Replace Mbed PSA with TF-M PSA #12955
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
e7f9c22
to
6a2b930
Compare
ciarmcom
requested review from
ashok-rao,
urutva,
jainvikas8,
maclobdell and
a team
|
@Patater, thank you for your changes. |
0xc0170
changed the title
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
6a2b930
to
fb0c244
Compare
|
Force pushed to update astyle. |
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
2 times, most recently
from
6e3b8a3
to
c0a8f2c
Compare
|
Rebased to fix Mbed TLS importer script. |
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
c0a8f2c
to
b1b74a8
Compare
|
This PR cannot be merged due to conflicts. Please rebase to resolve them. |
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
b1b74a8
to
75c03cf
Compare
|
Rebased to update the porting guide and to simplify PSA target addition. |
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
75c03cf
to
3432316
Compare
|
Rebased on latest master |
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
3432316
to
f6af90a
Compare
Partially revert f38e21f ("Update PSoC 6 BSPs to verion 1.2") to restore TF-M compatibility. Make the CY8CKIT_064S2_4343W target TF-M compatible by addding flash and region definitions from TF-M (at c4f37c18c4a0) and by updating the CY8CKIT_064S2_4343W linker script to create a flash image compatible with TF-M. Fixes: f38e21f ("Update PSoC 6 BSPs to verion 1.2") Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
When python3 is enforced to build the ARM_MUSCA_A1 or ARM_MUSCA_B1 targets, it is unable to find binary utility tool scripts which are imported from TF-M. The reason to use the python3 environment is as follows: Mbed OS + TFM contained a faulty boot record TLV, which failed the attestation test (TF-M regression). The data in the boot record TLV will be included in the generated attestation token as 1 item in the SW_COMPONENTS claim. This data (in the boot record TLV) is pre-encoded in CBOR format at build time and appended to the image during the image signing process (done by the imgtool Python3 script). Signed-off-by: Vikas Katariya <vikas.katariya@arm.com>
Use instead the general TF-M v8-M virtual NVIC which will be added in the commit that replaces Mbed PSA with TF-M PSA: features/FEATURE_PSA/TARGET_TFM/TARGET_TFM_V8M/src/cmsis_nvic_virtual.c
Currently, the final binary (TF-M + Mbed OS) is signed after concatenating TF-M and Mbed OS binaries. But TF-M signs the images separately and then concatenates them. Update the Musca B1 signing strategy to match TF-M. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
BL2 macro is used in `region_defs.h` to define the `BL2_HEADER_SIZE`. Without BL2 macro, `BL2_HEADER_SIZE` is set to 0. This leads to incorrect start address (Reset_Handler of Mbed OS) derived by TF-M based on `region_defs.h` and BL2 macro. BL2 macro is set for MUSCA B in TF-M. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The header `cmsis_nvic.h` defines vector start address in RAM `NVIC_RAM_VECTOR_ADDRESS` which is used in `mbed_boot.c:mbed_cpy_nvic()`. But `mbed_boot.c` only includes `cmsis.h`. Due to this `mbed_cpy_nvic` becomes an empty function and the vectors don't get relocated to RAM. This causes BusFault error when Mbed OS tries to update any of the IRQ handlers. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Add TF-M to Mbed OS, replacing the previous PSA implementation for TF-M-capable targets. This commit adds files imported from TF-M, without modification. The version of TF-M imported can be found in `features/FEATURE_PSA/TARGET_TFM/VERSION.txt`. These changes switch to TF-M as the sole PSA implementation for v8-M and dual core targets, with TF-M running on the secure side and Mbed OS running on the non-secure side. Single core v7-M targets will continue to have PSA implemented via PSA emulation, implemented by Mbed OS. Move or remove many PSA-implementing files, as PSA will be provided by TF-M on non-single-v7-M targets. Delete any files that are not relevant for PSA emulation mode. - Remove imported TF-M SPM - Remove Mbed SPM and tests - Remove Mbed-implemented PSA services and tests - Remove PSA_SRV_IMPL, PSA_SRV_IPC, PSA_SRV_EMUL and NSPE. - Replace PSA_SRV_EMUL and PSA_SRV_IMPL with MBED_PSA_SRV - Remove any files autogenerated by "tools/psa/generate_partition_code.py", which no longer exists. Add new feature `PSA` to support PSA in Mbed OS. Move the Mbed OS implementation of PSA services for v7-M targets (which employ PSA emulation, and don't yet use TF-M) to features/FEATURE_PSA/TARGET_MBED_PSA_SRV. Update the `requires` attribute in TESTS/configs/baremetal.json to avoid breaking baremetal testing builds. Update .astyleignore to match new directory structure Update Mbed TLS importer to place files into FEATURE_PSA Create the following generic PSA targets: * `PSA_Target` (Root level PSA generic target) * `PSA_V7_M` (Single v7-M PSA generic target) * `PSA_DUAL_CORE` (Dual-core PSA generic target) * `PSA_V8_M` (v8-M PSA generic target) Flatten MUSCA_NS and private MUSCA targets into public MUSCA targets. Move mcuboot.bin to flat location (removing prebuilt folder) Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com> Signed-off-by: Jaeden Amero <jaeden.amero@arm.com>
Import the latest image signing scripts from TF-M version TF-Mv1.0-85-g3b7cc95a042c. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Add a stubbed PSA Client API implementation for application compatibility. The interface is non-functional, but provides sane error codes.
Mbed Crypto 3.0.1 ships with TF-M. To make Mbed TLS 2.22.0 compatible with Mbed Crypto 3.0.1, changes are needed in psa_util.h (which abstracts some portions of the PSA Crypto API for use with TLS) to deal with new ECC curve define changes. Signed-off-by: Jaeden Amero <jaeden.amero@arm.com> Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Current logic `is_TFM_target` relies on the availability of attribute `tfm_target_name` to identify PSA targets. The API `is_TFM_target` is used in pytest to validate PSA target configuration which again checks the availability of `tfm_target_name`. If a target doesn't contain the attribute `tfm_target_name` then this check will fail instead of catching it. Therefore, we now check for `TFM` config option in `labels` attribute. The API `is_TFM_target()` returns true for Mbed OS PSA targets which are supported by TF-M also. Add a new API `is_PSA_target()` which returns true for all Mbed OS PSA targets. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
The API is_PSA_non_secure_target() uses obsolete labels to detect if a target is PSA non-secure target and is not needed anymore. Mbed OS depends on TF-M for PSA SPM and services. TF-M is built using it's own build system. Therefore, we don't need to differentiate secure and non-secure targets anymore in Mbed OS as all PSA targets in Mbed OS are non-secure targets. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Add a script to parse `targets.json` to identify PSA targets and ensure mandatory parameters are configured correctly for all PSA targets. Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Configure Mbed TLS to automatically enable PSA as needed. When Mbed OS is configured to use PSA, configure Mbed TLS to use PSA. This prevents leaking of the "how to make Mbed TLS use PSA" knowledge up into targets.json, and thus makes porting simpler. There is now one place where "how to make TLS use PSA" exists rather than repeated throughout targets.json for each target that can't inherit from PSA_Target.
Patater
force-pushed
the
replace-mbed-psa-with-tfm
branch
from
47d5cdd
to
4961d4a
Compare
|
Rebased on latest master to resolve conflicts in |
Test run: SUCCESSSummary: 6 of 6 test jobs passed |
0xc0170
approved these changes
Jun 18, 2020
adbridge
added
release-version: 6.1.0
Release-pending
and removed
release-type: feature
Release-pending
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of changes
Replace the Mbed implementation of PSA with the implementation from TrustedFirmware-M (TF-M).
PSA is and continues to be provided as an experimental feature (under FEATURE_EXPERIMENTAL_API). The PSA implementation provided by TF-M is not guaranteed to provide the same functionality or API as the previous Mbed PSA implmementation being replaced.
Impact of changes
v8-M NS targets are now the only v8-M targets supported in Mbed OS for PSA platforms, as the TF-M build system outputs the S binary that Mbed OS consumes as-is. As such, targets like
ARM_MUSCA_A1_NShave been renamed toARM_MUSCA_A1(although old names are temporarily provided for backwards compatibility).Migration actions required
How targets enable PSA has changed. Please refer to features/FEATURE_PSA/supporting_psa_in_mbed-os.md for updated instructions on adding PSA to your target as a new target porting person.
Documentation
Porting guide updates for PSA at features/FEATURE_PSA/supporting_psa_in_mbed-os.md
Pull request type
Test results
Reviewers
@Devran01 @jainvikas8