psa: Define mbedtls_ecc_group_to_psa() inline #3301
The CI's not very happy about this:
I think setting Otherwise this looks good to me, but as noted in the PR description this changes the ABI - not a problem, but something we need to remember when preparing the next release.
96c0d8e to d32988b
Rebased to set
LGTM
The only CI failure is with the ABI test, which this PR changes intentionally. SO version will need bumping.
Clear bits in mbedtls_ecc_group_to_psa() to avoid static analyzers and
possibly compilers from warning that bits may be used uninitialized in
certain code paths.

For example, if mbedtls_ecc_group_to_psa() were to be inlined in
crypto_extra.h, the following compiler warning is likely.

    In file included from ../include/psa/crypto.h:3774:0,
                     from ../include/mbedtls/pk.h:49,
                     from pk.c:29:
    pk.c: In function 'mbedtls_pk_wrap_as_opaque':
    ../include/psa/crypto_struct.h:460:33: error: 'bits' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         attributes->core.bits = (psa_key_bits_t) bits;
                                 ^~~~~~~~~~~~~~~~~~~~~
    pk.c:608:12: note: 'bits' was declared here
         size_t bits;
                ^~~~

Signed-off-by: Jaeden Amero <[email protected]>
On dual world platforms, we want to run the PK module (pk.c) on the NS
side so TLS can use PSA APIs via the PK interface. PK currently has a
hard dependency on mbedtls_ecc_group_to_psa() which is declared in
crypto_extra.h, but only defined in psa_crypto.c, which is only built
for the S side.

Without this change, dual world platforms get error messages like the
following.

    [Error] @0,0: L6218E: Undefined symbol mbedtls_ecc_group_to_psa (referred from BUILD/LPC55S69_NS/ARM/mbed-os/features/mbedtls/mbed-crypto/src/pk.o)

Make mbedtls_ecc_group_to_psa() inline within crypto_extra.h so that it
is available to both NS and S world code.

Fixes Mbed-TLS#3300

Signed-off-by: Darryl Green <[email protected]>
Signed-off-by: Jaeden Amero <[email protected]>
d32988b to 2f0eb51
Rebased to revise commit message. It said "the following" a bit too often. No code changes.
Still looks good to me.
@@ -578,8 +578,55 @@ psa_status_t psa_get_key_domain_parameters( | |||
* (`PSA_ECC_CURVE_xxx`). | |||
* \return \c 0 on failure (\p grpid is not recognized). | |||
*/ | |||
psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid, | |||
size_t *bits ); | |||
static inline psa_ecc_curve_t mbedtls_ecc_group_to_psa( mbedtls_ecp_group_id grpid, |
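Review bot: the part of the doc comment visible above the new static inline definition documents only the return value on failure (`\return \c 0 on failure`) and says nothing about what `*bits` holds in that case. The warning quoted in the first commit message shows pk.c declaring `size_t bits;` without an initializer and then storing it into `attributes->core.bits`, so once the body lives in a public header the comment should also state that `*bits` is set to 0 when `grpid` is not recognized. That makes the cleared output part of the documented contract instead of something callers have to infer from the body.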
This is not a small function, thus is it OK to inline it regarding code size? Is there no other way to do that?
I'm not sure it is so large, but I'm not one to decide. The compiler may decide it is too large or complicated and avoid inlining, when code size optimizing flags are employed.
Alternatives would include making a new C file to implement this function, included in the S target build and again in the NS target build.
I decided to do some measurements:
scripts/config.pl baremetal
make CC=arm-none-eabi-gcc CFLAGS='-Os -mthumb -march=armv6-m' lib
arm-none-eabi-size -t library/libmbedcrypto.a | tail -n1
Before this PR: 236581
After this PR: 236601
Difference: +20 bytes
IMO this difference is perfectly acceptable, especially considering that this function is meant to disappear at some point, as it's an artifact of the transition from the legacy crypto APIs to PSA (should probably become useless at some point in the 3.x line and then be removed in 4.0).
Given the small size impact and that it is a temporary situation, fine by me then.
Note: the only test failing in the CI is the API/ABI checker, which is fully expected.
LGTM
On dual world platforms, we want to run the PK module (pk.c) on the NS
side so TLS can use PSA APIs via the PK interface. PK currently has a
hard dependency on mbedtls_ecc_group_to_psa() which is declared in
crypto_extra.h, but only defined in psa_crypto.c, which is only built
for the S side.
Without this change, dual world platforms get error messages like the
following.
Make mbedtls_ecc_group_to_psa() inline within crypto_extra.h so that it
is available to both NS and S world code.
Fixes #3300
Signed-off-by: Darryl Green [email protected]
Signed-off-by: Jaeden Amero [email protected]
Status
READY
Requires Backporting
NO - PSA related change, and no LTS branches contain PSA.
Migrations
mbedtls_ecc_group_to_psa() is becoming inline. This will require a rebuild of code using this function.
Todos
[ ] Documentation
[ ] Backported
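The pattern this PR describes, as an added example that is not code from the PR or from Mbed TLS: a header-style `static inline` mapping function that clears its output parameter before any lookup, with a caller shaped like the pk.c one in the quoted warning. All `demo_`/`DEMO_` names and numeric values are hypothetical stand-ins constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins, constructed for this example (not Mbed TLS names
 * or values) for the legacy group id and the PSA curve identifier. */
typedef enum { DEMO_GRP_NONE = 0, DEMO_GRP_P256, DEMO_GRP_P384,
               DEMO_GRP_X25519 } demo_group_id;
typedef uint16_t demo_curve_t;
#define DEMO_CURVE_SECP_R1    ((demo_curve_t) 0x12)
#define DEMO_CURVE_MONTGOMERY ((demo_curve_t) 0x41)

/* Would live in a header shared by both builds. `static inline` gives each
 * translation unit its own definition, so no external symbol is needed. */
static inline demo_curve_t demo_group_to_psa(demo_group_id grpid, size_t *bits)
{
    *bits = 0; /* defined on every path, including the failure path */
    switch (grpid) {
        case DEMO_GRP_P256:   *bits = 256; return DEMO_CURVE_SECP_R1;
        case DEMO_GRP_P384:   *bits = 384; return DEMO_CURVE_SECP_R1;
        case DEMO_GRP_X25519: *bits = 255; return DEMO_CURVE_MONTGOMERY;
        default:              return 0; /* group not recognized */
    }
}

/* Caller shaped like the one in the quoted warning: `bits` has no
 * initializer and is stored even when the lookup fails. */
static int demo_fill_attributes(demo_group_id grpid, demo_curve_t *curve,
                                uint16_t *key_bits)
{
    size_t bits;
    *curve = demo_group_to_psa(grpid, &bits);
    *key_bits = (uint16_t) bits; /* well defined only because of the clear */
    return (*curve == 0) ? -1 : 0;
}

int main(void)
{
    demo_curve_t curve;
    uint16_t key_bits;
    int rc = demo_fill_attributes(DEMO_GRP_P384, &curve, &key_bits);
    printf("rc=%d curve=0x%02x bits=%u\n", rc, (unsigned) curve, (unsigned) key_bits);
    rc = demo_fill_attributes((demo_group_id) 99, &curve, &key_bits);
    printf("rc=%d curve=0x%02x bits=%u\n", rc, (unsigned) curve, (unsigned) key_bits);
    return 0;
}
```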