From 4e815caadb62969cc188a82b789f963069d9b415 Mon Sep 17 00:00:00 2001 From: Devaraj Ranganna Date: Wed, 3 Apr 2024 15:05:54 +0000 Subject: [PATCH 1/9] psa-crypto: Enable PSA crypto APIs in Mbed TLS on NS side To enable using PSA Crypto APIs in Mbed TLS running on Non-Secure side, the following changes were done: * `MBEDTLS_PSA_CRYPTO` macro is defined in `aws_mbedtls_config.h` header file to indicate that PSA Crypto APIs should be used. * `tfm-ns-interface` library is linked to mbedtls library to make TF-M's PSA Crypto APIs interfaces available for mbedtls library. * `CRYPTO_IOVEC_BUFFER_SIZE` is changed from 5120 to 20000 as the PSA Crypto APIs require larger buffer size for communication between secure and non-secure spaces. * A new Mbed TLS patch is added to fix guard protection for functions/ headers, the patch is to be added upstream. * All platforms' stack sizes were increased from `0x1000` to `0x2000` as in case of using ARMClang toolchain, a stack overflow was noticed after applying the previous changes. Signed-off-by: Devaraj Ranganna Signed-off-by: Ahmed Ismail --- .../mbedtls_config/aws_mbedtls_config.h | 4 +- .../configs/tfm_config/project_config.h | 4 +- bsp/corstone300/an552_ns.ld | 2 +- bsp/corstone300/an552_ns.sct | 2 +- bsp/corstone310/an555_ns.ld | 2 +- bsp/corstone310/an555_ns.sct | 2 +- bsp/corstone315/corstone_315_ns.ld | 2 +- bsp/corstone315/corstone_315_ns.sct | 2 +- components/security/mbedtls/CMakeLists.txt | 6 +++ .../mbedtls/integration/CMakeLists.txt | 3 +- ...Fix-guards-for-functions-and-headers.patch | 45 +++++++++++++++++++ release_changes/202404241052.change | 1 + 12 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch create mode 100644 release_changes/202404241052.change 
diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index 0f7a5db6..e9882e52 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -11,6 +11,8 @@ /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 + * Copyright 2024 Arm Limited and/or its affiliates + * * * Licensed under the Apache License, Version 2.0 (the "License"); you may * not use this file except in compliance with the License. @@ -1755,7 +1757,7 @@ void mbedtls_platform_free( void * ptr ); * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ -/*#define MBEDTLS_USE_PSA_CRYPTO */ +#define MBEDTLS_USE_PSA_CRYPTO /** * \def MBEDTLS_PSA_CRYPTO_CONFIG diff --git a/applications/keyword_detection/configs/tfm_config/project_config.h b/applications/keyword_detection/configs/tfm_config/project_config.h index fcb4598e..c4f8d5fa 100644 --- a/applications/keyword_detection/configs/tfm_config/project_config.h +++ b/applications/keyword_detection/configs/tfm_config/project_config.h @@ -1,4 +1,4 @@ -/* Copyright 2023 Arm Limited and/or its affiliates +/* Copyright 2023-2024 Arm Limited and/or its affiliates * * SPDX-License-Identifier: BSD-3-Clause */ @@ -33,7 +33,7 @@ #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1 -#define CRYPTO_IOVEC_BUFFER_SIZE 5120 +#define CRYPTO_IOVEC_BUFFER_SIZE 20000 #define CRYPTO_NV_SEED 1 diff --git a/bsp/corstone300/an552_ns.ld b/bsp/corstone300/an552_ns.ld index 9bdf4e09..5dcd05a9 100644 --- a/bsp/corstone300/an552_ns.ld +++ b/bsp/corstone300/an552_ns.ld 
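Review bot: Enabling `MBEDTLS_USE_PSA_CRYPTO` in aws_mbedtls_config.h adds a runtime precondition the hunk does not record: with this option Mbed TLS requires `psa_crypto_init()` to have succeeded before any TLS, X.509 or PK call. The only explicit call added by this series is the one in keyword_detection/main.c in patch 2, compiled only under `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`, so how the TF-M client build meets the precondition is not visible here and deserves stating. I would replace the now-stale "Uncomment this..." guidance with a comment next to the define such as `/* Requires a successful psa_crypto_init() before any TLS/X.509/PK call; see main.c. */`.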
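Review bot: `CRYPTO_IOVEC_BUFFER_SIZE` in project_config.h goes from 5120 to 20000 with nothing recording what drives the value, so the next person tuning secure-side RAM has no figure to reason from. The commit message only says the PSA Crypto APIs "require larger buffer size"; the largest input/output vector the NS-side Mbed TLS client actually passes across the boundary is what should be named. A one-line comment above the define, e.g. `/* Raised from 5120: NS-side Mbed TLS with MBEDTLS_USE_PSA_CRYPTO needs larger iovecs; largest operation: <FILL IN> */`, would do.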
@@ -46,7 +46,7 @@ __RAM_NS_SIZE = (__RAM_SIZE - __RAM_S_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone300/an552_ns.sct b/bsp/corstone300/an552_ns.sct index fd3a048d..27beb96b 100644 --- a/bsp/corstone300/an552_ns.sct +++ b/bsp/corstone300/an552_ns.sct @@ -25,7 +25,7 @@ #define ISRAM0_SIZE 0x00100000 #define ISRAM1_SIZE 0x00100000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + (BL2_HEADER_SIZE)))) diff --git a/bsp/corstone310/an555_ns.ld b/bsp/corstone310/an555_ns.ld index eb8d9b09..fac03932 100644 --- a/bsp/corstone310/an555_ns.ld +++ b/bsp/corstone310/an555_ns.ld @@ -59,7 +59,7 @@ __RAM_SIZE = (ISRAM1_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone310/an555_ns.sct b/bsp/corstone310/an555_ns.sct index 10db093c..13c7cdd9 100644 --- a/bsp/corstone310/an555_ns.sct +++ b/bsp/corstone310/an555_ns.sct @@ -24,7 +24,7 @@ #define ISRAM1_OFFSET 0x00200000 #define ISRAM1_SIZE 0x00200000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + BL2_HEADER_SIZE))) diff --git a/bsp/corstone315/corstone_315_ns.ld b/bsp/corstone315/corstone_315_ns.ld index 72092dcc..db101c0a 100644 --- a/bsp/corstone315/corstone_315_ns.ld +++ b/bsp/corstone315/corstone_315_ns.ld 
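Review bot: `__STACK_SIZE` in an552_ns.ld is doubled to 0x2000 without a comment recording why, and the same bare bump appears in an552_ns.sct, an555_ns.ld, an555_ns.sct, corstone_315_ns.ld and corstone_315_ns.sct. The commit message says the value was chosen after an overflow was observed with ARMClang rather than from a measured high-water mark, so the next change to the PSA client path has no margin figure to check against. I would record that in the existing size comment block, e.g. `/* 0x2000: 0x1000 overflowed with ARMCLANG once NS-side Mbed TLS used PSA Crypto; measured margin: <TODO> */`. Since the symptom was a silent overrun, it is also worth confirming that the NS startup programs a stack limit register on these Armv8-M cores so a future overrun faults instead of corrupting whatever lies below the stack.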
@@ -59,7 +59,7 @@ __RAM_SIZE = (ISRAM1_SIZE - PROVISIONING_SIZE); Heap Size (in Bytes) <0x0-0xFFFFFFFF:8> -----------------------------------------------------------------------------*/ -__STACK_SIZE = 0x00001000; +__STACK_SIZE = 0x00002000; __HEAP_SIZE = 0x000C0000; /* diff --git a/bsp/corstone315/corstone_315_ns.sct b/bsp/corstone315/corstone_315_ns.sct index c5ffbec7..8588152f 100644 --- a/bsp/corstone315/corstone_315_ns.sct +++ b/bsp/corstone315/corstone_315_ns.sct @@ -24,7 +24,7 @@ #define ISRAM1_OFFSET 0x00200000 #define ISRAM1_SIZE 0x00200000 #define PROVISIONING_SIZE 0x1000 -#define STACK_SIZE 0x00001000 +#define STACK_SIZE 0x00002000 #define HEAP_SIZE 0x000C0000 LOAD_REGION_0 (ROM_START + ((((0) + (FLASH_S_PARTITION_SIZE)) + BL2_HEADER_SIZE))) diff --git a/components/security/mbedtls/CMakeLists.txt b/components/security/mbedtls/CMakeLists.txt index 0273f3f5..c2cdff77 100644 --- a/components/security/mbedtls/CMakeLists.txt +++ b/components/security/mbedtls/CMakeLists.txt @@ -18,6 +18,12 @@ else () set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE) set(ENABLE_TESTING OFF CACHE BOOL "" FORCE) + include(ApplyPatches) + + set(PATCH_FILES_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/integration/patches") + set(PATCH_FILES "${PATCH_FILES_DIRECTORY}/0001-md-Fix-guards-for-functions-and-headers.patch") + iot_reference_arm_corstone3xx_apply_patches("${mbedtls_SOURCE_DIR}" "${PATCH_FILES}") + add_subdirectory(library) add_subdirectory(integration) diff --git a/components/security/mbedtls/integration/CMakeLists.txt b/components/security/mbedtls/integration/CMakeLists.txt index 5fb88bd3..127b581d 100644 --- a/components/security/mbedtls/integration/CMakeLists.txt +++ b/components/security/mbedtls/integration/CMakeLists.txt @@ -1,4 +1,4 @@ -# Copyright 2023 Arm Limited and/or its affiliates +# Copyright 2023-2024 Arm Limited and/or its affiliates # # SPDX-License-Identifier: MIT 
@@ -10,6 +10,7 @@ add_library(mbedtls-config INTERFACE)
 target_link_libraries(mbedtls
 PUBLIC
 mbedtls-config
+ tfm-ns-interface
 )
 
 add_library(mbedtls-threading-freertos
diff --git a/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch b/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch
new file mode 100644
index 00000000..2a6e8624
--- /dev/null
+++ b/components/security/mbedtls/integration/patches/0001-md-Fix-guards-for-functions-and-headers.patch
@@ -0,0 +1,45 @@
+From 6f7cd697c427d9f7430d668a3412997c0a053701 Mon Sep 17 00:00:00 2001
+From: Ahmed Ismail
+Date: Tue, 30 Apr 2024 14:13:29 +0100
+Subject: [PATCH] md: Fix guards for functions and headers
+
+The guard should be CRYPTO_CLIENT and not CRYPTO_C as these
+function/headers can be used even when CRYPTO_C is not defined.
+
+Signed-off-by: Ahmed Ismail
+---
+ library/md.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/library/md.c b/library/md.c
+index 12a3ea237..c95846aa0 100644
+--- a/library/md.c
++++ b/library/md.c
+@@ -41,7 +41,7 @@
+ #include "mbedtls/sha512.h"
+ #include "mbedtls/sha3.h"
+ 
+-#if defined(MBEDTLS_PSA_CRYPTO_C)
++#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+ #include
+ #include "md_psa.h"
+ #include "psa_util_internal.h"
+@@ -761,13 +761,13 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
+ return md_info->type;
+ }
+ 
+-#if defined(MBEDTLS_PSA_CRYPTO_C)
++#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
+ int mbedtls_md_error_from_psa(psa_status_t status)
+ {
+ return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
+ psa_generic_status_to_mbedtls);
+ }
+-#endif /* MBEDTLS_PSA_CRYPTO_C */
++#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */
+ 
+ 
+ /************************************************************************
+-- 
+2.34.1
+
diff --git a/release_changes/202404241052.change b/release_changes/202404241052.change
new file mode 100644
index 00000000..7d955fdc
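Review bot: 0001-md-Fix-guards-for-functions-and-headers.patch carries no reference to the upstream submission, even though the commit message says it "is to be added upstream", so nobody can tell when the pinned Mbed TLS has absorbed the fix and the local patch can be dropped. The guard change from `MBEDTLS_PSA_CRYPTO_C` to `MBEDTLS_PSA_CRYPTO_CLIENT` appears to be what lets the client-only build of md.c compile, so losing track of it at the next submodule bump is a build break rather than mere untidiness. I would add a line to the patch description, or a comment above the `set(PATCH_FILES ...)` in components/security/mbedtls/CMakeLists.txt, of the form `# Upstream: <Mbed TLS PR/issue link>; drop once the submodule includes the fix`.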
--- /dev/null +++ b/release_changes/202404241052.change @@ -0,0 +1 @@ +psa-crypto: Enable PSA crypto APIs in Mbed TLS on NS side. From 9200ec4da95035305f870ab3002733202fa476a1 Mon Sep 17 00:00:00 2001 From: Ahmed Ismail Date: Mon, 8 Jul 2024 11:44:55 +0100 Subject: [PATCH 2/9] psa-crypto: Add implementation configuration option A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. Signed-off-by: Ahmed Ismail --- .github/.cSpellWords.txt | 1 + .../mbedtls_config/aws_mbedtls_config.h | 8 +++++-- applications/keyword_detection/main.c | 9 ++++++++ .../mbedtls/integration/CMakeLists.txt | 17 ++++++++++++++- .../integration/CMakeLists.txt | 11 ++++++++++ tools/scripts/build.sh | 21 ++++++++++++++++++- 6 files changed, 63 insertions(+), 4 deletions(-) diff --git a/.github/.cSpellWords.txt b/.github/.cSpellWords.txt index b00d6ae1..cbcd3f31 100644 --- a/.github/.cSpellWords.txt +++ b/.github/.cSpellWords.txt @@ -65,6 +65,7 @@ docuemnt DONGWOON DPLATFORM DPROJECT +DPSA drbg Drbg DRBG diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index e9882e52..b457ceb8 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -1173,7 +1173,9 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -#define MBEDTLS_PSA_CRYPTO_CLIENT +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * @@ -2628,7 +2630,9 @@ void mbedtls_platform_free( void * ptr ); * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -/*#define MBEDTLS_PSA_CRYPTO_C */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PSA_CRYPTO_C +#endif /** * \def MBEDTLS_PSA_CRYPTO_SE_C 
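Review bot: The two new `#ifdef` blocks in aws_mbedtls_config.h (around `MBEDTLS_PSA_CRYPTO_CLIENT` and `MBEDTLS_PSA_CRYPTO_C`) fall through silently when neither `PSA_CRYPTO_IMPLEMENTATION_TFM` nor `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` is defined, leaving `MBEDTLS_USE_PSA_CRYPTO` on with no PSA provider selected. Patch 5's core_pkcs11_config.h handles the same situation with an `#error`, and the same guard here would fail the build at the first config header rather than at whatever later check_config or link error happens to fire. I would add, after the `MBEDTLS_PSA_CRYPTO_C` block, `#if !defined(PSA_CRYPTO_IMPLEMENTATION_TFM) && !defined(PSA_CRYPTO_IMPLEMENTATION_MBEDTLS)` / `#error "Define PSA_CRYPTO_IMPLEMENTATION_TFM or PSA_CRYPTO_IMPLEMENTATION_MBEDTLS"` / `#endif`.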
diff --git a/applications/keyword_detection/main.c b/applications/keyword_detection/main.c index 79e6feb6..44b42379 100644 --- a/applications/keyword_detection/main.c +++ b/applications/keyword_detection/main.c @@ -174,6 +174,15 @@ int main( void ) mbedtls_platform_mutex_lock, mbedtls_platform_mutex_unlock ); + #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_status_t xResult = psa_crypto_init(); + + if( xResult != PSA_SUCCESS ) + { + printf( "Psa crypto init failed with return code = %d\r\n", xResult ); + } + #endif + UBaseType_t xRetVal = vDevModeKeyProvisioning(); if( xRetVal != CKR_OK ) diff --git a/components/security/mbedtls/integration/CMakeLists.txt b/components/security/mbedtls/integration/CMakeLists.txt index 127b581d..8f363de4 100644 --- a/components/security/mbedtls/integration/CMakeLists.txt +++ b/components/security/mbedtls/integration/CMakeLists.txt @@ -10,9 +10,24 @@ add_library(mbedtls-config INTERFACE) target_link_libraries(mbedtls PUBLIC mbedtls-config - tfm-ns-interface ) +if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "TF-M") + target_link_libraries(mbedtls + PRIVATE + tfm-ns-interface + ) + target_compile_definitions(mbedtls-config + INTERFACE + -DPSA_CRYPTO_IMPLEMENTATION_TFM + ) +else() + target_compile_definitions(mbedtls-config + INTERFACE + -DPSA_CRYPTO_IMPLEMENTATION_MBEDTLS + ) +endif() + add_library(mbedtls-threading-freertos src/mbedtls_freertos_port.c ) diff --git a/components/security/trusted_firmware-m/integration/CMakeLists.txt b/components/security/trusted_firmware-m/integration/CMakeLists.txt index 56c88fe4..9ba14612 100644 --- a/components/security/trusted_firmware-m/integration/CMakeLists.txt +++ b/components/security/trusted_firmware-m/integration/CMakeLists.txt 
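Review bot: In main.c a failed `psa_crypto_init()` is only printed and execution continues into `vDevModeKeyProvisioning()`, which in the MBEDTLS build this block is compiled for relies on the PSA core that has just failed to initialise, so the fault surfaces later as an unrelated provisioning or TLS error. The status should be treated as fatal here; main() continues outside the hunk so I cannot see the error path it uses, but stopping at this point would be `if( xResult != PSA_SUCCESS ) { printf( "psa_crypto_init failed: %d\r\n", ( int ) xResult ); return EXIT_FAILURE; }` or the project's equivalent halt. The `( int )` cast also makes the `%d` conversion match `psa_status_t` regardless of its underlying type.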
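Review bot: The new `if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "TF-M") … else()` in components/security/mbedtls/integration/CMakeLists.txt treats every other value, including an unset variable, as MBEDTLS. build.sh validates the option, but a direct cmake invocation or a typo such as `TFM` silently selects the non-secure Mbed TLS PSA core instead of TF-M, which is the kind of configuration drift a security-relevant option should not allow. I would make the second branch explicit and fail otherwise: `elseif(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS")` … `else() message(FATAL_ERROR "PSA_CRYPTO_IMPLEMENTATION must be TF-M or MBEDTLS, got '${PSA_CRYPTO_IMPLEMENTATION}'") endif()`. The `if(... STREQUAL "MBEDTLS")` checks added in trusted_firmware-m/integration/CMakeLists.txt and in patch 6's freertos_pkcs11_psa/CMakeLists.txt have the same silent default, though there an invalid value merely skips the MBEDTLS-only step.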
@@ -54,5 +54,16 @@ else() target_compile_definitions(tfm-ns-interface-mbedtls-config INTERFACE MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h" + -DPSA_CRYPTO_IMPLEMENTATION_TFM ) + # In case of using Mbed TLS library to provide the PSA Crypto APIs + # implementation, the PSA Crypto APIs implemented and provided by + # TF-M shall be renamed to start with a prefix of tfm_crypto__ + # to avoid multiple definitions for PSA Crypto APIs. + if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS") + target_compile_definitions(tfm-ns-interface-mbedtls-config + INTERFACE + -DCONFIG_TFM_CRYPTO_API_RENAME=1 + ) + endif() endif() diff --git a/tools/scripts/build.sh b/tools/scripts/build.sh index 7f5929f2..615aa476 100755 --- a/tools/scripts/build.sh +++ b/tools/scripts/build.sh @@ -24,6 +24,7 @@ BUILD=1 CERTIFICATE_PATH="" PRIVATE_KEY_PATH="" CONNECTIVITY_STACK="FREERTOS_PLUS_TCP" +PSA_CRYPTO_IMPLEMENTATION="TF-M" set -e @@ -57,6 +58,7 @@ function build_with_cmake { cmake_args+=(-DML_INFERENCE_ENGINE=$ML_INFERENCE_ENGINE) cmake_args+=(-DAUDIO_SOURCE=$AUDIO_SOURCE) cmake_args+=(-DCONNECTIVITY_STACK=$CONNECTIVITY_STACK) + cmake_args+=(-DPSA_CRYPTO_IMPLEMENTATION=$PSA_CRYPTO_IMPLEMENTATION) if [ ! -z "$ETHOS_U_NPU_ID" ]; then cmake_args+=(-DETHOS_U_NPU_ID=$ETHOS_U_NPU_ID) else @@ -94,6 +96,7 @@ Options: -C,--certificate_path Path to the AWS device certificate -P,--private_key_path Path to the AWS device private key --conn-stack Connectivity stack selection (FREERTOS_PLUS_TCP | IOT_VSOCKET) + --psa-crypto-implementation PSA Crypto APIs implementation selection (TF-M, MBEDTLS) Examples: blinky, freertos-iot-libraries-tests, keyword-detection, object-detection, speech-recognition EOF 
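Review bot: The `-DPSA_CRYPTO_IMPLEMENTATION_TFM` added to tfm-ns-interface-mbedtls-config is unconditional, so in an MBEDTLS build the NS interface appears to compile aws_mbedtls_config.h with `MBEDTLS_PSA_CRYPTO_CLIENT` while the application's Mbed TLS compiles the same header with `MBEDTLS_PSA_CRYPTO_C`, and the new `CONFIG_TFM_CRYPTO_API_RENAME=1` is what keeps the two PSA symbol sets from colliding. That looks intentional, but the comment only explains the rename, and the reason the TFM define is forced here regardless of `PSA_CRYPTO_IMPLEMENTATION` is the non-obvious part. I would extend it with `# The NS interface is always a PSA client of TF-M, so it is built with PSA_CRYPTO_IMPLEMENTATION_TFM even when the application uses Mbed TLS's own PSA core.`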
@@ -105,7 +108,7 @@ if [[ $# -eq 0 ]]; then fi SHORT=t:,i:,T:,s:,c,h,C:,P:p:,n: -LONG=target:,inference:,toolchain:,audio:,clean,help,configure-only,certificate_path:,private_key_path:,path:,npu-id:,npu-mac:,conn-stack: +LONG=target:,inference:,toolchain:,audio:,clean,help,configure-only,certificate_path:,private_key_path:,path:,npu-id:,npu-mac:,conn-stack:,psa-crypto-implementation: OPTS=$(getopt -n build --options $SHORT --longoptions $LONG -- "$@") eval set -- "$OPTS" @@ -161,6 +164,10 @@ do CONNECTIVITY_STACK=$2 shift 2 ;; + --psa-crypto-implementation ) + PSA_CRYPTO_IMPLEMENTATION=$2 + shift 2 + ;; --) shift; break @@ -283,6 +290,18 @@ case "$CONNECTIVITY_STACK" in ;; esac +case "$PSA_CRYPTO_IMPLEMENTATION" in + TF-M ) + ;; + MBEDTLS ) + ;; + *) + echo "Invalid PSA Crypto APIs selection " + show_usage + exit 2 + ;; +esac + if [ "$EXAMPLE" != "blinky" ] && [ ! -f "$CERTIFICATE_PATH" ]; then echo "The --certificate_path must be set to an existing file." show_usage From 16101bee9791330ffd49ac6741a7c40f0567ffb9 Mon Sep 17 00:00:00 2001 From: Ahmed Ismail Date: Wed, 24 Apr 2024 14:36:38 +0100 Subject: [PATCH 3/9] ci: Add PSA Crypto test to IoT_vSocket nightly job Signed-off-by: Ahmed Ismail --- .gitlab-ci.yml | 60 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1d84fcd3..9ca94a9a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
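Review bot: The `case "$PSA_CRYPTO_IMPLEMENTATION"` validation in build.sh rejects bad input, but its message `echo "Invalid PSA Crypto APIs selection "` has a trailing space and does not say what was received, unlike the neighbouring certificate check that names the option at fault. I would use `echo "Invalid --psa-crypto-implementation value: $PSA_CRYPTO_IMPLEMENTATION (expected TF-M or MBEDTLS)"`. In the help-text hunk further up, `(TF-M, MBEDTLS)` also differs from the `(FREERTOS_PLUS_TCP | IOT_VSOCKET)` form used by `--conn-stack` on the line above; `(TF-M | MBEDTLS)` keeps them consistent.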
@@ -63,13 +63,14 @@ workflow: --toolchain $TOOLCHAIN \ --certificate_path $PWD/certificate.pem \ --private_key_path $PWD/private_key.pem \ - --conn-stack $CONN_STACK + --conn-stack $CONN_STACK \ + --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION - | if [ $APP == "blinky" ];then - tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \ + tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \ build/${APP}_merged.elf else - tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \ + tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \ build/${APP}_merged.elf \ build/${APP}-update_signed.bin \ build/update-signature.txt \ @@ -88,9 +89,10 @@ build-applications-corstone315: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive @@ -107,9 +109,10 @@ build-applications-corstone310: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive 
@@ -126,9 +129,10 @@ build-applications-corstone300: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] artifacts: paths: - - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz expire_in: 1 week variables: GIT_SUBMODULE_STRATEGY: recursive @@ -171,7 +175,7 @@ test-blinky-output: - job: build-applications-corstone300 artifacts: true script: - - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz - | pytest -s tools/tests/test_blinky_output.py \ --build-artefacts-path "build" \ @@ -188,25 +192,28 @@ test-blinky-output: INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone310, *pipeline_config_toolchain] APP: [blinky] INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone300, *pipeline_config_toolchain] APP: [blinky] INFERENCE: [ETHOS] AUDIO: [ROM] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] .test-applications_base: extends: .test_job script: - | - if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz" ]]; then - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz + if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz" ]]; then + tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz fi - export APP_UNDERSCORED=$(echo ${APP} | tr '-' '_') - | 
@@ -265,6 +272,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -272,6 +280,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -279,6 +288,7 @@ test-ml-applications-output: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] unit-tests: extends: .base-job-rules @@ -316,7 +326,7 @@ integration-tests: # communicate with the server. - host_ip_address=`ifconfig eth0 | grep -w 'inet' | awk '{print $2}'` - sed -i "s/#define ECHO_SERVER_ENDPOINT .*$/#define ECHO_SERVER_ENDPOINT \"$host_ip_address\"/g" applications/freertos_iot_libraries_tests/test_param_config.h - - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK + - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION - pushd components/tools/freertos_libraries_integration_tests/library/tools/echo_server - go run echo_server.go& - popd 
@@ -335,14 +345,17 @@ integration-tests: << : [*pipeline_config_corstone315, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone310, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : [*pipeline_config_corstone300, *pipeline_config_toolchain] APP: [freertos-iot-libraries-tests] CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: @@ -377,6 +390,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [keyword-detection, speech-recognition] @@ -384,6 +398,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [object-detection] @@ -391,6 +406,7 @@ sw-vsi-configs-test: AUDIO: [ROM] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -398,6 +414,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -405,6 +422,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -412,6 +430,7 @@ sw-vsi-configs-test: AUDIO: [VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] 
@@ -419,6 +438,7 @@ sw-vsi-configs-test: AUDIO: [ROM, VSI] TOOLCHAIN: [ARMCLANG] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: @@ -453,6 +473,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone315 APP: [object-detection] @@ -460,6 +481,7 @@ gnu-toolchain-test: AUDIO: [ROM] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] @@ -467,6 +489,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -474,6 +497,7 @@ gnu-toolchain-test: AUDIO: [ROM,VSI] TOOLCHAIN: [GNU] CONN_STACK: [FREERTOS_PLUS_TCP] + PSA_CRYPTO_IMPLEMENTATION: [TF-M] retry: max: 2 when: @@ -483,12 +507,12 @@ gnu-toolchain-test: variables: GIT_SUBMODULE_STRATEGY: recursive -iot-vsocket-test: +iot-vsocket-psa-crypto-mbedtls-test: tags: - iotmsw-amd64 extends: .base-job-rules rules: - - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-test" ) + - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test" ) before_script: - !reference [.build_job, before_script] - !reference [.build_job, script] @@ -503,18 +527,12 @@ iot-vsocket-test: matrix: - << : *pipeline_config_corstone315 - APP: [keyword-detection, speech-recognition] - INFERENCE: [ETHOS] - AUDIO: [ROM] - TOOLCHAIN: [GNU, ARMCLANG] - CONN_STACK: [IOT_VSOCKET] - - - << : *pipeline_config_corstone315 - APP: [object-detection] + APP: [keyword-detection, speech-recognition, object-detection] INFERENCE: [ETHOS] AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] - << : *pipeline_config_corstone310 APP: [keyword-detection, speech-recognition] 
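Review bot: Renaming `iot-vsocket-test` to `iot-vsocket-psa-crypto-mbedtls-test` also changes the value the job's rule matches, `$SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test"`, and that variable is set in the GitLab schedule, outside the repository. Unless the schedule is updated in step, the nightly job simply never runs, and the MBEDTLS PSA path, which is the only place `PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS]` appears in the matrix, goes untested without any pipeline failure. Worth a note in the commit message or a comment on the rule, e.g. `# Triggered by a scheduled pipeline with SCHEDULED_JOB_TO_RUN=iot-vsocket-psa-crypto-mbedtls-test`.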
@@ -522,6 +540,7 @@ iot-vsocket-test: AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] - << : *pipeline_config_corstone300 APP: [keyword-detection, speech-recognition] @@ -529,6 +548,7 @@ iot-vsocket-test: AUDIO: [ROM] TOOLCHAIN: [GNU, ARMCLANG] CONN_STACK: [IOT_VSOCKET] + PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS] retry: max: 2 when: From c5b8ce08b7392ac628075f060cc7e468a2f16ca0 Mon Sep 17 00:00:00 2001 From: Ahmed Ismail Date: Fri, 12 Jul 2024 11:05:59 +0100 Subject: [PATCH 4/9] provisioning: Remove g3 compiler option replacement -g3 compiler options can be used in generating provisioning AXF file without any issues. Signed-off-by: Ahmed Ismail --- applications/helpers/provisioning/CMakeLists.txt | 6 ------ 1 file changed, 6 deletions(-) diff --git a/applications/helpers/provisioning/CMakeLists.txt b/applications/helpers/provisioning/CMakeLists.txt index 1dac4020..203ec7a3 100644 --- a/applications/helpers/provisioning/CMakeLists.txt +++ b/applications/helpers/provisioning/CMakeLists.txt @@ -7,12 +7,6 @@ if(BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING) else() find_package(Python3) - #FIXME: This is needed in order to run prepoccessor on the linker script. - # The GCC prepoccessor puts std defines if -g3 is set. - if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU") - string(REPLACE "-g3" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) - endif() - list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake) include(SetProvisioningLinkOptions) From a8db0e5f2c41b96232f3f7aba9d84a7956ca2e3d Mon Sep 17 00:00:00 2001 
From: Devaraj Ranganna Date: Thu, 18 Jul 2024 09:55:58 +0000 Subject: [PATCH 5/9] keyword: Define device and provision keys as volatile FRI supports PSA crypto implementation either using TF-M on the secure side or using Mbed TLS on the non-secure side. When using Mbed TLS on the non-secure side as PSA crypto implementation, the device and provision keys are defined as volatile since we currently don't have support for file system. In addition, when using Mbed TLS on the non-secure side as PSA crypto implementation, `MBEDTLS_PKCS1_V21` (support for PKCS#1 v2.1 encoding) is enabled for OTA image validation to work. Signed-off-by: Devaraj Ranganna --- .../provisioning/dev_mode_key_provisioning.c | 6 +++++- .../configs/aws_configs/core_pkcs11_config.h | 19 +++++++++++++++++-- .../mbedtls_config/aws_mbedtls_config.h | 4 +++- 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c index d0851069..dee8f450 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.c +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c @@ -1,7 +1,7 @@ /* * FreeRTOS V202012.00 * Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. - * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2022-2024, Arm Limited and Contributors. All rights reserved. * * Permission is hereby granted, free of charge, to any person obtaining a copy of * this software and associated documentation files (the "Software"), to deal in @@ -1420,6 +1420,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, goto exit; } + #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE ); + #endif + psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) ); psa_set_key_bits( &attributes, keyBits ); 
diff --git a/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h b/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h index a612cd22..88e907b9 100644 --- a/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h +++ b/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h @@ -147,8 +147,23 @@ extern void vPortFree( void * pv ); * Define the key ID of the device keys which will be saved as * persistent keys in TF-M. The key ID servers as the a name. */ -#define PSA_DEVICE_PRIVATE_KEY_ID 0x01 -#define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM + #define PSA_DEVICE_PRIVATE_KEY_ID 0x01 + #define PSA_DEVICE_PUBLIC_KEY_ID 0x10 +#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + +/* The PSA Crypto specification + * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html + * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to + * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto + * configuration in Mbed TLS, volatile key range is defined by + * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX. + */ + #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0 +#else + #error "Missing PSA crypto implementation definition. Define either \ + `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`" +#endif /* */ /* FIXME: are these needed? */ diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index b457ceb8..d7885978 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h 
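Review bot: The MBEDTLS branch of core_pkcs11_config.h defines only `PSA_DEVICE_PRIVATE_KEY_ID`, while the TF-M branch defines both it and `PSA_DEVICE_PUBLIC_KEY_ID`; any code that still references the public key id will fail to compile in the MBEDTLS configuration, or the omission is deliberate and deserves a comment saying so. The value `0x7FFFFFE0` is also a magic number: if it is meant to be the first id of Mbed TLS's volatile range, that range is derived from the configured key slot count and should be written as `PSA_KEY_ID_VOLATILE_MIN` (or at least carry a comment naming the slot count it assumes) rather than hard-coded. The explanatory comment further describes `PSA_KEY_ID_VENDOR_MIN`..`PSA_KEY_ID_VENDOR_MAX` as "the volatile key range"; the specification calls that the vendor range, from which an implementation picks volatile ids itself, and that distinction matters for how this id is used.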
@@ -1141,7 +1141,9 @@ void mbedtls_platform_free( void * ptr ); * * This enables support for RSAES-OAEP and RSASSA-PSS operations. */ -/*#define MBEDTLS_PKCS1_V21 */ +#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS + #define MBEDTLS_PKCS1_V21 +#endif /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS * From 912feba26f709270e619a99e69c5477ca6fae2a0 Mon Sep 17 00:00:00 2001 From: Devaraj Ranganna Date: Thu, 18 Jul 2024 10:25:07 +0000 Subject: [PATCH 6/9] freertos-pkcs11-psa: Add volatile private keys patch file FRI supports PSA crypto implementation either using TF-M on the secure side or using Mbed TLS on the non-secure side. When using Mbed TLS on the non-secure side as PSA crypto implementation, the device and provision keys are defined as volatile since we currently don't have support for file system. Signed-off-by: Devaraj Ranganna --- .../freertos_pkcs11_psa/CMakeLists.txt | 12 ++++++ ...efine-device-private-key-as-volatile.patch | 37 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch diff --git a/components/security/freertos_pkcs11_psa/CMakeLists.txt b/components/security/freertos_pkcs11_psa/CMakeLists.txt index de92b45c..d5ad0b21 100644 --- a/components/security/freertos_pkcs11_psa/CMakeLists.txt +++ b/components/security/freertos_pkcs11_psa/CMakeLists.txt 
@@ -11,5 +11,17 @@ else () "Path to FreeRTOS PKCS#11 to PSA shim layer source code" ) + # The patch 0001-crypto-Define-device-private-key-as-volatile.patch is only + # needed when Mbed TLS on non-secure side is used as PSA crypto implementation. + if(PSA_CRYPTO_IMPLEMENTATION STREQUAL "MBEDTLS") + include(ApplyPatches) + + set(PATCH_FILES_DIRECTORY "${CMAKE_CURRENT_LIST_DIR}/integration/patches") + set(PATCH_FILES + "${PATCH_FILES_DIRECTORY}/0001-crypto-Define-device-private-key-as-volatile.patch" + ) + iot_reference_arm_corstone3xx_apply_patches("${freertos_pkcs11_psa_SOURCE_DIR}" "${PATCH_FILES}") + endif() + add_subdirectory(integration) endif() diff --git a/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch b/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch new file mode 100644 index 00000000..53d250be --- /dev/null +++ b/components/security/freertos_pkcs11_psa/integration/patches/0001-crypto-Define-device-private-key-as-volatile.patch 
@@ -0,0 +1,37 @@
+From 62cf09d43fa3662ef13c54a703fd3eca5fa83dac Mon Sep 17 00:00:00 2001
+From: Devaraj Ranganna
+Date: Thu, 18 Jul 2024 10:08:50 +0000
+Subject: [PATCH] crypto: Define device private key as volatile
+
+FRI supports PSA crypto implementation either using TF-M on the secure
+side or using Mbed TLS on the non-secure side. When using Mbed TLS on
+the non-secure side as PSA crypto implementation, the device and
+provision keys are defined as volatile since we currently don't have
+support for file system.
+
+Signed-off-by: Devaraj Ranganna
+---
+ iot_pkcs11_psa_object_management.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/iot_pkcs11_psa_object_management.c b/iot_pkcs11_psa_object_management.c
+index ace6dc6..546fc0c 100644
+--- a/iot_pkcs11_psa_object_management.c
++++ b/iot_pkcs11_psa_object_management.c
+@@ -280,9 +280,12 @@ CK_OBJECT_HANDLE PKCS11PSASaveObject( CK_ATTRIBUTE_PTR pxClass,
+ }
+ if ( uxStatus == PSA_SUCCESS )
+ {
+- /* Device private key is saved as persistent key. */
++ /* Device private key is saved as persistent/volatile key. */
+ #ifndef pkcs11configTFM_VERSION_1_0
+ psa_set_key_id( &key_attributes, PSA_DEVICE_PRIVATE_KEY_ID );
++#endif
++#if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
++ psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE);
+ #endif
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_SIGN_HASH );
+ psa_set_key_algorithm( &key_attributes, uxAlgorithm );
+--
+2.43.2
+
From 3bfe890ababdb0d4dec93ed7149fd2bfe81e7914 Mon Sep 17 00:00:00 2001
From: Devaraj Ranganna
Date: Thu, 18 Jul 2024 14:47:08 +0000
Subject: [PATCH 7/9] speech-recognition: Add a config option for PSA crypto implementation

A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. In addition, enable using PSA crypto APIs in Mbed TLS running on Non-Secure side.
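Review bot: The new `psa_set_key_lifetime(&key_attributes, PSA_KEY_LIFETIME_VOLATILE)` is order-sensitive in a way nothing in the hunk states: setting a volatile lifetime resets the key id held in the attributes to `PSA_KEY_ID_NULL` (the PSA Crypto API specifies this and Mbed TLS's inline `psa_set_key_lifetime` implements it), so the `psa_set_key_id( &key_attributes, PSA_DEVICE_PRIVATE_KEY_ID )` on the line above is silently discarded and the key receives an implementation-allocated id. A later lookup by `PSA_DEVICE_PRIVATE_KEY_ID` (`0x7FFFFFE0` in the core_pkcs11_config.h hunks at L22 and L25) therefore matches only if this key lands in the first volatile slot, which depends on no other volatile key existing at that point and on the configured slot count. Recording the id that `psa_import_key` returns is the robust form; if that is out of scope, the dependency should at least be stated next to the call, e.g. `/* Must follow psa_set_key_id: a volatile lifetime clears the id, so the key takes the first free volatile id, expected to equal PSA_DEVICE_PRIVATE_KEY_ID. */`. The changed comment could also say why the lifetime differs: `/* Persistent key under TF-M; volatile (RAM only, re-imported on every boot) when Mbed TLS provides PSA Crypto, since there is no file system yet. */`. `PKCS11PSASaveObject` continues outside the hunk.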
Signed-off-by: Devaraj Ranganna
---
 .../configs/aws_configs/core_pkcs11_config.h | 21 ++++++++++++++++---
 .../mbedtls_config/aws_mbedtls_config.h | 16 ++++++++++----
 .../configs/tfm_config/project_config.h | 4 ++--
 applications/speech_recognition/main.c | 11 +++++++++-
 4 files changed, 42 insertions(+), 10 deletions(-)
diff --git a/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h b/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h
index 93cf984e..2393638f 100644
--- a/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h
+++ b/applications/speech_recognition/configs/aws_configs/core_pkcs11_config.h
@@ -1,7 +1,7 @@
 /*
 * Amazon FreeRTOS V1.1.4
 * Copyright (C) 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * Copyright (c) 2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited and Contributors. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy of
 * this software and associated documentation files (the "Software"), to deal in
@@ -147,8 +147,23 @@ extern void vPortFree( void * pv );
 * Define the key ID of the device keys which will be saved as
 * persistent keys in TF-M. The key ID servers as the a name.
 */
-#define PSA_DEVICE_PRIVATE_KEY_ID 0x01
-#define PSA_DEVICE_PUBLIC_KEY_ID 0x10
+#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+ #define PSA_DEVICE_PRIVATE_KEY_ID 0x01
+ #define PSA_DEVICE_PUBLIC_KEY_ID 0x10
+#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+
+/* The PSA Crypto specification
+ * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html
+ * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to
+ * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto
+ * configuration in Mbed TLS, volatile key range is defined by
+ * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX.
+ */
+ #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0
+#else
+ #error "Missing PSA crypto implementation definition. Define either \
+ `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`"
+#endif
 /* */
 /* FIXME: are these needed? */
diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
index e0276407..2168f274 100644
--- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
@@ -11,6 +11,8 @@
 /*
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2024 Arm Limited and/or its affiliates
+ *
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
@@ -1122,7 +1124,9 @@ void mbedtls_platform_free( void * ptr );
 *
 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
 */
-/*#define MBEDTLS_PKCS1_V21 */
+#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ #define MBEDTLS_PKCS1_V21
+#endif
 /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 *
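Review bot: The block comment above the new `#ifdef` still says the device keys "will be saved as persistent keys in TF-M", which no longer holds for the `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` branch, where the series makes the key volatile and defines only `PSA_DEVICE_PRIVATE_KEY_ID`; any remaining use of `PSA_DEVICE_PUBLIC_KEY_ID` in that configuration would fail to compile, which this hunk cannot show. The value `0x7FFFFFE0` is also load-bearing in a way the new comment does not state: it is never assigned to the key (the volatile-key patch at L20 sets the lifetime after the id, which clears it), so it works only if it equals the first id Mbed TLS hands out for a volatile key, i.e. the bottom of the `PSA_KEY_ID_VOLATILE_MIN`..`PSA_KEY_ID_VOLATILE_MAX` range, which presumably is derived from `MBEDTLS_PSA_KEY_SLOT_COUNT` (the value is consistent with 32 slots). Suggest closing the new comment with `* This value is not set on the key; it must equal the first volatile id the PSA core allocates (PSA_KEY_ID_VOLATILE_MIN for the configured MBEDTLS_PSA_KEY_SLOT_COUNT), so creating any other volatile key before the device key breaks the lookup.` and qualifying "persistent keys in TF-M" in the header comment with the Mbed TLS case. The same hunk appears for object_detection at L25.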
@@ -1154,7 +1158,9 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-#define MBEDTLS_PSA_CRYPTO_CLIENT
+#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+ #define MBEDTLS_PSA_CRYPTO_CLIENT
+#endif
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
@@ -1738,7 +1744,7 @@ void mbedtls_platform_free( void * ptr );
 *
 * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
 */
-/*#define MBEDTLS_USE_PSA_CRYPTO */
+#define MBEDTLS_USE_PSA_CRYPTO
 /**
 * \def MBEDTLS_PSA_CRYPTO_CONFIG
@@ -2609,7 +2615,9 @@ void mbedtls_platform_free( void * ptr );
 * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
 *
 */
-/*#define MBEDTLS_PSA_CRYPTO_C */
+#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ #define MBEDTLS_PSA_CRYPTO_C
+#endif
 /**
 * \def MBEDTLS_PSA_CRYPTO_SE_C
diff --git a/applications/speech_recognition/configs/tfm_config/project_config.h b/applications/speech_recognition/configs/tfm_config/project_config.h
index fcb4598e..c4f8d5fa 100644
--- a/applications/speech_recognition/configs/tfm_config/project_config.h
+++ b/applications/speech_recognition/configs/tfm_config/project_config.h
@@ -1,4 +1,4 @@
-/* Copyright 2023 Arm Limited and/or its affiliates
+/* Copyright 2023-2024 Arm Limited and/or its affiliates
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@@ -33,7 +33,7 @@
 #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1
-#define CRYPTO_IOVEC_BUFFER_SIZE 5120
+#define CRYPTO_IOVEC_BUFFER_SIZE 20000
 #define CRYPTO_NV_SEED 1
diff --git a/applications/speech_recognition/main.c b/applications/speech_recognition/main.c
index a1758859..f3325a77 100644
--- a/applications/speech_recognition/main.c
+++ b/applications/speech_recognition/main.c
@@ -1,4 +1,4 @@
-/* Copyright 2023 Arm Limited and/or its affiliates
+/* Copyright 2023-2024 Arm Limited and/or its affiliates
 *
 * SPDX-License-Identifier: MIT
 */
@@ -173,6 +173,15 @@ int main( void )
 mbedtls_platform_mutex_lock,
 mbedtls_platform_mutex_unlock );
+ #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ psa_status_t xResult = psa_crypto_init();
+
+ if( xResult != PSA_SUCCESS )
+ {
+ printf( "Psa crypto init failed with return code = %d\r\n", xResult );
+ }
+ #endif
+
 UBaseType_t xRetVal = vDevModeKeyProvisioning();
 if( xRetVal != CKR_OK )
From 65edf83d99f7da831bff19bc714f511ecdafa065 Mon Sep 17 00:00:00 2001
From: Devaraj Ranganna
Date: Thu, 18 Jul 2024 14:49:51 +0000
Subject: [PATCH 8/9] object-detection: Add a config option for PSA crypto implementation

A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. In addition, enable using PSA crypto APIs in Mbed TLS running on Non-Secure side.

Signed-off-by: Devaraj Ranganna
---
 .../configs/aws_configs/core_pkcs11_config.h | 19 +++++++++++++++++--
 .../mbedtls_config/aws_mbedtls_config.h | 16 ++++++++++++----
 .../configs/tfm_config/project_config.h | 2 +-
 applications/object_detection/main.c | 9 +++++++++
 4 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/applications/object_detection/configs/aws_configs/core_pkcs11_config.h b/applications/object_detection/configs/aws_configs/core_pkcs11_config.h
index 9cdf1322..2393638f 100644
--- a/applications/object_detection/configs/aws_configs/core_pkcs11_config.h
+++ b/applications/object_detection/configs/aws_configs/core_pkcs11_config.h
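Review bot: A failed `psa_crypto_init()` is only printed and execution falls through to `vDevModeKeyProvisioning()`, which under `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS` is the first caller into the PSA core that just failed to initialise; the `xRetVal != CKR_OK` check right after it (its handler is outside the hunk) suggests the established pattern is to stop on a provisioning failure, and the init failure deserves the same treatment so the device does not boot into a state that fails at first crypto use with a less specific error. Suggest `printf( "Psa crypto init failed with return code = %d\r\n", ( int ) xResult );` followed by the same exit path the `CKR_OK` branch takes; the `( int )` cast also keeps `%d` correct on toolchains where `psa_status_t` is not `int`. The object_detection main.c hunk at L26 has the same shape. `main` continues outside the hunk.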
@@ -147,8 +147,23 @@ extern void vPortFree( void * pv );
 * Define the key ID of the device keys which will be saved as
 * persistent keys in TF-M. The key ID servers as the a name.
 */
-#define PSA_DEVICE_PRIVATE_KEY_ID 0x01
-#define PSA_DEVICE_PUBLIC_KEY_ID 0x10
+#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+ #define PSA_DEVICE_PRIVATE_KEY_ID 0x01
+ #define PSA_DEVICE_PUBLIC_KEY_ID 0x10
+#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+
+/* The PSA Crypto specification
+ * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html
+ * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to
+ * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto
+ * configuration in Mbed TLS, volatile key range is defined by
+ * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX.
+ */
+ #define PSA_DEVICE_PRIVATE_KEY_ID 0x7FFFFFE0
+#else
+ #error "Missing PSA crypto implementation definition. Define either \
+ `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`"
+#endif
 /* */
 /* FIXME: are these needed? */
diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
index e0276407..2168f274 100644
--- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
+++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h
@@ -11,6 +11,8 @@
 /*
 * Copyright The Mbed TLS Contributors
 * SPDX-License-Identifier: Apache-2.0
+ * Copyright 2024 Arm Limited and/or its affiliates
+ *
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may
 * not use this file except in compliance with the License.
@@ -1122,7 +1124,9 @@ void mbedtls_platform_free( void * ptr );
 *
 * This enables support for RSAES-OAEP and RSASSA-PSS operations.
 */
-/*#define MBEDTLS_PKCS1_V21 */
+#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ #define MBEDTLS_PKCS1_V21
+#endif
 /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS
 *
@@ -1154,7 +1158,9 @@ void mbedtls_platform_free( void * ptr );
 * \warning This interface is experimental and may change or be removed
 * without notice.
 */
-#define MBEDTLS_PSA_CRYPTO_CLIENT
+#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+ #define MBEDTLS_PSA_CRYPTO_CLIENT
+#endif
 /** \def MBEDTLS_PSA_CRYPTO_DRIVERS
 *
@@ -1738,7 +1744,7 @@ void mbedtls_platform_free( void * ptr );
 *
 * Uncomment this to enable internal use of PSA Crypto and new associated APIs.
 */
-/*#define MBEDTLS_USE_PSA_CRYPTO */
+#define MBEDTLS_USE_PSA_CRYPTO
 /**
 * \def MBEDTLS_PSA_CRYPTO_CONFIG
@@ -2609,7 +2615,9 @@ void mbedtls_platform_free( void * ptr );
 * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
 *
 */
-/*#define MBEDTLS_PSA_CRYPTO_C */
+#ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ #define MBEDTLS_PSA_CRYPTO_C
+#endif
 /**
 * \def MBEDTLS_PSA_CRYPTO_SE_C
diff --git a/applications/object_detection/configs/tfm_config/project_config.h b/applications/object_detection/configs/tfm_config/project_config.h
index 86414f75..273afb85 100644
--- a/applications/object_detection/configs/tfm_config/project_config.h
+++ b/applications/object_detection/configs/tfm_config/project_config.h
@@ -33,7 +33,7 @@
 #define CRYPTO_KEY_DERIVATION_MODULE_ENABLED 1
-#define CRYPTO_IOVEC_BUFFER_SIZE 5120
+#define CRYPTO_IOVEC_BUFFER_SIZE 20000
 #define CRYPTO_NV_SEED 1
diff --git a/applications/object_detection/main.c b/applications/object_detection/main.c
index 128db86a..8fb55956 100644
--- a/applications/object_detection/main.c
+++ b/applications/object_detection/main.c
@@ -162,6 +162,15 @@ int main( void )
 mbedtls_platform_mutex_lock,
 mbedtls_platform_mutex_unlock );
+ #if defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+ psa_status_t xResult = psa_crypto_init();
+
+ if( xResult != PSA_SUCCESS )
+ {
+ printf( "Psa crypto init failed with return code = %d\r\n", xResult );
+ }
+ #endif
+
 UBaseType_t xReturnValue = vDevModeKeyProvisioning();
 if( xReturnValue != CKR_OK )
From ac424ebf39b787442171639bb3e4f6bf0c061e6b Mon Sep 17 00:00:00 2001
From: Ahmed Ismail
Date: Mon, 23 Sep 2024 18:39:54 +0100
Subject: [PATCH 9/9] docs: Update documents to include the PSA Crypto option

Top level README.md along with applications' documents are updated to illustrate how the new PSA Crypto APIs implementation configuration option can be used, and mention the available configurations for the new option.

Signed-off-by: Ahmed Ismail
---
 README.md | 6 ++++--
 ...unning_aws_iot_core_device_advisor_tests.md | 4 ++--
 docs/applications/keyword_detection.md | 9 +++++++--
 docs/applications/object_detection.md | 9 +++++++--
 docs/applications/speech_recognition.md | 9 +++++++--
 docs/components/aws_iot/aws_tool.md | 2 +-
 docs/components/security/mbedtls/mbedtls.md | 18 ++++++++++++++++++
 .../vscode_dev_env_build_and_debug.md | 3 ++-
 8 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 36ff6c52..e533686f 100644
--- a/README.md
+++ b/README.md
@@ -73,8 +73,10 @@ and [AWS OTA PAL PSA implementation](#aws-ota-pal-psa-implementation) can be per
 Corstone platform communicates with the AWS IoT Core over a secure TLS connection. Mbed TLS running on the NSPE is used to establish the TLS
-connection. Mbed TLS makes use of the PSA Crypto APIs provided by TF-M for
-Crypto operations.
+connection. For crypto operations, Mbed TLS supports PSA Crypto APIs provided by either
+the Mbed TLS itself or the Trusted Firmware-M and the default is
+PSA Crypto API from Trusted Firmware-M. For more information about the PSA Crypto APIs
+implementation, please refer to [Mbed TLS document](docs/components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation).
 [PKCS#11](https://www.freertos.org/pkcs11/index.html) APIs to perform TLS client authentication and import TLS client certificate and private key into
diff --git a/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md b/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md
index 7615462d..47bf6ac8 100644
--- a/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md
+++ b/docs/applications/device_advisor/running_aws_iot_core_device_advisor_tests.md
@@ -65,7 +65,7 @@ Save and close the file.
 To build the application, run the following command:
 ```bash
-./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU
+./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU --conn-stack --psa-crypto-implementation
 ```
 * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's paths during the Thing creation.
@@ -73,7 +73,7 @@ To build the application, run the following command:
 Or, run the command below to perform a clean build:
 ```bash
-./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU -c
+./tools/scripts/build.sh ${APPLICATION_NAME} --certificate_path --private_key_path --target --toolchain GNU --conn-stack --psa-crypto-implementation -c
 ```
 ## Running the application
diff --git a/docs/applications/keyword_detection.md b/docs/applications/keyword_detection.md
index f85e0511..04b1aaca 100644
--- a/docs/applications/keyword_detection.md
+++ b/docs/applications/keyword_detection.md
@@ -47,7 +47,7 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set
 To build the Keyword-Detection example, run the following command:
 ```bash
-./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain
+./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation
 ```
 * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step.
@@ -55,10 +55,15 @@ To build the Keyword-Detection example, run the following command:
 * The `audio` is used to select the input audio source whether it's preloaded into `ROM` or using Arm's Virtual Streaming Interface `VSI`.
+* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`.
+
+* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs
+implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation).
+
 Or, run the command below to perform a clean build:
 ```bash
-./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain -c
+./tools/scripts/build.sh keyword-detection --certificate_path --private_key_path --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation -c
 ```
 ## Provisioning the device credentials into Protected Storage
diff --git a/docs/applications/object_detection.md b/docs/applications/object_detection.md
index 8b3967f3..656a9991 100644
--- a/docs/applications/object_detection.md
+++ b/docs/applications/object_detection.md
@@ -25,15 +25,20 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set
 To build the Object-Detection example, run the following command:
 ```bash
-./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU
+./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU --conn-stack --psa-crypto-implementation
 ```
 - The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step.
 - The `toolchain` is used to select the `GNU`, that supports the `Mali-C55`.
+* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`.
+
+* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs
+implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation).
+
 Or, run the command below to perform a clean build:
 ```bash
-./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU -c
+./tools/scripts/build.sh object-detection --certificate_path --private_key_path -t corstone315 --toolchain GNU --conn-stack --psa-crypto-implementation -c
 ```
 ## Provisioning the device credentials into Protected Storage
diff --git a/docs/applications/speech_recognition.md b/docs/applications/speech_recognition.md
index 05decf21..a6c05824 100644
--- a/docs/applications/speech_recognition.md
+++ b/docs/applications/speech_recognition.md
@@ -27,16 +27,21 @@ Follow the instructions described in [Setting Up AWS Connectivity](./aws_iot/set
 To build the Speech-Recognition example, run the following command:
 ```bash
-./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain
+./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain --conn-stack --psa-crypto-implementation
 ```
 * The `certificate pem's path` and `private key pem's path` should be the downloaded key's and certificate's path if you chose the **Auto-generate a new certificate** during the Thing creation. If you chose **Skip creating a certificate at this time** then these paths should locate the generated credential files that were created by the `./tools/scripts/generate_credentials.py` script in the previous step.
 * The `audio` is used to select the input audio source whether it's preloaded into `ROM` or using Arm's Virtual Streaming Interface `VSI`.
+* The `conn-stack` is used to select the connectivity stack to be used whether it's `FREERTOS_PLUS_TCP` or `IOT_VSOCKET`.
+
+* The `psa-crypto-implementation` is used to select the library providing the PSA Crypto APIs implementation whether it's `TF-M` or `MBEDTLS`. For more information about the PSA Crypto APIs
+implementation, please refer to [Mbed TLS document](../components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation).
+
 Or, run the command below to perform a clean build:
 ```bash
-./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain -c
+./tools/scripts/build.sh speech-recognition --certificate_path --private_key_path --target --inference ETHOS --audio --toolchain --conn-stack --psa-crypto-implementation -c
 ```
 ## Provisioning the device credentials into Protected Storage
diff --git a/docs/components/aws_iot/aws_tool.md b/docs/components/aws_iot/aws_tool.md
index 09ed276a..67b0190f 100644
--- a/docs/components/aws_iot/aws_tool.md
+++ b/docs/components/aws_iot/aws_tool.md
@@ -96,7 +96,7 @@ You may now use MQTT to send and receive message for that device. See section [O
 You may now rebuild keyword with those certificates:
 ```sh
-./tools/scripts/build.sh keyword-detection --certificate_path certificates/thing_certificate_.pem.crt --private_key_path certificates/thing_private_key_.pem.key --target --inference --audio --toolchain
+./tools/scripts/build.sh keyword-detection --certificate_path certificates/thing_certificate_.pem.crt --private_key_path certificates/thing_private_key_.pem.key --target --inference --audio --toolchain --conn-stack --psa-crypto-implementation
 ```
 Next, we'll create the bucket, upload the binary there, create a role capable of running an OTA update, and create the update. All of those with the following command:
 ```sh
diff --git a/docs/components/security/mbedtls/mbedtls.md b/docs/components/security/mbedtls/mbedtls.md
index 7c58709d..4dcc01cc 100644
--- a/docs/components/security/mbedtls/mbedtls.md
+++ b/docs/components/security/mbedtls/mbedtls.md
@@ -38,6 +38,24 @@ target_compile_definitions(mbedtls-config
 To enable the FreeRTOS threading protection `#define MBEDTLS_THREADING_ALT` should be present in the user provided mbedtls configuration file.
+### PSA Crypto APIs Implementation
+
+PSA Crypto is part of Platform Security Architecture initiative that standardized crypto interfaces. The PSA Crypto specification is available [here](https://arm-software.github.io/psa-api/crypto/1.1/). Mbed TLS, and Trusted Firmware-M libraries provide implementation for PSA Crypto APIs.
+
+User can choose which library is to be used for implementing PSA Crypto APIs used by Mbed TLS library running on the Non-Secure side through the build option `--psa-crypto-implementation `.
+
+The default PSA Crypto APIs implementation is the one provided by Trusted Firmware-M library, where the `--psa-crypto-implementation` build option default value is `TF-M`.
+
+In case of using Trusted Firmware-M as the PSA Crypto APIs implementation, `tfm-ns-interface` library has to be linked to the `mbedtls` target.
+
+```cmake
+target_link_libraries(mbedtls
+ PUBLIC
+ mbedtls-config
+ tfm-ns-interface
+)
+ ```
+
 ## Integration
 ### FreeRTOS threading support
diff --git a/docs/development_environment/vscode_dev_env_build_and_debug.md b/docs/development_environment/vscode_dev_env_build_and_debug.md
index ecc42f29..1aa32795 100644
--- a/docs/development_environment/vscode_dev_env_build_and_debug.md
+++ b/docs/development_environment/vscode_dev_env_build_and_debug.md
@@ -129,7 +129,8 @@ Command Palette (F1)
 ./tools/scripts/build.sh --toolchain --certificate_path --private_key_path --target
---inference --audio