FreeRTOS · aggarg · Sep 25, 2024 · Apr 3, 2024 · Jul 8, 2024 · Apr 24, 2024
diff --git a/.github/.cSpellWords.txt b/.github/.cSpellWords.txt
@@ -65,6 +65,7 @@ docuemnt
 DONGWOON
 DPLATFORM
 DPROJECT
+DPSA
 drbg
 Drbg
 DRBG

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -63,13 +63,14 @@ workflow:
         --toolchain $TOOLCHAIN \
         --certificate_path $PWD/certificate.pem \
         --private_key_path $PWD/private_key.pem \
-        --conn-stack $CONN_STACK
+        --conn-stack $CONN_STACK \
+        --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION
     - |
       if [ $APP == "blinky" ];then
-        tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \
+        tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \
           build/${APP}_merged.elf
       else
-        tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz \
+        tar -czf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz \
           build/${APP}_merged.elf \
           build/${APP}-update_signed.bin \
           build/update-signature.txt \
@@ -88,9 +89,10 @@ build-applications-corstone315:
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   artifacts:
     paths:
-      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz
+      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
     expire_in: 1 week
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
@@ -107,9 +109,10 @@ build-applications-corstone310:
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   artifacts:
     paths:
-      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz
+      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
     expire_in: 1 week
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
@@ -126,9 +129,10 @@ build-applications-corstone300:
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   artifacts:
     paths:
-      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz
+      - ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
     expire_in: 1 week
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
@@ -171,7 +175,7 @@ test-blinky-output:
     - job: build-applications-corstone300
       artifacts: true
   script:
-    - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz
+    - tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
     - |
         pytest -s tools/tests/test_blinky_output.py \
         --build-artefacts-path "build" \
@@ -188,25 +192,28 @@ test-blinky-output:
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : [*pipeline_config_corstone310, *pipeline_config_toolchain]
          APP: [blinky]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : [*pipeline_config_corstone300, *pipeline_config_toolchain]
          APP: [blinky]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
 
 .test-applications_base:
   extends: .test_job
   script:
     - |
-      if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz" ]]; then
-        tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_build.tar.gz
+      if [[ -f "${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz" ]]; then
+        tar xf ${TARGET}_${APP}_${TOOLCHAIN}_${INFERENCE}_${AUDIO}_${CONN_STACK}_${PSA_CRYPTO_IMPLEMENTATION}_build.tar.gz
       fi
     - export APP_UNDERSCORED=$(echo ${APP} | tr '-' '_')
     - |
@@ -265,20 +272,23 @@ test-ml-applications-output:
          AUDIO: [ROM]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone310
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone300
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
 
 unit-tests:
   extends: .base-job-rules
@@ -316,7 +326,7 @@ integration-tests:
     # communicate with the server.
     - host_ip_address=`ifconfig eth0 | grep -w 'inet' | awk '{print $2}'`
     - sed -i "s/#define ECHO_SERVER_ENDPOINT .*$/#define ECHO_SERVER_ENDPOINT \"$host_ip_address\"/g" applications/freertos_iot_libraries_tests/test_param_config.h
-    - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem  --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK
+    - ./tools/scripts/build.sh ${APP} --target $TARGET --toolchain $TOOLCHAIN --certificate_path $PWD/certificate.pem  --private_key_path $PWD/private_key.pem --conn-stack $CONN_STACK --psa-crypto-implementation $PSA_CRYPTO_IMPLEMENTATION
     - pushd components/tools/freertos_libraries_integration_tests/library/tools/echo_server
     - go run echo_server.go&
     - popd
@@ -335,14 +345,17 @@ integration-tests:
         << : [*pipeline_config_corstone315, *pipeline_config_toolchain]
         APP: [freertos-iot-libraries-tests]
         CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET]
+        PSA_CRYPTO_IMPLEMENTATION: [TF-M]
       -
         << : [*pipeline_config_corstone310, *pipeline_config_toolchain]
         APP: [freertos-iot-libraries-tests]
         CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET]
+        PSA_CRYPTO_IMPLEMENTATION: [TF-M]
       -
         << : [*pipeline_config_corstone300, *pipeline_config_toolchain]
         APP: [freertos-iot-libraries-tests]
         CONN_STACK: [FREERTOS_PLUS_TCP, IOT_VSOCKET]
+        PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   retry:
     max: 2
     when:
@@ -377,48 +390,55 @@ sw-vsi-configs-test:
          AUDIO: [VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone315
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [SOFTWARE]
          AUDIO: [ROM, VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone315
          APP: [object-detection]
          INFERENCE: [SOFTWARE]
          AUDIO: [ROM]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone310
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone310
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [SOFTWARE]
          AUDIO: [ROM, VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone300
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone300
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [SOFTWARE]
          AUDIO: [ROM, VSI]
          TOOLCHAIN: [ARMCLANG]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   retry:
     max: 2
     when:
@@ -453,27 +473,31 @@ gnu-toolchain-test:
          AUDIO: [ROM,VSI]
          TOOLCHAIN: [GNU]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone315
          APP: [object-detection]
          INFERENCE: [ETHOS, SOFTWARE]
          AUDIO: [ROM]
          TOOLCHAIN: [GNU]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone310
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS, SOFTWARE]
          AUDIO: [ROM,VSI]
          TOOLCHAIN: [GNU]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
        -
          << : *pipeline_config_corstone300
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS, SOFTWARE]
          AUDIO: [ROM,VSI]
          TOOLCHAIN: [GNU]
          CONN_STACK: [FREERTOS_PLUS_TCP]
+         PSA_CRYPTO_IMPLEMENTATION: [TF-M]
   retry:
     max: 2
     when:
@@ -483,12 +507,12 @@ gnu-toolchain-test:
   variables:
     GIT_SUBMODULE_STRATEGY: recursive
 
-iot-vsocket-test:
+iot-vsocket-psa-crypto-mbedtls-test:
   tags:
     - iotmsw-amd64
   extends: .base-job-rules
   rules:
-  - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-test" )
+  - if: ( $SCHEDULED_JOB_TO_RUN == "iot-vsocket-psa-crypto-mbedtls-test" )
   before_script:
     - !reference [.build_job, before_script]
     - !reference [.build_job, script]
@@ -503,32 +527,28 @@ iot-vsocket-test:
     matrix:
        -
          << : *pipeline_config_corstone315
-         APP: [keyword-detection, speech-recognition]
-         INFERENCE: [ETHOS]
-         AUDIO: [ROM]
-         TOOLCHAIN: [GNU, ARMCLANG]
-         CONN_STACK: [IOT_VSOCKET]
-       -
-         << : *pipeline_config_corstone315
-         APP: [object-detection]
+         APP: [keyword-detection, speech-recognition, object-detection]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          TOOLCHAIN: [GNU, ARMCLANG]
          CONN_STACK: [IOT_VSOCKET]
+         PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS]
        -
          << : *pipeline_config_corstone310
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          TOOLCHAIN: [GNU, ARMCLANG]
          CONN_STACK: [IOT_VSOCKET]
+         PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS]
        -
          << : *pipeline_config_corstone300
          APP: [keyword-detection, speech-recognition]
          INFERENCE: [ETHOS]
          AUDIO: [ROM]
          TOOLCHAIN: [GNU, ARMCLANG]
          CONN_STACK: [IOT_VSOCKET]
+         PSA_CRYPTO_IMPLEMENTATION: [MBEDTLS]
   retry:
     max: 2
     when:

diff --git a/README.md b/README.md
@@ -73,8 +73,10 @@ and [AWS OTA PAL PSA implementation](#aws-ota-pal-psa-implementation) can be per
 
 Corstone platform communicates with the AWS IoT Core over a secure TLS
 connection. Mbed TLS running on the NSPE is used to establish the TLS
-connection. Mbed TLS makes use of the PSA Crypto APIs provided by TF-M for
-Crypto operations.
+connection. For crypto operations, Mbed TLS supports PSA Crypto APIs provided by either
+the Mbed TLS itself or the Trusted Firmware-M and the default is
+PSA Crypto API from Trusted Firmware-M. For more information about the PSA Crypto APIs
+implementation, please refer to [Mbed TLS document](docs/components/security/mbedtls/mbedtls.md#psa-crypto-apis-implementation).
 
 [PKCS#11](https://www.freertos.org/pkcs11/index.html) APIs to perform TLS
 client authentication and import TLS client certificate and private key into

diff --git a/applications/helpers/provisioning/CMakeLists.txt b/applications/helpers/provisioning/CMakeLists.txt
@@ -7,12 +7,6 @@ if(BUILD_TESTING AND NOT CMAKE_CROSSCOMPILING)
 else()
     find_package(Python3)
 
-    #FIXME: This is needed in order to run prepoccessor on the linker script.
-    #       The GCC prepoccessor puts std defines if -g3 is set.
-    if(${CMAKE_C_COMPILER_ID} STREQUAL "GNU")
-        string(REPLACE "-g3" "" CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
-    endif()
-
     list(APPEND CMAKE_MODULE_PATH ${CMAKE_CURRENT_LIST_DIR}/cmake)
 
     include(SetProvisioningLinkOptions)

diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c
@@ -1,7 +1,7 @@
 /*
  * FreeRTOS V202012.00
  * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
- * Copyright (c) 2022-2023, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2022-2024, Arm Limited and Contributors. All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy of
  * this software and associated documentation files (the "Software"), to deal in
@@ -1420,6 +1420,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle,
         goto exit;
     }
 
+    #ifdef PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+        psa_set_key_lifetime( &attributes, PSA_KEY_LIFETIME_VOLATILE );
+    #endif
+
     psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) );
     psa_set_key_bits( &attributes, keyBits );
 

diff --git a/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h b/applications/keyword_detection/configs/aws_configs/core_pkcs11_config.h
@@ -147,8 +147,23 @@ extern void vPortFree( void * pv );
  * Define the key ID of the device keys which will be saved as
  * persistent keys in TF-M. The key ID servers as the a name.
  */
-#define PSA_DEVICE_PRIVATE_KEY_ID                          0x01
-#define PSA_DEVICE_PUBLIC_KEY_ID                           0x10
+#ifdef PSA_CRYPTO_IMPLEMENTATION_TFM
+    #define PSA_DEVICE_PRIVATE_KEY_ID    0x01
+    #define PSA_DEVICE_PUBLIC_KEY_ID     0x10
+#elif defined PSA_CRYPTO_IMPLEMENTATION_MBEDTLS
+
+/* The PSA Crypto specification
+ * https://arm-software.github.io/psa-api/crypto/1.1/api/keys/ids.html
+ * defines the volatile key range as PSA_KEY_ID_VENDOR_MIN (0x40000000) to
+ * PSA_KEY_ID_VENDOR_MAX (0x7fffffff). However, in the default PSA Crypto
+ * configuration in Mbed TLS, volatile key range is defined by
+ * PSA_KEY_ID_VOLATILE_MIN and PSA_KEY_ID_VOLATILE_MAX.
+ */
+    #define PSA_DEVICE_PRIVATE_KEY_ID    0x7FFFFFE0
+#else
+    #error "Missing PSA crypto implementation definition. Define either \
+    `PSA_CRYPTO_IMPLEMENTATION_TFM` or `PSA_CRYPTO_IMPLEMENTATION_MBEDTLS`"
+#endif
 
 /* */
 /* FIXME: are these needed? */
-Original file line number
+Diff line change
@@ Expand Up / @@ -65,6 +65,7 @@ docuemnt @@
     DONGWOON
     DPLATFORM
     DPROJECT
+    DPSA
     drbg
     Drbg
     DRBG
@@ Expand Down @@