From 91999fbb1f731cbbd84e9bfa8fb99cc9f8fcb2de Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 11 Dec 2024 15:33:06 +0100
Subject: [PATCH 1/3] mbedtls: auto-enable PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC

PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_BASIC build symbols are automatically enabled in Mbed TLS header files whenever any key pair feature between IMPORT,EXPORT, GENERATE,DERIVE is set. So we mimic the same behavior with Kconfig symbols:
- do not add BASIC to the automatic generated Kconfig file;
- let BASIC be auto-enabled as soon as any other feature (IMPORT,EXPORT, GENERATE,DERIVE) is enabled for the same key type.

The 2nd point is achieved by adding a new Kconfig file which is meant to hold the logic between PSA_WANT symbols. This is necessary because Kconfig.psa is automatically generated.

Signed-off-by: Valerio Setti
---
 modules/mbedtls/Kconfig | 1 +
 modules/mbedtls/Kconfig.psa | 12 ------------
 modules/mbedtls/Kconfig.psa.logic | 27 +++++++++++++++++++++++++++
 modules/mbedtls/create_psa_files.py | 16 ++++++++++++++++
 4 files changed, 44 insertions(+), 12 deletions(-)
 create mode 100644 modules/mbedtls/Kconfig.psa.logic

diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
index d15c420f5075cf..a0d27069238165 100644
--- a/modules/mbedtls/Kconfig
+++ b/modules/mbedtls/Kconfig
@@ -14,6 +14,7 @@ config MBEDTLS_PROMPTLESS
 	dependent sub-configurations and thus prevent stuck symbol behavior.
 
 rsource "Kconfig.psa"
+rsource "Kconfig.psa.logic"
 
 menuconfig MBEDTLS
 	bool "mbed TLS Support" if !MBEDTLS_PROMPTLESS
diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa
index 7562032bf3d4ed..08b1bbc024107b 100644
--- a/modules/mbedtls/Kconfig.psa
+++ b/modules/mbedtls/Kconfig.psa
@@ -300,10 +300,6 @@ config PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
 	bool "PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -320,10 +316,6 @@ config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
 	bool "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
@@ -336,10 +328,6 @@ config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
 	bool "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
 
-config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
-	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC" if !MBEDTLS_PROMPTLESS
-	default y if PSA_CRYPTO_ENABLE_ALL
-
 config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
 	bool "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT" if !MBEDTLS_PROMPTLESS
 	default y if PSA_CRYPTO_ENABLE_ALL
diff --git a/modules/mbedtls/Kconfig.psa.logic b/modules/mbedtls/Kconfig.psa.logic
new file mode 100644
index 00000000000000..dcea9e3540527c
--- /dev/null
+++ b/modules/mbedtls/Kconfig.psa.logic
@@ -0,0 +1,27 @@
+# Copyright (c) 2024 BayLibre SAS
+# SPDX-License-Identifier: Apache-2.0
+
+# This file extends Kconfig.psa (which is automatically generated) by adding
+# some logic between PSA_WANT symbols.
+
+config PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE || \
+		   PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
+
+config PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
+
+config PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
+	bool
+	default y
+	depends on PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT || \
+		   PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
diff --git a/modules/mbedtls/create_psa_files.py b/modules/mbedtls/create_psa_files.py
index fe6d0b79b46555..5698c96490126b 100755
--- a/modules/mbedtls/create_psa_files.py
+++ b/modules/mbedtls/create_psa_files.py
@@ -57,6 +57,20 @@
 H_FOOTER="\n#endif /* CONFIG_PSA_H */\n"
 
+# In Mbed TLS the PSA_WANT_KEY_TYPE_[ECC|RSA|DH]_KEY_PAIR_BASIC build symbols
+# are automatically enabled whenever any other _IMPORT, _EXPORT, _GENERATE or
+# _DERIVE feature is set for the same key type
+# (see "modules/crypto/mbedtls/include/psa/crypto_adjust_config_key_pair_types.h").
+# Therefore we mimic the same pattern with Kconfigs as follows:
+# - do not add _BASIC Kconfigs to the automatic generated file (KCONFIG_PATH);
+# - add _BASIC Kconfigs to Kconfig.psa.logic and let them "default y" as soon as
+# any other _IMPORT, _EXPORT, _GENERATE or _DERIVE Kconfigs are enabled.
+SKIP_SYMBOLS = [
+    "PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC",
+    "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC"
+]
+
 
 def parse_psa_symbols(input_file: str):
     symbols = []
     with open(input_file) as file:
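Review bot: Each `_BASIC` symbol is now promptless with its `default y` gated by `depends on`, so a `.conf` line such as `CONFIG_PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC=y` written without a sibling IMPORT/EXPORT/GENERATE symbol is no longer honoured (Zephyr's Kconfig front end reports it as an assignment that did not take effect), and the feature quietly vanishes from the generated config-psa.h; patch 3 fixes one in-tree overlay, but this file's header comment should warn out-of-tree users, e.g. `# _BASIC symbols are promptless: enable the matching _IMPORT/_EXPORT/_GENERATE/_DERIVE symbol instead of setting them directly.` The RSA and DH entries omit `_DERIVE` while the ECC entry includes it; if that is because the generator emits no `_DERIVE` symbol for those key types, a one-line comment saying so would spare the next reader a trip to the Mbed TLS headers. It would also help to name the upstream source of truth here (crypto_adjust_config_key_pair_types.h, as the Python comment in this series does) so the two lists can be kept in sync.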
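Review bot: `SKIP_SYMBOLS` is a module-level constant used only for membership tests, so it should be an immutable `frozenset` rather than a mutable list: `SKIP_SYMBOLS = frozenset({"PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC", "PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC", "PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC"})`. The comment explains why these symbols leave the Kconfig file but not what happens to them in the header: presumably `parse_psa_symbols` still returns them and the config-psa.h generator (outside this hunk) still emits the `CONFIG_..._BASIC` to `PSA_WANT_..._BASIC` mapping that Kconfig.psa.logic depends on — if so, say it, e.g. `# The symbols are still emitted into HEADER_PATH; only their Kconfig definition moves to Kconfig.psa.logic.`, and if not, the new Kconfig symbols have no effect on the build.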
@@ -70,6 +84,8 @@ def parse_psa_symbols(input_file: str):
 def generate_kconfig_content(symbols: List[str]) -> str:
     output = []
     for sym in symbols:
+        if sym in SKIP_SYMBOLS:
+            continue
         output.append("""
 config {0}
 \tbool "{0}" if !MBEDTLS_PROMPTLESS

From 5bef2ca55e1f6ba762f144cc899ffd949b02b55d Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Wed, 11 Dec 2024 15:42:43 +0100
Subject: [PATCH 2/3] mbedtls: rename automatically generated Kconfig file for PSA symbols

Rename Kconfig.psa to Kconfig.psa.auto to emphasize that this file is automatically generated.

Signed-off-by: Valerio Setti
---
 modules/mbedtls/Kconfig | 2 +-
 modules/mbedtls/{Kconfig.psa => Kconfig.psa.auto} | 0
 modules/mbedtls/create_psa_files.py | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename modules/mbedtls/{Kconfig.psa => Kconfig.psa.auto} (100%)

diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
index a0d27069238165..cb178fb3c273ed 100644
--- a/modules/mbedtls/Kconfig
+++ b/modules/mbedtls/Kconfig
@@ -13,7 +13,7 @@ config MBEDTLS_PROMPTLESS
 	mbed TLS menu prompt and instead handle the selection of MBEDTLS from
 	dependent sub-configurations and thus prevent stuck symbol behavior.
 
-rsource "Kconfig.psa"
+rsource "Kconfig.psa.auto"
 rsource "Kconfig.psa.logic"
 
 menuconfig MBEDTLS
diff --git a/modules/mbedtls/Kconfig.psa b/modules/mbedtls/Kconfig.psa.auto
similarity index 100%
rename from modules/mbedtls/Kconfig.psa
rename to modules/mbedtls/Kconfig.psa.auto
diff --git a/modules/mbedtls/create_psa_files.py b/modules/mbedtls/create_psa_files.py
index 5698c96490126b..c2aca4e20b43f4 100755
--- a/modules/mbedtls/create_psa_files.py
+++ b/modules/mbedtls/create_psa_files.py
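Review bot: The new `continue` drops a symbol without leaving any trace, so if a future Mbed TLS renames or removes one of the `_BASIC` defines the skip list goes stale silently and Kconfig.psa.logic may keep defining a symbol the header no longer maps. Two lines at the top of the function would catch that: `missing = [s for s in SKIP_SYMBOLS if s not in symbols]` followed by `if missing: raise ValueError(f"SKIP_SYMBOLS not found in {INPUT_FILE}: {missing}")`. generate_kconfig_content also has no docstring; a one-liner such as `"""Render one Kconfig entry per symbol, omitting SKIP_SYMBOLS, which Kconfig.psa.logic defines instead."""` would record the new behaviour where a reader looks first. The function body continues past the end of this hunk.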
@@ -14,7 +14,7 @@
                               "include", "psa", "crypto_config.h")
 INPUT_FILE = os.path.normpath(os.path.join(SCRIPT_PATH, INPUT_REL_PATH))
 
-KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa")
+KCONFIG_PATH=os.path.join(SCRIPT_PATH, "Kconfig.psa.auto")
 HEADER_PATH=os.path.join(SCRIPT_PATH, "configs", "config-psa.h")
 
 KCONFIG_HEADER="""\

From 85b07784ff9658ee1ecd3a4a2f09550839ad17d6 Mon Sep 17 00:00:00 2001
From: Valerio Setti
Date: Thu, 12 Dec 2024 12:49:42 +0100
Subject: [PATCH 3/3] tests: tls_configurations: adjust Kconfig in overlay-ec

CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC is promptless so it cannot be selected. Moreover it's also automatically enabled by CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE in the same overlay file so there would be no need to explicitly enable it.

As for the IMPORT, EXPORT, DERIVE they are needed for the TLS connection to work properly. Previously it was working because at least IMPORT and EXPORT are internally enabled by Mbed TLS at build time. So here we are basically doing the same enablements with Kconfigs in clear.

Signed-off-by: Valerio Setti
---
 tests/net/socket/tls_configurations/overlay-ec.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tests/net/socket/tls_configurations/overlay-ec.conf b/tests/net/socket/tls_configurations/overlay-ec.conf
index b53dc4bcb555b9..c109147eb8e50e 100644
--- a/tests/net/socket/tls_configurations/overlay-ec.conf
+++ b/tests/net/socket/tls_configurations/overlay-ec.conf
@@ -1,5 +1,7 @@
 CONFIG_PSA_WANT_ALG_ECDH=y
 CONFIG_PSA_WANT_ALG_ECDSA=y
-CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC=y
 CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT=y
+CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y
 CONFIG_PSA_WANT_ECC_SECP_R1_256=y
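Review bot: `CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE=y` enables, as far as I can tell, deriving an ECC key pair from the output of a key-derivation operation, which an ECDHE/ECDSA TLS handshake does not obviously exercise (ECDH key agreement is already covered by `CONFIG_PSA_WANT_ALG_ECDH`), and the commit message asserts DERIVE is needed without naming the call path that requires it. If the test passes without it, dropping it keeps the crypto surface of the test build minimal; if it is genuinely required, a comment line naming the consumer, e.g. `# DERIVE: required by <CALL PATH - TODO confirm>`, would stop the next person from removing it. Either way a short comment that BASIC is implied by GENERATE would explain the deleted line to readers who never open Kconfig.psa.logic.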