Merge pull request #10340 from gilles-peskine-arm/config-checks-generator-mbedtls
Introduce generated config checks in mbedtls
diff --git a/framework b/framework
index 820a16c..92f5d45 160000
--- a/framework
+++ b/framework
@@ -1 +1 @@
-Subproject commit 820a16cca705c6842a5a79332c6d40644008c814
+Subproject commit 92f5d45b2293363952bdbe28a7b2fcfe4a0d163a
diff --git a/library/.gitignore b/library/.gitignore
index 9794129..92a33de 100644
--- a/library/.gitignore
+++ b/library/.gitignore
@@ -4,6 +4,9 @@
###START_GENERATED_FILES###
/error.c
+/mbedtls_config_check_before.h
+/mbedtls_config_check_final.h
+/mbedtls_config_check_user.h
/version_features.c
/ssl_debug_helpers_generated.c
###END_GENERATED_FILES###
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 5b8dc80..063703b 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -73,6 +73,27 @@
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt
)
+ execute_process(
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+ --list-for-cmake "${CMAKE_CURRENT_BINARY_DIR}"
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ OUTPUT_VARIABLE
+ MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS)
+
+ add_custom_command(
+ OUTPUT ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+ ${CMAKE_CURRENT_BINARY_DIR}
+ DEPENDS
+ ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+ ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/config_checks_generator.py
+ )
+
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c
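Review bot: The `execute_process` call that fills `MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS` does not check the script's exit status. If `generate_config_checks.py --list-for-cmake` fails at configure time, the variable is left empty or partial, and the problem surfaces, if at all, as an unrelated error from the `add_custom_command(OUTPUT ...)` that follows. Adding `RESULT_VARIABLE config_checks_list_result` and a `message(FATAL_ERROR ...)` guard for a non-zero value would report the real cause. `OUTPUT_STRIP_TRAILING_WHITESPACE` is also worth adding unless the script is known to emit no trailing newline. Any enclosing conditional starts outside the hunk.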
@@ -89,6 +110,7 @@
add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target
DEPENDS
${CMAKE_CURRENT_BINARY_DIR}/error.c
+ ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}
)
add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target
diff --git a/library/Makefile b/library/Makefile
index f872934..21f85b6 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -5,12 +5,24 @@
TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core
TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
+# List the generated files without running a script, so that this
+# works with no tooling dependencies when GEN_FILES is disabled.
GENERATED_FILES := \
+ mbedtls_config_check_before.h \
+ mbedtls_config_check_final.h \
+ mbedtls_config_check_user.h \
error.c \
version_features.c \
- ssl_debug_helpers_generated.c \
+ ssl_debug_helpers_generated.c
+
+# Also list the generated files from crypto that are needed in the build,
+# because we don't have the list in a consumable form.
+GENERATED_FILES += \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
- $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
+ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \
+ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \
+ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \
+ $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h
ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
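Review bot: The three `mbedtls_config_check_*.h` names and the three `tf_psa_crypto_config_check_*.h` names are hard-coded here, while the rules later in this file obtain the same lists from `generate_config_checks.py --list`, and nothing visible ties the two together. If a generator gains or renames a header, the `ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))` test would keep passing against the old list. I would extend the new comment with something like `# Keep in sync with the output of generate_config_checks.py --list (here and in tf-psa-crypto).` so the duplication is deliberate and discoverable. The conditional that opens on the last two lines continues outside the hunk.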
@@ -326,6 +338,24 @@
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
+GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .)
+$(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \
+ $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \
+ ../framework/scripts/mbedtls_framework/config_checks_generator.py
+$(GENERATED_CONFIG_CHECK_FILES):
+ echo " Gen $(GENERATED_CONFIG_CHECK_FILES)"
+ $(PYTHON) ../scripts/generate_config_checks.py
+
+TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \
+ $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \
+ --list $(TF_PSA_CRYPTO_CORE_PATH))
+$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \
+ ../scripts/generate_config_checks.py \
+ ../framework/scripts/mbedtls_framework/config_checks_generator.py
+$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES):
+ echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)"
+ $(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py
+
clean:
ifndef WINDOWS
rm -f *.o *.s libmbed*
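Review bot: The script prerequisites of the two new rules look swapped: `$(GENERATED_CONFIG_CHECK_FILES)` lists `$(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py` but its recipe runs `../scripts/generate_config_checks.py`, and the `TF_PSA_CRYPTO_` rule does the reverse. As written, editing one project's checker list (for example adding a `Removed(...)` entry) would not mark that project's check headers out of date, so a stale header could keep accepting a configuration the new check is meant to reject. Each rule should depend on the script its recipe invokes. Both list variables also use `=` with `$(shell ...)`, which as far as this hunk shows runs Python on every expansion and at parse time whatever the goal; `:=` would run it once, and whether Python-free builds with GEN_FILES disabled are affected depends on code outside the hunk. The `clean` rule at the end continues outside the hunk.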
diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py
new file mode 100755
index 0000000..b0dc26b
--- /dev/null
+++ b/scripts/generate_config_checks.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+"""Generate C preprocessor code to check for bad configurations.
+"""
+
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework.config_checks_generator import * \
+ #pylint: disable=wildcard-import,unused-wildcard-import
+
+MBEDTLS_CHECKS = BranchData(
+ header_directory='library',
+ header_prefix='mbedtls_',
+ project_cpp_prefix='MBEDTLS',
+ checkers=[
+ Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'),
+ Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'),
+ ],
+)
+
+if __name__ == '__main__':
+ main(MBEDTLS_CHECKS)
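Review bot: The wildcard import on the `from mbedtls_framework.config_checks_generator import *` line hides where `BranchData`, `Removed` and `main` come from and needs two pylint suppressions to pass. Only those three names are used in this file, so `from mbedtls_framework.config_checks_generator import BranchData, Removed, main` would say the same thing explicitly. It would also keep a name added to the framework module later from silently entering this namespace. A one-line comment above `checkers=[` stating what the second argument of `Removed` denotes (it looks like the release in which the option was removed) would also help whoever adds the next entry.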
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 4cc5bb4..9a43f3f 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 4cc5bb429554ba14e36163ff3a82bf53766f7e24
+Subproject commit 9a43f3fe868ef6da5a312a3da076b9595e02a75e