psa: Replace Mbed PSA with TF-M

These changes switch to TF-M as the sole PSA implementation for v8-M and
dual core targets, with TF-M running on the secure side and Mbed OS
running on the non-secure side. Single core v7-M targets will continue
to have PSA implemented via PSA emulation, implemented by Mbed OS.

Move or remove many PSA-implementing files, as PSA will be provided by
TF-M on non-single-v7-M targets. Delete any files that are not relevant
for PSA emulation mode.
 - Remove imported TF-M SPM
 - Remove Mbed SPM and tests
 - Remove Mbed-implemented PSA services and tests
 - Remove PSA_SRV_IMPL, PSA_SRV_IPC, PSA_SRV_EMUL and NSPE.
 - Replace PSA_SRV_EMUL and PSA_SRV_IMPL with MBED_PSA_SRV
 - Remove any files autogenerated by
   "tools/psa/generate_partition_code.py", which no longer exists.

Add new feature `PSA` to support PSA in Mbed OS.

Add the document supporting_psa_in_mbed-os.md which describes how to add
PSA support for a target in Mbed 6.

Move the Mbed OS implementation of PSA services for v7-M targets (which
employ PSA emulation, and don't yet use TF-M) to
features/FEATURE_PSA/TARGET_MBED_PSA_SRV. Update the `requires`
attribute in TESTS/configs/baremetal.json to avoid breaking baremetal
testing builds.

Update .astyleignore to match new directory structure

Create the following generic PSA targets:

* `PSA_Target` (Root level PSA target)
* `PSA_V7_M_NSPE` (Single v7-M NSPE generic target)
* `PSA_V7_M_SPE` (Single v7-M SPE generic target)
* `PSA_DUAL_V7_M_NSPE` (Dual v7-M NSPE generic target)
* `PSA_DUAL_V7_M_SPE` (Dual v7-M SPE generic target)
* `PSA_V8_M_NSPE` (v8-M NSPE generic target)
* `PSA_V8_M_SPE` (v8-M SPE generic target)

Flatten MUSCA_NS and private MUSCA targets into public MUSCA targets.

Move mcuboot.bin to flat location (removing prebuilt folder)

Signed-off-by: Devaraj Ranganna <[email protected]>
Signed-off-by: Jaeden Amero <[email protected]>

Author: urutva

.astyleignore

@@ -1,11 +1,10 @@
 ^BUILD
 ^cmsis
-^components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/attestation.h
-^components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/COMPONENT_PSA_SRV_IMPL/tfm_impl
-^components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor
-^components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/crypto/COMPONENT_PSA_SRV_IPC/crypto_struct_ipc.h
-^components/TARGET_PSA/TARGET_TFM
-^components/TARGET_PSA/TARGET_MBED_PSA_SRV/TESTS
+^features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/attestation.h
+^features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/tfm_impl
+^features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation/qcbor
+^features/FEATURE_PSA/TARGET_TFM
+^features/FEATURE_PSA/TARGET_MBED_PSA_SRV/TESTS
 ^features/cryptocell
 ^features/FEATURE_BLE
 ^features/frameworks

.gitignore

@@ -97,3 +97,6 @@ test_suite.json
 
 # default delivery dir
 DELIVERY/
+
+# Directory used to clone and build TF-M
+features/FEATURE_PSA/TARGET_TFM/TARGET_IGNORE/

LICENSE.md

@@ -5,11 +5,11 @@ Folders containing files under different permissive license than Apache 2.0 are
 
 - [cmsis](./cmsis) - MIT, BSD-3-Clause
 - [components/802.15.4_RF/mcr20a-rf-driver](./components/802.15.4_RF/mcr20a-rf-driver) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_TFM](./components/TARGET_PSA/TARGET_TFM) - BSD-3-Clause
-- [components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation](./components/TARGET_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
 - [features/cryptocell/FEATURE_CRYPTOCELL310](./features/cryptocell/FEATURE_CRYPTOCELL310) - ARM Object Code and Header Files License
 - [features/FEATURE_BOOTLOADER](./features/FEATURE_BOOTLOADER) - PBL
 - [features/FEATURE_BLE/targets](./features/FEATURE_BLE/targets) - BSD-style, PBL, MIT-style
+- [features/FEATURE_PSA/FEATURE_TFM](./features/FEATURE_PSA/FEATURE_TFM) - BSD-3-Clause
+- [features/FEATURE_PSA/FEATURE_MBED_PSA_SRV/services/attestation](./features/FEATURE_PSA/TARGET_MBED_PSA_SRV/services/attestation) - BSD-3-Clause
 - [features/lorawan](./features/lorawan) - Revised BSD
 - [features/lwipstack](./features/lwipstack) - BSD-style, MIT-style
 - [features/nanostack/sal-stack-nanostack](./features/nanostack/sal-stack-nanostack) - BSD-3-Clause

TESTS/configs/baremetal.json

@@ -5,6 +5,7 @@
         "utest",
         "unity",
         "psa",
+        "psa-services",
         "mbedtls",
         "psa-compliance-framework",
         "filesystem",

TESTS/mbed_hal/trng/main.cpp

@@ -69,33 +69,6 @@
 
 using namespace utest::v1;
 
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "entropy.h"
-#include "entropy_poll.h"
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
 static int fill_buffer_trng(uint8_t *buffer, trng_t *trng_obj, size_t trng_len)
 {
     size_t temp_size = 0, output_length = 0;
@@ -275,9 +248,6 @@ int main()
 #if defined(MBEDTLS_PLATFORM_C)
     ret = mbedtls_platform_setup(NULL);
 #endif /* MBEDTLS_PLATFORM_C */
-#if (defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
     ret = !Harness::run(specification);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

TESTS/mbedtls/sanity/main.cpp

@@ -15,12 +15,11 @@
  * limitations under the License.
  */
 
-#include "psa/crypto.h"
-
-#if ((!defined(TARGET_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
+#if ((!defined(FEATURE_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)))
 #error [NOT_SUPPORTED] Mbed Crypto is OFF - skipping.
 #else
 
+#include "psa/crypto.h"
 #include <stdio.h>
 #include "mbed.h"
 #include "greentea-client/test_env.h"
@@ -31,7 +30,7 @@
 
 using namespace utest::v1;
 
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
 
 #if !defined(MAX)
 #define MAX(a,b) (((a)>(b))?(a):(b))
@@ -48,7 +47,7 @@ void inject_entropy()
     }
     mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
 }
-#endif // defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#endif // defined(MBEDTLS_ENTROPY_NV_SEED)
 
 void test_crypto_random(void)
 {
@@ -431,12 +430,12 @@ void test_crypto_hash_clone(void)
 utest::v1::status_t case_setup_handler(const Case *const source, const size_t index_of_case)
 {
     psa_status_t status = psa_crypto_init();
-#if defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC)
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
     if (status == PSA_ERROR_INSUFFICIENT_ENTROPY) {
         inject_entropy();
         status = psa_crypto_init();
     }
-#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC) */
+#endif /* defined(MBEDTLS_ENTROPY_NV_SEED) */
     TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
     return greentea_case_setup_handler(source, index_of_case);
 }

TESTS/mbedtls/selftest/main.cpp

@@ -87,32 +87,6 @@ Case cases[] = {
 #endif /* MBEDTLS_SELF_TEST */
 };
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-#include "crypto.h"
-#if !defined(MAX)
-#define MAX(a,b) (((a)>(b))?(a):(b))
-#endif
-
-/* Calculating the minimum allowed entropy size in bytes */
-#define MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE \
-            MAX(MBEDTLS_ENTROPY_MIN_PLATFORM, MBEDTLS_ENTROPY_BLOCK_SIZE)
-
-void inject_entropy_for_psa()
-{
-    if (psa_crypto_init() == PSA_ERROR_INSUFFICIENT_ENTROPY) {
-        uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0};
-        /* inject some a seed for test*/
-        for (int i = 0; i < MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE; ++i) {
-            seed[i] = i;
-        }
-
-        /* don't really care if this succeed this is just to make crypto init pass*/
-        mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE);
-    }
-}
-#endif // (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-
-
 utest::v1::status_t test_setup(const size_t num_cases)
 {
     GREENTEA_SETUP(120, "default_auto");
@@ -131,10 +105,6 @@ int main()
     }
 #endif
 
-#if (defined(MBEDTLS_ENTROPY_C) && defined(TARGET_PSA) && defined(COMPONENT_PSA_SRV_IPC) && defined(MBEDTLS_PSA_CRYPTO_C))
-    inject_entropy_for_psa();
-#endif
-
     ret = (Harness::run(specification) ? 0 : 1);
 #if defined(MBEDTLS_PLATFORM_C)
     mbedtls_platform_teardown(NULL);

cmsis/TARGET_CORTEX_M/mbed_tz_context.c

@@ -22,7 +22,7 @@
  * limitations under the License.
  */
 
-#if !TARGET_TFM
+#if !FEATURE_TFM
 
 #if defined (__ARM_FEATURE_CMSE) &&  (__ARM_FEATURE_CMSE == 3U)
 
@@ -204,4 +204,4 @@ uint32_t TZ_StoreContext_S (TZ_MemoryId_t id) {
 }
 #endif
 
-#endif // !TARGET_TFM
+#endif // !FEATURE_TFM