Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update TF-M to v1.3.0 #14582

Merged
merged 7 commits into from
Apr 30, 2021
Merged

Update TF-M to v1.3.0 #14582

merged 7 commits into from
Apr 30, 2021

Conversation

LDong-Arm
Copy link
Contributor

@LDong-Arm LDong-Arm commented Apr 22, 2021
edited by Patater
Loading

Summary of changes

This PR updates TF-M to the new v1.3.0 release.

The following have been changed:

  • Rename ARM_MUSCA_B1's tfm_target_name from musca_b1 to musca_b1/sse_200. This is the new target name for ARM_MUSCA_B1 in TF-M's own build system, and mbed-os-tf-m-regression-tests relies on this entry in targets.json to map the target's Mbed name to TF-M name.
  • Update bootloader and TF-M secure binaries for ARM_MUSCA_B1 and ARM_MUSCA_S1. The following commands were used:
python3 build_tfm.py -m ARM_MUSCA_B1 -t ARMCLANG --commit
python3 build_tfm.py -m ARM_MUSCA_S1 -t ARMCLANG --commit

and the commits are auto-generated by the script.

  • Update PSA API files in platform/FEATURE_EXPERIMENTAL_API/FEATURE_PSA/TARGET_TFM/TARGET_TFM_LATEST. The commit is auto-generated by the aforementioned script.
  • Update VERSION.txt to indicate the TF-M version of the imported files. The commit is auto-generated by the aforementioned script.

Note: psa_set_key_enrollment_algorithm() is no longer supported.

Impact of changes

Standardized PSA APIs in TF-M v1.3.0 are backward compatible with previous versions. Some APIs have been updated, most notably the addition of the new Firmware Update (FWU) API.

Non-standard PSA extensions are not guaranteed to be backwards compatible. Notably, Mbed OS has aligned its PSA support with TF-M and no longer provides psa_set_key_enrollment_algorithm().

Migration actions required

Remove any use of psa_set_key_enrollment_algorithm() in your applications. If enrolling a device in elliptic curve PKI, for e.g. mutually authenticate TLS, is critical to your use case, please reach out to TrustedFirmware-M for support and possible alternative solutions.

Documentation

The Porting PSA targets documentation remains valid and requires no update.

The version number in the README of mbed-os-tf-m-regression-tests needs to be bumped to v1.3.

For TF-M and supported PSA APIs, see its official documentation

Pull request type 

[x] Patch update (Bug fix / Target update / Docs update / Test update / Refactor)
[] Feature update (New feature / Functionality change / New API)
[] Major update (Breaking change E.g. Return code change / API behaviour change)

Test results 

[] No Tests required for this change (E.g docs only update)
[x] Covered by existing mbed-os tests (Greentea or Unittest)
[] Tests / results supplied as part of this PR

Reviewers

@LDong-Arm
Rename tfm_target_name for ARM_MUSCA_B1
7245d5e 
The mbed-os-tf-m-regression-tests build scripts gets a mapping of
Mbed OS target names to TF-M target names from `targets.json`. TF-M
v1.3 has renamed musca_b1 to musca_b1/sse_200, this commit updates
that accordingly to ensure successful build of TF-M and tests for
ARM_MUSCA_B1.
@mergify mergify bot added the do not merge label Apr 22, 2021
@ciarmcom ciarmcom added the release-type: patch Indentifies a PR as containing just a patch label Apr 22, 2021
@ciarmcom ciarmcom requested a review from a team April 22, 2021 17:30
@ciarmcom
Copy link
Member

@LDong-Arm, thank you for your changes.
@ARMmbed/mbed-os-maintainers please review.

@LDong-Arm LDong-Arm changed the title WIP: Update TF-M to v1.3 Update TF-M to v1.3 Apr 23, 2021
@LDong-Arm LDong-Arm mentioned this pull request Apr 23, 2021
Merged
LDong-Arm added a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 23, 2021
@LDong-Arm
TEMPORARY: use ARMmbed/mbed-os#14582
a220e31
LDong-Arm added a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 23, 2021
@LDong-Arm
TEMPORARY: use ARMmbed/mbed-os#14582
cf52cff
@LDong-Arm LDong-Arm changed the title Update TF-M to v1.3 Update TF-M to v1.3.0 Apr 23, 2021
LDong-Arm added a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 23, 2021
@LDong-Arm
TEMPORARY: use ARMmbed/mbed-os#14582
95090da
LDong-Arm added a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 23, 2021
@LDong-Arm
TEMPORARY: use ARMmbed/mbed-os#14582
59daeeb
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 28, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
06e2bde
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 28, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
c79282e
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 28, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
4799167
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 28, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
4267835
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 28, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
edca942
Patater pushed a commit to LDong-Arm/mbed-os-tf-m-regression-tests that referenced this pull request Apr 29, 2021
@LDong-Arm @Patater
TEMPORARY: use ARMmbed/mbed-os#14582
a7a5a4a
@Patater
Copy link
Contributor

Patater commented Apr 29, 2021

Removed unnecessary quotes from commit messages.

@mergify mergify bot removed the needs: review label Apr 29, 2021
@Patater
Copy link
Contributor

Patater commented Apr 29, 2021

CI started

@mergify mergify bot added needs: work and removed needs: CI labels Apr 29, 2021
@mbed-ci
Copy link

mbed-ci commented Apr 29, 2021

Jenkins CI Test : ❌ FAILED

Build Number: 1 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM

@Patater
Copy link
Contributor

Patater commented Apr 29, 2021

Looks like some issues with mbedtls_ecc_group_to_psa() on ARMCLANG. Will investigate.

  * ARM_MUSCA_B1::ARMC6::HAL-TESTS-TESTS-MBED_HAL-US_TICKER
        Building project us_ticker (ARM_MUSCA_B1, ARMC6)
        Scan: ARM
        Scan: us_ticker
        Configuration error: Bootloader not supported on this target. ROM start not found in targets.json.
        Configuration error: Bootloader not supported on this target. RAM start not found in targets.json.
        Compile [100.0%]: main.cpp
        [Warning] mbed_power_mgmt.h@241,1: function declared 'noreturn' should not return [-Winvalid-noreturn]
        Link: us_ticker
        [Warning] @0,0: L3912W: Option 'legacyalign' is deprecated.
        [Error] @0,0: L6218E: Undefined symbol mbedtls_ecc_group_to_psa (referred from BUILD/tests/ARM_MUSCA_B1/ARM/connectivity/mbedtls/source/pk.o).
        Warning: L3912W: Option 'legacyalign' is deprecated.
        Error: L6218E: Undefined symbol mbedtls_ecc_group_to_psa (referred from BUILD/tests/ARM_MUSCA_B1/ARM/connectivity/mbedtls/source/pk.o).
        Finished: 0 information, 1 warning and 1 error messages.

@Patater
mbedtls: Add mbedtls_ecc_group_to_psa()
07d8aef 
We'd like to enable Mbed TLS's PK module in using TF-M's PSA
implementation, even if it doesn't expose the same set of PSA extensions
as Mbed TLS's PSA implementation. To do this, we add
mbedtls_ecc_group_to_psa() in its own header available when using the
latest TF-M.

Add mbedtls_ecc_group_to_psa(), one of Mbed TLS's PSA compatibility
helpers, for internal use by the Mbed TLS PK module. Without this
conversion function, the Mbed TLS PK module is unable to use any PSA
implementation other than one which provides a compatible set of PSA
extensions.
@mergify mergify bot dismissed Patater’s stale review April 30, 2021 08:09

Pull request has been modified.

@Patater
Copy link
Contributor

Patater commented Apr 30, 2021

Added mbedtls_ecc_group_to_psa() to TF-M's PSA implementation so that Mbed TLS's PK module could use TF-M's PSA implementation. Untested yet, given this issue only appeared on ARMCLANG so far.

@Patater
Copy link
Contributor

Patater commented Apr 30, 2021

CI started

@mbed-ci
Copy link

mbed-ci commented Apr 30, 2021

Jenkins CI Test : ❌ FAILED

Build Number: 2 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration

@Patater
tfm: Add mbedtls_ecc_group_to_psa.h to crypto_extra.h
032fe4a 
Include mbedtls_ecc_group_to_psa.h from crypto_extra.h so that clients
of PSA within Mbed OS do not need to behave differently depending on
which PSA implementation they are using.

This solution is not ideal as it makes it more difficult to update the
TF-M-provided psa/crypto_extra.h. We'll have to see what other options
we have for including additional headers based on the Mbed OS
configuration.
@Patater
Copy link
Contributor

Patater commented Apr 30, 2021

CI used the new Musca B1 name with the old TF-M included from master of mbed-os-tf-m-regression-tests. CI started without B1 testing, so we can coordinate updating both mbed-os and mbed-os-tf-m-regression-tests together.

@mbed-ci
Copy link

mbed-ci commented Apr 30, 2021

Jenkins CI Test : ✔️ SUCCESS

Build Number: 3 | 🔒 Jenkins CI Job | 🌐 Logs & Artifacts

CLICK for Detailed Summary

jobs Status
jenkins-ci/mbed-os-ci_unittests ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-cloud-example-ARM ✔️
jenkins-ci/mbed-os-ci_build-cloud-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-ARM ✔️
jenkins-ci/mbed-os-ci_build-greentea-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-ARM ✔️
jenkins-ci/mbed-os-ci_cmake-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-GCC_ARM ✔️
jenkins-ci/mbed-os-ci_build-example-ARM ✔️
jenkins-ci/mbed-os-ci_greentea-test ✔️
jenkins-ci/mbed-os-ci_tfm-integration ✔️

@0xc0170 0xc0170 merged commit 9f35f29 into ARMmbed:master Apr 30, 2021
@mergify mergify bot removed the ready for merge label Apr 30, 2021
@ccli8 ccli8 mentioned this pull request May 3, 2021
Merged
@mbedmain mbedmain removed release-type: patch Indentifies a PR as containing just a patch Release-pending labels May 24, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Patater Patater Patater approved these changes

@0xc0170 0xc0170 0xc0170 approved these changes

Assignees
No one assigned
Labels
component: core component: security devices: arm release-version: 6.11.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@LDong-Arm @ciarmcom @Patater @mbed-ci @0xc0170 @mbedmain