Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update mbedtls-prepare-build for Mbed TLS 3.4+ #108

Open
wants to merge 38 commits into
base: main
Choose a base branch
from
Open

Update mbedtls-prepare-build for Mbed TLS 3.4+ #108

wants to merge 38 commits into from

Conversation

gilles-peskine-arm
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm commented Jul 11, 2023
edited
Loading

This is a collection of updates to mbedtls-prepare-build to add more presets and support some changes in mbedtls from the last couple of years. Has changes needed for 3.4, for 3.6, for the post-3.6 framework moves and for tf-psa-crypto as of 2024-07-17.

@gilles-peskine-arm
Add type annotations and pass mypy
0125a0c 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Add type annotations and pass mypy
a1b89bd 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New config mode: explicit
660e493 
Make a config file that only sets the options given explicitly, without
copying or including a base file.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New source subdirectory in 3.1+: tests/opt-testcases
b738dff 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New preset: ecc-heap
b4196ff 
Similar to scripts/ecc-heap.sh.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Improve support for 3rdparty "submodules"
49a8ddc 
Fix the build with Everest enabled.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Add pkcs7 to the list of x509 modules
99f539d 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support zeroize test program properly
d66dd97 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix dependencies of the dlopen test program
822b172 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Use Clang for ASAn+UBSan builds
6061435 
Clang finds more things than GCC

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New preset 'cf' for constant-flow testing with MSan
6d834a9 
Signed-off-by: Gilles Peskine <[email protected]>

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New preset 'opt' for a straightforward performance-optimized build
eb5917e 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New preset 'noplatform' for a configuration without platform stuff
4a2fd1a 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Add more Clang warnings to 'asan' and 'msan' presets
8602431 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix test suite running when there is both foo.data and foo.bar.data
578f793 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support test helper files under src/test_helpers
6767167 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm added enhancement New feature or request needs-review needs-reviewer size-s Estimated task size: small (~2d) priority-medium labels Jul 11, 2023
@gilles-peskine-arm
Completion for many mbedtls sample programs
a86e8f4 
* pk: dh_genprime, gen_key, key_app, key_app_writer.
* ssl: ssl_client2, ssl_mail_client, ssl_server2.
* x509: pem2der, cert_app, cert_req, cert_write, crl_app, req_app.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Improve config.py completion
3340323 
Recognize -f/--file option.

Recognize PSA_xxx symbols as well as MBEDTLS_xxx.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New target: ssl-opt
7a8b825 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support Mbed TLS 3.5+ generated files
ec7454c 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New presets asan-gcc, full-asan-gcc, tsan
7ad5049 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New preset alt
fcd3441 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support framework after generate_test_code.py move
c6a50c5 
Support mbedtls after Mbed-TLS/mbedtls#9200

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
m0plus preset: use baremetal_size rather than baremetal
f145d54 
The point of that preset is for code size measurements, so baremetal_size is
the configuration to use, now that it exists.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support framework after move of include/psa/*.h to tf-psa-crypto
2d9350d 
Support mbedtls after Mbed-TLS/mbedtls#9247

Signed-off-by: Gilles Peskine <[email protected]>

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix ambiguous "generated by" line and add "prepare" target
6b4a5a4 
Add shell quoting to the "generated by" line so that it can be copy-pasted
into a shell, even if some arguments contain spaces and other special
characters.

Add a new target `prepare`, alias `dep`: `make prepare` or `make dep`
regenerates the makefile. This might not yet work in all arrangements of the
build directory relative to the source directory; it works at least when
`mbedtls-prepare-build` is invoked inside the source directory.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support move of crypto headers and C sources to tf-psa-crypto
5b3bed2 
The build works on development as of cb854d5d19e05339448afb03839bee7f7e3ecd23.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm added size-m Estimated task size: medium (~1w) and removed size-s Estimated task size: small (~2d) labels Jul 17, 2024
@gilles-peskine-arm
Fix build failures on Everest even when it's disabled
cff5d81 
Fix build failures on Everest files that can happen even when Everst is
disabled (observed in development after Everest moved to tf-psa-crypto, but
that might occur in <=3.6 as well in some configurations). The build
failures are genuine, but our official build system skips those files
because they get the code from Hacl_Curve25519_joined.c instead.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Add an IAR preset
358e168 
Tested on mbedtls-3.6.1.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support test helpers in the tf-psa-crypto subtree
5e6dc1a 
Needed for mbedtls during repo split work between 3.6 and 4.0.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Have a run target for all the programs
5076e36 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Build all the SSL sample programs for ssl-opt
f376765 
Needed after Mbed-TLS/mbedtls#9638, no big deal
before.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
New method MakefileMaker.library_modules
16f85cb 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Support libtestdriver1 builds
8ba447a 
Initial commit to support builds with libtestdriver1.

The following command results in a configuration that should be the same as
`component_test_psa_crypto_config_accel_ecdsa`:
```
mbedtls-prepare-build -d build-accel-ecdsa-sha1-debug -p debug --config-set=MBEDTLS_PSA_CRYPTO_CONFIG --config-unset=MBEDTLS_PSA_CRYPTO_SE_C --accel-list={ALG_ECDSA,ALG_DETERMINISTIC_ECDSA,KEY_TYPE_ECC_PUBLIC_KEY,KEY_TYPE_ECC_KEY_PAIR_{BASIC,IMPORT,EXPORT,GENERATE,DERIVE},ECC_{SECP_R1_{192,224,256,384,521},SECP_K1_{192,224,256},BRAINPOOL_P_R1_{256,384,512},MONTGOMERY_{255,448}}} --config-unset=MBEDTLS_ECDSA_C,MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED,MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED --libtestdriver1-extra-list=ALG_SHA{_1,{,3}_{224,256,384,512}}
```

Known limitations:

* Barely tested.
* Only tested with a commit that's close to
  de4d5b78558666d2e258d95e6c5875f9c72687ed (development soon after the 3.6.1
  release).
* Only static library builds are supported.
* Only configurations based on the default configuration are supported.
  In particular, a configuration with threading (e.g. derived from `full`)
  requires setting `MBEDTLS_THREADING_C` and `MBEDTLS_THREADING_PTHREAD`
  manually in `--libtestdriver1-extra-cflags`.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix overly broad declared type
3b70ffd 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Protect against accidentally overwriting the source Makefile
856b217 
More generally, refuse to overwrite an existing file unless it has
"Generated by" in the first line. Make an exception for the config
header, which we commonly expect to be modified by test scripts.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix dodgy regex quoting
2383eea 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Make pylint slightly happier
16c7ec7 
Signed-off-by: Gilles Peskine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request needs-review needs-reviewer priority-medium size-m Estimated task size: medium (~1w)
Projects
Non-roadmap pull requests
Status: In Development
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@gilles-peskine-arm