Merge pull request #10340 from gilles-peskine-arm/config-checks-generator-mbedtls

Introduce generated config checks in mbedtls

library/.gitignore

@@ -4,6 +4,9 @@ libmbed*
 
 ###START_GENERATED_FILES###
 /error.c
+/mbedtls_config_check_before.h
+/mbedtls_config_check_final.h
+/mbedtls_config_check_user.h
 /version_features.c
 /ssl_debug_helpers_generated.c
 ###END_GENERATED_FILES###

library/CMakeLists.txt

@@ -73,6 +73,27 @@ if(GEN_FILES)
             ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt
     )
 
+    execute_process(
+        COMMAND
+            ${MBEDTLS_PYTHON_EXECUTABLE}
+            ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+            --list-for-cmake "${CMAKE_CURRENT_BINARY_DIR}"
+        WORKING_DIRECTORY
+            ${CMAKE_CURRENT_SOURCE_DIR}/..
+        OUTPUT_VARIABLE
+            MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS)
+
+    add_custom_command(
+        OUTPUT ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}
+        COMMAND
+            ${MBEDTLS_PYTHON_EXECUTABLE}
+                ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+                ${CMAKE_CURRENT_BINARY_DIR}
+        DEPENDS
+            ${MBEDTLS_DIR}/scripts/generate_config_checks.py
+            ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/config_checks_generator.py
+    )
+
     add_custom_command(
         OUTPUT
             ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c
@@ -89,6 +110,7 @@ if(GEN_FILES)
     add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target
         DEPENDS
             ${CMAKE_CURRENT_BINARY_DIR}/error.c
+            ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}
     )
 
     add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target

library/Makefile

@@ -5,12 +5,24 @@ endif
 TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core
 TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
 
+# List the generated files without running a script, so that this
+# works with no tooling dependencies when GEN_FILES is disabled.
 GENERATED_FILES := \
+	mbedtls_config_check_before.h \
+	mbedtls_config_check_final.h \
+	mbedtls_config_check_user.h \
 	error.c \
 	version_features.c \
-	ssl_debug_helpers_generated.c \
+	ssl_debug_helpers_generated.c
+
+# Also list the generated files from crypto that are needed in the build,
+# because we don't have the list in a consumable form.
+GENERATED_FILES += \
 	$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
-	$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
+	$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \
+	$(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \
+	$(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \
+	$(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h
 
 ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
     ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
@@ -326,6 +338,24 @@ $(GENERATED_WRAPPER_FILES):
 
 $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
 
+GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .)
+$(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \
+	$(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \
+	../framework/scripts/mbedtls_framework/config_checks_generator.py
+$(GENERATED_CONFIG_CHECK_FILES):
+	echo "  Gen   $(GENERATED_CONFIG_CHECK_FILES)"
+	$(PYTHON) ../scripts/generate_config_checks.py
+
+TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \
+	$(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \
+	--list $(TF_PSA_CRYPTO_CORE_PATH))
+$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \
+	../scripts/generate_config_checks.py \
+	../framework/scripts/mbedtls_framework/config_checks_generator.py
+$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES):
+	echo "  Gen   $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)"
+	$(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py
+
 clean:
 ifndef WINDOWS
 	rm -f *.o *.s libmbed*

scripts/generate_config_checks.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+
+"""Generate C preprocessor code to check for bad configurations.
+"""
+
+import framework_scripts_path # pylint: disable=unused-import
+from mbedtls_framework.config_checks_generator import * \
+    #pylint: disable=wildcard-import,unused-wildcard-import
+
+MBEDTLS_CHECKS = BranchData(
+    header_directory='library',
+    header_prefix='mbedtls_',
+    project_cpp_prefix='MBEDTLS',
+    checkers=[
+        Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'),
+        Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'),
+    ],
+)
+
+if __name__ == '__main__':
+    main(MBEDTLS_CHECKS)