Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the reference configs to use MBEDTLS_PSA_CRYPTO_CONFIG #9057

Merged
merged 23 commits into from May 23, 2024
Merged

Update the reference configs to use MBEDTLS_PSA_CRYPTO_CONFIG #9057

merged 23 commits into from May 23, 2024

Conversation

Ryan-Everett-arm
Copy link
Contributor

@Ryan-Everett-arm Ryan-Everett-arm commented Apr 25, 2024
edited by ronald-cron-arm

Description

Update the reference configs to use the new PSA symbols and have MBEDTLS_PSA_CRYPTO_CONFIG turned on. These configs are tested by component_test_ref_configs, which runs them with PSA disabled/enabled.

This doesn't modify config-no-entropy.h, it is my understanding that PSA requires entropy so this config does not work with this change.

The new config files were created by replacing legacy symbols with equivalent PSA symbols (the equivalences can be derived from config_adjust_legacy_from_psa.h and config_adjust_psa_from_legacy.h). The crypto config files are referenced in the same style config-tfm uses. Defined and inferred symbols can be checked via ./build/programs/test/query_compile_time_config -l

Progresses #8153.

Dependency: #9063

PR checklist

Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")

  • changelog not required
  • 3.6 backport for a few small preexisting issues: [Backport 3.6] Partial backport of #9057 #9160
  • 2.28 backport not required - 4.0 work
  • tests check that each configuration still seems to do what it's intended to do, e.g. that it's executing the right test cases

@Ryan-Everett-arm Ryan-Everett-arm added needs-review Every commit must be reviewed by at least two team members, needs-ci Needs to pass CI tests needs-reviewer This PR needs someone to pick it up for review labels Apr 25, 2024
@Ryan-Everett-arm Ryan-Everett-arm self-assigned this Apr 25, 2024
@Ryan-Everett-arm Ryan-Everett-arm added size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon labels Apr 26, 2024
@Ryan-Everett-arm Ryan-Everett-arm added this to To Do in Roadmap Board for Mbed TLS via automation Apr 26, 2024
@Ryan-Everett-arm Ryan-Everett-arm moved this from To Do to In Review in Roadmap Board for Mbed TLS Apr 26, 2024
@ronald-cron-arm ronald-cron-arm self-requested a review April 26, 2024 11:43
@tom-daubney-arm
Copy link
Contributor

FYI all_u16-test_m32_o2 error is a timeout rather than a test failure

@tom-daubney-arm
Copy link
Contributor

I am happy to review this PR but won't have time today, and am out Mon and Tues next week, which is not ideal timing for Ryan's rotation. If this is not fully reviewed by Wednesday morning I will pick it up and do it Weds.

@gilles-peskine-arm gilles-peskine-arm removed needs-ci Needs to pass CI tests needs-reviewer This PR needs someone to pick it up for review labels Apr 26, 2024
gilles-peskine-arm
gilles-peskine-arm requested changes Apr 26, 2024
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is on the right track, but incomplete in several ways, notably because some features are still enabled only because we used to need them and not because we still want them.

I noticed a few preexisting small issues, which should be fixed in 3.6 with a small backport.

For validation we should check that we're still testing what we intended to test, and I found a preexisting problem that we're currently not testing what we intended to test. We'll probably need to put this pull request on hold until that is fixed, or at least until we understand the cause and how to fix it.

configs/config-symmetric-only.h Show resolved Hide resolved
configs/crypto-config-ccm-psk-tls1_2.h Outdated Show resolved Hide resolved
configs/config-ccm-psk-dtls1_2.h Outdated Show resolved Hide resolved
configs/config-suite-b.h Outdated Show resolved Hide resolved
configs/config-suite-b.h Outdated Show resolved Hide resolved
configs/crypto-config-thread.h Outdated Show resolved Hide resolved
configs/crypto-config-thread.h Outdated Show resolved Hide resolved
configs/crypto-config-thread.h Show resolved Hide resolved
configs/config-ccm-psk-dtls1_2.h Show resolved Hide resolved
configs/config-ccm-psk-dtls1_2.h Show resolved Hide resolved
Roadmap Board for Mbed TLS automation moved this from In Review to In Development Apr 26, 2024
@gilles-peskine-arm gilles-peskine-arm added needs-work needs-preceding-pr Requires another PR to be merged first and removed needs-review Every commit must be reviewed by at least two team members, labels Apr 26, 2024
@ronald-cron-arm ronald-cron-arm mentioned this pull request Apr 30, 2024
Open
@Ryan-Everett-arm
Copy link
Contributor Author

I have addressed the uncontroversial issues with this PR. The test coverage comments and HMAC comments may need some more discussion before a change can be made.

@ronald-cron-arm ronald-cron-arm requested review from tom-daubney-arm and removed request for ronald-cron-arm May 14, 2024 09:10
@ronald-cron-arm ronald-cron-arm added the needs-ci Needs to pass CI tests label May 15, 2024
@ronald-cron-arm ronald-cron-arm removed needs-work needs-ci Needs to pass CI tests labels May 16, 2024
@ronald-cron-arm
Resolve PBKDF2_AES_CMAC_PRF_128 dependencies
a33a824 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm
Fix "maybe-uninitialized" warning with GCC 11.3
1f95ede 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
gilles-peskine-arm
gilles-peskine-arm requested changes May 16, 2024
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SSL tests that pass (grep 'configs/config' | grep -v ';test_suite_' | grep PASS) look sensible to me.

The configuration adjustment is unfortunately not quite right. Other than that and a minor thing in the Thread configuration, this looks good to me.

configs/crypto-config-thread.h Outdated Show resolved Hide resolved
tests/scripts/test-ref-configs.pl Outdated Show resolved Hide resolved
include/psa/crypto_adjust_config_dependencies.h Outdated
* \brief Adjust PSA configuration by resolving some dependencies.
*
* See docs/proposed/psa-conditional-inclusion-c.md.
* If a cryptographic mechanism A depends on a cryptographic mechanism B and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is actually not quite right when drivers are involved. If our implementation of A uses B, then MBEDTLS_PSA_BUILTIN_A should automatically enable PSA_WANT_B. (Not MBEDTLS_PSA_BUILTIN_B, so that we can provide A on top of a driver for B if there is a driver for B but not A.) But there could be a driver for A that doesn't do B.

Please clarify the documentation and fix the implementation. This may also require tweaking the order of the adjustments.

include/psa/crypto_adjust_config_dependencies.h
*/

#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: this will need to be reconciled with #9061, which changes the boilerplate that goes into all adjust-config headers.

Roadmap Board for Mbed TLS automation moved this from In Review to In Development May 16, 2024
@gilles-peskine-arm gilles-peskine-arm added needs-work and removed needs-preceding-pr Requires another PR to be merged first labels May 16, 2024
@gilles-peskine-arm gilles-peskine-arm mentioned this pull request May 17, 2024
Open
4 tasks
@ronald-cron-arm
Fix the resolution of dependencies on HMAC
97f0ea7 
The Mbed TLS implementations of ALG_TLS12_PRF,
ALG_TLS12_PSK_TO_MS, ALG_HKDF, ALG_HKDF_EXTRACT,
ALG_HKDF_EXPAND and ALG_PBKDF2 rely on HMAC
operations through the driver interface. Thus
if one of these algorithms is enabled and not
accelerated, we need ALG_HMAC to be enabled
(PSA_WANT_ALG_HMAC and PSA_WANT_KEY_TYPE_HMAC
defined). As HMAC operations occur through
the driver interface, HMAC operations can be
accelerated even if the caller algorithm
is not.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm
Fix PBKDF2_AES_CMAC_PRF_128 dependencies
c4c8bdf 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm
Fix crypto_adjust_config_dependencies.h documentation
b48c870 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm
Adjust crypto-config-thread.h
ca6b1e9 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm
Improve test-ref-configs.pl
b30cd3b 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
@ronald-cron-arm ronald-cron-arm moved this from In Development to In Review in Roadmap Board for Mbed TLS May 17, 2024
@ronald-cron-arm
Copy link
Contributor

@gilles-peskine-arm I've addressed your last comments, please have another look. Thanks.

@gilles-peskine-arm gilles-peskine-arm mentioned this pull request May 21, 2024
Open
4 tasks
gilles-peskine-arm
gilles-peskine-arm approved these changes May 21, 2024
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ronald-cron-arm ronald-cron-arm added the needs-backports Backports are missing or are pending review and approval. label May 22, 2024
@ronald-cron-arm ronald-cron-arm mentioned this pull request May 22, 2024
Merged
4 tasks
tom-daubney-arm
tom-daubney-arm approved these changes May 22, 2024
View reviewed changes
Copy link
Contributor

@tom-daubney-arm tom-daubney-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks

Roadmap Board for Mbed TLS automation moved this from In Review to Has Approval May 22, 2024
@tom-daubney-arm tom-daubney-arm added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, labels May 22, 2024
@ronald-cron-arm ronald-cron-arm added this pull request to the merge queue May 23, 2024
Merged via the queue into Mbed-TLS:development with commit f5473a0 May 23, 2024
5 of 6 checks passed
Roadmap Board for Mbed TLS automation moved this from Has Approval to Done May 23, 2024
@ronald-cron-arm ronald-cron-arm mentioned this pull request May 23, 2024
Open
5 tasks
github-merge-queue bot pushed a commit that referenced this pull request May 23, 2024
@ronald-cron-arm
Merge pull request #9160 from ronald-cron-arm/crypto-config-test_ref_…
baf6775 
…configs-3.6

[Backport 3.6] Partial backport of #9057
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronald-cron-arm ronald-cron-arm ronald-cron-arm left review comments

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm approved these changes

@tom-daubney-arm tom-daubney-arm tom-daubney-arm approved these changes

Assignees

@ronald-cron-arm ronald-cron-arm

Labels
approved Design and code approved - may be waiting for CI or backports needs-backports Backports are missing or are pending review and approval. priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)
Projects
Roadmap Board for Mbed TLS
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Ryan-Everett-arm @tom-daubney-arm @ronald-cron-arm @gilles-peskine-arm