Add `full` adapter for tf-psa_crypto_config.py
Add the `full` adapter to enable most of the config feature.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
diff --git a/tf-psa-crypto/scripts/tf_psa_crypto_config.py b/tf-psa-crypto/scripts/tf_psa_crypto_config.py
index 33faeec..b822ac5 100755
--- a/tf-psa-crypto/scripts/tf_psa_crypto_config.py
+++ b/tf-psa-crypto/scripts/tf_psa_crypto_config.py
@@ -25,10 +25,92 @@
'PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE'
])
+PSA_DEPRECATED_FEATURE = frozenset([
+ 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR',
+ 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR'
+])
+
PSA_UNSTABLE_FEATURE = frozenset([
'PSA_WANT_ECC_SECP_K1_224'
])
+# The goal of the full configuration is to have everything that can be tested
+# together. This includes deprecated or insecure options. It excludes:
+# * Options that require additional build dependencies or unusual hardware.
+# * Options that make testing less effective.
+# * Options that are incompatible with other options, or more generally that
+# interact with other parts of the code in such a way that a bulk enabling
+# is not a good way to test them.
+# * Options that remove features.
+EXCLUDE_FROM_FULL = frozenset([
+ #pylint: disable=line-too-long
+ 'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY
+ 'MBEDTLS_AES_USE_HARDWARE_ONLY', # hardware dependency
+ 'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES
+ 'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
+ 'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
+ 'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
+ 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
+ 'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental
+ 'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
+ 'MBEDTLS_HAVE_SSE2', # hardware dependency
+ 'MBEDTLS_MEMORY_BACKTRACE', # depends on MEMORY_BUFFER_ALLOC_C
+ 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C
+ 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum
+ 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
+ 'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
+ 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
+ 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA
+ 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
+ 'MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS', # removes a feature
+ 'MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG', # behavior change + build dependency
+ 'MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER', # interface and behavior change
+ 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
+ 'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources
+ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
+ 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
+ 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT
+ 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT
+ 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # setting *_USE_ARMV8_A_CRYPTO is sufficient
+ 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
+ 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
+ 'MBEDTLS_X509_REMOVE_INFO', # removes a feature
+ *PSA_UNSUPPORTED_FEATURE,
+ *PSA_DEPRECATED_FEATURE,
+ *PSA_UNSTABLE_FEATURE
+])
+
+def is_boolean_setting(name, value):
+ """Is this a boolean setting?
+
+ Mbed TLS boolean settings are enabled if the preprocessor macro is
+ defined, and disabled if the preprocessor macro is not defined. The
+ macro definition line in the configuration file has an empty expansion.
+
+ PSA_WANT_xxx settings are also boolean, but when they are enabled,
+ they expand to a nonzero value. We leave them undefined when they
+ are disabled. (Setting them to 0 currently means to enable them, but
+ this might change to mean disabling them. Currently we just never set
+ them to 0.)
+ """
+ if name.startswith('PSA_WANT_'):
+ return True
+ if not value:
+ return True
+ return False
+
+def include_in_full(name):
+ """Rules for symbols in the "full" configuration."""
+ if name in EXCLUDE_FROM_FULL:
+ return False
+ return True
+
+def full_adapter(name, value, active):
+ """Config adapter for "full"."""
+ if not is_boolean_setting(name, value):
+ return active
+ return include_in_full(name)
+
class TfPSACryptoConfigFile(config_common.ConfigFile):
"""Representation of a TF PSA Crypto configuration file."""
@@ -90,6 +172,13 @@
def custom_parser_options(self):
"""Adds TF PSA Crypto specific options for the parser."""
+ self.add_adapter(
+ 'full', full_adapter,
+ """Uncomment most features.
+ Exclude alternative implementations and platform support options, as well as
+ some options that are awkward to test.
+ """)
+
if __name__ == '__main__':
sys.exit(TfPSACryptoConfigTool().main())