Enable PSA tests on K64F/K66F and fix missing PSA Crypto init in TLSSocketWrapper #14815
Conversation
|
@ARMmbed/mbed-os-core I didn't know about the "test_configs" mechanism of When we add CTest support to build & run all Greentea tests with Mbed CLI 2, we need to consider how to handle this... |
ciarmcom
added
the
release-type: patch
|
@LDong-Arm, thank you for your changes. |
|
CI started |
Jenkins CI Test : ❌ FAILEDBuild Number: 1 | 🔒 Jenkins CI Job | 🌐 Logs & ArtifactsCLICK for Detailed Summary
|
|
Enabling PSA on K64F causes |
In `tools/test_configs/`, target-specific test configurations are defined in `target_configs.json` and parsed by `__init__.py`. The latter only makes use of `default_test_configuration` (default test configuration to use) and `test_configurations` (more configurations selectable via `mbed test --test-config <config>`. Anything else is ignored, including nsapi, so this commit cleans up dead entries.
When using the `mbed test` command to build and run tests, some targets have additional configurations/overrides defined in `tools/test_configs/`: * `target_configs.json` lists which targets support which configs. * `config_paths.json` maps the name of each config to the JSON file to use. By default, only `default_test_configuration` from `target_configs.json` gets used when building and running tests. Others listed in `test_configuration` need to be switched via `--test-config <NAME>`. This commit enables Experimental API in the default configurations of K64F and K66F in order to test Mbed OS PSA. Any existing configs are kept, which is why `HeapBlockDeviceAndEthernetAndExperimental.json` is created for K64F.
Some of the lines in `platform_mbed.h` only have `FEATURE_PSA` checked, which is always set for Mbed OS PSA targets but the PSA APIs are not actually available unless `FEATURE_EXPERIMENTAL_API` is also enabled. To fix this and improve readability, group all PSA-related lines and check both macros.
LDong-Arm
force-pushed
the
test_psa_k64f_k66f
branch
from
21fb7c7 to
de2dd02
Compare
LDong-Arm
changed the title
@Patater @ARMmbed/mbed-os-core This is now addressed - added |
|
|
||
| // Required by mbedtls_platform_setup() | ||
|
|
||
| int crypto_platform_setup(crypto_platform_ctx *unused) |
There was a problem hiding this comment.
Should we have an ifdef to catch if cryptocell is enabled to provide a more friendly error message than duplicate symbol definition? We can't have both PSA and cryptocell enabled, unless we chain together their initializers.
There was a problem hiding this comment.
Good point, I need to check whether Mbed TLS can use CryptoCell and PSA Crypto at the same time. If it can, we need to make sure they are both initialised.
There was a problem hiding this comment.
It's tricky to initialise both CryptoCell and PSA Crypto here, because any crypto hardware (e.g. CryptoCell) relies on MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT (from Mbed TLS) to add initialisation hooks, but the same macro is for overriding mbedtls_platform_setup() for PSA Crypto too. So, there's no way to check if only PSA is available or PSA and some crypto hardware both need to be initialised - we just don't have any macro or anything for this.
Introducing a new config/macro would be a breaking change - it's easy to change CryptoCell as it's in Mbed OS, but if a third-party project has its own crypto hardware integrated with the same hook, it will break. Breaking changes (without a backward compatibility mechanism) are only allowed in Mbed OS between major releases (e.g. 5 -> 6).
So I just've completely changed the approach, and simply call psa_crypto_init() in TLSSocketWrapper if MBEDTLS_USE_PSA_CRYPTO. This is what an example program of Mbed TLS does too.
LDong-Arm
force-pushed
the
test_psa_k64f_k66f
branch
from
de2dd02 to
1e247c2
Compare
LDong-Arm
changed the title
When `MBEDTLS_USE_PSA_CRYPTO` is set, Mbed TLS uses the PSA Crypto API where possible. It is necessary to initialize PSA Crypto beforehand.
LDong-Arm
force-pushed
the
test_psa_k64f_k66f
branch
from
1e247c2 to
929956d
Compare
|
CI started |
Jenkins CI Test : ✔️ SUCCESSBuild Number: 2 | 🔒 Jenkins CI Job | 🌐 Logs & ArtifactsCLICK for Detailed Summary
|
mbedmain
added
release-version: 6.13.0
Release-pending
and removed
release-type: patch
Summary of changes
This PR includes two main changes:
Enable PSA tests on Mbed OS PSA targets (K64F and K66F):
When using the
mbed testcommand to build and run tests, some targets have additional configurations/overrides defined intools/test_configs/:target_configs.jsonlists which targets support which configs.config_paths.jsonmaps the name of each config to the JSON file touse.
By default, only
default_test_configurationfromtarget_configs.jsongets used (i.e. automatically picked up by Mbed CLI 1) when building and running tests. Others listed intest_configurationneed to be switched via--test-config <NAME>.Enable Experimental API in the default configurations on K64F and K66F in order to test Mbed OS PSA. Any existing configs are kept, which is why
HeapBlockDeviceAndEthernetAndExperimental.jsonis created for K64F.Fix missing PSA Crypto initialization in
TLSSocketWrapper:With Experimental API/PSA enabled as above,
TLSSocketdoes not work anymore and its testconnectivity/netsocket/tests/TESTS/netsocket/tlsfails. This is because Mbed TLS uses PSA Crypto for cryptographic operations when available, but PSA Crypto needs to be initialized first (and it currently isn't).To fix this, we call
psa_crypto_init()inTLSSocketWrapperwhenMBEDTLS_USE_PSA_CRYPTO.Impact of changes
Migration actions required
Documentation
None
Pull request type
Test results
Manual testing of CMake support (not yet automated by CTest or run in CI):
Build:
Run (K64F with Ethernet):
Reviewers
@ARMmbed/mbed-os-core @Patater @saheerb