Support per-deployment configuration of MbedTLS

Up until now, only libmbedcrypto has been used for builds of the
MbedTLS external component. In preparation for using other libraries
produced by MbedTLS (e.g. libmbedx509), this change moves the build
configuration to be defined by a deployment that depends on MbedTLS
in some way. This allows a deployment-specific configuration to be
applied that affects the complete set of MbedTLS library dependencies.
To allow for reuse of common configurations, a new config directory
has been added under external/MbedTLS to provide a home for reusable
config header files.

Signed-off-by: Julian Hall <julian.hall@arm.com>
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: Icfdeb796d9bda185c30f68e525f7644f1edd4770
diff --git a/components/service/crypto/backend/mbedcrypto/component.cmake b/components/service/crypto/backend/mbedcrypto/component.cmake
index 4b531b7..bd7f4ae 100644
--- a/components/service/crypto/backend/mbedcrypto/component.cmake
+++ b/components/service/crypto/backend/mbedcrypto/component.cmake
@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -12,15 +12,9 @@
 	"${CMAKE_CURRENT_LIST_DIR}/mbedcrypto_backend.c"
 	)
 
-# Force use of the mbed crypto configuration required by the crypto service
-# provider.  This configuration includes enabling the use of the PSA ITS API
-# for persistent key storage which is realised by the its client adapter
-# for the secure storage service.
-set(MBEDTLS_USER_CONFIG_FILE
-	"${CMAKE_CURRENT_LIST_DIR}/config_mbedtls_user.h"
-	CACHE STRING "Configuration file for Mbed TLS" FORCE)
-
+# Use secure storage client to realize PSA ITS C API used by libmbedcrypto for
+# persistent key storage.
 set(MBEDTLS_EXTRA_INCLUDES
 	"${TS_ROOT}/components/service/common/include"
 	"${TS_ROOT}/components/service/secure_storage/include"
-	CACHE STRING "PSA ITS for Mbed TLS" FORCE)
+	CACHE STRING "PSA ITS for MbedTLS" FORCE)
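Review bot: With the forced config removed, nothing in this component still states the configuration it depends on: the ITS client added via MBEDTLS_EXTRA_INCLUDES only backs key persistence if the deployment's config keeps MBEDTLS_PSA_CRYPTO_STORAGE_C enabled and undefines MBEDTLS_PSA_ITS_FILE_C. A deployment that pairs this backend with crypto_posix.h (which undefines MBEDTLS_PSA_CRYPTO_STORAGE_C) would still build, but keys would silently stop persisting. Extend the new comment with `# The deployment's MBEDTLS_USER_CONFIG_FILE must keep MBEDTLS_PSA_CRYPTO_STORAGE_C enabled and undefine MBEDTLS_PSA_ITS_FILE_C so storage goes through the PSA ITS client.` The surviving `set(... CACHE STRING ... FORCE)` also still overwrites any user-provided value for MBEDTLS_EXTRA_INCLUDES; now that the config is owned by the deployment it is worth confirming FORCE is still needed here.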
diff --git a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h b/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
deleted file mode 100644
index b92bded..0000000
--- a/components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CONFIG_MBEDTLS_USER_H
-#define CONFIG_MBEDTLS_USER_H
-
-/**
- * Mbed TLS configuration for building libmbedcrypto to act as a backend
- * for the crypto service provider running in an isolated secure processing
- * environment.  Note that supported crypto operations are configured
- * separately using the PSA crypto build interface (PSA_WANT_xxx). This
- * decouples Mbed TLS specific configuration from the more general crypto
- * capabilities configuration.
- */
-#define MBEDTLS_PSA_CRYPTO_CONFIG
-#define MBEDTLS_NO_UDBL_DIVISION
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_AESCE_C
-#undef MBEDTLS_PADLOCK_C
-
-
-#endif /* CONFIG_MBEDTLS_USER_H */
diff --git a/components/service/crypto/client/cpp/component.cmake b/components/service/crypto/client/cpp/component.cmake
index 9ee1738..25c59a6 100644
--- a/components/service/crypto/client/cpp/component.cmake
+++ b/components/service/crypto/client/cpp/component.cmake
@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -11,11 +11,3 @@
 target_sources(${TGT} PRIVATE
 	"${CMAKE_CURRENT_LIST_DIR}/crypto_client.cpp"
 	)
-
-# The crypto client presents the PSA Crypto API and hence has a dependency on mbedcrypto for functions
-# related to setting key attributes.  A minimal configuration is provided to allow a minimal library
-# to be built.  This configuration may be overridden by other components that have their own
-# dependency on mbedcrypto.
-set(MBEDTLS_USER_CONFIG_FILE
-	"${CMAKE_CURRENT_LIST_DIR}/config_mbedtls_user.h"
-	CACHE STRING "Configuration file for Mbed TLS")
diff --git a/components/service/crypto/client/cpp/config_mbedtls_user.h b/components/service/crypto/client/cpp/config_mbedtls_user.h
deleted file mode 100644
index 7b3134e..0000000
--- a/components/service/crypto/client/cpp/config_mbedtls_user.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CONFIG_MBEDTLS_USER_H
-#define CONFIG_MBEDTLS_USER_H
-
-/* Mbed TLS configuration for using libmbedcrypto in
- * a Posix environment.  Supported crypto operations
- * are configured separately via the PSA crypto build
- * interface (PSA_WANT_xxx).
- */
-#define MBEDTLS_PSA_CRYPTO_CONFIG
-#define MBEDTLS_NO_UDBL_DIVISION
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_PADLOCK_C
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
-
-#endif /* CONFIG_MBEDTLS_USER_H */
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 99ceb78..9852ac2 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -218,9 +218,12 @@
 target_link_libraries(component-test PRIVATE nanopb::protobuf-nanopb-static)
 protobuf_generate_all(TGT "component-test" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
-# Mbed TLS provides libmbedcrypto
+# MbedTLS
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
+	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(component-test PRIVATE MbedTLS::mbedcrypto)
+target_link_libraries(component-test PRIVATE MbedTLS::mbedx509)
 
 # Qcbor
 include(${TS_ROOT}/external/qcbor/qcbor.cmake)
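Review bot: The selected libmbedx509.h defines MBEDTLS_ENTROPY_HARDWARE_ALT and MBEDTLS_NO_PLATFORM_ENTROPY, so libmbedcrypto in component-test (and in deployments/libts/linux-pc, which makes the identical change) stops using the platform entropy source and draws entropy only from whatever mbedtls_hardware_poll the deployment links; the header's own comment describes an isolated secure-processing-environment build, so please confirm this is intended for these Linux builds and that the poll function they supply is a genuine entropy source rather than a test stub. Separately, this file and crypto.cmake use FORCE while platform-inspect, iat-api-test and ts-demo set the same cache variable without it, so whether a stale cached MBEDTLS_USER_CONFIG_FILE wins depends on which deployment is configured; one convention, stated in a comment, would avoid that. The two link lines can also be collapsed to `target_link_libraries(component-test PRIVATE MbedTLS::mbedcrypto MbedTLS::mbedx509)`.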
diff --git a/deployments/crypto/crypto.cmake b/deployments/crypto/crypto.cmake
index ba5db56..f6c75bf 100644
--- a/deployments/crypto/crypto.cmake
+++ b/deployments/crypto/crypto.cmake
@@ -44,6 +44,8 @@
 protobuf_generate_all(TGT "crypto" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
 # Mbed TLS provides libmbedcrypto
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_isolated.h"
+	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(crypto PRIVATE MbedTLS::mbedcrypto)
 
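Review bot: The new MBEDTLS_USER_CONFIG_FILE value points at external/MbedTLS/config/crypto_isolated.h, but this diff only adds crypto_posix.h and libmbedx509.h under that directory, so unless crypto_isolated.h is added elsewhere in the change the crypto deployment will presumably fail when MbedTLS tries to include its user config. If it is meant to carry over the deleted components/service/crypto/backend/mbedcrypto/config_mbedtls_user.h, it should likewise leave MBEDTLS_PSA_CRYPTO_STORAGE_C enabled and undefine MBEDTLS_PSA_ITS_FILE_C so keys keep persisting through the ITS client. The comment above could name that requirement: `# MbedTLS provides libmbedcrypto; crypto_isolated.h keeps PSA key storage routed to the ITS client`.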
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index b457593..32ee621 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -163,9 +163,12 @@
 target_link_libraries(ts PRIVATE nanopb::protobuf-nanopb-static)
 protobuf_generate_all(TGT "ts" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
-# Mbed TLS provides libmbedcrypto
+# MbedTLS
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
+	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(ts PRIVATE MbedTLS::mbedcrypto)
+target_link_libraries(ts PRIVATE MbedTLS::mbedx509)
 
 # Qcbor
 include(${TS_ROOT}/external/qcbor/qcbor.cmake)
diff --git a/deployments/platform-inspect/platform-inspect.cmake b/deployments/platform-inspect/platform-inspect.cmake
index 77d441a..dc65184 100644
--- a/deployments/platform-inspect/platform-inspect.cmake
+++ b/deployments/platform-inspect/platform-inspect.cmake
@@ -43,13 +43,10 @@
 #
 #-------------------------------------------------------------------------------
 
-# Configuration for mbedcrypto
-set(MBEDTLS_USER_CONFIG_FILE
-	"${TS_ROOT}/components/service/crypto/client/cpp/config_mbedtls_user.h"
+# MbedTLS provides libmbedcrypto
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_posix.h"
 	CACHE STRING "Configuration file for mbedcrypto")
-
-# Mbed TLS provides libmbedcrypto
-include(../../../external/MbedTLS/MbedTLS.cmake)
+include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(platform-inspect PRIVATE MbedTLS::mbedcrypto)
 
 # Qcbor
diff --git a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
index fdfcbb5..88b5fb9 100644
--- a/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
+++ b/deployments/psa-api-test/initial_attestation/iat-api-test.cmake
@@ -46,12 +46,9 @@
 #
 #-------------------------------------------------------------------------------
 
-# Configuration for mbedcrypto
-set(MBEDTLS_USER_CONFIG_FILE
-	"${TS_ROOT}/components/service/crypto/client/cpp/config_mbedtls_user.h"
+# MbedTLS used for token verification
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_posix.h"
 	CACHE STRING "Configuration file for mbedcrypto")
-
-# Mbed TLS provides libmbedcrypto
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(${PROJECT_NAME} PRIVATE MbedTLS::mbedcrypto)
 
diff --git a/deployments/ts-demo/ts-demo.cmake b/deployments/ts-demo/ts-demo.cmake
index ce57ca2..0769df9 100644
--- a/deployments/ts-demo/ts-demo.cmake
+++ b/deployments/ts-demo/ts-demo.cmake
@@ -49,7 +49,9 @@
 #
 #-------------------------------------------------------------------------------
 
-# Mbed TLS provides libmbedcrypto
+# MbedTLS provides libmbedcrypto
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_posix.h"
+	CACHE STRING "Configuration file for mbedcrypto")
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(ts-demo PRIVATE MbedTLS::mbedcrypto)
 
diff --git a/deployments/ts-demo/ts-demo.cpp b/deployments/ts-demo/ts-demo.cpp
index d2ee2c0..55948a3 100644
--- a/deployments/ts-demo/ts-demo.cpp
+++ b/deployments/ts-demo/ts-demo.cpp
@@ -1,8 +1,9 @@
 // SPDX-License-Identifier: BSD-2-Clause
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  */
 
+#include <cstdio>
 #include <service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h>
 #include <protocols/rpc/common/packed-c/encoding.h>
 #include <app/ts-demo/ts-demo.h>
diff --git a/external/MbedTLS/config/crypto_posix.h b/external/MbedTLS/config/crypto_posix.h
new file mode 100644
index 0000000..eaec37e
--- /dev/null
+++ b/external/MbedTLS/config/crypto_posix.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CONFIG_CRYPTO_POSIX_H
+#define CONFIG_CRYPTO_POSIX_H
+
+/*
+ * Mbed TLS configuration for using libmbedcrypto in
+ * a Posix environment (normal world demo and test applications).
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_NO_UDBL_DIVISION
+#undef MBEDTLS_HAVE_TIME
+#undef MBEDTLS_HAVE_TIME_DATE
+#undef MBEDTLS_FS_IO
+#undef MBEDTLS_SELF_TEST
+#undef MBEDTLS_AESNI_C
+#undef MBEDTLS_PADLOCK_C
+#undef MBEDTLS_PLATFORM_C
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
+#undef MBEDTLS_PSA_ITS_FILE_C
+#undef MBEDTLS_TIMING_C
+
+#endif /* CONFIG_CRYPTO_POSIX_H */
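Review bot: The header comment should say what this config takes away, since deployments pick it by name: MBEDTLS_PSA_CRYPTO_STORAGE_C and MBEDTLS_PSA_ITS_FILE_C are undefined, so any PSA key created through this library is volatile, and MBEDTLS_FS_IO is off, so no file-based certificate or key loading is available. Suggested line for the comment block: ` * Persistent key storage (MBEDTLS_PSA_CRYPTO_STORAGE_C) and file I/O are disabled; keys are volatile.` Unlike libmbedx509.h this file does not undef MBEDTLS_AESCE_C; if that is deliberate, a one-line comment would stop the next reader "aligning" the two lists.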
diff --git a/external/MbedTLS/config/libmbedx509.h b/external/MbedTLS/config/libmbedx509.h
new file mode 100644
index 0000000..b369d2b
--- /dev/null
+++ b/external/MbedTLS/config/libmbedx509.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CONFIG_LIBMBEDX509_H
+#define CONFIG_LIBMBEDX509_H
+
+/*
+ * MbedTLS configuration for building libmbedcrypto and libx509 to act as a backend
+ * for the crypto service provider running in an isolated secure processing environment.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_NO_UDBL_DIVISION
+#undef MBEDTLS_HAVE_TIME
+#undef MBEDTLS_HAVE_TIME_DATE
+#undef MBEDTLS_FS_IO
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#undef MBEDTLS_SELF_TEST
+#undef MBEDTLS_PLATFORM_C
+#undef MBEDTLS_PSA_ITS_FILE_C
+#undef MBEDTLS_TIMING_C
+#undef MBEDTLS_AESNI_C
+#undef MBEDTLS_AESCE_C
+#undef MBEDTLS_PADLOCK_C
+
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_PKCS7_C
+
+#endif /* CONFIG_LIBMBEDX509_H */
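Review bot: The comment block says "libmbedcrypto and libx509" where the library this file is named after is libmbedx509: ` * MbedTLS configuration for building libmbedcrypto and libmbedx509 to act as a backend`. Because MBEDTLS_PSA_CRYPTO_CONFIG is set, the hash and signature algorithms that certificate and CRL verification rely on are not enabled here but by the deployment's PSA_WANT_xxx settings; the comment should say so, otherwise a deployment that enables the parser without the matching PSA_WANT flags gets an unexplained verification failure. MBEDTLS_PKCS7_C enables an additional parser for untrusted input in every consumer of this config; if only one deployment needs PKCS#7, a narrower config for that deployment would keep the exposure of the others smaller. If the base configuration is the stock mbedtls_config.h, the BIGNUM/X509/PK/OID/ASN1 defines are already on by default and only the PKCS7 line is a real addition, which a short comment could make explicit.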