Disabling MBEDTLS_FS_IO for FreeRTOS application on cortex-m7 results in missing headers #7403

Open
JLReitz opened this issue Apr 5, 2023 · 2 comments
Labels
bug component-psa PSA keystore/dispatch layer (storage, drivers, …)

JLReitz commented Apr 5, 2023

Summary

I started setting my MbedTLS configurations according to the paragraph mentioning bare-metal at the bottom of the overview section in the porting guide. After commenting out MBEDTLS_FS_IO from my mbedtls_config.h, I got the following build error from include/mbedtls/check_config.h.

#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
    !defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
#endif

If I also comment out MBEDTLS_PSA_ITS_FILE_C, I receive an error that psa/error.h cannot be found. The offending include directive is from psa_crypto_storage.c, copied below:

#if defined(MBEDTLS_PSA_ITS_FILE_C)
#include "psa_crypto_its.h"
#else /* Native ITS implementation */
#include "psa/error.h"
#include "psa/internal_trusted_storage.h"
#endif

There are no files named error.h or internal_trusted_storage.h under the include/psa directory.

System information

Mbed TLS version (number or commit id): 3.4.0 (1873d3b)
Operating system and version: FreeRTOS 10.4.4
Configuration (if not default, please attach mbedtls_config.h): attached
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
gcc-arm-none-eabi 10-2020-q4-major
-x assembler-with-cpp -mthumb -mno-thumb-interwork -mfloat-abi=hard -fno-rtti -fno-exceptions -specs=nosys.specs -specs=nano.specs -nostartfiles -lc -lm -lgcc -fdata-sections -ffunction-sections
Additional environment information:

Expected behavior

Per the porting guide, it should be possible to disable MBEDTLS_FS_IO without further implications to the other submodules and overall build.

Actual behavior

Disabling MBEDTLS_FS_IO breaks the build.

Steps to reproduce

Apply provided mbedtls_config.h to build while using gcc-arm-none-eabi and the included options.

Additional information

mbedtls_config.h.zip

@daverodgman
Contributor

I think this is happening because you're requiring ITS (via MBEDTLS_PSA_CRYPTO_STORAGE_C), but disabling our implementation of ITS and not providing an alternative implementation. Disabling MBEDTLS_PSA_CRYPTO_STORAGE_C resolves this, assuming you don't need this feature.

I'm not sure this is a bug, although arguably the documentation for the options could be improved. @gilles-peskine-arm WDYT?

@daverodgman daverodgman added bug component-psa PSA keystore/dispatch layer (storage, drivers, …) labels Apr 5, 2023
@gilles-peskine-arm
Contributor

gilles-peskine-arm commented Apr 8, 2023

Indeed this is working as intended. Persistent keys (MBEDTLS_PSA_CRYPTO_STORAGE_C) require a storage implementation which can either be a standard PSA storage implementation or the implementation that we provide over stdio (MBEDTLS_PSA_ITS_FILE_C). This is documented in mbedtls_config.h.

We should document this in the porting guide, which hasn't been updated since before PSA.

There's no entry in check_config.h because if MBEDTLS_PSA_CRYPTO_STORAGE_C is enabled but MBEDTLS_PSA_ITS_FILE_C is disabled, it might still be ok if "psa/internal_trusted_storage.h" is available, and we can't portably check that with a preprocessor directive. The only improvement I can think of is that we could use __has_include on supported compilers.
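
The `__has_include` check suggested in the last comment could look like the following. This is an added example, not Mbed TLS code and not written by any participant in this thread. The `EXAMPLE_*` names and `example_its_backend()` are hypothetical, and the configuration macros are set inline to reproduce the reporter's bare-metal setup.

```c
#include <stdio.h>

/* Constructed configuration mirroring the report: persistent keys on,
 * file-backed ITS and filesystem I/O off. */
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
/* #define MBEDTLS_PSA_ITS_FILE_C */
/* #define MBEDTLS_FS_IO */

/* Hypothetical result codes, not part of Mbed TLS. */
enum example_its_status {
    EXAMPLE_ITS_NOT_NEEDED, /* persistent key storage disabled */
    EXAMPLE_ITS_FILE,       /* Mbed TLS file-backed ITS over stdio */
    EXAMPLE_ITS_NATIVE,     /* platform supplies the PSA ITS headers */
    EXAMPLE_ITS_MISSING,    /* storage required, no backend found */
    EXAMPLE_ITS_UNCHECKED   /* compiler lacks __has_include */
};

#if !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
#define EXAMPLE_ITS_BACKEND EXAMPLE_ITS_NOT_NEEDED
#elif defined(MBEDTLS_PSA_ITS_FILE_C)
#if !defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
#endif
#define EXAMPLE_ITS_BACKEND EXAMPLE_ITS_FILE
#elif defined(__has_include)
/* Nested #if so compilers without __has_include never parse this line. */
#if __has_include("psa/internal_trusted_storage.h") && \
    __has_include("psa/error.h")
#define EXAMPLE_ITS_BACKEND EXAMPLE_ITS_NATIVE
#else
/* A real configuration check would emit #error at this point. */
#define EXAMPLE_ITS_BACKEND EXAMPLE_ITS_MISSING
#endif
#else
#define EXAMPLE_ITS_BACKEND EXAMPLE_ITS_UNCHECKED
#endif

/* Report which ITS backend the configuration above resolves to. */
enum example_its_status example_its_backend(void)
{
    return EXAMPLE_ITS_BACKEND;
}

int main(void)
{
    static const char *const names[] = {
        "not needed", "file", "native", "missing", "unchecked" };
    printf("ITS backend: %s\n", names[example_its_backend()]);
    return 0;
}
```

On a toolchain whose include path has no PSA storage headers, this resolves to the "missing" case at configuration time instead of failing later inside psa_crypto_storage.c.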
