Update Mbed TLS HW acceleration partner code to new hashing API

[k-stachowiak]

Description

This pull request updates partner code in the Mbed TLS feature regarding the hardware acceleration for hashing on certain target devices.

Status

READY

Migrations

NO

This PR changes the alternative implementations of the following hashes:

• MD5,
• SHA1,
• SHA256,
• SHA512,

for the following targets (families):

• Nuvoton M480,
• Nuvoton NUC427,
• Silicon Labs
• STM32F4,
• STM32F7,
• STM32L4.

No user code needs to be changed as the old API has been maintained (however marked as deprecated) as a thin layer of functions calling the new implementations but ignoring the return codes. It is advisable, but not necessary, to refactor users' code to use the new API.

Related PRs

As of creating this PR the upstream functionality has not yet been merged into Mbed OS, therefore this PR should not be merged until Mbed TLS has been updated.

Todos

• Imort the new version of Mbed TLS to enable the new API

Deploy notes

None

Steps to test or reproduce

None

[0xc0170]

@hanno-arm Can you assign reviewers please?

[hanno-becker]

@0xc0170: I expect @mazimkhan and myself to review it - I can't request the review here, though. Could you please do that?

[0xc0170]

@k-stachowiak Please resolve conflicts

[k-stachowiak]

Conflicts resolved.

[mazimkhan]

Some of MBEDTLS_ERR_<XYZ>_HW_ACCEL_FAILED are not defined. Unless they are generated in some way. Please explain or fix.

[mazimkhan]

A general error MBEDTLS_ERR_MD5_HW_ACCEL_FAILED here hides the timeout error 'HASH_BUSY' that could simply be to indicate that a retry after a delay may succeed. In general we have to preserve status indications from HW that do not mean actual failure. This should be reviewed by original developer to confirm if error code is correct.

[k-stachowiak]

The HW_ACCEK_FAILED codes have been added upstream in Mbed TLS, which have not yet been merged to master in Mbed OS. Neither has the int returning API. This PR must be somehow synchronized with the import of the newest upstream Mbed TLS code.

I agree that the codes should be agreed with the original developer. My intention was to return any reasonable error code from the already available ones while maintaining the information about the errors in the comments as it was provided in the first place.

I think that fine tuning the actual return codes (maybe expanding the error code space for the HW acceleration) may be a task big enough for a separate PR, however I am open to suggestions about changing the return codes in this PR.

[mazimkhan]

MBEDTLS_ERR_MD5_HW_ACCEL_FAILED is used but not defined. Can't see a header file change.

[mazimkhan]

MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED used but not defined.

[mazimkhan]

MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED used but not defined.

[mazimkhan]

@0xc0170 this PR updates interface of the hashing functions by adding return value. This has to be utilised by the HW acceleration code. Is there a plan to notify partners to update their code and utilise new interface?

[ciarmcom]

ARM Internal Ref: IOTSSL-2072

[cmonr]

Making a note here that this PR will need to come in before #6040 (comment) can be continued.

[k-stachowiak]

@0xc0170 It seems that the CIs are green so far. I am not sure how long will the other CI tasks take, so maybe it is a good time to resume the review?

[0xc0170]

/morph build

[mbed-ci]

Build : FAILURE

Build number : 1137
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/5973/

[0xc0170]

@0xc0170 It seems that the CIs are green so far. I am not sure how long will the other CI tasks take, so maybe it is a good time to resume the review?

Please review the build failures

[k-stachowiak]

/morph build

[mbed-ci]

Build : SUCCESS

Build number : 1139
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/5973/

Triggering tests

/morph test
/morph uvisor-test
/morph export-build

[mbed-ci]

Test : SUCCESS

Build number : 945
Test logs :http://mbed-os-logs.s3-website-us-west-1.amazonaws.com/?prefix=logs/5973/945

[mbed-ci]

Exporter Build : SUCCESS

Build number : 814
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/exporter/5973/

[mazimkhan]

@hanno-arm this PR has been merged without our approval. Please continue review and provide comments on dependent PR #6040

[cmonr]

@hanno-arm @mazimkhan My mistake on that. Won't happen again.

[mazimkhan]

@cmonr no worries at all.

[hanno-becker]

As observed by @LiyouZhou, this PR currently breaks the build for two reasons: 1. The new hashing API hasn't yet been merged into Mbed OS. 2. Alternative implementations must implement both the new and the legacy API: The dummy wrappers from sha_xxx.h are also guarded by SHA_XXX_ALT.

[mazimkhan]

@k-stachowiak how did this not caught in the CI and wasn't these wrappers suppose to provide legacy API?

[k-stachowiak]

@mazimkhan I don't know how this PR broke the build. I tested it locally and pushed here for the CI to perform tests. Neither my test nor the CIs have failed. While I agree that the PR should have been reviewed before merging, the automated tests gave misleadingly positive results. I did not expect anything here to break before the introduction of Mbed TLS 2.7.0.

[LiyouZhou]

• run mbed new mbedtls-bug && cd mbedtls-bug
• Put the following code into main.cpp

#include "mbedtls/sha256.h" /* SHA-256 only */

static const char hello_str[] = "Hello, world!";
static const unsigned char *hello_buffer = (const unsigned char *) hello_str;
static const size_t hello_len = sizeof hello_str - 1;

int main(void)
{
    unsigned char output2[32];
    mbedtls_sha256_context ctx2;

    mbedtls_sha256_init(&ctx2);
    mbedtls_sha256_starts(&ctx2, 0); /* SHA-256, not 224 */

    /* Simulating multiple fragments */
    mbedtls_sha256_update(&ctx2, hello_buffer, 1);
    mbedtls_sha256_update(&ctx2, hello_buffer + 1, 1);
    mbedtls_sha256_update(&ctx2, hello_buffer + 2, hello_len - 2);

    mbedtls_sha256_finish(&ctx2, output2);

    /* Or you could re-use the context by doing mbedtls_sha256_starts() again */
    mbedtls_sha256_free(&ctx2);
    return 0;
}

• run mbed compile -m UBLOX_C030_U201 -t GCC_ARM will succeed.
• run cd mbed-os && git checkout master && cd ..
• run mbed compile -m UBLOX_C030_U201 -t GCC_ARM will fail with following msg:

[Error] main.cpp@24,5: 'mbedtls_sha256_starts' was not declared in this scope
[Error] main.cpp@27,5: 'mbedtls_sha256_update' was not declared in this scope
[Error] main.cpp@31,5: 'mbedtls_sha256_finish' was not declared in this scope
[ERROR] ./main.cpp: In function 'int main()':
./main.cpp:24:5: error: 'mbedtls_sha256_starts' was not declared in this scope
     mbedtls_sha256_starts(&ctx2, 0); /* SHA-256, not 224 */
     ^~~~~~~~~~~~~~~~~~~~~
./main.cpp:24:5: note: suggested alternative: 'mbedtls_sha256_starts_ret'
     mbedtls_sha256_starts(&ctx2, 0); /* SHA-256, not 224 */
     ^~~~~~~~~~~~~~~~~~~~~
     mbedtls_sha256_starts_ret
./main.cpp:27:5: error: 'mbedtls_sha256_update' was not declared in this scope
     mbedtls_sha256_update(&ctx2, hello_buffer, 1);
     ^~~~~~~~~~~~~~~~~~~~~
./main.cpp:27:5: note: suggested alternative: 'mbedtls_sha256_update_ret'
     mbedtls_sha256_update(&ctx2, hello_buffer, 1);
     ^~~~~~~~~~~~~~~~~~~~~
     mbedtls_sha256_update_ret
./main.cpp:31:5: error: 'mbedtls_sha256_finish' was not declared in this scope
     mbedtls_sha256_finish(&ctx2, output2);
     ^~~~~~~~~~~~~~~~~~~~~
./main.cpp:31:5: note: suggested alternative: 'mbedtls_sha256_init'
     mbedtls_sha256_finish(&ctx2, output2);
     ^~~~~~~~~~~~~~~~~~~~~
     mbedtls_sha256_init

Testing some how does not catch this.

[0xc0170]

Thanks @LiyouZhou

As observed by @LiyouZhou, this PR currently breaks the build for two reasons: 1. The new hashing API hasn't yet been merged into Mbed OS. 2. Alternative implementations must implement both the new and the legacy API: The dummy wrappers from sha_xxx.h are also guarded by SHA_XXX_ALT.

@k-stachowiak This PR shall be reverted if causing build problems. Can you fix the problem asap?

[mazimkhan]

@mazimkhan I don't know how this PR broke the build. I tested it locally and pushed here for the CI to perform tests. Neither my test nor the CIs have failed. While I agree that the PR should have been reviewed before merging, the automated tests gave misleadingly positive results. I did not expect anything here to break before the introduction of Mbed TLS 2.7.0.

This might explain your error #6176 (comment)