Update mbedtls importer to import mbed-crypto #8723
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| { | ||
| "name": "mbed-crypto", | ||
| "macros": ["MBEDTLS_PSA_HAS_ITS_IO"] | ||
| } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -31,16 +31,35 @@ MBED_TLS_RELEASE ?= mbedtls-2.13.1 | |
|
|
||
| # Translate between mbed TLS namespace and mbed namespace | ||
| TARGET_PREFIX:=../ | ||
| TARGET_PREFIX_CRYPTO:=../mbed-crypto/ | ||
| TARGET_SRC:=$(TARGET_PREFIX)src | ||
| TARGET_INC:=$(TARGET_PREFIX)inc | ||
| TARGET_TESTS:=$(TARGET_PREFIX)TESTS | ||
|
|
||
| # New folder structure is introduced here for targets with Secured-Partition-Environment | ||
| # and Non-Secured-Partition-Environment, below documentation for each folder: | ||
| # COMPONENT_PSA_SRV_IMPL - include secure service business logic implementation | ||
| # code. For example mbedCrytpo or secure time core logic | ||
| TARGET_SRV_IMPL:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL | ||
|
There was a problem hiding this comment. @orenc17 does the build system recognize the |
||
| # COMPONENT_SPE - include code that compiles ONLY to secure image and never | ||
| # compiles to non-secure image | ||
| TARGET_SPE:=$(TARGET_PREFIX_CRYPTO)/platform/TARGET_PSA/COMPONENT_SPE | ||
| # The folder contain specific target implementation using hardware. | ||
| TARGET_PSA_DRIVERS:=$(TARGET_PREFIX_CRYPTO)/targets | ||
| # COMPONENT_NSPE - include code that compiles ONLY to snon-secure image and | ||
| # never compiles to secure image | ||
| TARGET_NSPE:=$(TARGET_SRV_IMPL)/COMPONENT_NSPE | ||
|
|
||
| # mbed TLS source directory - hidden from mbed via TARGET_IGNORE | ||
| MBED_TLS_URL:[email protected]:ARMmbed/mbedtls-restricted.git | ||
| MBED_TLS_DIR:=TARGET_IGNORE/mbedtls | ||
| MBED_TLS_API:=$(MBED_TLS_DIR)/include/mbedtls | ||
| MBED_TLS_GIT_CFG=$(MBED_TLS_DIR)/.git/config | ||
|
|
||
| # Mbed Crypto directory - hidden from mbed via TARGET_IGNORE | ||
| MBED_CRYPTO_DIR:=$(MBED_TLS_DIR)/crypto | ||
| MBED_CRYPTO_API:=$(MBED_CRYPTO_DIR)/include/psa | ||
|
|
||
| .PHONY: all deploy deploy-tests rsync mbedtls clean update | ||
|
|
||
| all: mbedtls | ||
|
|
@@ -62,6 +81,23 @@ rsync: | |
| cp $(MBED_TLS_DIR)/LICENSE $(TARGET_PREFIX) | ||
| cp $(MBED_TLS_DIR)/apache-2.0.txt $(TARGET_PREFIX) | ||
| # | ||
| # Create Mbed Crypto target folder | ||
| mkdir -p $(TARGET_PREFIX_CRYPTO) | ||
| # | ||
| # Copying Mbed Crypto into Mbed OS.. | ||
|
There was a problem hiding this comment. I think what's going on here is a bit opaque to outsiders and other teams. There needs to be explanation here, (or pointers to documentation elsewhere) what these directories are and what they mean. We need to explain what SPE, NSPE are, and what the other directories are and what they mean. And most of all, we need to explain why we have so many directories. It will seem bizarre and unnecessarily complicated to outsiders. There was a problem hiding this comment. Since this directory hierarchy is exist in mbed-os I don't know how adding explanation here will help outsiders. There was a problem hiding this comment. Ok - Mbed TLS is my project that I work on daily, and these directories mean nothing to me. What do they do? What are they for? There's no explanation. I think we need to either:
There was a problem hiding this comment. I added the required documentation in the importer. |
||
| rm -rf $(TARGET_SRV_IMPL) | ||
| rm -rf $(TARGET_SPE) | ||
|
|
||
| mkdir -p $(TARGET_SRV_IMPL) | ||
|
There was a problem hiding this comment. Why are we removing and making these directories? Unlike the other directories being made, won't there be other files in these directories which aren't being imported? There was a problem hiding this comment. I think only |
||
| mkdir -p $(TARGET_SPE) | ||
| mkdir -p $(TARGET_NSPE) | ||
| mkdir -p $(TARGET_PSA_DRIVERS) | ||
|
|
||
| rsync -a --delete --exclude='crypto_struct.h' $(MBED_CRYPTO_API) $(TARGET_INC) | ||
| rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_NSPE) | ||
| rsync -a --delete $(MBED_CRYPTO_API)/crypto_struct.h $(TARGET_SPE)/crypto_struct_spe.h | ||
| rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.c $(TARGET_SRV_IMPL) | ||
|
There was a problem hiding this comment. The header files for these .c files are in the library folder as well, they'll need to be handled as well. They follow a There was a problem hiding this comment. @dgreen-arm changes added. can you please re review. There was a problem hiding this comment. That looks fine. The other change that's needed is adding the following lines to the end of `adjust-config.sh:
There was a problem hiding this comment. When we have ITS storage, we'll have to There was a problem hiding this comment. @dgreen-arm I've updated |
||
| rsync -a --delete $(MBED_CRYPTO_DIR)/library/psa_*.h $(TARGET_SRV_IMPL) | ||
|
|
||
| deploy: rsync | ||
| # | ||
|
|
@@ -92,8 +128,15 @@ update: $(MBED_TLS_GIT_CFG) $(MBED_TLS_HA_GIT_CFG) | |
| # Checking out the required release | ||
| git -C $(MBED_TLS_DIR) checkout $(MBED_TLS_RELEASE) | ||
| # | ||
| # Update and checkout git submodules | ||
| git -C $(MBED_TLS_DIR) submodule update --init --recursive | ||
| # | ||
| # Updating checked out version tag | ||
| echo $(MBED_TLS_RELEASE) > $(TARGET_PREFIX)VERSION.txt | ||
|
There was a problem hiding this comment. Should we also capture the Crypto version? Or is the commit id of the submodule enough? There was a problem hiding this comment. The submodule ties down the Mbed Crypto version, but I think it'd be nice to add to the VERSION.txt file for humans so they don't have to go dig it up themselves. |
||
| # | ||
| # Updating Mbed Crypto checked out version tag | ||
| git -C $(MBED_TLS_DIR) describe --tags --abbrev=12 --dirty --always >> $(TARGET_PREFIX)VERSION.txt | ||
|
|
||
|
|
||
| $(MBED_TLS_GIT_CFG): | ||
| rm -rf $(MBED_TLS_DIR) | ||
|
|
@@ -107,4 +150,5 @@ clean: | |
| rm -rf $(TARGET_SRC) | ||
| rm -rf $(TARGET_INC) | ||
| rm -rf $(MBED_TLS_DIR) | ||
| rm -rf $(TARGET_SRV_IMPL) | ||
| rm -rf $(TARGET_SPE) | ||
|
There was a problem hiding this comment. What about COMPONENT_NSPE or others? Should we remove those as well here? There was a problem hiding this comment.
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -140,3 +140,8 @@ conf unset MBEDTLS_SSL_TRUNCATED_HMAC | |
|
|
||
| conf unset MBEDTLS_PLATFORM_TIME_TYPE_MACRO | ||
|
|
||
| # The following configurations are a needed for Mbed Crypto submodule. | ||
|
There was a problem hiding this comment. Not a blocker - but it should be:
|
||
| # They are related to the persistent key storage feature. | ||
| conf set MBEDTLS_PSA_CRYPTO_STORAGE_C | ||
|
There was a problem hiding this comment. These will be configurations of the crypto Therefore, I suggest putting a comment in to identify these as Crypto configs, as they have no meaning outside the Crypto submodule, and possibly structuring this to make the transition easier later. There was a problem hiding this comment. Added documentation for the configurations |
||
| conf set MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C | ||
| conf unset MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C | ||
|
There was a problem hiding this comment. @itayzafrir I think we need to do this: There was a problem hiding this comment. It looks like the file permissions were changed, I'm not sure that was intended. There was a problem hiding this comment. @dgreen-arm I fixed the file permission. |
||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a blocker - there are a few typos here, and the phrasing can be better. You don't need to say "New folder". In a year's time, the comment will still be there, and it won't be new! Revising the language I'd suggest:
There's also a few typos in the following lines. eg. "includes" not "include"