Crypto: Upgrade mbedtls to v3.0.0
- Remove deprecated macros and functions
- Enable SHA-224 cryptographic hash algorithm by 'define
MBEDTLS_SHA224_C'
- Enable SHA-384 cryptographic hash algorithm by 'define
MBEDTLS_SHA384_C'
- 'psa_cipher_encrypt' and 'psa_cipher_decrypt' is supported by
mbedtls-3.0.0
- 'psa_mac_compute' and 'psa_mac_verify' is supported by mbedtls-3.0.0
- mbedtls-3.0.0 changes some internal mbedtls apis' name, mcuboot needs
to align.
Change-Id: Ia868c93deceee6c8042607acf35ce2f4c9c15e35
Signed-off-by: Summer Qin <summer.qin@arm.com>
diff --git a/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
new file mode 100644
index 0000000..565a92e
--- /dev/null
+++ b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
@@ -0,0 +1,54 @@
+From e109c8ed57457a2bd62afcf21b5b99dd2a30edea Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Tue, 13 Jul 2021 17:46:47 +0800
+Subject: [PATCH] Disable export MbedTLSTargets
+
+Disable install MbedTLSConfig.cmake, MbedTLSConfigVersion.cmake and
+MbedTLSTargets.cmake. And Disable export MbedTLSTargets since this
+needs to configure some tfm target which for mbedtls to be exported.
+
+Signed-off-by: Summer Qin <summer.qin@arm.com>
+---
+ CMakeLists.txt | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 3eef42ec..5ad56c81 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -307,32 +307,6 @@ if(ENABLE_TESTING)
+ endif()
+ endif()
+
+-configure_package_config_file(
+- "cmake/MbedTLSConfig.cmake.in"
+- "cmake/MbedTLSConfig.cmake"
+- INSTALL_DESTINATION "cmake")
+-
+-write_basic_package_version_file(
+- "cmake/MbedTLSConfigVersion.cmake"
+- COMPATIBILITY SameMajorVersion
+- VERSION 3.0.0)
+-
+-install(
+- FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
+- "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfigVersion.cmake"
+- DESTINATION "cmake")
+-
+-export(
+- EXPORT MbedTLSTargets
+- NAMESPACE MbedTLS::
+- FILE "cmake/MbedTLSTargets.cmake")
+-
+-install(
+- EXPORT MbedTLSTargets
+- NAMESPACE MbedTLS::
+- DESTINATION "cmake"
+- FILE "MbedTLSTargets.cmake")
+-
+ if(CMAKE_VERSION VERSION_GREATER 3.14)
+ # Do not export the package by default
+ cmake_policy(SET CMP0090 NEW)
+--
+2.17.1
+
diff --git a/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch b/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
deleted file mode 100644
index 6e127b9..0000000
--- a/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 374c93c43f8c299adcee91cfbc90a15037317d18 Mon Sep 17 00:00:00 2001
-From: Maulik Patel <Maulik.Patel@arm.com>
-Date: Mon, 15 Mar 2021 14:48:14 +0000
-Subject: [PATCH 3/3] Fix:4162 Return correct error type for invalid key
-
-Return PSA_ERROR_INVALID_HANDLE instead of
-PSA_ERROR_DOES_NOT_EXIST if invalid key is passed for some key
-operations.
-
-Signed-off-by: Maulik Patel <Maulik.Patel@arm.com>
----
- library/psa_crypto_slot_management.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
-index dcbee31aa..b7e3442fb 100644
---- a/library/psa_crypto_slot_management.c
-+++ b/library/psa_crypto_slot_management.c
-@@ -305,13 +305,15 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
-
- status = psa_load_persistent_key_into_slot( *p_slot );
- if( status != PSA_SUCCESS )
-+ {
- psa_wipe_key_slot( *p_slot );
--
-+ if( status == PSA_ERROR_DOES_NOT_EXIST )
-+ status = PSA_ERROR_INVALID_HANDLE;
-+ }
- return( status );
- #else
-- return( PSA_ERROR_DOES_NOT_EXIST );
-+ return( PSA_ERROR_INVALID_HANDLE );
- #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
--
- }
-
- psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot )
-@@ -399,6 +401,9 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
- if( status != PSA_SUCCESS )
- {
- *handle = PSA_KEY_HANDLE_INIT;
-+ if( status == PSA_ERROR_INVALID_HANDLE )
-+ status = PSA_ERROR_DOES_NOT_EXIST;
-+
- return( status );
- }
-
-@@ -423,8 +428,12 @@ psa_status_t psa_close_key( psa_key_handle_t handle )
-
- status = psa_get_and_lock_key_slot_in_memory( handle, &slot );
- if( status != PSA_SUCCESS )
-- return( status );
-+ {
-+ if( status == PSA_ERROR_DOES_NOT_EXIST )
-+ status = PSA_ERROR_INVALID_HANDLE;
-
-+ return( status );
-+ }
- if( slot->lock_count <= 1 )
- return( psa_wipe_key_slot( slot ) );
- else
---
-2.25.1
-
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
index 60c42c2..b96670d 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
@@ -1784,6 +1784,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1798,6 +1814,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
index b9738e6..d4e1875 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
index c1663d0..dd2d390 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+//#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index bbdc060..5b2feaf 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+//#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/psa_arch_tests/0001-Align-SPE-libraries-name-with-TF-M.patch b/lib/ext/psa_arch_tests/0001-Align-SPE-libraries-name-with-TF-M.patch
deleted file mode 100644
index 53880cf..0000000
--- a/lib/ext/psa_arch_tests/0001-Align-SPE-libraries-name-with-TF-M.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a74762e09a3f0407b10d1494f2b55b034fce70bb Mon Sep 17 00:00:00 2001
-From: Shawn Shan <Shawn.Shan@arm.com>
-Date: Wed, 10 Mar 2021 17:00:30 +0800
-Subject: [PATCH] Align SPE libraries name with TF-M
-
-Change-Id: I3d0030cea15ce5d3e283d766a50d0d43b83eab7b
-Signed-off-by: Shawn Shan <Shawn.Shan@arm.com>
----
- api-tests/CMakeLists.txt | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/api-tests/CMakeLists.txt b/api-tests/CMakeLists.txt
-index c243ebd..e63a7c3 100644
---- a/api-tests/CMakeLists.txt
-+++ b/api-tests/CMakeLists.txt
-@@ -177,9 +177,9 @@ endif()
- set(PSA_TARGET_PAL_NSPE_LIB pal_nspe)
- set(PSA_TARGET_VAL_NSPE_LIB val_nspe)
- set(PSA_TARGET_TEST_COMBINE_LIB test_combine)
--set(PSA_TARGET_DRIVER_PARTITION_LIB driver_partition)
--set(PSA_TARGET_CLIENT_PARTITION_LIB client_partition)
--set(PSA_TARGET_SERVER_PARTITION_LIB server_partition)
-+set(PSA_TARGET_DRIVER_PARTITION_LIB tfm_psa_rot_partition_driver_partition)
-+set(PSA_TARGET_CLIENT_PARTITION_LIB tfm_app_rot_partition_client_partition)
-+set(PSA_TARGET_SERVER_PARTITION_LIB tfm_app_rot_partition_server_partition)
- if(${SUITE} STREQUAL "IPC")
- set(PSA_SUITE_DIR ${PSA_ROOT_DIR}/ff/${SUITE_LOWER})
- set(PSA_SUITE_OUT_DIR ${CMAKE_CURRENT_BINARY_DIR}/ff/${SUITE_LOWER})
---
-2.17.1
-
diff --git a/lib/ext/psa_arch_tests/0001-Fix-wrong-expected-return-value-in-test-46-and-47.patch b/lib/ext/psa_arch_tests/0001-Fix-wrong-expected-return-value-in-test-46-and-47.patch
new file mode 100644
index 0000000..0c3703a
--- /dev/null
+++ b/lib/ext/psa_arch_tests/0001-Fix-wrong-expected-return-value-in-test-46-and-47.patch
@@ -0,0 +1,61 @@
+From 4950186e4da5c8547478cd634c35d69ada6d8037 Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Fri, 9 Jul 2021 17:35:22 +0800
+Subject: [PATCH 1/3] Fix wrong expected return value in test 46 and 47
+
+Update the expected return value in test 46 and 47
+according to the PSA Crypto spec 1.0.
+
+Signed-off-by: Summer Qin <summer.qin@arm.com>
+---
+ api-tests/dev_apis/crypto/test_c046/test_data.h | 4 ++--
+ api-tests/dev_apis/crypto/test_c047/test_data.h | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/api-tests/dev_apis/crypto/test_c046/test_data.h b/api-tests/dev_apis/crypto/test_c046/test_data.h
+index bfe6553..39b2597 100644
+--- a/api-tests/dev_apis/crypto/test_c046/test_data.h
++++ b/api-tests/dev_apis/crypto/test_c046/test_data.h
+@@ -54,7 +54,7 @@ static const test_data check1[] = {
+ 0x9d, 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68,
+ 0x4b, 0x22}, 64, 28,
+ PSA_KEY_USAGE_SIGN_HASH, PSA_ALG_CMAC,
+- PSA_ERROR_NOT_SUPPORTED
++ PSA_ERROR_INVALID_ARGUMENT
+ },
+
+ {"Test psa_mac_compute - Invalid usage\n", PSA_KEY_TYPE_HMAC,
+@@ -65,7 +65,7 @@ static const test_data check1[] = {
+ 0x9d, 0xf3, 0x3f, 0x47, 0xb4, 0xb1, 0x16, 0x99, 0x12, 0xba, 0x4f, 0x53, 0x68,
+ 0x4b, 0x22}, 64, 28,
+ PSA_KEY_USAGE_EXPORT, PSA_ALG_HMAC(PSA_ALG_SHA_224),
+- PSA_ERROR_NOT_SUPPORTED
++ PSA_ERROR_NOT_PERMITTED
+ },
+
+ {"Test psa_mac_compute - truncated MAC too small\n", PSA_KEY_TYPE_HMAC,
+diff --git a/api-tests/dev_apis/crypto/test_c047/test_data.h b/api-tests/dev_apis/crypto/test_c047/test_data.h
+index 3c250dc..54f6a28 100644
+--- a/api-tests/dev_apis/crypto/test_c047/test_data.h
++++ b/api-tests/dev_apis/crypto/test_c047/test_data.h
+@@ -66,7 +66,7 @@ static const test_data check1[] = {
+ 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9,
+ 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 32,
+ PSA_KEY_USAGE_VERIFY_HASH, PSA_ALG_CMAC,
+- PSA_ERROR_NOT_SUPPORTED
++ PSA_ERROR_INVALID_ARGUMENT
+ },
+
+ {"Test psa_mac_verify - Invalid usage\n", PSA_KEY_TYPE_HMAC,
+@@ -77,7 +77,7 @@ static const test_data check1[] = {
+ 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9,
+ 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7}, 32,
+ PSA_KEY_USAGE_EXPORT, PSA_ALG_HMAC(PSA_ALG_SHA_256),
+- PSA_ERROR_NOT_SUPPORTED
++ PSA_ERROR_NOT_PERMITTED
+ },
+
+ {"Test psa_mac_verify - Truncated MAC too large\n", PSA_KEY_TYPE_HMAC,
+--
+2.17.1
+
diff --git a/lib/ext/psa_arch_tests/0002-Enable-Crypto-1.0-test-cases.patch b/lib/ext/psa_arch_tests/0002-Enable-Crypto-1.0-test-cases.patch
new file mode 100644
index 0000000..6d51e16
--- /dev/null
+++ b/lib/ext/psa_arch_tests/0002-Enable-Crypto-1.0-test-cases.patch
@@ -0,0 +1,67 @@
+From 78094cc82bc595d5c4ca2ffe7fcfc17533d35300 Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Fri, 9 Jul 2021 17:40:28 +0800
+Subject: [PATCH 2/3] Enable Crypto 1.0 test cases
+
+psa_cipher_encrypt(), psa_cipher_decrypt(), psa_sign_message() and
+psa_verify_message() are supported now in tfm and mbedtls 3.0.
+Enable the test case for them.
+
+Signed-off-by: Summer Qin <summer.qin@arm.com>
+---
+ api-tests/dev_apis/crypto/common/test_crypto_common.h | 2 ++
+ .../platform/targets/common/nspe/crypto/pal_crypto_intf.c | 4 ----
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/api-tests/dev_apis/crypto/common/test_crypto_common.h b/api-tests/dev_apis/crypto/common/test_crypto_common.h
+index c213b7d..b1c6e65 100644
+--- a/api-tests/dev_apis/crypto/common/test_crypto_common.h
++++ b/api-tests/dev_apis/crypto/common/test_crypto_common.h
+@@ -38,6 +38,8 @@
+ #define INPUT_SEED_LEN 4
+ #define INPUT_LABEL_LEN 5
+
++#define CRYPTO_1_0
++
+ extern const uint8_t key_data[];
+
+ extern const uint8_t rsa_128_key_pair[];
+diff --git a/api-tests/platform/targets/common/nspe/crypto/pal_crypto_intf.c b/api-tests/platform/targets/common/nspe/crypto/pal_crypto_intf.c
+index 7d8e633..dc2a292 100644
+--- a/api-tests/platform/targets/common/nspe/crypto/pal_crypto_intf.c
++++ b/api-tests/platform/targets/common/nspe/crypto/pal_crypto_intf.c
+@@ -648,7 +648,6 @@ int32_t pal_crypto_function(int type, va_list valist)
+ mac_operation = va_arg(valist, psa_mac_operation_t *);
+ return psa_mac_abort(mac_operation);
+ break;
+-#ifdef CRYPTO_1_0
+ case PAL_CRYPTO_MAC_COMPUTE:
+ key = va_arg(valist, psa_key_id_t);
+ alg = va_arg(valist, psa_algorithm_t);
+@@ -665,7 +664,6 @@ int32_t pal_crypto_function(int type, va_list valist)
+ output_size,
+ p_output_length);
+ break;
+-#endif
+ case PAL_CRYPTO_MAC_OPERATION_INIT:
+ mac_operation = va_arg(valist, psa_mac_operation_t *);
+ mac_operation_temp = psa_mac_operation_init();
+@@ -814,7 +812,6 @@ int32_t pal_crypto_function(int type, va_list valist)
+ output_size,
+ p_output_length);
+ break;
+-#ifdef CRYPTO_1_0
+ case PAL_CRYPTO_SIGN_MESSAGE:
+ key = va_arg(valist, psa_key_id_t);
+ alg = va_arg(valist, psa_algorithm_t);
+@@ -845,7 +842,6 @@ int32_t pal_crypto_function(int type, va_list valist)
+ input1,
+ input_length1);
+ break;
+-#endif
+ case PAL_CRYPTO_VERIFY_HASH:
+ key = va_arg(valist, psa_key_id_t);
+ alg = va_arg(valist, psa_algorithm_t);
+--
+2.17.1
+
diff --git a/lib/ext/psa_arch_tests/0002-Fix-psa-arch-test-failures.patch b/lib/ext/psa_arch_tests/0002-Fix-psa-arch-test-failures.patch
deleted file mode 100644
index a7626cb..0000000
--- a/lib/ext/psa_arch_tests/0002-Fix-psa-arch-test-failures.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 9e3049ccfda24cadd29f67a09c42f6caccd45be2 Mon Sep 17 00:00:00 2001
-From: Maulik Patel <Maulik.Patel@arm.com>
-Date: Wed, 24 Mar 2021 11:01:49 +0000
-Subject: [PATCH] Fix psa arch test failures.
-
-Update expected return value of psa_cipher_finish Decrypt test
-with short input to PSA_ERROR_INVALID_ARGUMENT as per PSA Crypto 1.0.0
-Also update the invalid hash algorithm mask as per Mbedtls 2.25.0.
-
-Signed-off-by: Maulik Patel <maulik.patel@arm.com>
----
- api-tests/dev_apis/crypto/test_c037/test_data.h | 4 ++--
- api-tests/val/nspe/val_crypto.h | 4 ++--
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/api-tests/dev_apis/crypto/test_c037/test_data.h b/api-tests/dev_apis/crypto/test_c037/test_data.h
-index 36e05f0..317ed75 100644
---- a/api-tests/dev_apis/crypto/test_c037/test_data.h
-+++ b/api-tests/dev_apis/crypto/test_c037/test_data.h
-@@ -1,5 +1,5 @@
- /** @file
-- * Copyright (c) 2019-2020, Arm Limited or its affiliates. All rights reserved.
-+ * Copyright (c) 2019-2021, Arm Limited or its affiliates. All rights reserved.
- * SPDX-License-Identifier : Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
-@@ -269,7 +269,7 @@ static const test_data check1[] = {
- .output_size = 0,
- .expected_output = NULL,
- .expected_output_length = 0,
-- .expected_status = PSA_ERROR_BAD_STATE
-+ .expected_status = PSA_ERROR_INVALID_ARGUMENT
- },
-
- #endif
-diff --git a/api-tests/val/nspe/val_crypto.h b/api-tests/val/nspe/val_crypto.h
-index 7270a40..5045a3f 100644
---- a/api-tests/val/nspe/val_crypto.h
-+++ b/api-tests/val/nspe/val_crypto.h
-@@ -1,5 +1,5 @@
- /** @file
-- * Copyright (c) 2018-2020, Arm Limited or its affiliates. All rights reserved.
-+ * Copyright (c) 2018-2021, Arm Limited or its affiliates. All rights reserved.
- * SPDX-License-Identifier : Apache-2.0
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
-@@ -48,7 +48,7 @@
-
- #define PSA_KEY_LIFETIME_INVALID 0xFFFFFFFF
- #define PSA_KEY_USAGE_INVALID 0xFFFFFFFF
--#define PSA_HASH_ALG_INVALID 0x01FFFFFF
-+#define PSA_HASH_ALG_INVALID 0x02FFFFFF
- #define PSA_ALG_INVALID 0xFFFFFFFF
- #define PSA_KEY_DERIVATION_STEP_INVALID 0x0000FFFF
-
---
-2.17.1
-
diff --git a/lib/ext/psa_arch_tests/0003-Update-test-cases-for-psa-mac-sign-and-verify.patch b/lib/ext/psa_arch_tests/0003-Update-test-cases-for-psa-mac-sign-and-verify.patch
deleted file mode 100644
index 9f1be4c..0000000
--- a/lib/ext/psa_arch_tests/0003-Update-test-cases-for-psa-mac-sign-and-verify.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 9c4d00b01062dbb2e0f124027e19562b3c2a3538 Mon Sep 17 00:00:00 2001
-From: Maulik Patel <Maulik.Patel@arm.com>
-Date: Fri, 7 May 2021 13:42:20 +0100
-Subject: [PATCH] Update test cases for psa mac sign and verify.
-
-Update test cases for psa_mac_sign_setup (226) and
-psa_mac_verify_setup (229) against unknown MAC algorithm such that
-key passed is valid but the algorithm is unknown.
-Also, as per PSA Crypto Spec 1.0.0, fix the expected return value to PSA_ERROR_INVALID_ARGUMENT for incompatible key to MAC algorithm.
-
-Change-Id: I8f42736a9e5bd7fbf604146b43ef28180e741fc3
-Signed-off-by: Maulik Patel <maulik.patel@arm.com>
----
- api-tests/dev_apis/crypto/test_c026/test_data.h | 15 +++++++++------
- api-tests/dev_apis/crypto/test_c029/test_data.h | 15 +++++++++------
- 2 files changed, 18 insertions(+), 12 deletions(-)
-
-diff --git a/api-tests/dev_apis/crypto/test_c026/test_data.h b/api-tests/dev_apis/crypto/test_c026/test_data.h
-index 306522a..39619f0 100644
---- a/api-tests/dev_apis/crypto/test_c026/test_data.h
-+++ b/api-tests/dev_apis/crypto/test_c026/test_data.h
-@@ -67,7 +67,7 @@ static const test_data check1[] = {
- {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
- 0x0D, 0x0E, 0x0F},
- AES_16B_KEY_SIZE, PSA_KEY_USAGE_SIGN, PSA_ALG_CMAC,
-- PSA_ERROR_NOT_SUPPORTED
-+ PSA_ERROR_INVALID_ARGUMENT
- },
- #endif
-
-@@ -116,11 +116,14 @@ static const test_data check1[] = {
- #endif
- #endif
-
--#ifdef ARCH_TEST_AES_128
--{"Test psa_mac_sign_setup bad algorithm (unknown MAC algorithm)\n", PSA_KEY_TYPE_AES,
--{0x49, 0x8E, 0xC7, 0x7D, 0x01, 0x95, 0x0D, 0x94, 0x2C, 0x16, 0xA5, 0x3E, 0x99,
-- 0x5F, 0xC9, 0x00},
-- AES_16B_KEY_SIZE, PSA_KEY_USAGE_SIGN, PSA_ALG_HMAC(0),
-+#ifdef ARCH_TEST_HMAC
-+{"Test psa_mac_sign_setup bad algorithm (unknown MAC algorithm)\n", PSA_KEY_TYPE_HMAC,
-+{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
-+ 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
-+ 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
-+ 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
-+ 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f},
-+ 64, PSA_KEY_USAGE_SIGN, PSA_ALG_HMAC(0),
- PSA_ERROR_NOT_SUPPORTED
- },
- #endif
-diff --git a/api-tests/dev_apis/crypto/test_c029/test_data.h b/api-tests/dev_apis/crypto/test_c029/test_data.h
-index 3b4b121..1b85212 100644
---- a/api-tests/dev_apis/crypto/test_c029/test_data.h
-+++ b/api-tests/dev_apis/crypto/test_c029/test_data.h
-@@ -68,7 +68,7 @@ static const test_data check1[] = {
- {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C,
- 0x0D, 0x0E, 0x0F},
- AES_16B_KEY_SIZE, PSA_KEY_USAGE_VERIFY, PSA_ALG_CMAC,
-- PSA_ERROR_NOT_SUPPORTED
-+ PSA_ERROR_INVALID_ARGUMENT
- },
- #endif
-
-@@ -116,11 +116,14 @@ static const test_data check1[] = {
- },
- #endif
-
--#ifdef ARCH_TEST_AES_128
--{"Test psa_mac_verify_setup bad algorithm (unknown MAC algorithm)\n", PSA_KEY_TYPE_AES,
--{0x49, 0x8E, 0xC7, 0x7D, 0x01, 0x95, 0x0D, 0x94, 0x2C, 0x16, 0xA5, 0x3E, 0x99,
-- 0x5F, 0xC9, 0x00},
-- AES_16B_KEY_SIZE, PSA_KEY_USAGE_VERIFY, PSA_ALG_HMAC(0),
-+#ifdef ARCH_TEST_HMAC
-+{"Test psa_mac_verify_setup bad algorithm (unknown MAC algorithm)\n", PSA_KEY_TYPE_HMAC,
-+{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
-+ 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
-+ 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26,
-+ 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33,
-+ 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f},
-+ 64, PSA_KEY_USAGE_VERIFY, PSA_ALG_HMAC(0),
- PSA_ERROR_NOT_SUPPORTED
- },
- #endif
---
-2.17.1
-
diff --git a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch b/lib/ext/psa_arch_tests/0003-Workaround-for-removal-of-initial-attest-get-public-.patch
similarity index 78%
rename from lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch
rename to lib/ext/psa_arch_tests/0003-Workaround-for-removal-of-initial-attest-get-public-.patch
index 75ee6af..00ce2f9 100644
--- a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch
+++ b/lib/ext/psa_arch_tests/0003-Workaround-for-removal-of-initial-attest-get-public-.patch
@@ -1,7 +1,8 @@
-From d2a1b0816667392b771193abfa532deb24699204 Mon Sep 17 00:00:00 2001
-From: David Hu <david.hu@arm.com>
-Date: Thu, 3 Jun 2021 15:03:33 +0800
-Subject: [PATCH] Workaround for removal of initial attest get public key API
+From 4be33133eb9ae94e7a71c1385a771484322347d6 Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Fri, 9 Jul 2021 17:52:02 +0800
+Subject: [PATCH 3/3] Workaround for removal of initial attest get public key
+ API
TF-M self-defined API of getting initial attestation public key has been
removed to optimize initial attestation interface and implementation.
@@ -10,28 +11,29 @@
enable attestation test suite to fetch Initial Attestation public key.
Signed-off-by: David Hu <david.hu@arm.com>
+Signed-off-by: Summer Qin <summer.qin@arm.com>
---
api-tests/CMakeLists.txt | 4 ++++
.../pal_attestation_crypto.c | 23 +++++++++++++++----
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/api-tests/CMakeLists.txt b/api-tests/CMakeLists.txt
-index 07f78fe..06d9207 100644
+index e0f1dbe..0ebf78a 100644
--- a/api-tests/CMakeLists.txt
+++ b/api-tests/CMakeLists.txt
-@@ -472,6 +472,10 @@ endif()
+@@ -610,6 +610,10 @@ endif()
# Build PAL NSPE LIB
include(${PSA_ROOT_DIR}/platform/targets/${TARGET}/target.cmake)
+# Import dummy Initial Attestation public key from TF-M for test
+if (${SUITE} STREQUAL "INITIAL_ATTESTATION")
-+ target_sources(${PSA_TARGET_PAL_NSPE_LIB} PRIVATE ${CMAKE_SOURCE_DIR}/platform/ext/common/template/tfm_initial_attest_pub_key.c)
++ target_sources(${PSA_TARGET_PAL_NSPE_LIB} PRIVATE ${CMAKE_SOURCE_DIR}/platform/ext/common/template/tfm_initial_attest_pub_key.c)
+endif()
# Build VAL NSPE LIB
#add_definitions(-DVAL_NSPE_BUILD)
include(${PSA_ROOT_DIR}/val/val_nspe.cmake)
diff --git a/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c b/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
-index 7f748c2..a45355e 100644
+index 7b233a2..004c25b 100644
--- a/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
+++ b/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
@@ -17,9 +17,14 @@
@@ -50,14 +52,14 @@
static inline struct q_useful_buf_c useful_buf_head(struct q_useful_buf_c buf,
size_t amount)
{
-@@ -201,10 +206,18 @@ static int32_t pal_attest_get_public_key(uint8_t *public_key_buff, size_t public
+@@ -203,10 +208,18 @@ static int32_t pal_attest_get_public_key(uint8_t *public_key_buff,
memcpy(public_key_buff, (void *)&attest_public_key, *public_key_len);
status = PSA_SUCCESS;
#else
- status = tfm_initial_attest_get_public_key(public_key_buff,
- public_key_buf_size,
- public_key_len,
-- elliptic_curve_type);
+- elliptic_family_type);
+ if (initial_attest_curve_type != PSA_ECC_FAMILY_SECP_R1)
+ return PAL_ATTEST_ERR_KEY_FAIL;
+
@@ -67,12 +69,12 @@
+ memcpy(public_key_buff, initial_attest_pub_key,
+ initial_attest_pub_key_size);
+ *public_key_len = initial_attest_pub_key_size;
-+ *elliptic_curve_type = initial_attest_curve_type;
++ *elliptic_family_type = initial_attest_curve_type;
+
+ status = PSA_SUCCESS;
#endif
return status;
--
-2.25.1
+2.17.1
diff --git a/lib/ext/psa_arch_tests/0004-Align-with-mbedtls-3.0.0.patch b/lib/ext/psa_arch_tests/0004-Align-with-mbedtls-3.0.0.patch
new file mode 100644
index 0000000..900d9cb
--- /dev/null
+++ b/lib/ext/psa_arch_tests/0004-Align-with-mbedtls-3.0.0.patch
@@ -0,0 +1,38 @@
+From b553a6f375fb2f55d776cca4663f8cd491e7445e Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Tue, 20 Jul 2021 11:48:40 +0800
+Subject: [PATCH] Align with mbedtls 3.0.0
+
+PSA_ALG_MD4 is removed from mbedtls 3.0.0. Use PSA_ALG_MD5 instead.
+PSA_KEY_USAGE_VERIFY is replaced by PSA_KEY_USAGE_VERIFY_HASH.
+
+Signed-off-by: Summer Qin <summer.qin@arm.com>
+---
+ .../common/nspe/initial_attestation/pal_attestation_crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c b/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
+index 7b233a2..33e77fc 100644
+--- a/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
++++ b/api-tests/platform/targets/common/nspe/initial_attestation/pal_attestation_crypto.c
+@@ -36,7 +36,7 @@ static psa_algorithm_t cose_hash_alg_id_to_psa(int32_t cose_hash_alg_id)
+ status = PSA_ALG_SHA_256;
+ break;
+ default:
+- status = PSA_ALG_MD4;
++ status = PSA_ALG_MD5;
+ break;
+ }
+
+@@ -215,7 +215,7 @@ static int32_t pal_attest_get_public_key(uint8_t *public_key_buff,
+ static uint32_t pal_import_attest_key(psa_algorithm_t key_alg)
+ {
+ psa_status_t status = PAL_ATTEST_ERROR;
+- psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY;
++ psa_key_usage_t usage = PSA_KEY_USAGE_VERIFY_HASH;
+ psa_ecc_family_t ecc_family;
+ psa_key_type_t attest_key_type;
+ size_t public_key_size;
+--
+2.17.1
+