From 01fa8035a0c99d3ccf35be9730e126873be76f13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20H=C3=A1zi?= Date: Mon, 22 Apr 2024 13:22:46 +0200 Subject: [PATCH 1/2] build: Bump TF-M version to v2.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dávid Házi --- applications/blinky/CMakeLists.txt | 2 ++ applications/blinky/tests/pass_output.log | 2 +- .../CMakeLists.txt | 2 ++ applications/keyword_detection/CMakeLists.txt | 2 ++ .../keyword_detection/tests/pass_output.log | 2 +- applications/object_detection/CMakeLists.txt | 2 ++ .../object_detection/tests/pass_output.log | 2 +- .../speech_recognition/CMakeLists.txt | 2 ++ .../speech_recognition/tests/pass_output.log | 2 +- .../coremqtt_agent/integration/CMakeLists.txt | 1 + .../integration/CMakeLists.txt | 25 +++++++++++++++++++ .../security/trusted_firmware-m/library | 2 +- docs/applications/keyword_detection.md | 6 ++--- docs/applications/object_detection.md | 4 +-- docs/applications/speech_recognition.md | 6 ++--- manifest.yml | 2 +- release_changes/202404221321.change | 1 + 17 files changed, 51 insertions(+), 14 deletions(-) create mode 100644 release_changes/202404221321.change diff --git a/applications/blinky/CMakeLists.txt b/applications/blinky/CMakeLists.txt index 394bd0f1..cae66d90 100644 --- a/applications/blinky/CMakeLists.txt +++ b/applications/blinky/CMakeLists.txt @@ -4,6 +4,8 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky" CACHE STRING "Path to the application folder") + # Trusted Firmware-M setup set(TFM_CMAKE_APP_ARGS -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/blinky/configs/tfm_config/project_config.h diff --git a/applications/blinky/tests/pass_output.log b/applications/blinky/tests/pass_output.log index 0e393dfa..c03de573 100644 --- a/applications/blinky/tests/pass_output.log +++ b/applications/blinky/tests/pass_output.log @@ -1,6 +1,6 @@ Waiting for provisioning bundle Running provisioning bundle -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 psa_framework_version is: 257 LED on LED off diff --git a/applications/freertos_iot_libraries_tests/CMakeLists.txt b/applications/freertos_iot_libraries_tests/CMakeLists.txt index 739b024a..5f512f43 100644 --- a/applications/freertos_iot_libraries_tests/CMakeLists.txt +++ b/applications/freertos_iot_libraries_tests/CMakeLists.txt @@ -20,6 +20,8 @@ cmake_minimum_required(VERSION 3.21.0 FATAL_ERROR) set(MCUBOOT_IMAGE_VERSION_NS "0.0.1+10") set(MCUBOOT_IMAGE_VERSION_NS_UPDATE "0.0.1+20") +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests" CACHE STRING "Path to the application folder") + # Trusted Firmware-M setup set(TFM_CMAKE_APP_ARGS -DPROJECT_CONFIG_HEADER_FILE=${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/freertos_iot_libraries_tests/configs/tfm_config/project_config.h diff --git a/applications/keyword_detection/CMakeLists.txt b/applications/keyword_detection/CMakeLists.txt index b9b7c8e3..2426d440 100644 --- a/applications/keyword_detection/CMakeLists.txt +++ b/applications/keyword_detection/CMakeLists.txt @@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)") +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/keyword_detection" CACHE STRING "Path to the application folder") + # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h # struct version # { diff --git a/applications/keyword_detection/tests/pass_output.log b/applications/keyword_detection/tests/pass_output.log index 82c03a8f..3230c094 100644 --- a/applications/keyword_detection/tests/pass_output.log +++ b/applications/keyword_detection/tests/pass_output.log @@ -2,7 +2,7 @@ Waiting for provisioning bundle Running provisioning bundle Application version from appFirmwareVersion 0.0.10 Starting bootloader -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 PSA Framework version is: 257 Application version from appFirmwareVersion 0.0.20 ML interface initialised diff --git a/applications/object_detection/CMakeLists.txt b/applications/object_detection/CMakeLists.txt index 730096db..ebd677f4 100644 --- a/applications/object_detection/CMakeLists.txt +++ b/applications/object_detection/CMakeLists.txt @@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)") +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/object_detection" CACHE STRING "Path to the application folder") + # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h # struct version # { diff --git a/applications/object_detection/tests/pass_output.log b/applications/object_detection/tests/pass_output.log index f36b4c12..2a39f0a9 100644 --- a/applications/object_detection/tests/pass_output.log +++ b/applications/object_detection/tests/pass_output.log @@ -2,7 +2,7 @@ Waiting for provisioning bundle Running provisioning bundle Application version from appFirmwareVersion 0.0.10 Starting bootloader -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 PSA Framework version is: 257 Application version from appFirmwareVersion 0.0.20 Complete recognition: Detected faces: 2 diff --git a/applications/speech_recognition/CMakeLists.txt b/applications/speech_recognition/CMakeLists.txt index f8ebf848..9a3dbd64 100644 --- a/applications/speech_recognition/CMakeLists.txt +++ b/applications/speech_recognition/CMakeLists.txt @@ -8,6 +8,8 @@ set(ML_INFERENCE_ENGINE "ETHOS" CACHE STRING "Machine Learning inference engine set(AUDIO_SOURCE "ROM" CACHE STRING "Source of audio data (ROM | VSI)") +set(APPLICATION_PATH "${IOT_REFERENCE_ARM_CORSTONE3XX_SOURCE_DIR}/applications/speech_recognition" CACHE STRING "Path to the application folder") + # From: ota-for-aws-iot-embedded-sdk/source/include/ota_appversion32.h # struct version # { diff --git a/applications/speech_recognition/tests/pass_output.log b/applications/speech_recognition/tests/pass_output.log index 5f70b568..bea8cc05 100644 --- a/applications/speech_recognition/tests/pass_output.log +++ b/applications/speech_recognition/tests/pass_output.log @@ -2,7 +2,7 @@ Waiting for provisioning bundle Running provisioning bundle Application version from appFirmwareVersion 0.0.10 Starting bootloader -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 PSA Framework version is: 257 Application version from appFirmwareVersion 0.0.20 Init speex diff --git a/components/aws_iot/coremqtt_agent/integration/CMakeLists.txt b/components/aws_iot/coremqtt_agent/integration/CMakeLists.txt index 1ac80c8a..c139a913 100644 --- a/components/aws_iot/coremqtt_agent/integration/CMakeLists.txt +++ b/components/aws_iot/coremqtt_agent/integration/CMakeLists.txt @@ -30,4 +30,5 @@ target_link_libraries(coremqtt-agent freertos_kernel helpers-events helpers-logging + tfm-ns-interface-mbedtls-config ) diff --git a/components/security/trusted_firmware-m/integration/CMakeLists.txt b/components/security/trusted_firmware-m/integration/CMakeLists.txt index 0f0e5114..56c88fe4 100644 --- a/components/security/trusted_firmware-m/integration/CMakeLists.txt +++ b/components/security/trusted_firmware-m/integration/CMakeLists.txt @@ -16,11 +16,13 @@ add_dependencies(tfm-ns-interface trusted_firmware-m-build) target_include_directories(tfm-ns-interface PUBLIC ${BINARY_DIR}/api_ns/interface/include + ${BINARY_DIR}/api_ns/platform/include ) target_link_libraries(tfm-ns-interface PRIVATE ${s_veneers_generated} + tfm-ns-interface-mbedtls-config ) target_compile_definitions(tfm-ns-interface @@ -31,3 +33,26 @@ target_compile_definitions(tfm-ns-interface $<$:PLATFORM_DEFAULT_CRYPTO_KEYS> MCUBOOT_IMAGE_NUMBER=2 ) + +add_library(tfm-ns-interface-mbedtls-config INTERFACE) + +if(APPLICATION_PATH MATCHES ".*blinky") + # TODO: These compile definitions shouldn't be defined explicitly for `blinky` application as + # they should have been defined by `psa_crypto_config` library which should be linked + # to `tfm-ns-interface-mbedtls-config` library. However, since we are not using TF-M split-build feature, + # the exported library `psa_crypto_config` is not used by the non-secure side and these definitions are missing. + target_compile_definitions(tfm-ns-interface-mbedtls-config + INTERFACE + MBEDTLS_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default_client.h" + MBEDTLS_PSA_CRYPTO_CONFIG_FILE="${trusted_firmware-m_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/crypto_config_default.h" + ) +else() + target_link_libraries(tfm-ns-interface-mbedtls-config + INTERFACE + app-config + ) + target_compile_definitions(tfm-ns-interface-mbedtls-config + INTERFACE + MBEDTLS_CONFIG_FILE="${APPLICATION_PATH}/configs/mbedtls_config/aws_mbedtls_config.h" + ) +endif() diff --git a/components/security/trusted_firmware-m/library b/components/security/trusted_firmware-m/library index 689dfc1e..0c4c99ba 160000 --- a/components/security/trusted_firmware-m/library +++ b/components/security/trusted_firmware-m/library @@ -1 +1 @@ -Subproject commit 689dfc1ea7e1e66f26159a24d489261ae2029103 +Subproject commit 0c4c99ba33b3e66deea070e149279278dc7647f4 diff --git a/docs/applications/keyword_detection.md b/docs/applications/keyword_detection.md index dfae3447..f85e0511 100644 --- a/docs/applications/keyword_detection.md +++ b/docs/applications/keyword_detection.md @@ -98,7 +98,7 @@ To run the Keyword-Detection example, run the following command: [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -240,7 +240,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -315,7 +315,7 @@ Creating an empty PS flash layout. [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 1 0 [None] Write certificate... diff --git a/docs/applications/object_detection.md b/docs/applications/object_detection.md index 96461e8a..8b3967f3 100644 --- a/docs/applications/object_detection.md +++ b/docs/applications/object_detection.md @@ -62,7 +62,7 @@ Check [Device Provisioning](./device_provisioning/device_provisioning.md) for de [INF] Image index: 0, Swap type: none [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 [Sec Thread] Secure image initializing! [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 @@ -373,7 +373,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Image index: 0, Swap type: none [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 [Sec Thread] Secure image initializing! Creating an empty ITS flash layout. Creating an empty PS flash layout. diff --git a/docs/applications/speech_recognition.md b/docs/applications/speech_recognition.md index 41420f6f..05decf21 100644 --- a/docs/applications/speech_recognition.md +++ b/docs/applications/speech_recognition.md @@ -76,7 +76,7 @@ To run the Speech-Recognition example, run the following command: [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -224,7 +224,7 @@ Follow the instructions described in the [Firmware update with AWS](./aws_iot/aw [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 Creating an empty ITS flash layout. Creating an empty PS flash layout. [INF][Crypto] Provisioning entropy seed... complete. @@ -295,7 +295,7 @@ Creating an empty PS flash layout. [INF] Bootloader chainload address offset: 0x0 [INF] Jumping to the first image slot [Sec Thread] Secure image initializing! -Booting TF-M v2.0.0 +Booting TF-M v2.1.0 [INF][Crypto] Provisioning entropy seed... complete. 0 0 [None] [INFO] PSA Framework version is: 257 1 0 [None] Write certificate... diff --git a/manifest.yml b/manifest.yml index 5a65ef60..497d4e98 100644 --- a/manifest.yml +++ b/manifest.yml @@ -19,7 +19,7 @@ dependencies: path: "bsp/library" - name: "trusted-firmware-m" license: "BSD-3-Clause" - version: "689dfc1ea7e1e66f26159a24d489261ae2029103" + version: "TF-Mv2.1.0" repository: type: "git" url: "https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git" diff --git a/release_changes/202404221321.change b/release_changes/202404221321.change new file mode 100644 index 00000000..39dc95f4 --- /dev/null +++ b/release_changes/202404221321.change @@ -0,0 +1 @@ +build: Bump TF-M version to v2.1.0 From db2099d4a3e52ddb91f3c92ee0ea2fb150529226 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A1vid=20H=C3=A1zi?= Date: Tue, 23 Apr 2024 13:15:57 +0200 Subject: [PATCH 2/2] mbedtls: Update mbedtls to v3.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The provisioning code which used by OTA has been changed, because from mbedtls 3.6.0 the psa_import_key() only accepts RSA keys in standard PSA format, mbedtls_pk_import_into_psa() is used instead. Signed-off-by: Dávid Házi --- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../provisioning/dev_mode_key_provisioning.c | 51 ++++++++++++++++--- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../mbedtls_config/aws_mbedtls_config.h | 2 +- .../mbedtls_config/aws_mbedtls_config.h | 2 +- components/security/mbedtls/library | 2 +- manifest.yml | 2 +- 7 files changed, 49 insertions(+), 14 deletions(-) diff --git a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/freertos_iot_libraries_tests/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c index 2592b2fd..d0851069 100644 --- a/applications/helpers/provisioning/dev_mode_key_provisioning.c +++ b/applications/helpers/provisioning/dev_mode_key_provisioning.c @@ -1376,8 +1376,10 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, size_t xPubKeyDerLength = DER_FORMAT_BUFFER_LENGTH; size_t xPubKeyPemLength = strlen( ( const char * ) pxProvisioningParamsBundle->codeSigningPublicKey ); int result = 0; - psa_status_t status = PSA_SUCCESS; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_pk_context xMbedPkContext = { 0 }; + + mbedtls_pk_init( &xMbedPkContext ); result = convert_pem_to_der( ( const unsigned char * ) pxProvisioningParamsBundle->codeSigningPublicKey, xPubKeyPemLength, @@ -1386,22 +1388,55 @@ int xOtaProvisionCodeSigningKey( psa_key_handle_t * pxKeyHandle, if( result != 0 ) { - return result; + goto exit; + } + + /* + * From mbedtls 3.6.0 release note: + * + * Default behavior changes + * psa_import_key() now only accepts RSA keys in the PSA standard formats. + * The undocumented ability to import other formats (PKCS#8, SubjectPublicKey, + * PEM) accepted by the pkparse module has been removed. Applications that + * need these formats can call mbedtls_pk_parse_{public,}key() followed by + * mbedtls_pk_import_into_psa(). + */ + + result = mbedtls_pk_parse_public_key( &xMbedPkContext, + ( const unsigned char * ) pucPubKeyDerFormatBuffer, + xPubKeyDerLength ); + + if( result != 0 ) + { + goto exit; + } + + result = mbedtls_pk_get_psa_attributes( &xMbedPkContext, + PSA_KEY_USAGE_VERIFY_HASH, + &attributes ); + + if( result != 0 ) + { + goto exit; } - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH ); psa_set_key_algorithm( &attributes, PSA_ALG_RSA_PSS_ANY_SALT( PSA_ALG_SHA_256 ) ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_RSA_PUBLIC_KEY ); psa_set_key_bits( &attributes, keyBits ); - status = psa_import_key( &attributes, ( const uint8_t * ) pucPubKeyDerFormatBuffer, - xPubKeyDerLength, pxKeyHandle ); - if( status != PSA_SUCCESS ) + result = mbedtls_pk_import_into_psa( &xMbedPkContext, + &attributes, + pxKeyHandle ); + + if( result != 0 ) { *pxKeyHandle = NULL; + goto exit; } - return status; +exit: + mbedtls_pk_free( &xMbedPkContext ); + + return result; } /*-----------------------------------------------------------*/ diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h index c221573f..0f7a5db6 100644 --- a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -1171,7 +1171,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/object_detection/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h index d5be8045..e0276407 100644 --- a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h +++ b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h @@ -1154,7 +1154,7 @@ void mbedtls_platform_free( void * ptr ); * \warning This interface is experimental and may change or be removed * without notice. */ -/* #define MBEDTLS_PSA_CRYPTO_CLIENT */ +#define MBEDTLS_PSA_CRYPTO_CLIENT /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * diff --git a/components/security/mbedtls/library b/components/security/mbedtls/library index daca7a39..2ca6c285 160000 --- a/components/security/mbedtls/library +++ b/components/security/mbedtls/library @@ -1 +1 @@ -Subproject commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9 +Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206 diff --git a/manifest.yml b/manifest.yml index 497d4e98..786c434e 100644 --- a/manifest.yml +++ b/manifest.yml @@ -26,7 +26,7 @@ dependencies: path: "components/security/trusted_firmware-m/library" - name: "mbedtls" license: "Apache-2.0" - version: "v3.5.2" + version: "v3.6.0" repository: type: "git" url: "https://github.com/Mbed-TLS/mbedtls.git"