 was merged) behavior
is regained.
Fixes: 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
In order to bring consistency in-tree, migrate all modules code to the
new prefix <zephyr/...>. Note that the conversion has been scripted,
refer to zephyrproject-rtos#45388 for more details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Add Kconfig configuration options which allow to configure
session caching in mbed TLS.
Note, that mbed TLS only takes care of server-side caching, the
application (socket layer) needs to implement a session storage for
client.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Joakim Andersson