From ff6306655b3e3cc1f1b5cd7bed102e5dd6cc10b1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 31 Jul 2025 21:53:41 +0200 Subject: [PATCH 1/5] Update submodules with config_checks_generator.py * Update framework with `config_checks_generator.py`. * Update crypto with the files generated by `generate_config_checks.py`. Signed-off-by: Gilles Peskine --- framework | 2 +- tf-psa-crypto | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/framework b/framework index 820a16cca7..92f5d45b22 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 820a16cca705c6842a5a79332c6d40644008c814 +Subproject commit 92f5d45b2293363952bdbe28a7b2fcfe4a0d163a diff --git a/tf-psa-crypto b/tf-psa-crypto index 4cc5bb4295..9a43f3fe86 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 4cc5bb429554ba14e36163ff3a82bf53766f7e24 +Subproject commit 9a43f3fe868ef6da5a312a3da076b9595e02a75e From 3374f6e90bec9d060f038208e04f2ffabe215993 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 31 Jul 2025 21:09:39 +0200 Subject: [PATCH 2/5] Generate checks for bad options in the config file Just a proof-of-concept for now. Interesting checks will come later. Signed-off-by: Gilles Peskine --- scripts/generate_config_checks.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100755 scripts/generate_config_checks.py diff --git a/scripts/generate_config_checks.py b/scripts/generate_config_checks.py new file mode 100755 index 0000000000..b0dc26b191 --- /dev/null +++ b/scripts/generate_config_checks.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python3 + +"""Generate C preprocessor code to check for bad configurations. +""" + +import framework_scripts_path # pylint: disable=unused-import +from mbedtls_framework.config_checks_generator import * \ + #pylint: disable=wildcard-import,unused-wildcard-import + +MBEDTLS_CHECKS = BranchData( + header_directory='library', + header_prefix='mbedtls_', + project_cpp_prefix='MBEDTLS', + checkers=[ + Removed('MBEDTLS_KEY_EXCHANGE_RSA_ENABLED', 'Mbed TLS 4.0'), + Removed('MBEDTLS_PADLOCK_C', 'Mbed TLS 4.0'), + ], +) + +if __name__ == '__main__': + main(MBEDTLS_CHECKS) From b53b443f8ec1a391039109fddc8d3e0d34f07a0b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 31 Jul 2025 21:50:35 +0200 Subject: [PATCH 3/5] Register generate_config_files.py outputs as generated files Signed-off-by: Gilles Peskine --- library/.gitignore | 3 +++ library/CMakeLists.txt | 34 ++++++++++++++++++++++++++++++++++ library/Makefile | 13 +++++++++++++ 3 files changed, 50 insertions(+) diff --git a/library/.gitignore b/library/.gitignore index 9794129d94..92a33de2bc 100644 --- a/library/.gitignore +++ b/library/.gitignore @@ -4,6 +4,9 @@ libmbed* ###START_GENERATED_FILES### /error.c +/mbedtls_config_check_before.h +/mbedtls_config_check_final.h +/mbedtls_config_check_user.h /version_features.c /ssl_debug_helpers_generated.c ###END_GENERATED_FILES### diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 5b8dc80b53..b31d2ea70e 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -73,6 +73,39 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/version_features.fmt ) + execute_process( + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + --list "" + WORKING_DIRECTORY + ${CMAKE_CURRENT_SOURCE_DIR}/.. + OUTPUT_VARIABLE + MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS) + # Turn newline-terminated non-empty list into semicolon-separated list. + string(REPLACE "\n" ";" + MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") + string(REGEX REPLACE ";\$" "" + MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") + # Prepend the binary dir to all element of MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS, + # using features that exist in CMake 3.5.1. + string(REPLACE ";" ";${CMAKE_CURRENT_BINARY_DIR}/" + MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS + "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") + set(MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS + "${CMAKE_CURRENT_BINARY_DIR}/${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") + + add_custom_command( + OUTPUT ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS} + COMMAND + ${MBEDTLS_PYTHON_EXECUTABLE} + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + ${CMAKE_CURRENT_BINARY_DIR} + DEPENDS + ${MBEDTLS_DIR}/scripts/generate_config_checks.py + ${MBEDTLS_FRAMEWORK_DIR}/scripts/mbedtls_framework/config_checks_generator.py + ) + add_custom_command( OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c @@ -89,6 +122,7 @@ if(GEN_FILES) add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/error.c + ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS} ) add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target diff --git a/library/Makefile b/library/Makefile index f8729344b4..f3667ba307 100644 --- a/library/Makefile +++ b/library/Makefile @@ -5,7 +5,12 @@ endif TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src +# List the generated files without running a script, so that this +# works with no tooling dependencies when GEN_FILES is disabled. GENERATED_FILES := \ + mbedtls_config_check_before.h \ + mbedtls_config_check_final.h \ + mbedtls_config_check_user.h \ error.c \ version_features.c \ ssl_debug_helpers_generated.c \ @@ -326,6 +331,14 @@ $(GENERATED_WRAPPER_FILES): $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h +GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) ../scripts/generate_config_checks.py --list .) +$(GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + ../framework/scripts/mbedtls_framework/config_checks_generator.py +$(GENERATED_CONFIG_CHECK_FILES): + echo " Gen $(GENERATED_CONFIG_CHECK_FILES)" + $(PYTHON) ../scripts/generate_config_checks.py + clean: ifndef WINDOWS rm -f *.o *.s libmbed* From 67b115cfda5fe3e2e221c58d86ed40623f6634f9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 31 Jul 2025 21:50:45 +0200 Subject: [PATCH 4/5] Register crypto's generate_config_files.py outputs as generated files Mbed TLS needs to know the generated files of TF-PSA-Crypto. There's no mechanism for TF-PSA-Crypto to declare them. Signed-off-by: Gilles Peskine --- library/Makefile | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/library/Makefile b/library/Makefile index f3667ba307..21f85b67d9 100644 --- a/library/Makefile +++ b/library/Makefile @@ -13,9 +13,16 @@ GENERATED_FILES := \ mbedtls_config_check_user.h \ error.c \ version_features.c \ - ssl_debug_helpers_generated.c \ + ssl_debug_helpers_generated.c + +# Also list the generated files from crypto that are needed in the build, +# because we don't have the list in a consumable form. +GENERATED_FILES += \ $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \ - $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c + $(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_before.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_final.h \ + $(TF_PSA_CRYPTO_CORE_PATH)/tf_psa_crypto_config_check_user.h ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES))) ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make)) @@ -339,6 +346,16 @@ $(GENERATED_CONFIG_CHECK_FILES): echo " Gen $(GENERATED_CONFIG_CHECK_FILES)" $(PYTHON) ../scripts/generate_config_checks.py +TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES = $(shell $(PYTHON) \ + $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py \ + --list $(TF_PSA_CRYPTO_CORE_PATH)) +$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): $(gen_file_dep) \ + ../scripts/generate_config_checks.py \ + ../framework/scripts/mbedtls_framework/config_checks_generator.py +$(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES): + echo " Gen $(TF_PSA_CRYPTO_GENERATED_CONFIG_CHECK_FILES)" + $(PYTHON) $(TF_PSA_CRYPTO_CORE_PATH)/../scripts/generate_config_checks.py + clean: ifndef WINDOWS rm -f *.o *.s libmbed* From 6712f1b6af19da1b0c39f59aed772c50cfb80b50 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 15 Sep 2025 20:09:37 +0200 Subject: [PATCH 5/5] Use --list-for-cmake with generate_config_checks.py Signed-off-by: Gilles Peskine --- library/CMakeLists.txt | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index b31d2ea70e..063703bfe8 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -77,23 +77,11 @@ if(GEN_FILES) COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${MBEDTLS_DIR}/scripts/generate_config_checks.py - --list "" + --list-for-cmake "${CMAKE_CURRENT_BINARY_DIR}" WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/.. OUTPUT_VARIABLE MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS) - # Turn newline-terminated non-empty list into semicolon-separated list. - string(REPLACE "\n" ";" - MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") - string(REGEX REPLACE ";\$" "" - MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") - # Prepend the binary dir to all element of MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS, - # using features that exist in CMake 3.5.1. - string(REPLACE ";" ";${CMAKE_CURRENT_BINARY_DIR}/" - MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS - "${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") - set(MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS - "${CMAKE_CURRENT_BINARY_DIR}/${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}") add_custom_command( OUTPUT ${MBEDTLS_GENERATED_CONFIG_CHECKS_HEADERS}