Merge pull request #8859 from Patater/dev/Patater/import-mbed-tls-and-crypto

Import Mbed TLS v2.15.0 with Mbed Crypto

Author: 0xc0170

features/mbedtls/VERSION.txt

@@ -1 +1,2 @@
-mbedtls-2.13.1
+mbedtls-2.15.0
+mbedcrypto-0.1.0b

features/mbedtls/importer/Makefile

@@ -27,20 +27,39 @@
 #
 
 # Set the mbed TLS release to import (this can/should be edited before import)
-MBED_TLS_RELEASE ?= mbedtls-2.13.1
+MBED_TLS_RELEASE ?= mbedtls-2.15.0
 
 # Translate between mbed TLS namespace and mbed namespace
 TARGET_PREFIX:=../
+TARGET_PREFIX_CRYPTO:=../mbed-crypto/
 TARGET_SRC:=$(TARGET_PREFIX)src
 TARGET_INC:=$(TARGET_PREFIX)inc
 TARGET_TESTS:=$(TARGET_PREFIX)TESTS
 
+# New folder structure is introduced here for targets with Secured-Partition-Environment
+# and Non-Secured-Partition-Environment, below documentation for each folder:
+# COMPONENT_PSA_SRV_IMPL - include secure service business logic implementation
+# code. For example Mbed Crypto or secure time core logic
+TARGET_SRV_IMPL:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL
+# COMPONENT_SPE - include code that compiles ONLY to secure image and never
+# compiles to non-secure image
+TARGET_SPE:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_SPE
+# The folder contain specific target implementation using hardware.
+TARGET_PSA_DRIVERS:=$(TARGET_PREFIX_CRYPTO)/targets
+# COMPONENT_NSPE - include code that compiles ONLY to non-secure image and
+# never compiles to secure image
+TARGET_NSPE:=$(TARGET_SRV_IMPL)/COMPONENT_NSPE
+
 # mbed TLS source directory - hidden from mbed via TARGET_IGNORE
 MBED_TLS_URL:[email protected]:ARMmbed/mbedtls-restricted.git
 MBED_TLS_DIR:=TARGET_IGNORE/mbedtls
 MBED_TLS_API:=$(MBED_TLS_DIR)/include/mbedtls
 MBED_TLS_GIT_CFG=$(MBED_TLS_DIR)/.git/config
 
+# Mbed Crypto directory - hidden from mbed via TARGET_IGNORE
+MBED_CRYPTO_DIR:=$(MBED_TLS_DIR)/crypto
+MBED_CRYPTO_API:=$(MBED_CRYPTO_DIR)/include/psa
+
 .PHONY: all deploy deploy-tests rsync mbedtls clean update
 
 all: mbedtls
@@ -62,6 +81,23 @@ rsync:
 	cp $(MBED_TLS_DIR)/LICENSE $(TARGET_PREFIX)
 	cp $(MBED_TLS_DIR)/apache-2.0.txt $(TARGET_PREFIX)
 	#
+	# Create Mbed Crypto target folder
+	mkdir -p $(TARGET_PREFIX_CRYPTO)
+	#
+	# Copying Mbed Crypto into Mbed OS..
+	rm -rf $(TARGET_SRV_IMPL)
+	rm -rf $(TARGET_SPE)
+
+	mkdir -p $(TARGET_SRV_IMPL)
+	mkdir -p $(TARGET_SPE)
+	mkdir -p $(TARGET_NSPE)
+	mkdir -p $(TARGET_PSA_DRIVERS)
+
+	rsync -a --delete --exclude='crypto_struct.h' $(MBED_CRYPTO_API) $(TARGET_INC)
+	rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_NSPE)
+	rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_SPE)/crypto_struct_spe.h
+	rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.c $(TARGET_SRV_IMPL)
+	rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.h $(TARGET_SRV_IMPL)
 
 deploy: rsync
 	#
@@ -92,8 +128,14 @@ update: $(MBED_TLS_GIT_CFG)  $(MBED_TLS_HA_GIT_CFG)
 	# Checking out the required release
 	git -C $(MBED_TLS_DIR) checkout $(MBED_TLS_RELEASE)
 	#
+	# Update and checkout git submodules
+	git -C $(MBED_TLS_DIR) submodule update --init --recursive
+	#
 	# Updating checked out version tag
 	echo $(MBED_TLS_RELEASE) > $(TARGET_PREFIX)VERSION.txt
+	#
+	# Updating Mbed Crypto checked out version tag
+	git -C $(MBED_CRYPTO_DIR) describe --tags --abbrev=12 --dirty --always >> $(TARGET_PREFIX)VERSION.txt
 
 $(MBED_TLS_GIT_CFG):
 	rm -rf $(MBED_TLS_DIR)
@@ -107,4 +149,5 @@ clean:
 	rm -rf $(TARGET_SRC)
 	rm -rf $(TARGET_INC)
 	rm -rf $(MBED_TLS_DIR)
-
+	rm -rf $(TARGET_SRV_IMPL)
+	rm -rf $(TARGET_SPE)

features/mbedtls/importer/adjust-config.sh

@@ -22,7 +22,7 @@ SCRIPT=$1
 FILE=$2
 
 conf() {
-    $SCRIPT -f $FILE $@
+    $SCRIPT -f $FILE --force $@
 }
 
 add_code() {
@@ -140,3 +140,8 @@ conf unset MBEDTLS_SSL_TRUNCATED_HMAC
 
 conf unset MBEDTLS_PLATFORM_TIME_TYPE_MACRO
 
+# The following configurations are a needed for Mbed Crypto submodule.
+# They are related to the persistent key storage feature.
+conf set MBEDTLS_PSA_CRYPTO_STORAGE_C
+conf set MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
+conf unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C

features/mbedtls/inc/mbedtls/aes.h

@@ -60,7 +60,11 @@
 
 /* Error codes in range 0x0021-0x0025 */
 #define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0021  /**< Invalid input data. */
+
+/* MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */
+
+/* MBEDTLS_ERR_AES_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_AES_HW_ACCEL_FAILED                   -0x0025  /**< AES hardware accelerator failed. */
 
 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \

features/mbedtls/inc/mbedtls/arc4.h

@@ -36,6 +36,7 @@
 
 #include <stddef.h>
 
+/* MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARC4_HW_ACCEL_FAILED                  -0x0019  /**< ARC4 hardware accelerator failed. */
 
 #ifdef __cplusplus

features/mbedtls/inc/mbedtls/aria.h

@@ -48,7 +48,12 @@
 
 #define MBEDTLS_ERR_ARIA_INVALID_KEY_LENGTH   -0x005C  /**< Invalid key length. */
 #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E  /**< Invalid data input length. */
+
+/* MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE is deprecated and should not be used.
+ */
 #define MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE  -0x005A  /**< Feature not available. For example, an unsupported ARIA key size. */
+
+/* MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED is deprecated and should not be used. */
 #define MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED      -0x0058  /**< ARIA hardware accelerator failed. */
 
 #if !defined(MBEDTLS_ARIA_ALT)