Dev/davhaz01/upgrade tfm

applications/blinky/CMakeLists.txt

@@ -4,6 +4,8 @@
 
 cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky" CACHE STRING "Path to the application folder")
+
 # Trusted Firmware-M setup
 set(TFM_CMAKE_APP_ARGS
     -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky/configs/tfm_config/project_config.h

applications/blinky/tests/pass_output.log

@@ -1,6 +1,6 @@
 Waiting for provisioning bundle
 Running provisioning bundle
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 psa_framework_version is: 257
 LED on
 LED off

applications/freertos_iot_libraries_tests/CMakeLists.txt

@@ -20,6 +20,8 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR)
 set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10")
 set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20")
 
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder")
+
 # Trusted Firmware-M setup
 set(TFM_CMAKE_APP_ARGS
     -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h

applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h

@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

applications/helpers/provisioning/dev_mode_key_provisioning.c

@@ -1376,8 +1376,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
     size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH;
     size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey );
     int result = 0;
-    psa_status_t status = PSA_SUCCESS;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    mbedtls_pk_context xMbedPkContext = { 0 };
+
+    mbedtls_pk_init( &xMbedPkContext );
 
     result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey,
                                  xPubKeyPemLength,
@@ -1386,22 +1388,55 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
 
     if( result != 0 )
     {
-        return result;
+        goto exit;
+    }
+
+    /*
+     * From mbedtls 3.6.0 release note:
+     *
+     * Default behavior changes
+     * psa_import_key() now only accepts RSA keys in the PSA standard formats.
+     * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
+     * PEM) accepted by the pkparse module has been removed. Applications that
+     * need these formats can call mbedtls_pk_parse_{public,}key() followed by
+     * mbedtls_pk_import_into_psa().
+     */
+
+    result = mbedtls_pk_parse_public_key( &xMbedPkContext,
+                                          ( const unsigned char * ) pucPubKeyDerFormatBuffer,
+                                          xPubKeyDerLength );
+
+    if( result != 0 )
+    {
+        goto exit;
+    }
+
+    result = mbedtls_pk_get_psa_attributes( &xMbedPkContext,
+                                            PSA_KEY_USAGE_VERIFY_HASH,
+                                            &attributes );
+
+    if( result != 0 )
+    {
+        goto exit;
     }
 
-    psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
     psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
-    psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY );
     psa_set_key_bits( &attributes, keyBits );
-    status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBuffer,
-                             xPubKeyDerLength, pxKeyHandle );
 
-    if( status != PSA_SUCCESS )
+    result = mbedtls_pk_import_into_psa( &xMbedPkContext,
+                                         &attributes,
+                                         pxKeyHandle );
+
+    if( result != 0 )
     {
         *pxKeyHandle = NULL;
+        goto exit;
     }
 
-    return status;
+exit:
+    mbedtls_pk_free( &xMbedPkContext );
+
+    return result;
 }
 
 /*-----------------------------------------------------------*/

applications/keyword_detection/CMakeLists.txt

@@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine
 
 set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
 
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection" CACHE STRING "Path to the application folder")
+
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
 # {

applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h

@@ -1171,7 +1171,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

applications/keyword_detection/tests/pass_output.log

@@ -2,7 +2,7 @@ Waiting for provisioning bundle
 Running provisioning bundle
 Application version from appFirmwareVersion 0.0.10
 Starting bootloader
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 PSA Framework version is: 257
 Application version from appFirmwareVersion 0.0.20
 ML interface initialised

applications/object_detection/CMakeLists.txt

@@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine
 
 set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
 
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection" CACHE STRING "Path to the application folder")
+
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
 # {

applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h

@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

applications/object_detection/tests/pass_output.log

@@ -2,7 +2,7 @@ Waiting for provisioning bundle
 Running provisioning bundle
 Application version from appFirmwareVersion 0.0.10
 Starting bootloader
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 PSA Framework version is: 257
 Application version from appFirmwareVersion 0.0.20
 Complete recognition: Detected faces: 2

applications/speech_recognition/CMakeLists.txt

@@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine
 
 set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)")
 
+set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition" CACHE STRING "Path to the application folder")
+
 # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h
 # struct version
 # {

applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h

@@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr );
  * \warning This interface is experimental and may change or be removed
  * without notice.
  */
-/* #define MBEDTLS_PSA_CRYPTO_CLIENT */
+#define MBEDTLS_PSA_CRYPTO_CLIENT
 
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
  *

applications/speech_recognition/tests/pass_output.log

@@ -2,7 +2,7 @@ Waiting for provisioning bundle
 Running provisioning bundle
 Application version from appFirmwareVersion 0.0.10
 Starting bootloader
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 PSA Framework version is: 257
 Application version from appFirmwareVersion 0.0.20
 Init speex

components/aws_iot/coremqtt_agent/integration/CMakeLists.txt

@@ -30,4 +30,5 @@ target_link_libraries(coremqtt-agent
         freertos_kernel
         helpers-events
         helpers-logging
+        tfm-ns-interface-mbedtls-config
 )

components/security/trusted_firmware-m/integration/CMakeLists.txt

@@ -16,11 +16,13 @@ add_dependencies(tfm-ns-interface trusted_firmware-m-build)
 target_include_directories(tfm-ns-interface
     PUBLIC
         ${BINARY_DIR}/api_ns/interface/include
+        ${BINARY_DIR}/api_ns/platform/include
 )
 
 target_link_libraries(tfm-ns-interface
     PRIVATE
         ${s_veneers_generated}
+        tfm-ns-interface-mbedtls-config
 )
 
 target_compile_definitions(tfm-ns-interface
@@ -31,3 +33,26 @@ target_compile_definitions(tfm-ns-interface
         $<$<STREQUAL:${ARM_CORSTONE_BSP_TARGET_PLATFORM},corstone310>:PLATFORM_DEFAULT_CRYPTO_KEYS>
         MCUBOOT_IMAGE_NUMBER=2
 )
+
+add_library(tfm-ns-interface-mbedtls-config INTERFACE)
+
+if(APPLICATION_PATH MATCHES ".*blinky")
+    # TODO: These compile definitions shouldn't be defined explicitly for `blinky` application as
+    # they should have been defined by `psa_crypto_config` library which should be linked
+    # to `tfm-ns-interface-mbedtls-config` library. However, since we are not using TF-M split-build feature,
+    # the exported library `psa_crypto_config` is not used by the non-secure side and these definitions are missing.
+    target_compile_definitions(tfm-ns-interface-mbedtls-config
+        INTERFACE
+            MBEDTLS_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default_client.h"
+            MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h"
+    )
+else()
+    target_link_libraries(tfm-ns-interface-mbedtls-config
+        INTERFACE
+            app-config
+    )
+    target_compile_definitions(tfm-ns-interface-mbedtls-config
+        INTERFACE
+            MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h"
+    )
+endif()

docs/applications/keyword_detection.md

@@ -98,7 +98,7 @@ To run the Keyword-Detection example, run the following command:
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>Creating an empty ITS flash layout.
 Creating an empty PS flash layout.
 [INF][Crypto] Provisioning entropy seed... complete.
@@ -240,7 +240,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>Creating an empty ITS flash layout.
 Creating an empty PS flash layout.
 [INF][Crypto] Provisioning entropy seed... complete.
@@ -315,7 +315,7 @@ Creating an empty PS flash layout.
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>[INF][Crypto] Provisioning entropy seed... complete.
 0 0 [None] [INFO] PSA Framework version is: 257
 1 0 [None] Write certificate...

docs/applications/object_detection.md

@@ -62,7 +62,7 @@ Check [Device Provisioning](./device_provisioning/device_provisioning.md) for de
 [INF] Image index: 0, Swap type: none
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 <NUL>[Sec Thread] Secure image initializing!
 <NUL>[INF][Crypto] Provisioning entropy seed... complete.
 0 0 [None] [INFO] PSA Framework version is: 257
@@ -373,7 +373,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw
 [INF] Image index: 0, Swap type: none
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
-Booting TF-M v2.0.0
+Booting TF-M v2.1.0
 <NUL>[Sec Thread] Secure image initializing!
 <NUL>Creating an empty ITS flash layout.
 Creating an empty PS flash layout.

docs/applications/speech_recognition.md

@@ -76,7 +76,7 @@ To run the Speech-Recognition example, run the following command:
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>Creating an empty ITS flash layout.
 Creating an empty PS flash layout.
 [INF][Crypto] Provisioning entropy seed... complete.
@@ -224,7 +224,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>Creating an empty ITS flash layout.
 Creating an empty PS flash layout.
 [INF][Crypto] Provisioning entropy seed... complete.
@@ -295,7 +295,7 @@ Creating an empty PS flash layout.
 [INF] Bootloader chainload address offset: 0x0
 [INF] Jumping to the first image slot
 [Sec Thread] Secure image initializing!
-<NUL>Booting TF-M v2.0.0
+<NUL>Booting TF-M v2.1.0
 <NUL>[INF][Crypto] Provisioning entropy seed... complete.
 0 0 [None] [INFO] PSA Framework version is: 257
 1 0 [None] Write certificate...

manifest.yml

@@ -19,14 +19,14 @@ dependencies:
       path: "bsp/library"
   - name: "trusted-firmware-m"
     license: "BSD-3-Clause"
-    version: "689dfc1ea7e1e66f26159a24d489261ae2029103"
+    version: "TF-Mv2.1.0"
     repository:
       type: "git"
       url: "https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git"
       path: "components/security/trusted_firmware-m/library"
   - name: "mbedtls"
     license: "Apache-2.0"
-    version: "v3.5.2"
+    version: "v3.6.0"
     repository:
       type: "git"
       url: "https://github.com/Mbed-TLS/mbedtls.git"

release_changes/202404221321.change

@@ -0,0 +1 @@
+build: Bump TF-M version to v2.1.0