From 29e8cbbb2c21eefba402fed32f65ea2b5e579c93 Mon Sep 17 00:00:00 2001 From: Artur Tynecki <77382963+ATmobica@users.noreply.github.com> Date: Wed, 21 Jun 2023 14:50:38 +0200 Subject: [PATCH] [OIS] Add PSA crypto backend support (#26994) This commit allows the selection of PSA as the cryptographic algorithm used when building Matter CryptoPAL with the Open IoT SDK. The GitHub CI workflow for the SDK examples/unit tests has been updated to add a matrix test setup which builds and runs the examples with both mbedtls and psa cryptographic algorithms. Add call to psa_crypto_init() The Matter PSA implementation still uses some underlying MbedTLS functions (including random number generation). To use these functions however a call to psa_crypto_init() is required. Extend Matter Python builder with crypto backend options. Enable ECP optimization. Signed-off-by: Anna Bridge --- .github/.wordlist.txt | 1 + .github/workflows/examples-openiotsdk.yaml | 11 ++-- .vscode/tasks.json | 9 ++++ config/openiotsdk/CMakeLists.txt | 1 + config/openiotsdk/chip-gn/args.gni | 1 - config/openiotsdk/cmake/chip.cmake | 11 +++- config/openiotsdk/cmake/sdk.cmake | 35 +++++++------ config/openiotsdk/lwip/user_lwipopts.h | 5 ++ config/openiotsdk/mbedtls/mbedtls_config.h | 6 +-- .../openiotsdk/mbedtls/mbedtls_config_psa.h | 6 +++ docs/guides/openiotsdk_examples.md | 52 ++++++++++++++++--- .../openiotsdk/app/openiotsdk_platform.cpp | 13 +++++ scripts/build/BUILD.gn | 4 +- scripts/build/build/targets.py | 6 ++- scripts/build/builders/openiotsdk.py | 20 ++++++- scripts/build/test.py | 4 +- .../build/testdata/all_targets_linux_x64.txt | 2 +- .../dry_run_openiotsdk-lock-mbedtls.txt | 8 +++ .../testdata/dry_run_openiotsdk-lock.txt | 8 --- .../dry_run_openiotsdk-shell-mbedtls.txt | 8 +++ .../testdata/dry_run_openiotsdk-shell.txt | 8 --- scripts/examples/openiotsdk_example.sh | 21 +++++++- 22 files changed, 183 insertions(+), 57 deletions(-) create mode 100644 config/openiotsdk/mbedtls/mbedtls_config_psa.h create mode 100644 scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt delete mode 100644 scripts/build/testdata/dry_run_openiotsdk-lock.txt create mode 100644 scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt delete mode 100644 scripts/build/testdata/dry_run_openiotsdk-shell.txt diff --git a/.github/.wordlist.txt b/.github/.wordlist.txt index 04179cb874c403..ef5aa8fb290737 100644 --- a/.github/.wordlist.txt +++ b/.github/.wordlist.txt @@ -1071,6 +1071,7 @@ ProxyDiscovery ProxyValid ProxyView PRs +PSA PSCAN PSECT PSK diff --git a/.github/workflows/examples-openiotsdk.yaml b/.github/workflows/examples-openiotsdk.yaml index 2c373d457dfe20..d706b8dbab9273 100644 --- a/.github/workflows/examples-openiotsdk.yaml +++ b/.github/workflows/examples-openiotsdk.yaml @@ -31,6 +31,11 @@ env: jobs: openiotsdk: + strategy: + fail-fast: false + matrix: + cryptoBackend: ["psa", "mbedtls"] + name: Open IoT SDK examples building timeout-minutes: 90 @@ -89,7 +94,7 @@ jobs: id: build_shell timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh shell + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} shell .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release shell \ examples/shell/openiotsdk/build/chip-openiotsdk-shell-example.elf \ @@ -99,7 +104,7 @@ jobs: id: build_lock_app timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh lock-app + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} lock-app .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release lock-app \ examples/lock-app/openiotsdk/build/chip-openiotsdk-lock-app-example.elf \ @@ -109,7 +114,7 @@ jobs: id: build_unit_tests timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh unit-tests + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} unit-tests - name: "Test: shell example" if: steps.build_shell.outcome == 'success' diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 8516b5b12f2e5c..bb0c8ba01853ea 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -251,6 +251,7 @@ "-Cbuild", "-d${input:openiotsdkDebugMode}", "-l${input:openiotsdkLwipDebug}", + "-b${input:openiotsdkCryptoBackend}", "${input:openiotsdkExample}" ], "group": "build", @@ -271,6 +272,7 @@ "-Cbuild", "-d${input:openiotsdkDebugMode}", "-l${input:openiotsdkLwipDebug}", + "-b${input:openiotsdkCryptoBackend}", "unit-tests" ], "group": "build", @@ -480,6 +482,13 @@ "options": ["false", "true"], "default": "false" }, + { + "type": "pickString", + "id": "openiotsdkCryptoBackend", + "description": "Which Crypto algorithm do you wish to use?", + "options": ["mbedtls", "psa"], + "default": "mbedtls" + }, { "type": "command", "id": "openiotsdkExample", diff --git a/config/openiotsdk/CMakeLists.txt b/config/openiotsdk/CMakeLists.txt index 7f559587a88a66..43f9fca7b5dd9a 100644 --- a/config/openiotsdk/CMakeLists.txt +++ b/config/openiotsdk/CMakeLists.txt @@ -62,6 +62,7 @@ matter_add_gn_arg_bool ("chip_automation_logging" CONFIG_CHIP_AUTO matter_add_gn_arg_bool ("chip_error_logging" CONFIG_CHIP_ERROR_LOGGING) matter_add_gn_arg_bool ("chip_openiotsdk_use_tfm" TFM_SUPPORT) matter_add_gn_arg_bool ("chip_openiotsdk_use_psa_ps" CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS) +matter_add_gn_arg_string("chip_crypto" "${CONFIG_CHIP_CRYPTO}") if (TARGET cmsis-rtos-api) matter_add_gn_arg_string("target_os" "cmsis-rtos") endif() diff --git a/config/openiotsdk/chip-gn/args.gni b/config/openiotsdk/chip-gn/args.gni index fd9edf986f8ee7..12ffb66b844957 100644 --- a/config/openiotsdk/chip-gn/args.gni +++ b/config/openiotsdk/chip-gn/args.gni @@ -31,7 +31,6 @@ chip_system_config_use_lwip = true lwip_platform = "external" chip_system_config_use_sockets = false -chip_crypto = "mbedtls" chip_external_mbedtls = true custom_toolchain = "${chip_root}/config/openiotsdk/chip-gn/toolchain:openiotsdk" diff --git a/config/openiotsdk/cmake/chip.cmake b/config/openiotsdk/cmake/chip.cmake index bdef5870433d23..6e1a78bcb8debf 100644 --- a/config/openiotsdk/cmake/chip.cmake +++ b/config/openiotsdk/cmake/chip.cmake @@ -21,7 +21,7 @@ get_filename_component(GEN_DIR ${CHIP_ROOT}/zzz_generated/ REALPATH) -# Default CHIP build configuration +# Default CHIP build configuration set(CONFIG_CHIP_PROJECT_CONFIG "main/include/CHIPProjectConfig.h" CACHE STRING "") set(CONFIG_CHIP_LIB_TESTS NO CACHE BOOL "") set(CONFIG_CHIP_LIB_SHELL NO CACHE BOOL "") @@ -32,6 +32,7 @@ set(CONFIG_CHIP_AUTOMATION_LOGGING YES CACHE BOOL "Enable logging at automation set(CONFIG_CHIP_ERROR_LOGGING YES CACHE BOOL "Enable logging at error level") set(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS NO CACHE BOOL "Enable using PSA Protected Storage") +set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING "Matter crypto backend. Mbedtls as default") if(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS AND NOT TFM_SUPPORT) message( FATAL_ERROR "You can not use PSA Protected Storage without TF-M support" ) @@ -53,8 +54,14 @@ if(TFM_SUPPORT) add_dependencies(chip-gn tfm-ns-interface) endif() +if ("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa") + target_compile_definitions(chip + INTERFACE + CONFIG_CHIP_CRYPTO_PSA) +endif() + function(chip_add_data_model target scope model_name) - target_include_directories(${target} + target_include_directories(${target} PUBLIC ${GEN_DIR}/app-common ${GEN_DIR}/${model_name}-app diff --git a/config/openiotsdk/cmake/sdk.cmake b/config/openiotsdk/cmake/sdk.cmake index 61cd704a030041..6f391bd235033f 100644 --- a/config/openiotsdk/cmake/sdk.cmake +++ b/config/openiotsdk/cmake/sdk.cmake @@ -27,7 +27,7 @@ get_filename_component(OPEN_IOT_SDK_STORAGE_SOURCE ${CHIP_ROOT}/third_party/open # Open IoT SDK targets passed to CHIP build list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS) -# Additional Open IoT SDK build configuration +# Additional Open IoT SDK build configuration set(TFM_SUPPORT NO CACHE BOOL "Add Trusted Firmware-M (TF-M) support to application") set(TFM_NS_APP_VERSION "0.0.0" CACHE STRING "TF-M non-secure application version (in the x.x.x format)") set(CONFIG_CHIP_OPEN_IOT_SDK_LWIP_DEBUG NO CACHE BOOL "Enable LwIP debug logs") @@ -82,7 +82,7 @@ if(TFM_SUPPORT) set(TFM_PLATFORM ${OPEN_IOT_SDK_EXAMPLE_COMMON}/tf-m/targets/an552) set(TFM_PSA_FIRMWARE_UPDATE ON) set(MCUBOOT_IMAGE_VERSION_NS ${TFM_NS_APP_VERSION}) - set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1") + set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1;-DTFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH=${OPEN_IOT_SDK_CONFIG}/mbedtls/mbedtls_config_psa.h;-DMBEDCRYPTO_BUILD_TYPE=${CMAKE_BUILD_TYPE};-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}") if ("${CMAKE_BUILD_TYPE}" STREQUAL "Debug") set(TFM_CMAKE_ARGS "${TFM_CMAKE_ARGS};-DMCUBOOT_LOG_LEVEL=INFO;-DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_DEBUG;-DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO") else() @@ -117,24 +117,24 @@ endif() # Add RTOS configuration headers # Link cmsis-rtos-api against a concrete implementation if(TARGET cmsis-rtos-api) - target_include_directories(cmsis-core - INTERFACE + target_include_directories(cmsis-core + INTERFACE cmsis-config ) - + target_compile_definitions(cmsis-rtos-api PUBLIC DOMAIN_NS=$,1,0> ) if(TARGET freertos-kernel) - target_include_directories(freertos-kernel - PUBLIC + target_include_directories(freertos-kernel + PUBLIC freertos-config ) - target_link_libraries(freertos-kernel - PUBLIC + target_link_libraries(freertos-kernel + PUBLIC cmsis-core ) @@ -250,14 +250,6 @@ if("cmsis-freertos" IN_LIST IOTSDK_FETCH_LIST) ) endif() -if("mbedtls" IN_LIST IOTSDK_FETCH_LIST) - list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS - mbedtls - mbedtls-config - mbedtls-threading-cmsis-rtos - ) -endif() - if("lwip" IN_LIST IOTSDK_FETCH_LIST) list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS lwipcore @@ -282,6 +274,15 @@ if("trusted-firmware-m" IN_LIST IOTSDK_FETCH_LIST) ) endif() +# Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used +if("mbedtls" IN_LIST IOTSDK_FETCH_LIST) + list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS + mbedtls + mbedtls-config + mbedtls-threading-cmsis-rtos + ) +endif() + # Additional Open IoT SDK port components # Add Open IoT SDK storage source diff --git a/config/openiotsdk/lwip/user_lwipopts.h b/config/openiotsdk/lwip/user_lwipopts.h index 48d8d4aee81b21..1e02add588ca4c 100644 --- a/config/openiotsdk/lwip/user_lwipopts.h +++ b/config/openiotsdk/lwip/user_lwipopts.h @@ -49,6 +49,11 @@ */ #define LWIP_RAW (1) +/** + * Disable DHCP as the IP6 link local address can be used. + */ +#define LWIP_DHCP 0 + #ifdef LWIP_DEBUG // Debug Options diff --git a/config/openiotsdk/mbedtls/mbedtls_config.h b/config/openiotsdk/mbedtls/mbedtls_config.h index 316d43c67940d0..b5927a06b63383 100644 --- a/config/openiotsdk/mbedtls/mbedtls_config.h +++ b/config/openiotsdk/mbedtls/mbedtls_config.h @@ -2692,7 +2692,7 @@ * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -#define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_CRYPTO_C /** * \def MBEDTLS_PSA_CRYPTO_SE_C @@ -3313,8 +3313,8 @@ //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ /* ECP options */ -//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */ -//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ +#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ /* Entropy options */ //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ diff --git a/config/openiotsdk/mbedtls/mbedtls_config_psa.h b/config/openiotsdk/mbedtls/mbedtls_config_psa.h new file mode 100644 index 00000000000000..c7241ba53228a5 --- /dev/null +++ b/config/openiotsdk/mbedtls/mbedtls_config_psa.h @@ -0,0 +1,6 @@ + +#define MBEDTLS_SHA1_C +#define PSA_WANT_ALG_SHA_1 +#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ +#undef MBEDTLS_ECP_FIXED_POINT_OPTIM +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ diff --git a/docs/guides/openiotsdk_examples.md b/docs/guides/openiotsdk_examples.md index 2de1915f3ecf43..add3313e1ae521 100644 --- a/docs/guides/openiotsdk_examples.md +++ b/docs/guides/openiotsdk_examples.md @@ -374,6 +374,42 @@ For `TF-M` protected storage use: [Open IoT SDK build script](../../scripts/examples/openiotsdk_example.sh) provides the `-K,--kvsfile` option to use the persistence options listed above. +### Crypto backend + +Open IoT SDK port supports two crypto backend implementations: + +- [Mbed TLS](../guides/openiotsdk_platform_overview.md#mbed-tls) - it's the + default option +- [PSA crypto service](https://tf-m-user-guide.trustedfirmware.org/integration_guide/services/tfm_crypto_integration_guide.html) + from the + [TrustedFirmware-M (TF-M)](../guides/openiotsdk_platform_overview.md#trusted-firmware-m) + component + +The CMake variable `CONFIG_CHIP_CRYPTO` controls how cryptographic operations +are implemented in Matter. It accepts two values: + +- `mbedtls`: use Mbed TLS for crypto operations. +- `psa`: use + [PSA Cryptography API](https://armmbed.github.io/mbed-crypto/html/) for + crypto operations. + +This variable can be set in the main application `CMakeLists.txt`: + +``` +set(CONFIG_CHIP_CRYPTO ) +``` + +The variable can also be defined with CMake CLI: + +``` +cmake -G <...> -DCONFIG_CHIP_CRYPTO= <...> +``` + +> 💡 **Notes**: +> +> The `TF-M PSA crypto` option requires enabling [TF-M](#trusted-firmware-m) +> support. + ## Building You can build examples using the dedicated VSCode task or by calling directly @@ -386,6 +422,7 @@ the build script from the command line. - Select `Build Open IoT SDK example` - Decide on debug mode support - Decide on LwIP debug logs support +- Choose crypto algorithm - Choose example name This will call the script with the selected parameters. @@ -568,12 +605,12 @@ telnet> close ## Specific examples -### Build lock-app example and run it in the network namespace +### Build lock-app example with PSA crypto backend support and run it in the network namespace **Using CLI** ``` -${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app +${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b psa lock-app export TEST_NETWORK_NAME=OIStest @@ -593,6 +630,7 @@ Build example: - Select `Build Open IoT SDK example` - Deny debug mode support `false` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `psa` - Choose example name `lock-app` Setup network environment: @@ -614,12 +652,12 @@ Run example: The example output should be seen in the terminal window. -### Build lock-app example and execute its test in the network namespace +### Build lock-app example with mbedtls crypto backend support and execute its test in the network namespace **Using CLI** ``` -${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app +${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b mbedtls lock-app export TEST_NETWORK_NAME=OIStest @@ -639,6 +677,7 @@ Build example: - Select `Build Open IoT SDK example` - Deny debug mode support `false` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `mbedtls` - Choose example name `lock-app` Setup network environment: @@ -658,7 +697,7 @@ Test example: - Enter network interface `OIStesttap` - Choose example name `lock-app` -### Build lock-app example in debug mode and debug it in the network namespace using the VSCode task +### Build lock-app example with mbedtls crypto backend support in debug mode and debug it in the network namespace using the VSCode task Build example: @@ -667,6 +706,7 @@ Build example: - Select `Build Open IoT SDK example` - Confirm debug mode support `true` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `mbedtls` - Choose example name `lock-app` Setup network environment: @@ -757,7 +797,7 @@ Example: id: build_new_example timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh new-example + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} new-example .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release new-example \ examples/new-example/openiotsdk/build/chip-openiotsdk-new-example-example.elf \ diff --git a/examples/platform/openiotsdk/app/openiotsdk_platform.cpp b/examples/platform/openiotsdk/app/openiotsdk_platform.cpp index 28b6da91f5c176..dff6a15e21cb93 100644 --- a/examples/platform/openiotsdk/app/openiotsdk_platform.cpp +++ b/examples/platform/openiotsdk/app/openiotsdk_platform.cpp @@ -27,6 +27,10 @@ #include "iotsdk/ip_network_api.h" #include "mbedtls/platform.h" +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include "psa/crypto.h" +#endif + #include #include #include @@ -179,6 +183,15 @@ int openiotsdk_platform_init(void) return EXIT_FAILURE; } +#ifdef CONFIG_CHIP_CRYPTO_PSA + ret = psa_crypto_init(); + if (ret) + { + ChipLogError(NotSpecified, "PSA crypto initialization failed: %d", ret); + return EXIT_FAILURE; + } +#endif + #ifdef TFM_SUPPORT ret = get_psa_images_details(); if (ret != 0) diff --git a/scripts/build/BUILD.gn b/scripts/build/BUILD.gn index 11ea4e9b721e84..0e716ae7e9b390 100644 --- a/scripts/build/BUILD.gn +++ b/scripts/build/BUILD.gn @@ -31,8 +31,8 @@ pw_python_package("build_examples") { "testdata/dry_run_linux-arm64-ota-requestor-nodeps-ipv6only.txt", "testdata/dry_run_linux-x64-all-clusters-coverage.txt", "testdata/dry_run_nrf-nrf52840dk-pump.txt", - "testdata/dry_run_openiotsdk-lock.txt", - "testdata/dry_run_openiotsdk-shell.txt", + "testdata/dry_run_openiotsdk-lock-mbedtls.txt", + "testdata/dry_run_openiotsdk-shell-mbedtls.txt", ] sources = [ diff --git a/scripts/build/build/targets.py b/scripts/build/build/targets.py index 279191e45d1bf9..43eed69236dcdf 100755 --- a/scripts/build/build/targets.py +++ b/scripts/build/build/targets.py @@ -28,7 +28,7 @@ from builders.mbed import MbedApp, MbedBoard, MbedBuilder, MbedProfile from builders.mw320 import MW320App, MW320Builder from builders.nrf import NrfApp, NrfBoard, NrfConnectBuilder -from builders.openiotsdk import OpenIotSdkApp, OpenIotSdkBuilder +from builders.openiotsdk import OpenIotSdkApp, OpenIotSdkBuilder, OpenIotSdkCryptoBackend from builders.qpg import QpgApp, QpgBoard, QpgBuilder from builders.telink import TelinkApp, TelinkBoard, TelinkBuilder from builders.ti import TIApp, TIBoard, TIBuilder @@ -679,6 +679,10 @@ def BuildOpenIotSdkTargets(): TargetPart('lock', app=OpenIotSdkApp.LOCK), ]) + # Modifiers + target.AppendModifier('mbedtls', crypto=OpenIotSdkCryptoBackend.MBEDTLS).ExceptIfRe('-(psa)') + target.AppendModifier('psa', crypto=OpenIotSdkCryptoBackend.PSA).ExceptIfRe('-(mbedtls)') + return target diff --git a/scripts/build/builders/openiotsdk.py b/scripts/build/builders/openiotsdk.py index 7f3cd682d86ba3..89aad6a59e9a16 100644 --- a/scripts/build/builders/openiotsdk.py +++ b/scripts/build/builders/openiotsdk.py @@ -42,13 +42,29 @@ def AppNamePrefix(self): raise Exception('Unknown app type: %r' % self) +class OpenIotSdkCryptoBackend(Enum): + PSA = auto() + MBEDTLS = auto() + + @property + def CryptoBackendName(self): + if self == OpenIotSdkCryptoBackend.PSA: + return 'psa' + elif self == OpenIotSdkCryptoBackend.MBEDTLS: + return 'mbedtls' + else: + raise Exception('Unknown crypto backend type: %r' % self) + + class OpenIotSdkBuilder(Builder): def __init__(self, root, runner, - app: OpenIotSdkApp = OpenIotSdkApp.SHELL): + app: OpenIotSdkApp = OpenIotSdkApp.SHELL, + crypto: OpenIotSdkCryptoBackend = OpenIotSdkCryptoBackend.MBEDTLS): super(OpenIotSdkBuilder, self).__init__(root, runner) self.app = app + self.crypto = crypto self.toolchain_path = os.path.join( 'toolchains', 'toolchain-arm-none-eabi-gcc.cmake') self.system_processor = 'cortex-m55' @@ -65,6 +81,8 @@ def generate(self): '-DCMAKE_SYSTEM_PROCESSOR={}'.format( self.system_processor), '-DCMAKE_BUILD_TYPE=Release', + '-DCONFIG_CHIP_CRYPTO={}'.format( + self.crypto.CryptoBackendName), ], title='Generating ' + self.identifier) def _build(self): diff --git a/scripts/build/test.py b/scripts/build/test.py index 70fca73f082f7b..c89a4d98109357 100644 --- a/scripts/build/test.py +++ b/scripts/build/test.py @@ -109,8 +109,8 @@ def test_general_dry_runs(self): 'android-arm64-chip-tool', 'nrf-nrf52840dk-pump', 'efr32-brd4161a-light-rpc-no-version', - 'openiotsdk-lock', - 'openiotsdk-shell' + 'openiotsdk-lock-mbedtls', + 'openiotsdk-shell-mbedtls' ] for target in TARGETS: diff --git a/scripts/build/testdata/all_targets_linux_x64.txt b/scripts/build/testdata/all_targets_linux_x64.txt index 1b8c95d4c51c7d..5ef536ac1bbfdf 100644 --- a/scripts/build/testdata/all_targets_linux_x64.txt +++ b/scripts/build/testdata/all_targets_linux_x64.txt @@ -22,4 +22,4 @@ nrf-native-posix-64-tests qpg-qpg6105-{lock,light,shell,persistent-storage} tizen-arm-{all-clusters,all-clusters-minimal,chip-tool,light,tests}[-no-ble][-no-thread][-no-wifi][-asan][-ubsan] telink-tlsr9518adk80d-{all-clusters,all-clusters-minimal,bridge,contact-sensor,light,light-switch,lock,ota-requestor,pump,pump-controller,temperature-measurement,thermostat,window-covering}[-shell][-rpc][-factory-data] -openiotsdk-{shell,lock} +openiotsdk-{shell,lock}[-mbedtls][-psa] diff --git a/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt b/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt new file mode 100644 index 00000000000000..77816cf664190c --- /dev/null +++ b/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt @@ -0,0 +1,8 @@ +# Commands will be run in CHIP project root. +cd "{root}" + +# Generating openiotsdk-lock-mbedtls +cmake -GNinja -S {root}/examples/lock-app/openiotsdk -B {out}/openiotsdk-lock-mbedtls --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release -DCONFIG_CHIP_CRYPTO=mbedtls + +# Building openiotsdk-lock-mbedtls +cmake --build {out}/openiotsdk-lock-mbedtls diff --git a/scripts/build/testdata/dry_run_openiotsdk-lock.txt b/scripts/build/testdata/dry_run_openiotsdk-lock.txt deleted file mode 100644 index a0c36ee27f53ad..00000000000000 --- a/scripts/build/testdata/dry_run_openiotsdk-lock.txt +++ /dev/null @@ -1,8 +0,0 @@ -# Commands will be run in CHIP project root. -cd "{root}" - -# Generating openiotsdk-lock -cmake -GNinja -S {root}/examples/lock-app/openiotsdk -B {out}/openiotsdk-lock --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release - -# Building openiotsdk-lock -cmake --build {out}/openiotsdk-lock diff --git a/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt b/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt new file mode 100644 index 00000000000000..70438c5fe091bd --- /dev/null +++ b/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt @@ -0,0 +1,8 @@ +# Commands will be run in CHIP project root. +cd "{root}" + +# Generating openiotsdk-shell-mbedtls +cmake -GNinja -S {root}/examples/shell/openiotsdk -B {out}/openiotsdk-shell-mbedtls --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release -DCONFIG_CHIP_CRYPTO=mbedtls + +# Building openiotsdk-shell-mbedtls +cmake --build {out}/openiotsdk-shell-mbedtls diff --git a/scripts/build/testdata/dry_run_openiotsdk-shell.txt b/scripts/build/testdata/dry_run_openiotsdk-shell.txt deleted file mode 100644 index 6c7c63befb4e7a..00000000000000 --- a/scripts/build/testdata/dry_run_openiotsdk-shell.txt +++ /dev/null @@ -1,8 +0,0 @@ -# Commands will be run in CHIP project root. -cd "{root}" - -# Generating openiotsdk-shell -cmake -GNinja -S {root}/examples/shell/openiotsdk -B {out}/openiotsdk-shell --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release - -# Building openiotsdk-shell -cmake --build {out}/openiotsdk-shell diff --git a/scripts/examples/openiotsdk_example.sh b/scripts/examples/openiotsdk_example.sh index 6b19a8be7f04e7..1f3dcd1d8d11f1 100755 --- a/scripts/examples/openiotsdk_example.sh +++ b/scripts/examples/openiotsdk_example.sh @@ -43,6 +43,7 @@ IS_UNIT_TEST=0 FVP_NETWORK="user" KVS_STORAGE_TYPE="tdb" KVS_STORAGE_FILE="" +CRYPTO_BACKEND="mbedtls" declare -A tdb_storage_param=([instance]=sram [memspace]=0 [address]=0x0 [size]=0x100000) declare -A ps_storage_param=([instance]=qspi_sram [memspace]=0 [address]=0x660000 [size]=0x12000) @@ -66,6 +67,7 @@ Options: -d,--debug Build in debug mode -l,--lwipdebug Build with LwIP debug logs support -k,--kvsstore Select KVS storage type + -b,--backend -p,--path Build path -K,--kvsfile Path to KVS storage file which will be used to ensure persistence -n,--network FVP network interface name @@ -134,6 +136,8 @@ function build_with_cmake() { BUILD_OPTIONS+=(-DCONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS=YES) fi + BUILD_OPTIONS+=(-DCONFIG_CHIP_CRYPTO="$CRYPTO_BACKEND") + cmake -G Ninja -S "$EXAMPLE_PATH" -B "$BUILD_PATH" --toolchain="$TOOLCHAIN_PATH" "${BUILD_OPTIONS[@]}" cmake --build "$BUILD_PATH" } @@ -268,8 +272,8 @@ function run_test() { fi } -SHORT=C:,p:,d:,l:,n:,k:,K:,c,s,h -LONG=command:,path:,debug:,lwipdebug:,network:,kvsstore:,kvsfile:,clean,scratch,help +SHORT=C:,p:,d:,l:,b:,n:,k:,K:,c,s,h +LONG=command:,path:,debug:,lwipdebug:,backend:,network:,kvsstore:,kvsfile:,clean,scratch,help OPTS=$(getopt -n build --options "$SHORT" --longoptions "$LONG" -- "$@") eval set -- "$OPTS" @@ -308,6 +312,10 @@ while :; do KVS_STORAGE_FILE=$2 shift 2 ;; + -b | --backend) + CRYPTO_BACKEND=$2 + shift 2 + ;; -p | --path) BUILD_PATH=$CHIP_ROOT/$2 shift 2 @@ -380,6 +388,15 @@ case "$KVS_STORAGE_TYPE" in ;; esac +case "$CRYPTO_BACKEND" in + psa | mbedtls) ;; + *) + echo "Wrong crypto type definition" + show_usage + exit 2 + ;; +esac + TOOLCHAIN_PATH="toolchains/toolchain-$TOOLCHAIN.cmake" if [ -z "$BUILD_PATH" ]; then