Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to TF-M v1.4.0 #15050

Merged
merged 12 commits into from
Sep 15, 2021
Merged

Update to TF-M v1.4.0 #15050

merged 12 commits into from
Sep 15, 2021

Conversation

rwalton-arm
Copy link
Contributor

@rwalton-arm rwalton-arm commented Sep 2, 2021

Summary of changes

Bring the latest changes from TF-M v1.4.0 into mbed-os.

Update the Nuvoton python scripts to bump the hard coded TF-M version.

Update locations of ARM_MUSCA target support in targets.json.

Impact of changes

Migration actions required

Documentation


Pull request type

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers


@ciarmcom ciarmcom added the release-type: patch Indentifies a PR as containing just a patch label Sep 2, 2021
@ciarmcom ciarmcom requested a review from a team September 2, 2021 15:30
@ciarmcom
Copy link
Member

ciarmcom commented Sep 2, 2021

@rwalton-arm, thank you for your changes.
@ARMmbed/mbed-os-maintainers please review.

@ciarmcom
Copy link
Member

ciarmcom commented Sep 7, 2021

This pull request has automatically been marked as stale because it has had no recent activity. @ARMmbed/mbed-os-maintainers, please complete review of the changes to move the PR forward. Thank you for your contributions.

@rwalton-arm rwalton-arm linked an issue Sep 10, 2021 that may be closed by this pull request
@rwalton-arm rwalton-arm force-pushed the TF-Mv1.4.0 branch 3 times, most recently from 58aa9d7 to 8b97701 Compare September 10, 2021 16:05
@ciarmcom ciarmcom added stale Stale Pull Request and removed stale Stale Pull Request labels Sep 10, 2021
@rwalton-arm rwalton-arm changed the title [WIP] Update to TF-M v1.4.0 Update to TF-M v1.4.0 Sep 13, 2021
@rwalton-arm rwalton-arm marked this pull request as ready for review September 13, 2021 12:28
Copy link
Contributor

@LDong-Arm LDong-Arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rwalton-arm Thanks, it looks good.

In #14977 I forgot to mention we need to ensure Mbed TLS compatibility. The way to check this is build mbed-os-example-tls for those three targets. So far I can think of the following that need to be done:

  • Cherry-pick compatibility patches in imported PSA headers. There are four patches in the link, but only two of them got overridden by the import scripts (032fe4a and e5230c9) so those two need to be cherry picked. (We need those patches because TF-M maintains its own PSA headers rather than using the ones from Mbed TLS, and headers from the two repos are always inconsistent no matter what revisions we check out...)
  • mbedtls/psa_util.h from Mbed TLS 2.25 (which we have in Mbed OS) contains support for older algorithms (e.g. MD2, MD4, etc.), which have been dropped from the latest TF-M and Mbed TLS (see TF-M 1.4 commit and Mbed TLS 3.0 PR). Those algorithms are not enabled in Mbed OS (see connectivity/mbedtls/include/mbedtls/config.h) so we're okay. But some configs in mbed-os-example-tls do have MD4 enabled and cause a build error, shall we disable it in the example? @Patater
  • PSA_ALG_AEAD_WITH_TAG_LENGTH has been replaced by PSA_ALG_AEAD_WITH_SHORTENED_TAG in the latest PSA (see commit) but Mbed TLS 2.25 uses the old one. Adding back the old macro for compatibility fixes the problem.

I only tried to build the "benchmark" example in mbed-os-example-tls on Musca S1 and not anything else. Please make sure to try all of them on those targets & toolchains, and we might spot more things to fix!

@ciarmcom ciarmcom removed the stale Stale Pull Request label Sep 13, 2021
@rwalton-arm
Copy link
Contributor Author

some configs in mbed-os-example-tls do have MD4 enabled and cause a build error, shall we disable it in the example?

MD4 is rather insecure. Now that mbedtls have deprecated the obsolete algorithms, I don't see a reason to try and continue supporting them for the example. IMO we should just disable them in the example.

@mergify mergify bot dismissed LDong-Arm’s stale review September 14, 2021 13:27

Pull request has been modified.

@rwalton-arm rwalton-arm force-pushed the TF-Mv1.4.0 branch 2 times, most recently from a5b3d14 to 13ee303 Compare September 14, 2021 14:32
rwalton-arm and others added 11 commits September 14, 2021 17:32
tfm_ns_interface.c is intended to be overriden by clients to support
different targets. We copy this file from upstream into the mbed-os
platform library. We also have a specific "strong" overridden version
for the NU_M2354 target, which is located in its target library.
Previously the implementations in the platform library were decorated
with __attribute__(weak), and we provided a strong definition for the
NU_M2354 target. This worked fine because of weak linking, the linker
will pick the first "strong" definition and use that, avoiding any ODR
violations. However, upstream have removed __attribute__(weak) from the
function definitions, which caused multiply defined symbol errors when
trying to build the NU_M2354 target.

To work around the above issue, we remove the common definition in the
platform library; instead we copy the file to the Musca B1 and Musca S1
target libaries. This means the appropriate tfm_ns_interface.c is only
included in the build when compiling for the specific target which uses
it.
The directory structure upstream has changed. Now ARM_MUSCA board
support has been moved under an "arm" subdirectory. Update targets.json
with the new locations.
Include mbedtls_ecc_group_to_psa.h from crypto_extra.h so that clients
of PSA within Mbed OS do not need to behave differently depending on
which PSA implementation they are using.

This solution is not ideal as it makes it more difficult to update the
TF-M-provided psa/crypto_extra.h. We'll have to see what other options
we have for including additional headers based on the Mbed OS
configuration.
We have added definitions that are needed by Mbed TLS's PSK key exchange
but missing from TF-M's PSA to `mbedtls_svc_key_id.h`. To pick up those
definitions, TF-M's `psa/crypto_values.h' needs to include
`mbedtls_svc_key_id.h`.
PSA_ALG_AEAD_WITH_TAG_LENGTH has been replaced with
PSA_ALG_AEAD_WITH_SHORTENED_TAG upstream. We could just update
psa_util.h to use the new macro, but we still have some targets that
only support older versions of PSA, so we reinstate the removed macro.
We worked around an issue with mbed-cli1 not recognising the BL2 macro
from targets.json by adding patched versions of region_defs.h and
flash_layout.h for ARM_MUSCA targets. In the patched headers we defined
the BL2 macro to ensure it can be picked up by the ARM scatter files
that include the headers.

The current solution is not robust, because it means that the
aforementioned headers easily become out of date. A workaround of
defining the macros in the scatter files which need them was suggested
in ARMmbed#14762

This commit applies the suggested changes to the ARM_MUSCA scatter
files.
Import the latest partition headers from upstream. We no longer need to
patch the headers to define the BL2 macro as we now define it in the
scatter files for the MUSCA targets.
@mergify mergify bot dismissed LDong-Arm’s stale review September 14, 2021 16:33

Pull request has been modified.

@rwalton-arm rwalton-arm linked an issue Sep 14, 2021 that may be closed by this pull request
@mbed-ci
Copy link

mbed-ci commented Sep 14, 2021

Jenkins CI Test : ✔️ SUCCESS

Build Number: 2 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration ✔️

Copy link
Contributor

@LDong-Arm LDong-Arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mergify mergify bot added needs: CI and removed needs: work labels Sep 14, 2021
@LDong-Arm
Copy link
Contributor

Started CI after the force push

@mbed-ci
Copy link

mbed-ci commented Sep 14, 2021

Jenkins CI Test : ✔️ SUCCESS

Build Number: 3 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration ✔️

@Patater Patater merged commit 64a3419 into ARMmbed:master Sep 15, 2021
@mergify mergify bot removed the ready for merge label Sep 15, 2021
@ccli8 ccli8 mentioned this pull request Sep 17, 2021
@mbedmain mbedmain removed release-type: patch Indentifies a PR as containing just a patch Release-pending labels Sep 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Upgrade to TF-M v1.4 Musca B1/S1: memory layout headers out of date
6 participants