diff --git a/.github/.cSpellWords.txt b/.github/.cSpellWords.txt index b00d6ae1..cbcd3f31 100644 --- a/.github/.cSpellWords.txt +++ b/.github/.cSpellWords.txt @@ -65,6 +65,7 @@ docuemnt DONGWOON DPLATFORM DPROJECT +DPSA drbg Drbg DRBG diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1d84fcd3..9ca94a9a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -63,13 +63,14 @@ workflow: --toolchain $TOOLCHAIN \ --certificate_path $PWD/certificate.pem \ --private_key_path $PWD/private_key.pem \ - --conn-stack $CONN_STACK + --conn-stack $CONN_STACK \ + --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION - | if [ $APP == "blinky" ];then - tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \ + tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \ build/${APP}_merged.elf else - tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \ + tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \ build/${APP}_merged.elf \ build/${APP}-update_signed.bin \ build/update-signature.txt \ @@ -88,9 +89,10 @@ build-applications-corstone315: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive 
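Review bot: The new `--psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION` argument in the shared build script (the one other jobs pull in via `!reference [.build_job, script]`) is unquoted and has no fallback, so a job that reuses the script without adding `PSA_CRYPTO_IMPLEMENTATION` to its matrix passes an empty value and leaves the choice to whatever default build.sh applies, which this page does not show. Because the option decides whether device keys live behind TF-M or in non-secure RAM, the pipeline should fail rather than guess: `--psa-crypto-implementation "${PSA_CRYPTO_IMPLEMENTATION:?must be TF-M or MBEDTLS}"`. The same unset value would also produce artifact names such as `..._FREERTOS_PLUS_TCP__build.tar.gz` in the tar commands later in this hunk, which the downstream test jobs would then fail to find.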
@@ -107,9 +109,10 @@ build-applications-corstone310: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive @@ -126,9 +129,10 @@ build-applications-corstone300: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive @@ -171,7 +175,7 @@ test-blinky-output: - job: build-applications-corstone300 artifacts: true script: - - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz - | pytest -s tools/tests/test_blinky_output.py \ --build-artefacts-path "build" \ 
@@ -188,25 +192,28 @@ test-blinky-output: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone310, *pipeline_config_toolchain] APP: [blinky] INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone300, *pipeline_config_toolchain] APP: [blinky] INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] .test-applications_base: extends: .test_job script: - | - if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz" ]]; then - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz" ]]; then + tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz fi - export APP_UNDERSCORED=$(echo ${APP} | tr '-' '_') - | @@ -265,6 +272,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -272,6 +280,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -279,6 +288,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] unit-tests: extends: .base-job-rules 
@@ -316,7 +326,7 @@ integration-tests: # communicate with the server. - host_ip_address=`ifconfig eth0 | grep -w 'inet' | awk '{print $2}'` - sed -i "s/#define ECHO_SERVER_ENDPOINT .*$/#define ECHO_SERVER_ENDPOINT \"$host_ip_address\"/g" applications/freertos_iot_libraries_tests/test_param_config.h - - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK + - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION - pushd components/tools/freertos_libraries_integration_tests/library/tools/echo_server - go run echo_server.go& - popd @@ -335,14 +345,17 @@ integration-tests: << : [*pipeline_config_corstone315, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone310, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone300, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: @@ -377,6 +390,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [keyword-detection, speech-recognition] @@ -384,6 +398,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [object-detection] 
@@ -391,6 +406,7 @@ sw-vsi-configs-test: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -398,6 +414,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -405,6 +422,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -412,6 +430,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -419,6 +438,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: @@ -453,6 +473,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [object-detection] @@ -460,6 +481,7 @@ gnu-toolchain-test: AUDIO: [ROM] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -467,6 +489,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -474,6 +497,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: 
@@ -483,12 +507,12 @@ gnu-toolchain-test: variables: GIT_SUBMODULE_STRATEGY: recursive -iot-vsocket-test: +iot-vsocket-psa-crypto-mbedtls-test: tags: - iotmsw-amd64 extends: .base-job-rules rules: - - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-test" ) + - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test" ) before_script: - !reference [.build_job, before_script] - !reference [.build_job, script] @@ -503,18 +527,12 @@ iot-vsocket-test: matrix: - << : *pipeline_config_corstone315 - APP: [keyword-detection, speech-recognition] - INFERENCE: [ETHOS] - AUDIO: [ROM] - TOOLCHAIN: [GNU, ARMCLANG] - CONN_STACK: [IOT_VSOCKET] - - - << : *pipeline_config_corstone315 - APP: [object-detection] + APP: [keyword-detection, speech-recognition, object-detection] INFERENCE: [ETHOS] AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -522,6 +540,7 @@ iot-vsocket-test: AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -529,6 +548,7 @@ iot-vsocket-test: AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] retry: max: 2 when: diff --git a/README.md b/README.md index 36ff6c52..e533686f 100644 --- a/README.md +++ b/README.md 
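Review bot: Renaming the job and its rule to `$SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test"` means any existing pipeline schedule that still sets `SCHEDULED_JOB_TO_RUN` to `iot-vsocket-test` will match nothing, and the Mbed TLS configuration will quietly stop being built with no failure reported. Update the schedule in the same change, or accept the old value for a transition period: `- if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test" || $SCHEDULED_JOB_TO_RUN == "iot-vsocket-test" )`. It is also worth stating in the commit message that `PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS]` is exercised only by this scheduled job while every other job on this page pins `[TF-M]`, so a regression in the NS-side Mbed TLS path would not be caught by the regular pipeline.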
@@ -73,8 +73,10 @@ and [AWS OTA PAL PSA implementation](#aws-ota-pal-psa-implementation) can be per Corstone platform communicates with the AWS IoT Core over a secure TLS connection. Mbed TLS running on the NSPE is used to establish the TLS -connection. Mbed TLS makes use of the PSA Crypto APIs provided by TF-M for -Crypto operations. +connection. For crypto operations, Mbed TLS supports PSA Crypto APIs provided by either +the Mbed TLS itself or the Trusted Firmware-M and the default is +PSA Crypto API from Trusted Firmware-M. For more information about the PSA Crypto APIs +implementation, please refer to [Mbed TLS document](docs/components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation). [PKCS#11](https://www.freertos.org/pkcs11/index.html) APIs to perform TLS client authentication and import TLS client certificate and private key into diff --git a/applications/helpers/provisioning/CMakeLists.txt b/applications/helpers/provisioning/CMakeLists.txt index 1dac4020..203ec7a3 100644 --- a/applications/helpers/provisioning/CMakeLists.txt +++ b/applications/helpers/provisioning/CMakeLists.txt @@ -7,12 +7,6 @@ if(BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING) else() find_package(Python3) - #FIXME: This is needed in order to run prepoccessor on the linker script. - # The GCC prepoccessor puts std defines if -g3 is set. - if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - string(REPLACE "-g3" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) - endif() - list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake) include(SetProvisioningLinkOptions) diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c index d0851069..dee8f450 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.c +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c 
@@ -1,7 +1,7 @@ /* * FreeRTOS V202012.00 * Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2022-2024, Arm Limited and Contributors. All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy of * this software and associated documentation files (the "Software"), to deal in @@ -1420,6 +1420,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, goto exit; } + #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE ); + #endif + psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) ); psa_set_key_bits( &attributes, keyBits ); diff --git a/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h b/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h index a612cd22..88e907b9 100644 --- a/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h +++ b/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h 
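Review bot: The new `psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE )` in xOtaProvisionCodeSigningKey changes where the OTA signature-verification key lives without saying so: under `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` the key is held by the non-secure Mbed TLS PSA core in NS RAM, gets no isolation from the application, and is gone after a reset, whereas the TF-M path keeps it inside the secure partition. That is a real downgrade for the key that gates firmware updates and deserves a comment at this spot, e.g. `/* NS-side Mbed TLS has no persistent key storage yet: the code-signing key lives in NS RAM and is re-imported on every boot. Development use only. */`. xOtaProvisionCodeSigningKey starts before this hunk, so whether a key id is also set on these attributes is not visible here; if it is, confirm that the pinned Mbed TLS accepts a non-zero key id together with a volatile lifetime, since psa_validate_key_attributes rejects that combination in the Mbed TLS releases I am familiar with.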
@@ -147,8 +147,23 @@ extern void vPortFree( void * pv ); * Define the key ID of the device keys which will be saved as * persistent keys in TF-M. The key ID servers as the a name. */ -#define PSA_DEVICE_PRIVATE_KEY_ID 0x01 -#define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define PSA_DEVICE_PRIVATE_KEY_ID 0x01 + #define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + +/* The PSA Crypto specification + * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html + * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to + * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto + * configuration in Mbed TLS, volatile key range is defined by + * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX. + */ + #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0 +#else + #error "Missing PSA crypto implementation definition. Define either \ + `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`" +#endif /* */ /* FIXME: are these needed? */ diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index 0f7a5db6..d7885978 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,6 +11,8 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 + * Copyright 2024 Arm Limited and/or its affiliates + * * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. @@ -1139,7 +1141,9 @@ void mbedtls_platform_free( void * ptr ); * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ -/*#define MBEDTLS_PKCS1_V21 */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PKCS1_V21 +#endif /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS * 
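Review bot: The comment above the new `#define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0` misdescribes the specification: 0x40000000 to 0x7fffffff is the vendor key-id range, out of which an implementation may carve its volatile ids; the specification itself defines no "volatile key range". The literal 0x7FFFFFE0 equals `PSA_KEY_ID_VENDOR_MAX - MBEDTLS_PSA_KEY_SLOT_COUNT + 1` only for the default slot count of 32, so it silently becomes wrong if `MBEDTLS_PSA_KEY_SLOT_COUNT` is ever changed in aws_mbedtls_config.h; either derive it, `#define PSA_DEVICE_PRIVATE_KEY_ID ( PSA_KEY_ID_VENDOR_MAX - MBEDTLS_PSA_KEY_SLOT_COUNT + 1 )`, or at least state in the comment that it mirrors Mbed TLS's internal PSA_KEY_ID_VOLATILE_MIN and assumes 32 slots. Note also that `PSA_DEVICE_PUBLIC_KEY_ID` is no longer defined in the MBEDTLS branch, so any code still referencing it will fail to compile only in that configuration, which the scheduled job is the sole thing testing. The same block is duplicated verbatim in the object_detection and speech_recognition copies of this header.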
@@ -1171,7 +1175,9 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#define MBEDTLS_PSA_CRYPTO_CLIENT +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * @@ -1755,7 +1761,7 @@ void mbedtls_platform_free( void * ptr ); * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ -/*#define MBEDTLS_USE_PSA_CRYPTO */ +#define MBEDTLS_USE_PSA_CRYPTO /** * \def MBEDTLS_PSA_CRYPTO_CONFIG @@ -2626,7 +2632,9 @@ void mbedtls_platform_free( void * ptr ); * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -/*#define MBEDTLS_PSA_CRYPTO_C */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PSA_CRYPTO_C +#endif /** * \def MBEDTLS_PSA_CRYPTO_SE_C diff --git a/applications/keyword_detection/configs/tfm_config/project_config.h b/applications/keyword_detection/configs/tfm_config/project_config.h index fcb4598e..c4f8d5fa 100644 --- a/applications/keyword_detection/configs/tfm_config/project_config.h +++ b/applications/keyword_detection/configs/tfm_config/project_config.h @@ -1,4 +1,4 @@ -/* Copyright 2023 Arm Limited and/or its affiliates +/* Copyright 2023-2024 Arm Limited and/or its affiliates * * SPDX-License-Identifier: BSD-3-Clause */ @@ -33,7 +33,7 @@ #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1 -#define CRYPTO_IOVEC_BUFFER_SIZE 5120 +#define CRYPTO_IOVEC_BUFFER_SIZE 20000 #define CRYPTO_NV_SEED 1 diff --git a/applications/keyword_detection/main.c b/applications/keyword_detection/main.c index 79e6feb6..44b42379 100644 --- a/applications/keyword_detection/main.c +++ b/applications/keyword_detection/main.c 
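Review bot: Defining `MBEDTLS_PSA_CRYPTO_C` under `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` moves the whole PSA core, including its random number generator, onto the non-secure side, and nothing in this hunk or elsewhere on this page shows which entropy source feeds it. In the TF-M configuration randomness presumably came from the secure partition (the TF-M project_config.h on this page sets `CRYPTO_NV_SEED 1`), while the NS Mbed TLS core needs either `MBEDTLS_ENTROPY_HARDWARE_ALT` backed by the platform TRNG or `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`, exactly as the comment just above this define warns. Please confirm that is wired into the NS build and record it beside the define, e.g. `/* NS-side PSA core: entropy comes from <source>; without a hardware source psa_crypto_init() fails, and with only a static seed every TLS ephemeral key would be predictable. */`. The same edit appears in the object_detection and speech_recognition copies of this file.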
@@ -174,6 +174,15 @@ int main( void ) mbedtls_platform_mutex_lock, mbedtls_platform_mutex_unlock ); + #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_status_t xResult = psa_crypto_init(); + + if( xResult != PSA_SUCCESS ) + { + printf( "Psa crypto init failed with return code = %d\r\n", xResult ); + } + #endif + UBaseType_t xRetVal = vDevModeKeyProvisioning(); if( xRetVal != CKR_OK ) diff --git a/applications/object_detection/configs/aws_configs/core_pkcs11_config.h b/applications/object_detection/configs/aws_configs/core_pkcs11_config.h index 9cdf1322..2393638f 100644 --- a/applications/object_detection/configs/aws_configs/core_pkcs11_config.h +++ b/applications/object_detection/configs/aws_configs/core_pkcs11_config.h @@ -147,8 +147,23 @@ extern void vPortFree( void * pv ); * Define the key ID of the device keys which will be saved as * persistent keys in TF-M. The key ID servers as the a name. */ -#define PSA_DEVICE_PRIVATE_KEY_ID 0x01 -#define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define PSA_DEVICE_PRIVATE_KEY_ID 0x01 + #define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + +/* The PSA Crypto specification + * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html + * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to + * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto + * configuration in Mbed TLS, volatile key range is defined by + * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX. + */ + #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0 +#else + #error "Missing PSA crypto implementation definition. Define either \ + `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`" +#endif /* */ /* FIXME: are these needed? */ diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h index e0276407..2168f274 100644 
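Review bot: The new `psa_crypto_init()` block in main() only prints on failure and then falls through to `vDevModeKeyProvisioning()`, so an uninitialised PSA core (for instance because no entropy source is available) is reported once on the console and the application then goes on to import keys and open TLS against whatever the subsequent calls return. Since every later PSA call will fail anyway, failing closed is both clearer and safer: add `return EXIT_FAILURE;` after the printf, or mirror whatever the `xRetVal != CKR_OK` branch immediately below does, which starts outside this hunk. The identical block is copied into object_detection/main.c and speech_recognition/main.c and needs the same treatment there.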
--- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,6 +11,8 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 + * Copyright 2024 Arm Limited and/or its affiliates + * * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. @@ -1122,7 +1124,9 @@ void mbedtls_platform_free( void * ptr ); * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ -/*#define MBEDTLS_PKCS1_V21 */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PKCS1_V21 +#endif /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS * @@ -1154,7 +1158,9 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#define MBEDTLS_PSA_CRYPTO_CLIENT +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * @@ -1738,7 +1744,7 @@ void mbedtls_platform_free( void * ptr ); * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ -/*#define MBEDTLS_USE_PSA_CRYPTO */ +#define MBEDTLS_USE_PSA_CRYPTO /** * \def MBEDTLS_PSA_CRYPTO_CONFIG @@ -2609,7 +2615,9 @@ void mbedtls_platform_free( void * ptr ); * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -/*#define MBEDTLS_PSA_CRYPTO_C */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PSA_CRYPTO_C +#endif /** * \def MBEDTLS_PSA_CRYPTO_SE_C diff --git a/applications/object_detection/configs/tfm_config/project_config.h b/applications/object_detection/configs/tfm_config/project_config.h index 86414f75..273afb85 100644 --- a/applications/object_detection/configs/tfm_config/project_config.h +++ b/applications/object_detection/configs/tfm_config/project_config.h 
@@ -33,7 +33,7 @@ #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1 -#define CRYPTO_IOVEC_BUFFER_SIZE 5120 +#define CRYPTO_IOVEC_BUFFER_SIZE 20000 #define CRYPTO_NV_SEED 1 diff --git a/applications/object_detection/main.c b/applications/object_detection/main.c index 128db86a..8fb55956 100644 --- a/applications/object_detection/main.c +++ b/applications/object_detection/main.c @@ -162,6 +162,15 @@ int main( void ) mbedtls_platform_mutex_lock, mbedtls_platform_mutex_unlock ); + #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_status_t xResult = psa_crypto_init(); + + if( xResult != PSA_SUCCESS ) + { + printf( "Psa crypto init failed with return code = %d\r\n", xResult ); + } + #endif + UBaseType_t xReturnValue = vDevModeKeyProvisioning(); if( xReturnValue != CKR_OK ) diff --git a/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h b/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h index 93cf984e..2393638f 100644 --- a/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h +++ b/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h @@ -1,7 +1,7 @@ /* * Amazon FreeRTOS V1.1.4 * Copyright (C) 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2022-2024, Arm Limited and Contributors. All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy of * this software and associated documentation files (the "Software"), to deal in 
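Review bot: `CRYPTO_IOVEC_BUFFER_SIZE` jumps from 5120 to 20000 in the TF-M project_config.h with no explanation in the hunk or anywhere in this change, yet this is a secure-partition scratch buffer sized for the largest single PSA request the non-secure side may hand over. A silent fourfold increase both consumes secure-side RAM and hides which NS request needed it; please record the reason in place, e.g. `/* 20000: must hold the largest iovec a single NS-side PSA call passes in; raised from 5120 because <call> overflowed it. */`, and consider whether the larger value belongs only to the configurations that need it. The same change is made in the keyword_detection and speech_recognition project_config.h files.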
@@ -147,8 +147,23 @@ extern void vPortFree( void * pv ); * Define the key ID of the device keys which will be saved as * persistent keys in TF-M. The key ID servers as the a name. */ -#define PSA_DEVICE_PRIVATE_KEY_ID 0x01 -#define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define PSA_DEVICE_PRIVATE_KEY_ID 0x01 + #define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + +/* The PSA Crypto specification + * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html + * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to + * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto + * configuration in Mbed TLS, volatile key range is defined by + * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX. + */ + #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0 +#else + #error "Missing PSA crypto implementation definition. Define either \ + `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`" +#endif /* */ /* FIXME: are these needed? */ diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h index e0276407..2168f274 100644 --- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,6 +11,8 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 + * Copyright 2024 Arm Limited and/or its affiliates + * * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. @@ -1122,7 +1124,9 @@ void mbedtls_platform_free( void * ptr ); * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ -/*#define MBEDTLS_PKCS1_V21 */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PKCS1_V21 +#endif /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS * 
@@ -1154,7 +1158,9 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#define MBEDTLS_PSA_CRYPTO_CLIENT +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * @@ -1738,7 +1744,7 @@ void mbedtls_platform_free( void * ptr ); * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ -/*#define MBEDTLS_USE_PSA_CRYPTO */ +#define MBEDTLS_USE_PSA_CRYPTO /** * \def MBEDTLS_PSA_CRYPTO_CONFIG @@ -2609,7 +2615,9 @@ void mbedtls_platform_free( void * ptr ); * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -/*#define MBEDTLS_PSA_CRYPTO_C */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PSA_CRYPTO_C +#endif /** * \def MBEDTLS_PSA_CRYPTO_SE_C diff --git a/applications/speech_recognition/configs/tfm_config/project_config.h b/applications/speech_recognition/configs/tfm_config/project_config.h index fcb4598e..c4f8d5fa 100644 --- a/applications/speech_recognition/configs/tfm_config/project_config.h +++ b/applications/speech_recognition/configs/tfm_config/project_config.h @@ -1,4 +1,4 @@ -/* Copyright 2023 Arm Limited and/or its affiliates +/* Copyright 2023-2024 Arm Limited and/or its affiliates * * SPDX-License-Identifier: BSD-3-Clause */ @@ -33,7 +33,7 @@ #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1 -#define CRYPTO_IOVEC_BUFFER_SIZE 5120 +#define CRYPTO_IOVEC_BUFFER_SIZE 20000 #define CRYPTO_NV_SEED 1 diff --git a/applications/speech_recognition/main.c b/applications/speech_recognition/main.c index a1758859..f3325a77 100644 --- a/applications/speech_recognition/main.c +++ b/applications/speech_recognition/main.c @@ -1,4 +1,4 @@ -/* Copyright 2023 Arm Limited and/or its affiliates +/* Copyright 2023-2024 Arm Limited and/or its affiliates * * SPDX-License-Identifier: MIT */ 
@@ -173,6 +173,15 @@ int main( void ) mbedtls_platform_mutex_lock, mbedtls_platform_mutex_unlock ); + #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_status_t xResult = psa_crypto_init(); + + if( xResult != PSA_SUCCESS ) + { + printf( "Psa crypto init failed with return code = %d\r\n", xResult ); + } + #endif + UBaseType_t xRetVal = vDevModeKeyProvisioning(); if( xRetVal != CKR_OK ) diff --git a/bsp/corstone300/an552_ns.ld b/bsp/corstone300/an552_ns.ld index 9bdf4e09..5dcd05a9 100644 --- a/bsp/corstone300/an552_ns.ld +++ b/bsp/corstone300/an552_ns.ld @@ -46,7 +46,7 @@ __RAM_NS_SIZE = (__RAM_SIZE - __RAM_S_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone300/an552_ns.sct b/bsp/corstone300/an552_ns.sct index fd3a048d..27beb96b 100644 --- a/bsp/corstone300/an552_ns.sct +++ b/bsp/corstone300/an552_ns.sct @@ -25,7 +25,7 @@ #define ISRAM0_SIZE 0x00100000 #define ISRAM1_SIZE 0x00100000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + (BL2_HEADER_SIZE)))) diff --git a/bsp/corstone310/an555_ns.ld b/bsp/corstone310/an555_ns.ld index eb8d9b09..fac03932 100644 --- a/bsp/corstone310/an555_ns.ld +++ b/bsp/corstone310/an555_ns.ld @@ -59,7 +59,7 @@ __RAM_SIZE = (ISRAM1_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone310/an555_ns.sct b/bsp/corstone310/an555_ns.sct index 10db093c..13c7cdd9 100644 --- a/bsp/corstone310/an555_ns.sct +++ b/bsp/corstone310/an555_ns.sct 
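Review bot: Doubling `__STACK_SIZE` / `STACK_SIZE` from 0x1000 to 0x2000 in every non-secure linker script is left unexplained; this is the main stack used before the scheduler starts, and the only new pre-scheduler work on this page is the `psa_crypto_init()` call added to each main(), which with `MBEDTLS_PSA_CRYPTO_C` presumably now seeds the Mbed TLS PSA core on that stack. If that is the reason, say so in the commit message and beside the value, e.g. `/* 0x2000: psa_crypto_init() and dev-mode key provisioning run on the main stack before the scheduler starts. */`; if the overflow was observed elsewhere, name it, because an undersized main stack fails as silent memory corruption rather than a clean fault.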
@@ -24,7 +24,7 @@ #define ISRAM1_OFFSET 0x00200000 #define ISRAM1_SIZE 0x00200000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + BL2_HEADER_SIZE))) diff --git a/bsp/corstone315/corstone_315_ns.ld b/bsp/corstone315/corstone_315_ns.ld index 72092dcc..db101c0a 100644 --- a/bsp/corstone315/corstone_315_ns.ld +++ b/bsp/corstone315/corstone_315_ns.ld @@ -59,7 +59,7 @@ __RAM_SIZE = (ISRAM1_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone315/corstone_315_ns.sct b/bsp/corstone315/corstone_315_ns.sct index c5ffbec7..8588152f 100644 --- a/bsp/corstone315/corstone_315_ns.sct +++ b/bsp/corstone315/corstone_315_ns.sct @@ -24,7 +24,7 @@ #define ISRAM1_OFFSET 0x00200000 #define ISRAM1_SIZE 0x00200000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + BL2_HEADER_SIZE))) diff --git a/components/security/freertos_pkcs11_psa/CMakeLists.txt b/components/security/freertos_pkcs11_psa/CMakeLists.txt index de92b45c..d5ad0b21 100644 --- a/components/security/freertos_pkcs11_psa/CMakeLists.txt +++ b/components/security/freertos_pkcs11_psa/CMakeLists.txt 
@@ -11,5 +11,17 @@ else () "Path to FreeRTOS PKCS#11 to PSA shim layer source code" ) + # The patch 0001-crypto-Define-device-private-key-as-volatile.patch is only + # needed when Mbed TLS on non-secure side is used as PSA crypto implementation. + if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS") + include(ApplyPatches) + + set(PATCH_FILES_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/integration/patches") + set(PATCH_FILES + "${PATCH_FILES_DIRECTORY}/0001-crypto-Define-device-private-key-as-volatile.patch" + ) + iot_reference_arm_corstone3xx_apply_patches("${freertos_pkcs11_psa_SOURCE_DIR}" "${PATCH_FILES}") + endif() + add_subdirectory(integration) endif() diff --git a/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch b/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch new file mode 100644 index 00000000..53d250be --- /dev/null +++ b/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch 
@@ -0,0 +1,37 @@ +From 62cf09d43fa3662ef13c54a703fd3eca5fa83dac Mon Sep 17 00:00:00 2001 +From: Devaraj Ranganna +Date: Thu, 18 Jul 2024 10:08:50 +0000 +Subject: [PATCH] crypto: Define device private key as volatile + +FRI supports PSA crypto implementation either using TF-M on the secure +side or using Mbed TLS on the non-secure side. When using Mbed TLS on +the non-secure side as PSA crypto implementation, the device and +provision keys are defined as volatile since we currently don't have +support for file system. + +Signed-off-by: Devaraj Ranganna +--- + iot_pkcs11_psa_object_management.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/iot_pkcs11_psa_object_management.c b/iot_pkcs11_psa_object_management.c +index ace6dc6..546fc0c 100644 +--- a/iot_pkcs11_psa_object_management.c ++++ b/iot_pkcs11_psa_object_management.c +@@ -280,9 +280,12 @@ CK_OBJECT_HANDLE PKCS11PSASaveObject( CK_ATTRIBUTE_PTR pxClass, + } + if ( uxStatus == PSA_SUCCESS ) + { +- /* Device private key is saved as persistent key. */ ++ /* Device private key is saved as persistent/volatile key. */ + #ifndef pkcs11configTFM_VERSION_1_0 + psa_set_key_id( &key_attributes, PSA_DEVICE_PRIVATE_KEY_ID ); ++#endif ++#if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS ++ psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE); + #endif + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_SIGN_HASH ); + psa_set_key_algorithm( &key_attributes, uxAlgorithm ); +-- +2.43.2 + diff --git a/components/security/mbedtls/CMakeLists.txt b/components/security/mbedtls/CMakeLists.txt index 0273f3f5..c2cdff77 100644 --- a/components/security/mbedtls/CMakeLists.txt +++ b/components/security/mbedtls/CMakeLists.txt 
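Review bot: The patched PKCS11PSASaveObject now calls both `psa_set_key_id( &key_attributes, PSA_DEVICE_PRIVATE_KEY_ID )` (whenever `pkcs11configTFM_VERSION_1_0` is undefined) and `psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE)` under `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`; in the Mbed TLS releases I know, psa_validate_key_attributes rejects a non-zero key id combined with a volatile lifetime with PSA_ERROR_INVALID_ARGUMENT, so please confirm against the pinned Mbed TLS that this import actually succeeds rather than being masked further up the call chain. If it succeeds only because the id is ignored for volatile keys, the `PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0` definitions are dead and the shim must be finding the key by handle; either way the patch description should state how the key is located again after import. The reworded comment `/* Device private key is saved as persistent/volatile key. */` should also say what volatile costs here: per the patch description there is no file system yet, so the device identity key lives in non-secure RAM with no isolation and has to be re-imported on every boot, which is acceptable for this dev-mode shim but must not reach production. The enclosing function starts and ends outside the quoted hunk.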
@@ -18,6 +18,12 @@ else () set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE) set(ENABLE_TESTING OFF CACHE BOOL "" FORCE) + include(ApplyPatches) + + set(PATCH_FILES_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/integration/patches") + set(PATCH_FILES "${PATCH_FILES_DIRECTORY}/0001-md-Fix-guards-for-functions-and-headers.patch") + iot_reference_arm_corstone3xx_apply_patches("${mbedtls_SOURCE_DIR}" "${PATCH_FILES}") + add_subdirectory(library) add_subdirectory(integration) diff --git a/components/security/mbedtls/integration/CMakeLists.txt b/components/security/mbedtls/integration/CMakeLists.txt index 5fb88bd3..8f363de4 100644 --- a/components/security/mbedtls/integration/CMakeLists.txt +++ b/components/security/mbedtls/integration/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2024 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT @@ -12,6 +12,22 @@ target_link_libraries(mbedtls mbedtls-config ) +if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "TF-M") + target_link_libraries(mbedtls + PRIVATE + tfm-ns-interface + ) + target_compile_definitions(mbedtls-config + INTERFACE + -DPSA_CRYPTO_IMPLEMENTATION_TFM + ) +else() + target_compile_definitions(mbedtls-config + INTERFACE + -DPSA_CRYPTO_IMPLEMENTATION_MBEDTLS + ) +endif() + add_library(mbedtls-threading-freertos src/mbedtls_freertos_port.c ) diff --git a/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch b/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch new file mode 100644 index 00000000..2a6e8624 --- /dev/null +++ b/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch 
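Review bot: The `else()` branch in components/security/mbedtls/integration/CMakeLists.txt defines `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` for any value of PSA_CRYPTO_IMPLEMENTATION other than `TF-M`, whereas components/security/freertos_pkcs11_psa/CMakeLists.txt applies the volatile-key patch only for the exact value `MBEDTLS`; a mistyped value would therefore build Mbed TLS as the implementation while the PKCS#11 shim still requests a persistent device key, which the shim patch's own message says is unsupported without a file system. Unless the option value is validated where it is declared (not visible here), make the check strict: `elseif(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS")` followed by `else()` / `message(FATAL_ERROR "Unsupported PSA_CRYPTO_IMPLEMENTATION: ${PSA_CRYPTO_IMPLEMENTATION}")`. The `-D` prefix on the definitions here and on the one added in components/security/trusted_firmware-m/integration/CMakeLists.txt is redundant for target_compile_definitions, which takes the bare macro name, as the adjacent `MBEDTLS_CONFIG_FILE=...` line in that file already does.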
@@ -0,0 +1,45 @@ +From 6f7cd697c427d9f7430d668a3412997c0a053701 Mon Sep 17 00:00:00 2001 +From: Ahmed Ismail +Date: Tue, 30 Apr 2024 14:13:29 +0100 +Subject: [PATCH] md: Fix guards for functions and headers + +The guard should be CRYPTO_CLIENT and not CRYPTO_C as these +function/headers can be used even when CRYPTO_C is not defined. + +Signed-off-by: Ahmed Ismail +--- + library/md.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/library/md.c b/library/md.c +index 12a3ea237..c95846aa0 100644 +--- a/library/md.c ++++ b/library/md.c +@@ -41,7 +41,7 @@ + #include "mbedtls/sha512.h" + #include "mbedtls/sha3.h" + +-#if defined(MBEDTLS_PSA_CRYPTO_C) ++#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) + #include + #include "md_psa.h" + #include "psa_util_internal.h" +@@ -761,13 +761,13 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info) + return md_info->type; + } + +-#if defined(MBEDTLS_PSA_CRYPTO_C) ++#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) + int mbedtls_md_error_from_psa(psa_status_t status) + { + return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors, + psa_generic_status_to_mbedtls); + } +-#endif /* MBEDTLS_PSA_CRYPTO_C */ ++#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ + + + /************************************************************************ +-- +2.34.1 + diff --git a/components/security/trusted_firmware-m/integration/CMakeLists.txt b/components/security/trusted_firmware-m/integration/CMakeLists.txt index 56c88fe4..9ba14612 100644 --- a/components/security/trusted_firmware-m/integration/CMakeLists.txt +++ b/components/security/trusted_firmware-m/integration/CMakeLists.txt 
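Review bot: The patch carries no reference to the upstream Mbed TLS change it mirrors, so nothing tells the next person bumping `mbedtls_SOURCE_DIR` when the patch can be dropped or whether it will still apply against md.c. Adding an upstream PR/commit reference or a "remove once Mbed TLS >= [version placeholder]" line to the commit message would make that safe. A stale patch should fail at configure time rather than silently, but only if `iot_reference_arm_corstone3xx_apply_patches` stops on a rejected hunk, which is not visible here and worth confirming.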
@@ -54,5 +54,16 @@ else() target_compile_definitions(tfm-ns-interface-mbedtls-config INTERFACE MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h" + -DPSA_CRYPTO_IMPLEMENTATION_TFM ) + # In case of using Mbed TLS library to provide the PSA Crypto APIs + # implementation, the PSA Crypto APIs implemented and provided by + # TF-M shall be renamed to start with a prefix of tfm_crypto__ + # to avoid multiple definitions for PSA Crypto APIs. + if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS") + target_compile_definitions(tfm-ns-interface-mbedtls-config + INTERFACE + -DCONFIG_TFM_CRYPTO_API_RENAME=1 + ) + endif() endif() diff --git a/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md b/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md index 7615462d..47bf6ac8 100644 --- a/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md +++ b/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md @@ -65,7 +65,7 @@ Save and close the file. To build the application, run the following command: ```bash -./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU +./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU --conn-stack --psa-crypto-implementation ``` * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's paths during the Thing creation. @@ -73,7 +73,7 @@ To build the application, run the following command: Or, run the command below to perform a clean build: ```bash -./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU -c +./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU --conn-stack --psa-crypto-implementation -c ``` ## Running the application 
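Review bot: `-DPSA_CRYPTO_IMPLEMENTATION_TFM` is added to tfm-ns-interface-mbedtls-config outside the new `if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS")` block, so in an MBEDTLS build the program carries both PSA_CRYPTO_IMPLEMENTATION_TFM (via this config) and PSA_CRYPTO_IMPLEMENTATION_MBEDTLS (via mbedtls-config). That is presumably intended, since this config only builds the TF-M non-secure interface, but any translation unit that inherits both interface configs would see both macros, and the `#if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` in the PKCS#11 shim patch does not guard against that. A one-line comment recording the intent, e.g. `# Deliberately unconditional: this config only builds the TF-M non-secure interface.`, would stop a later reader from moving the define into the conditional. The `else()` block that encloses this hunk starts outside it.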
diff --git a/docs/applications/keyword_detection.md b/docs/applications/keyword_detection.md index f85e0511..04b1aaca 100644 --- a/docs/applications/keyword_detection.md +++ b/docs/applications/keyword_detection.md @@ -47,7 +47,7 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set To build the Keyword-Detection example, run the following command: ```bash -./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain +./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation ``` * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step. 
@@ -55,10 +55,15 @@ To build the Keyword-Detection example, run the following command: * The `audio` is used to select the input audio source whether it's preloaded into `ROM` or using Arm's Virtual Streaming Interface `VSI`. +* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`. + +* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs +implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation). + Or, run the command below to perform a clean build: ```bash -./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain -c +./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation -c ``` ## Provisioning the device credentials into Protected Storage diff --git a/docs/applications/object_detection.md b/docs/applications/object_detection.md index 8b3967f3..656a9991 100644 --- a/docs/applications/object_detection.md +++ b/docs/applications/object_detection.md 
@@ -25,15 +25,20 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set To build the Object-Detection example, run the following command: ```bash -./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU +./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU --conn-stack --psa-crypto-implementation ``` - The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step. - The `toolchain` is used to select the `GNU`, that supports the `Mali-C55`. +* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`. + +* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs +implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation). + Or, run the command below to perform a clean build: ```bash -./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU -c +./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU --conn-stack --psa-crypto-implementation -c ``` ## Provisioning the device credentials into Protected Storage diff --git a/docs/applications/speech_recognition.md b/docs/applications/speech_recognition.md index 05decf21..a6c05824 100644 --- a/docs/applications/speech_recognition.md +++ b/docs/applications/speech_recognition.md 
@@ -27,16 +27,21 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set To build the Speech-Recognition example, run the following command: ```bash -./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain +./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain --conn-stack --psa-crypto-implementation ``` * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step. * The `audio` is used to select the input audio source whether it's preloaded into `ROM` or using Arm's Virtual Streaming Interface `VSI`. +* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`. + +* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs +implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation). + Or, run the command below to perform a clean build: ```bash -./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain -c +./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain --conn-stack --psa-crypto-implementation -c ``` ## Provisioning the device credentials into Protected Storage 
diff --git a/docs/components/aws_iot/aws_tool.md b/docs/components/aws_iot/aws_tool.md index 09ed276a..67b0190f 100644 --- a/docs/components/aws_iot/aws_tool.md +++ b/docs/components/aws_iot/aws_tool.md @@ -96,7 +96,7 @@ You may now use MQTT to send and receive message for that device. See section [O You may now rebuild keyword with those certificates: ```sh -./tools/scripts/build.sh keyword-detection --certificate_path certificates/thing_certificate_.pem.crt --private_key_path certificates/thing_private_key_.pem.key --target --inference --audio --toolchain +./tools/scripts/build.sh keyword-detection --certificate_path certificates/thing_certificate_.pem.crt --private_key_path certificates/thing_private_key_.pem.key --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation ``` Next, we'll create the bucket, upload the binary there, create a role capable of running an OTA update, and create the update. All of those with the following command: ```sh diff --git a/docs/components/security/mbedtls/mbedtls.md b/docs/components/security/mbedtls/mbedtls.md index 7c58709d..4dcc01cc 100644 --- a/docs/components/security/mbedtls/mbedtls.md +++ b/docs/components/security/mbedtls/mbedtls.md 
@@ -38,6 +38,24 @@ target_compile_definitions(mbedtls-config To enable the FreeRTOS threading protection `#define MBEDTLS_THREADING_ALT` should be present in the user provided mbedtls configuration file. +### PSA Crypto APIs Implementation + +PSA Crypto is part of Platform Security Architecture initiative that standardized crypto interfaces. The PSA Crypto specification is available [here](https://arm-software.github.io/psa-api/crypto/1.1/). Mbed TLS, and Trusted Firmware-M libraries provide implementation for PSA Crypto APIs. + +User can choose which library is to be used for implementing PSA Crypto APIs used by Mbed TLS library running on the Non-Secure side through the build option `--psa-crypto-implementation `. + +The default PSA Crypto APIs implementation is the one provided by Trusted Firmware-M library, where the `--psa-crypto-implementation` build option default value is `TF-M`. + +In case of using Trusted Firmware-M as the PSA Crypto APIs implementation, `tfm-ns-interface` library has to be linked to the `mbedtls` target. + +```cmake +target_link_libraries(mbedtls + PUBLIC + mbedtls-config + tfm-ns-interface +) +``` + ## Integration ### FreeRTOS threading support diff --git a/docs/development_environment/vscode_dev_env_build_and_debug.md b/docs/development_environment/vscode_dev_env_build_and_debug.md index ecc42f29..1aa32795 100644 --- a/docs/development_environment/vscode_dev_env_build_and_debug.md +++ b/docs/development_environment/vscode_dev_env_build_and_debug.md @@ -129,7 +129,8 @@ Command Palette (F1) ./tools/scripts/build.sh --toolchain --certificate_path --private_key_path --target ---inference --audio