Create encrypted block store infrastructure

Create infrastructure with a partitioned, encrypted RAM block store for
testing, which contains an MbedTLS instance with a minimized config that
enables only HKDF and AES in CBC and ECB modes.

Change-Id: Ie5a1ade885bb564976cf39f6bea4c3ce4aa59904
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
diff --git a/deployments/block-storage/infra/ref-encrypt-ram.cmake b/deployments/block-storage/infra/ref-encrypt-ram.cmake
new file mode 100644
index 0000000..78a13dd
--- /dev/null
+++ b/deployments/block-storage/infra/ref-encrypt-ram.cmake
@@ -0,0 +1,43 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+# Lists components that provide an infrastructure layer for the block-storage
+# service provider that uses a ram-backed block store, partitioned and encrypted
+# by default using the 'ref' configuration. This infrastructure is intended for
+# test purposes.
+#-------------------------------------------------------------------------------
+
+#-------------------------------------------------------------------------------
+# Infrastructure components
+#
+#-------------------------------------------------------------------------------
+add_components(TARGET "block-storage"
+	BASE_DIR ${TS_ROOT}
+	COMPONENTS
+		"components/service/block_storage/block_store/device"
+		"components/service/block_storage/block_store/device/ram"
+		"components/service/block_storage/block_store/partitioned"
+		"components/service/block_storage/block_store/encrypted"
+		"components/service/block_storage/config/ref"
+		"components/service/block_storage/factory/ref_encrypt_ram"
+		"components/service/crypto/backend/mbedcrypto/mbedtls_fake_external_get_random"
+)
+
+#-------------------------------------------------------------------------------
+#  External project source-level dependencies
+#
+#-------------------------------------------------------------------------------
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/blk_encrypt_config.h"
+	CACHE STRING "Configuration file for Mbed TLS")
+set(MBEDTLS_PSA_CRYPTO_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/blk_encrypt_config_psa_aes_cbc_ecb_hkdf.h"
+	CACHE STRING "PSA crypto config file for Mbed TLS")
+include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
+target_link_libraries(block-storage PRIVATE MbedTLS::mbedcrypto)
+
+# Pass the location of the mbedtls config file to C preprocessor.
+target_compile_definitions(block-storage PRIVATE
+		MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"
+		MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${MBEDTLS_PSA_CRYPTO_CONFIG_FILE}"
+)
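Review bot: The header comment says this infrastructure is "intended for test purposes" but not why, while the component list pulls in `mbedtls_fake_external_get_random`, which presumably backs the PSA RNG with a non-random source so every key and IV obtained through it is predictable. I'd state that in the header so the file is not copied into a real deployment, e.g. `# The RNG backend is the fake mbedtls_fake_external_get_random component, so keys and IVs drawn from PSA are NOT random; this infra is for tests only.` The comment above `target_compile_definitions` also says "config file" in the singular although two definitions are passed; `# Pass the locations of the Mbed TLS and PSA crypto config files to the C preprocessor.`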
diff --git a/external/MbedTLS/config/blk_encrypt_config.h b/external/MbedTLS/config/blk_encrypt_config.h
new file mode 100644
index 0000000..a6d4baa
--- /dev/null
+++ b/external/MbedTLS/config/blk_encrypt_config.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef BLK_ENCRYPT_CONFIG_H
+#define BLK_ENCRYPT_CONFIG_H
+
+/* MBEDTLS_PSA_CRYPTO_CONFIG_FILE is defined on CMAKE level for custom algorithms */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+#endif /* BLK_ENCRYPT_CONFIG_H */
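Review bot: `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is defined without a comment noting that it replaces Mbed TLS's own entropy/DRBG with a platform-supplied `mbedtls_psa_external_get_random()`, which in this deployment appears to be the fake component listed in the infra cmake file; a reader of this header alone cannot see that. A one-line comment, `/* RNG comes from mbedtls_psa_external_get_random(); the test infra supplies a fake, non-random implementation */`, would keep the two files in step. The comment on the `MBEDTLS_PSA_CRYPTO_CONFIG` line reads awkwardly; `/* The enabled algorithm set comes from MBEDTLS_PSA_CRYPTO_CONFIG_FILE, passed in from CMake */`.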
diff --git a/external/MbedTLS/config/blk_encrypt_config_psa_aes_cbc_ecb_hkdf.h b/external/MbedTLS/config/blk_encrypt_config_psa_aes_cbc_ecb_hkdf.h
new file mode 100644
index 0000000..07ea5ea
--- /dev/null
+++ b/external/MbedTLS/config/blk_encrypt_config_psa_aes_cbc_ecb_hkdf.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef BLK_ENCRYPT_CONFIG_PSA_AES_CBC_ECB_HKDF
+#define BLK_ENCRYPT_CONFIG_PSA_AES_CBC_ECB_HKDF
+
+/*
+ * This file is a PSA crypto configuration file, provided by
+ * MBEDTLS_PSA_CRYPTO_CONFIG_FILE macro for MbedTLS instead of
+ * the MBEDTLS_CONFIG_FILE macro, which is the normal configuration
+ * file.
+ * This configuration helps decreasing the size of the library by
+ * enabling only the necessary crypto algorithms.
+ */
+
+/* Enable AES with CBC and ECB modes */
+#define PSA_WANT_KEY_TYPE_AES	    1
+#define PSA_WANT_ALG_CBC_NO_PADDING 1
+#define PSA_WANT_ALG_ECB_NO_PADDING 1
+
+/* Enable HKDF key derivation with HMAC-SHA algorithms */
+#define PSA_WANT_KEY_TYPE_DERIVE  1
+#define PSA_WANT_ALG_HKDF	  1
+#define PSA_WANT_ALG_HKDF_EXTRACT 1
+#define PSA_WANT_ALG_HKDF_EXPAND  1
+#define PSA_WANT_ALG_HMAC	  1
+#define PSA_WANT_ALG_SHA_256	  1
+
+#endif /* BLK_ENCRYPT_CONFIG_PSA_AES_CBC_ECB_HKDF */
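Review bot: The comment above the AES block lists the enabled modes but not what consumes them; since ECB on its own exposes equal-plaintext-block patterns, a comment naming which part of the encrypted block store relies on `PSA_WANT_ALG_ECB_NO_PADDING` and which on CBC would let a reviewer confirm ECB is not applied directly to stored data, which I cannot tell from this hunk. The include guard `BLK_ENCRYPT_CONFIG_PSA_AES_CBC_ECB_HKDF` also lacks the `_H` suffix used by `BLK_ENCRYPT_CONFIG_H` in the sibling header, and the value columns mix tabs and spaces (the AES key type, HKDF, HMAC and SHA_256 lines), so a consistent alignment would help. The explanatory comment's "helps decreasing the size" would read better as `This configuration reduces the size of the library by enabling only the necessary crypto algorithms.`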
diff --git a/external/MbedTLS/mbedtls-init-cache.cmake.in b/external/MbedTLS/mbedtls-init-cache.cmake.in
index a633781..8979cc5 100644
--- a/external/MbedTLS/mbedtls-init-cache.cmake.in
+++ b/external/MbedTLS/mbedtls-init-cache.cmake.in
@@ -12,6 +12,12 @@
 set(ENABLE_TESTING Off CACHE BOOL "")
 set(UNSAFE_BUILD On CACHE BOOL "")
 set(EXTERNAL_DEFINITIONS -DMBEDTLS_CONFIG_FILE="@MBEDTLS_CONFIG_FILE@" CACHE STRING "")
+
+# If there is a crypto config file to fine-tune the algorithms enabled in MbedTLS, add it to the definitions
+if(NOT "" STREQUAL "@MBEDTLS_PSA_CRYPTO_CONFIG_FILE@")
+	set(EXTERNAL_DEFINITIONS ${EXTERNAL_DEFINITIONS} -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE="@MBEDTLS_PSA_CRYPTO_CONFIG_FILE@" CACHE STRING "" FORCE)
+endif()
+
 set(EXTERNAL_INCLUDE_PATHS @MBEDTLS_EXTRA_INCLUDES@ CACHE STRING "")
 set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")