Use PSA Crypto APIs in Mbed TLS on Non-Secure side #91
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
To enable using PSA Crypto APIs in Mbed TLS running on Non-Secure side, the following changes were done: * `MBEDTLS_PSA_CRYPTO` macro is defined in `aws_mbedtls_config.h` header file to indicate that PSA Crypto APIs should be used. * `tfm-ns-interface` library is linked to mbedtls library to make TF-M's PSA Crypto APIs interfaces available for mbedtls library. * `CRYPTO_IOVEC_BUFFER_SIZE` is changed from 5120 to 20000 as the PSA Crypto APIs require larger buffer size for communication between secure and non-secure spaces. * A new Mbed TLS patch is added to fix guard protection for functions/ headers, the patch is to be added upstream. * All platforms' stack sizes were increased from `0x1000` to `0x2000` as in case of using ARMClang toolchain, a stack overflow was noticed after applying the previous changes. Signed-off-by: Devaraj Ranganna <[email protected]> Signed-off-by: Ahmed Ismail <[email protected]>
A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. Signed-off-by: Ahmed Ismail <[email protected]>
Signed-off-by: Ahmed Ismail <[email protected]>
-g3 compiler options can be used in generating provisioning AXF file without any issues. Signed-off-by: Ahmed Ismail <[email protected]>
FRI supports PSA crypto implementation either using TF-M on the secure side or using Mbed TLS on the non-secure side. When using Mbed TLS on the non-secure side as PSA crypto implementation, the device and provision keys are defined as volatile since we currently don't have support for file system. In addition, when using Mbed TLS on the non-secure side as PSA crypto implementation, `MBEDTLS_PKCS1_V21` (support for PKCS#1 v2.1 encoding) is enabled for OTA image validation to work. Signed-off-by: Devaraj Ranganna <[email protected]>
FRI supports PSA crypto implementation either using TF-M on the secure side or using Mbed TLS on the non-secure side. When using Mbed TLS on the non-secure side as PSA crypto implementation, the device and provision keys are defined as volatile since we currently don't have support for file system. Signed-off-by: Devaraj Ranganna <[email protected]>
A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. In addition, enable using PSA crypto APIs in Mbed TLS running on Non-Secure side. Signed-off-by: Devaraj Ranganna <[email protected]>
A new configuration option is added to control which library (TF-M/MBED TLS) is providing the PSA Crypto APIs implementation. In addition, enable using PSA crypto APIs in Mbed TLS running on Non-Secure side. Signed-off-by: Devaraj Ranganna <[email protected]>
Top level README.md along with applications' documents are updated to illustrate how the new PSA Crypto APIs implementation configuration option can be used, and mention the available configurations for the new option. Signed-off-by: Ahmed Ismail <[email protected]>
aggarg
approved these changes
Sep 24, 2024
kar-rahul-aws
approved these changes
Sep 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR enables using PSA Crypto APIs in Mbed TLS running on Non-Secure side, the following changes were done:
MBEDTLS_PSA_CRYPTOmacro is defined inaws_mbedtls_config.hheader file to indicate that PSA Crypto APIs should be used.MBEDTLS_PSA_CRYPTO_Cmacro shall be defined inaws_mbedtls_config.hheader file to indicate that PSA Crypto APIs implementation is to be provided by Mbed TLS.MBEDTLS_PSA_CRYPTO_CLIENTmacro shall be defined inaws_mbedtls_config.hheader file to indicate that PSA Crypto APIs implementation is to be provided by TF-M.tfm-ns-interfacelibrary is linked to Mbed TLS library in case of using TF-M as the PSA Crypto APIs implementation to expose TF-M's PSA Crypto APIs interfaces for Mbed TLS library.CRYPTO_IOVEC_BUFFER_SIZEis changed from 5120 to 20000 as the PSA Crypto APIs require larger buffer size for communication between secure and non-secure spaces.0x1000to0x2000as in case of using ARMClang toolchain, a stack overflow was noticed after applying the previous changes.iot-vsocket-psa-crypto-mbedtls-testnightly test.Test Steps
Checklist:
Related Issue
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.