From 4118961dd7dcb757eb13abf222365b4f9f7c4583 Mon Sep 17 00:00:00 2001 From: ATmobica Date: Tue, 31 Jan 2023 14:00:02 +0000 Subject: [PATCH] [OIS] Add PSA crypto backend support This commit allows the selection of PSA as the cryptographic algorithm used when building Matter CryptoPAL with the Open IoT SDK. The GitHub CI workflow for the SDK examples/unit tests has been updated to add a matrix test setup which builds and runs the examples with both mbedtls and psa cryptographic algorithms. Add call to psa_crypto_init() The Matter PSA implementation still uses some underlying MbedTLS functions (including random number generation). To use these functions however a call to psa_crypto_init() is required. Extend Matter Python builder with crypto backend options. Enable ECP optimization. Co-authored-by: ATmobica 
Signed-off-by: Anna Bridge --- .github/.wordlist.txt | 1 + .github/workflows/examples-openiotsdk.yaml | 11 ++-- .vscode/tasks.json | 9 ++++ config/openiotsdk/CMakeLists.txt | 1 + config/openiotsdk/chip-gn/args.gni | 1 - config/openiotsdk/cmake/chip.cmake | 11 +++- config/openiotsdk/cmake/sdk.cmake | 35 +++++++------ config/openiotsdk/lwip/user_lwipopts.h | 5 ++ config/openiotsdk/mbedtls/mbedtls_config.h | 6 +-- .../openiotsdk/mbedtls/mbedtls_config_psa.h | 6 +++ docs/guides/openiotsdk_examples.md | 52 ++++++++++++++++--- .../openiotsdk/app/openiotsdk_platform.cpp | 13 +++++ scripts/build/BUILD.gn | 4 +- scripts/build/build/targets.py | 6 ++- scripts/build/builders/openiotsdk.py | 20 ++++++- scripts/build/test.py | 4 +- .../build/testdata/all_targets_linux_x64.txt | 2 +- .../dry_run_openiotsdk-lock-mbedtls.txt | 8 +++ .../testdata/dry_run_openiotsdk-lock.txt | 8 --- .../dry_run_openiotsdk-shell-mbedtls.txt | 8 +++ .../testdata/dry_run_openiotsdk-shell.txt | 8 --- scripts/examples/openiotsdk_example.sh | 21 +++++++- 22 files changed, 183 insertions(+), 57 deletions(-) create mode 100644 config/openiotsdk/mbedtls/mbedtls_config_psa.h create mode 100644 scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt delete mode 100644 scripts/build/testdata/dry_run_openiotsdk-lock.txt create mode 100644 scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt delete mode 100644 scripts/build/testdata/dry_run_openiotsdk-shell.txt diff --git a/.github/.wordlist.txt b/.github/.wordlist.txt index 04179cb874c403..ef5aa8fb290737 100644 --- a/.github/.wordlist.txt +++ b/.github/.wordlist.txt @@ -1071,6 +1071,7 @@ ProxyDiscovery ProxyValid ProxyView PRs +PSA PSCAN PSECT PSK diff --git a/.github/workflows/examples-openiotsdk.yaml b/.github/workflows/examples-openiotsdk.yaml index 2c373d457dfe20..d706b8dbab9273 100644 --- a/.github/workflows/examples-openiotsdk.yaml +++ b/.github/workflows/examples-openiotsdk.yaml 
@@ -31,6 +31,11 @@ env: jobs: openiotsdk: + strategy: + fail-fast: false + matrix: + cryptoBackend: ["psa", "mbedtls"] + name: Open IoT SDK examples building timeout-minutes: 90 @@ -89,7 +94,7 @@ jobs: id: build_shell timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh shell + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} shell .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release shell \ examples/shell/openiotsdk/build/chip-openiotsdk-shell-example.elf \ @@ -99,7 +104,7 @@ jobs: id: build_lock_app timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh lock-app + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} lock-app .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release lock-app \ examples/lock-app/openiotsdk/build/chip-openiotsdk-lock-app-example.elf \ @@ -109,7 +114,7 @@ jobs: id: build_unit_tests timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh unit-tests + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} unit-tests - name: "Test: shell example" if: steps.build_shell.outcome == 'success' diff --git a/.vscode/tasks.json b/.vscode/tasks.json index 8516b5b12f2e5c..bb0c8ba01853ea 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -251,6 +251,7 @@ "-Cbuild", "-d${input:openiotsdkDebugMode}", "-l${input:openiotsdkLwipDebug}", + "-b${input:openiotsdkCryptoBackend}", "${input:openiotsdkExample}" ], "group": "build", @@ -271,6 +272,7 @@ "-Cbuild", "-d${input:openiotsdkDebugMode}", "-l${input:openiotsdkLwipDebug}", + "-b${input:openiotsdkCryptoBackend}", "unit-tests" ], "group": "build", 
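Review bot: The matrix adds a `cryptoBackend` dimension but the job keeps the fixed `name: Open IoT SDK examples building`, so both legs show up under one check name and a failing leg cannot be told apart in the checks list; use `name: Open IoT SDK examples building (${{ matrix.cryptoBackend }})`. The two later hunks in this file pass `-b ${{ matrix.cryptoBackend }}` to the build script but still call `gh_sizes.py` with the unchanged labels `openiotsdk release shell` and `openiotsdk release lock-app`, so the psa and mbedtls legs presumably publish size reports under identical keys — worth confirming that the second upload does not overwrite the first.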
@@ -480,6 +482,13 @@ "options": ["false", "true"], "default": "false" }, + { + "type": "pickString", + "id": "openiotsdkCryptoBackend", + "description": "Which Crypto algorithm do you wish to use?", + "options": ["mbedtls", "psa"], + "default": "mbedtls" + }, { "type": "command", "id": "openiotsdkExample", diff --git a/config/openiotsdk/CMakeLists.txt b/config/openiotsdk/CMakeLists.txt index 7f559587a88a66..43f9fca7b5dd9a 100644 --- a/config/openiotsdk/CMakeLists.txt +++ b/config/openiotsdk/CMakeLists.txt @@ -62,6 +62,7 @@ matter_add_gn_arg_bool ("chip_automation_logging" CONFIG_CHIP_AUTO matter_add_gn_arg_bool ("chip_error_logging" CONFIG_CHIP_ERROR_LOGGING) matter_add_gn_arg_bool ("chip_openiotsdk_use_tfm" TFM_SUPPORT) matter_add_gn_arg_bool ("chip_openiotsdk_use_psa_ps" CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS) +matter_add_gn_arg_string("chip_crypto" "${CONFIG_CHIP_CRYPTO}") if (TARGET cmsis-rtos-api) matter_add_gn_arg_string("target_os" "cmsis-rtos") endif() diff --git a/config/openiotsdk/chip-gn/args.gni b/config/openiotsdk/chip-gn/args.gni index fd9edf986f8ee7..12ffb66b844957 100644 --- a/config/openiotsdk/chip-gn/args.gni +++ b/config/openiotsdk/chip-gn/args.gni @@ -31,7 +31,6 @@ chip_system_config_use_lwip = true lwip_platform = "external" chip_system_config_use_sockets = false -chip_crypto = "mbedtls" chip_external_mbedtls = true custom_toolchain = "${chip_root}/config/openiotsdk/chip-gn/toolchain:openiotsdk" diff --git a/config/openiotsdk/cmake/chip.cmake b/config/openiotsdk/cmake/chip.cmake index bdef5870433d23..6e1a78bcb8debf 100644 --- a/config/openiotsdk/cmake/chip.cmake +++ b/config/openiotsdk/cmake/chip.cmake @@ -21,7 +21,7 @@ get_filename_component(GEN_DIR ${CHIP_ROOT}/zzz_generated/ REALPATH) -# Default CHIP build configuration +# Default CHIP build configuration set(CONFIG_CHIP_PROJECT_CONFIG "main/include/CHIPProjectConfig.h" CACHE STRING "") set(CONFIG_CHIP_LIB_TESTS NO CACHE BOOL "") set(CONFIG_CHIP_LIB_SHELL NO CACHE BOOL "") 
@@ -32,6 +32,7 @@ set(CONFIG_CHIP_AUTOMATION_LOGGING YES CACHE BOOL "Enable logging at automation set(CONFIG_CHIP_ERROR_LOGGING YES CACHE BOOL "Enable logging at error level") set(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS NO CACHE BOOL "Enable using PSA Protected Storage") +set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING "Matter crypto backend. Mbedtls as default") if(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS AND NOT TFM_SUPPORT) message( FATAL_ERROR "You can not use PSA Protected Storage without TF-M support" ) @@ -53,8 +54,14 @@ if(TFM_SUPPORT) add_dependencies(chip-gn tfm-ns-interface) endif() +if ("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa") + target_compile_definitions(chip + INTERFACE + CONFIG_CHIP_CRYPTO_PSA) +endif() + function(chip_add_data_model target scope model_name) - target_include_directories(${target} + target_include_directories(${target} PUBLIC ${GEN_DIR}/app-common ${GEN_DIR}/${model_name}-app diff --git a/config/openiotsdk/cmake/sdk.cmake b/config/openiotsdk/cmake/sdk.cmake index 61cd704a030041..6f391bd235033f 100644 --- a/config/openiotsdk/cmake/sdk.cmake +++ b/config/openiotsdk/cmake/sdk.cmake @@ -27,7 +27,7 @@ get_filename_component(OPEN_IOT_SDK_STORAGE_SOURCE ${CHIP_ROOT}/third_party/open # Open IoT SDK targets passed to CHIP build list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS) -# Additional Open IoT SDK build configuration +# Additional Open IoT SDK build configuration set(TFM_SUPPORT NO CACHE BOOL "Add Trusted Firmware-M (TF-M) support to application") set(TFM_NS_APP_VERSION "0.0.0" CACHE STRING "TF-M non-secure application version (in the x.x.x format)") set(CONFIG_CHIP_OPEN_IOT_SDK_LWIP_DEBUG NO CACHE BOOL "Enable LwIP debug logs") 
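Review bot: `CONFIG_CHIP_CRYPTO` is turned into the `CONFIG_CHIP_CRYPTO_PSA` definition without any check of its value or of the TF-M prerequisite that this commit's guide states ("requires enabling TF-M support"); the `CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS AND NOT TFM_SUPPORT` check a few lines above is the pattern to follow. Add next to it `if("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa" AND NOT TFM_SUPPORT)` / `message(FATAL_ERROR "PSA crypto backend requires TF-M support")` / `endif()`, and consider `set_property(CACHE CONFIG_CHIP_CRYPTO PROPERTY STRINGS mbedtls psa)` so a misspelt value is rejected at configure time. The shell script in this commit validates the value, but the VSCode task and the direct `cmake -DCONFIG_CHIP_CRYPTO=` invocation the guide documents bypass that script, so the check belongs here as well.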
@@ -82,7 +82,7 @@ if(TFM_SUPPORT) set(TFM_PLATFORM ${OPEN_IOT_SDK_EXAMPLE_COMMON}/tf-m/targets/an552) set(TFM_PSA_FIRMWARE_UPDATE ON) set(MCUBOOT_IMAGE_VERSION_NS ${TFM_NS_APP_VERSION}) - set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1") + set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1;-DTFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH=${OPEN_IOT_SDK_CONFIG}/mbedtls/mbedtls_config_psa.h;-DMBEDCRYPTO_BUILD_TYPE=${CMAKE_BUILD_TYPE};-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}") if ("${CMAKE_BUILD_TYPE}" STREQUAL "Debug") set(TFM_CMAKE_ARGS "${TFM_CMAKE_ARGS};-DMCUBOOT_LOG_LEVEL=INFO;-DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_DEBUG;-DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO") else() @@ -117,24 +117,24 @@ endif() # Add RTOS configuration headers # Link cmsis-rtos-api against a concrete implementation if(TARGET cmsis-rtos-api) - target_include_directories(cmsis-core - INTERFACE + target_include_directories(cmsis-core + INTERFACE cmsis-config ) - + target_compile_definitions(cmsis-rtos-api PUBLIC DOMAIN_NS=$,1,0> ) if(TARGET freertos-kernel) - target_include_directories(freertos-kernel - PUBLIC + target_include_directories(freertos-kernel + PUBLIC freertos-config ) - target_link_libraries(freertos-kernel - PUBLIC + target_link_libraries(freertos-kernel + PUBLIC cmsis-core ) @@ -250,14 +250,6 @@ if("cmsis-freertos" IN_LIST IOTSDK_FETCH_LIST) ) endif() -if("mbedtls" IN_LIST IOTSDK_FETCH_LIST) - list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS - mbedtls - mbedtls-config - mbedtls-threading-cmsis-rtos - ) -endif() - if("lwip" IN_LIST IOTSDK_FETCH_LIST) list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS lwipcore 
@@ -282,6 +274,15 @@ if("trusted-firmware-m" IN_LIST IOTSDK_FETCH_LIST) ) endif() +# Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used +if("mbedtls" IN_LIST IOTSDK_FETCH_LIST) + list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS + mbedtls + mbedtls-config + mbedtls-threading-cmsis-rtos + ) +endif() + # Additional Open IoT SDK port components # Add Open IoT SDK storage source diff --git a/config/openiotsdk/lwip/user_lwipopts.h b/config/openiotsdk/lwip/user_lwipopts.h index 48d8d4aee81b21..1e02add588ca4c 100644 --- a/config/openiotsdk/lwip/user_lwipopts.h +++ b/config/openiotsdk/lwip/user_lwipopts.h @@ -49,6 +49,11 @@ */ #define LWIP_RAW (1) +/** + * Disable DHCP as the IP6 link local address can be used. + */ +#define LWIP_DHCP 0 + #ifdef LWIP_DEBUG // Debug Options diff --git a/config/openiotsdk/mbedtls/mbedtls_config.h b/config/openiotsdk/mbedtls/mbedtls_config.h index 316d43c67940d0..b5927a06b63383 100644 --- a/config/openiotsdk/mbedtls/mbedtls_config.h +++ b/config/openiotsdk/mbedtls/mbedtls_config.h @@ -2692,7 +2692,7 @@ * or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG. * */ -#define MBEDTLS_PSA_CRYPTO_C +//#define MBEDTLS_PSA_CRYPTO_C /** * \def MBEDTLS_PSA_CRYPTO_SE_C @@ -3313,8 +3313,8 @@ //#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */ /* ECP options */ -//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */ -//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ +#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ /* Entropy options */ //#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ diff --git a/config/openiotsdk/mbedtls/mbedtls_config_psa.h b/config/openiotsdk/mbedtls/mbedtls_config_psa.h new file mode 100644 index 00000000000000..c7241ba53228a5 --- /dev/null +++ b/config/openiotsdk/mbedtls/mbedtls_config_psa.h 
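Review bot: `#define LWIP_DHCP 0` changes the network behaviour of every example regardless of crypto backend and is not mentioned in the commit message, which only covers the PSA backend, the CI matrix and ECP tuning. Either split it into its own commit or add a sentence to the message so the change is discoverable when someone later bisects a DHCP-related regression; the header comment already gives the rationale (link-local IPv6 suffices), so the message can simply point to it.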
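Review bot: Commenting out `MBEDTLS_PSA_CRYPTO_C` leaves no record in this header of why the non-secure Mbed TLS build no longer provides the PSA API; read together with the `Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used` comment in sdk.cmake, the intent appears to be that PSA comes only from TF-M's crypto service, but a reader of this file cannot see that. Add a comment above the line, e.g. `// PSA Crypto is supplied by the TF-M crypto service when CONFIG_CHIP_CRYPTO=psa; do not re-enable here or two implementations are linked`, adjusted to whatever the actual reason is, so a later re-enable does not silently reintroduce a second implementation.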
@@ -0,0 +1,6 @@ + +#define MBEDTLS_SHA1_C +#define PSA_WANT_ALG_SHA_1 +#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */ +#undef MBEDTLS_ECP_FIXED_POINT_OPTIM +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ diff --git a/docs/guides/openiotsdk_examples.md b/docs/guides/openiotsdk_examples.md index 2de1915f3ecf43..add3313e1ae521 100644 --- a/docs/guides/openiotsdk_examples.md +++ b/docs/guides/openiotsdk_examples.md @@ -374,6 +374,42 @@ For `TF-M` protected storage use: [Open IoT SDK build script](../../scripts/examples/openiotsdk_example.sh) provides the `-K,--kvsfile` option to use the persistence options listed above. +### Crypto backend + +Open IoT SDK port supports two crypto backend implementations: + +- [Mbed TLS](../guides/openiotsdk_platform_overview.md#mbed-tls) - it's the + default option +- [PSA crypto service](https://tf-m-user-guide.trustedfirmware.org/integration_guide/services/tfm_crypto_integration_guide.html) + from the + [TrustedFirmware-M (TF-M)](../guides/openiotsdk_platform_overview.md#trusted-firmware-m) + component + +The CMake variable `CONFIG_CHIP_CRYPTO` controls how cryptographic operations +are implemented in Matter. It accepts two values: + +- `mbedtls`: use Mbed TLS for crypto operations. +- `psa`: use + [PSA Cryptography API](https://armmbed.github.io/mbed-crypto/html/) for + crypto operations. + +This variable can be set in the main application `CMakeLists.txt`: + +``` +set(CONFIG_CHIP_CRYPTO ) +``` + +The variable can also be defined with CMake CLI: + +``` +cmake -G <...> -DCONFIG_CHIP_CRYPTO= <...> +``` + +> 💡 **Notes**: +> +> The `TF-M PSA crypto` option requires enabling [TF-M](#trusted-firmware-m) +> support. + ## Building You can build examples using the dedicated VSCode task or by calling directly 
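Review bot: `MBEDTLS_ECP_WINDOW_SIZE` is defined without a preceding `#undef` while the neighbouring `MBEDTLS_ECP_FIXED_POINT_OPTIM` gets one; if the base configuration this extra file is layered on already defines the window size, the line produces a macro-redefinition warning or error, so add `#undef MBEDTLS_ECP_WINDOW_SIZE` above it for consistency. The file also enables SHA-1 in the secure-side crypto service (`MBEDTLS_SHA1_C`, `PSA_WANT_ALG_SHA_1`) with no comment stating which Matter operation needs a deprecated hash; a header comment naming that consumer lets a maintainer remove the algorithm once the consumer is gone. The two ECP settings are now duplicated between this file and `mbedtls_config.h` in the same commit; a one-line cross-reference in each keeps them from drifting apart.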
@@ -386,6 +422,7 @@ the build script from the command line. - Select `Build Open IoT SDK example` - Decide on debug mode support - Decide on LwIP debug logs support +- Choose crypto algorithm - Choose example name This will call the script with the selected parameters. @@ -568,12 +605,12 @@ telnet> close ## Specific examples -### Build lock-app example and run it in the network namespace +### Build lock-app example with PSA crypto backend support and run it in the network namespace **Using CLI** ``` -${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app +${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b psa lock-app export TEST_NETWORK_NAME=OIStest @@ -593,6 +630,7 @@ Build example: - Select `Build Open IoT SDK example` - Deny debug mode support `false` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `psa` - Choose example name `lock-app` Setup network environment: @@ -614,12 +652,12 @@ Run example: The example output should be seen in the terminal window. -### Build lock-app example and execute its test in the network namespace +### Build lock-app example with mbedtls crypto backend support and execute its test in the network namespace **Using CLI** ``` -${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh lock-app +${MATTER_ROOT}/scripts/examples/openiotsdk_example.sh -b mbedtls lock-app export TEST_NETWORK_NAME=OIStest @@ -639,6 +677,7 @@ Build example: - Select `Build Open IoT SDK example` - Deny debug mode support `false` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `mbedtls` - Choose example name `lock-app` Setup network environment: @@ -658,7 +697,7 @@ Test example: - Enter network interface `OIStesttap` - Choose example name `lock-app` -### Build lock-app example in debug mode and debug it in the network namespace using the VSCode task +### Build lock-app example with mbedtls crypto backend support in debug mode and debug it in the network namespace using the VSCode task Build example: 
@@ -667,6 +706,7 @@ Build example: - Select `Build Open IoT SDK example` - Confirm debug mode support `true` - Deny LwIP debug logs support `false` +- Choose crypto algorithm `mbedtls` - Choose example name `lock-app` Setup network environment: @@ -757,7 +797,7 @@ Example: id: build_new_example timeout-minutes: 10 run: | - scripts/examples/openiotsdk_example.sh new-example + scripts/examples/openiotsdk_example.sh -b ${{ matrix.cryptoBackend }} new-example .environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \ openiotsdk release new-example \ examples/new-example/openiotsdk/build/chip-openiotsdk-new-example-example.elf \ diff --git a/examples/platform/openiotsdk/app/openiotsdk_platform.cpp b/examples/platform/openiotsdk/app/openiotsdk_platform.cpp index 28b6da91f5c176..dff6a15e21cb93 100644 --- a/examples/platform/openiotsdk/app/openiotsdk_platform.cpp +++ b/examples/platform/openiotsdk/app/openiotsdk_platform.cpp @@ -27,6 +27,10 @@ #include "iotsdk/ip_network_api.h" #include "mbedtls/platform.h" +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include "psa/crypto.h" +#endif + #include #include #include @@ -179,6 +183,15 @@ int openiotsdk_platform_init(void) return EXIT_FAILURE; } +#ifdef CONFIG_CHIP_CRYPTO_PSA + ret = psa_crypto_init(); + if (ret) + { + ChipLogError(NotSpecified, "PSA crypto initialization failed: %d", ret); + return EXIT_FAILURE; + } +#endif + #ifdef TFM_SUPPORT ret = get_psa_images_details(); if (ret != 0) diff --git a/scripts/build/BUILD.gn b/scripts/build/BUILD.gn index 11ea4e9b721e84..0e716ae7e9b390 100644 --- a/scripts/build/BUILD.gn +++ b/scripts/build/BUILD.gn 
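Review bot: `ret = psa_crypto_init(); if (ret)` tests the `psa_status_t` result as a plain boolean, whereas the block right below spells its check out as `if (ret != 0)`; compare explicitly against the API's success value, `if (ret != PSA_SUCCESS)`, so the intent is visible and consistent. `ret` is declared outside the hunk, so its type cannot be seen here: if it stays an `int`, `%d` is correct, but if it is (or becomes) a `psa_status_t` the log line should use `"PSA crypto initialization failed: %" PRId32` instead. The body of `openiotsdk_platform_init` starts and continues outside the hunk.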
@@ -31,8 +31,8 @@ pw_python_package("build_examples") { "testdata/dry_run_linux-arm64-ota-requestor-nodeps-ipv6only.txt", "testdata/dry_run_linux-x64-all-clusters-coverage.txt", "testdata/dry_run_nrf-nrf52840dk-pump.txt", - "testdata/dry_run_openiotsdk-lock.txt", - "testdata/dry_run_openiotsdk-shell.txt", + "testdata/dry_run_openiotsdk-lock-mbedtls.txt", + "testdata/dry_run_openiotsdk-shell-mbedtls.txt", ] sources = [ diff --git a/scripts/build/build/targets.py b/scripts/build/build/targets.py index 279191e45d1bf9..43eed69236dcdf 100755 --- a/scripts/build/build/targets.py +++ b/scripts/build/build/targets.py @@ -28,7 +28,7 @@ from builders.mbed import MbedApp, MbedBoard, MbedBuilder, MbedProfile from builders.mw320 import MW320App, MW320Builder from builders.nrf import NrfApp, NrfBoard, NrfConnectBuilder -from builders.openiotsdk import OpenIotSdkApp, OpenIotSdkBuilder +from builders.openiotsdk import OpenIotSdkApp, OpenIotSdkBuilder, OpenIotSdkCryptoBackend from builders.qpg import QpgApp, QpgBoard, QpgBuilder from builders.telink import TelinkApp, TelinkBoard, TelinkBuilder from builders.ti import TIApp, TIBoard, TIBuilder @@ -679,6 +679,10 @@ def BuildOpenIotSdkTargets(): TargetPart('lock', app=OpenIotSdkApp.LOCK), ]) + # Modifiers + target.AppendModifier('mbedtls', crypto=OpenIotSdkCryptoBackend.MBEDTLS).ExceptIfRe('-(psa)') + target.AppendModifier('psa', crypto=OpenIotSdkCryptoBackend.PSA).ExceptIfRe('-(mbedtls)') + return target diff --git a/scripts/build/builders/openiotsdk.py b/scripts/build/builders/openiotsdk.py index 7f3cd682d86ba3..89aad6a59e9a16 100644 --- a/scripts/build/builders/openiotsdk.py +++ b/scripts/build/builders/openiotsdk.py 
@@ -42,13 +42,29 @@ def AppNamePrefix(self): raise Exception('Unknown app type: %r' % self) +class OpenIotSdkCryptoBackend(Enum): + PSA = auto() + MBEDTLS = auto() + + @property + def CryptoBackendName(self): + if self == OpenIotSdkCryptoBackend.PSA: + return 'psa' + elif self == OpenIotSdkCryptoBackend.MBEDTLS: + return 'mbedtls' + else: + raise Exception('Unknown crypto backend type: %r' % self) + + class OpenIotSdkBuilder(Builder): def __init__(self, root, runner, - app: OpenIotSdkApp = OpenIotSdkApp.SHELL): + app: OpenIotSdkApp = OpenIotSdkApp.SHELL, + crypto: OpenIotSdkCryptoBackend = OpenIotSdkCryptoBackend.MBEDTLS): super(OpenIotSdkBuilder, self).__init__(root, runner) self.app = app + self.crypto = crypto self.toolchain_path = os.path.join( 'toolchains', 'toolchain-arm-none-eabi-gcc.cmake') self.system_processor = 'cortex-m55' @@ -65,6 +81,8 @@ def generate(self): '-DCMAKE_SYSTEM_PROCESSOR={}'.format( self.system_processor), '-DCMAKE_BUILD_TYPE=Release', + '-DCONFIG_CHIP_CRYPTO={}'.format( + self.crypto.CryptoBackendName), ], title='Generating ' + self.identifier) def _build(self): diff --git a/scripts/build/test.py b/scripts/build/test.py index 70fca73f082f7b..c89a4d98109357 100644 --- a/scripts/build/test.py +++ b/scripts/build/test.py @@ -109,8 +109,8 @@ def test_general_dry_runs(self): 'android-arm64-chip-tool', 'nrf-nrf52840dk-pump', 'efr32-brd4161a-light-rpc-no-version', - 'openiotsdk-lock', - 'openiotsdk-shell' + 'openiotsdk-lock-mbedtls', + 'openiotsdk-shell-mbedtls' ] for target in TARGETS: diff --git a/scripts/build/testdata/all_targets_linux_x64.txt b/scripts/build/testdata/all_targets_linux_x64.txt index 1b8c95d4c51c7d..5ef536ac1bbfdf 100644 --- a/scripts/build/testdata/all_targets_linux_x64.txt +++ b/scripts/build/testdata/all_targets_linux_x64.txt 
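Review bot: `CryptoBackendName` hand-writes an if/elif chain plus an unreachable `else: raise` for a two-member enum whose wanted string is just the lower-cased member name; `return self.name.lower()` does the same with no branch to keep in sync when a backend is added (the chain mirrors the existing `AppNamePrefix`, so keep it only if that consistency is deliberate, and then compare enum members with `is` rather than `==`). A one-line docstring on the property, `"""Value passed to CMake as CONFIG_CHIP_CRYPTO."""`, would tie it to its only use in the `generate()` hunk below. The `OpenIotSdkBuilder.__init__` change is fine as written.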
@@ -22,4 +22,4 @@ nrf-native-posix-64-tests
 qpg-qpg6105-{lock,light,shell,persistent-storage}
 tizen-arm-{all-clusters,all-clusters-minimal,chip-tool,light,tests}[-no-ble][-no-thread][-no-wifi][-asan][-ubsan]
 telink-tlsr9518adk80d-{all-clusters,all-clusters-minimal,bridge,contact-sensor,light,light-switch,lock,ota-requestor,pump,pump-controller,temperature-measurement,thermostat,window-covering}[-shell][-rpc][-factory-data]
-openiotsdk-{shell,lock}
+openiotsdk-{shell,lock}[-mbedtls][-psa]
diff --git a/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt b/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt
new file mode 100644
index 00000000000000..77816cf664190c
--- /dev/null
+++ b/scripts/build/testdata/dry_run_openiotsdk-lock-mbedtls.txt
@@ -0,0 +1,8 @@
+# Commands will be run in CHIP project root.
+cd "{root}"
+
+# Generating openiotsdk-lock-mbedtls
+cmake -GNinja -S {root}/examples/lock-app/openiotsdk -B {out}/openiotsdk-lock-mbedtls --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release -DCONFIG_CHIP_CRYPTO=mbedtls
+
+# Building openiotsdk-lock-mbedtls
+cmake --build {out}/openiotsdk-lock-mbedtls
diff --git a/scripts/build/testdata/dry_run_openiotsdk-lock.txt b/scripts/build/testdata/dry_run_openiotsdk-lock.txt
deleted file mode 100644
index a0c36ee27f53ad..00000000000000
--- a/scripts/build/testdata/dry_run_openiotsdk-lock.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-# Commands will be run in CHIP project root.
-cd "{root}"
-
-# Generating openiotsdk-lock
-cmake -GNinja -S {root}/examples/lock-app/openiotsdk -B {out}/openiotsdk-lock --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release
-
-# Building openiotsdk-lock
-cmake --build {out}/openiotsdk-lock
diff --git a/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt b/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt new file mode 100644 index 00000000000000..70438c5fe091bd --- /dev/null +++ b/scripts/build/testdata/dry_run_openiotsdk-shell-mbedtls.txt @@ -0,0 +1,8 @@ +# Commands will be run in CHIP project root. +cd "{root}" + +# Generating openiotsdk-shell-mbedtls +cmake -GNinja -S {root}/examples/shell/openiotsdk -B {out}/openiotsdk-shell-mbedtls --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release -DCONFIG_CHIP_CRYPTO=mbedtls + +# Building openiotsdk-shell-mbedtls +cmake --build {out}/openiotsdk-shell-mbedtls diff --git a/scripts/build/testdata/dry_run_openiotsdk-shell.txt b/scripts/build/testdata/dry_run_openiotsdk-shell.txt deleted file mode 100644 index 6c7c63befb4e7a..00000000000000 --- a/scripts/build/testdata/dry_run_openiotsdk-shell.txt +++ /dev/null @@ -1,8 +0,0 @@ -# Commands will be run in CHIP project root. -cd "{root}" - -# Generating openiotsdk-shell -cmake -GNinja -S {root}/examples/shell/openiotsdk -B {out}/openiotsdk-shell --toolchain=toolchains/toolchain-arm-none-eabi-gcc.cmake -DCMAKE_SYSTEM_PROCESSOR=cortex-m55 -DCMAKE_BUILD_TYPE=Release - -# Building openiotsdk-shell -cmake --build {out}/openiotsdk-shell diff --git a/scripts/examples/openiotsdk_example.sh b/scripts/examples/openiotsdk_example.sh index 6b19a8be7f04e7..1f3dcd1d8d11f1 100755 --- a/scripts/examples/openiotsdk_example.sh +++ b/scripts/examples/openiotsdk_example.sh @@ -43,6 +43,7 @@ IS_UNIT_TEST=0 FVP_NETWORK="user" KVS_STORAGE_TYPE="tdb" KVS_STORAGE_FILE="" +CRYPTO_BACKEND="mbedtls" declare -A tdb_storage_param=([instance]=sram [memspace]=0 [address]=0x0 [size]=0x100000) declare -A ps_storage_param=([instance]=qspi_sram [memspace]=0 [address]=0x660000 [size]=0x12000) 
@@ -66,6 +67,7 @@ Options: -d,--debug Build in debug mode -l,--lwipdebug Build with LwIP debug logs support -k,--kvsstore Select KVS storage type + -b,--backend -p,--path Build path -K,--kvsfile Path to KVS storage file which will be used to ensure persistence -n,--network FVP network interface name @@ -134,6 +136,8 @@ function build_with_cmake() { BUILD_OPTIONS+=(-DCONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS=YES) fi + BUILD_OPTIONS+=(-DCONFIG_CHIP_CRYPTO="$CRYPTO_BACKEND") + cmake -G Ninja -S "$EXAMPLE_PATH" -B "$BUILD_PATH" --toolchain="$TOOLCHAIN_PATH" "${BUILD_OPTIONS[@]}" cmake --build "$BUILD_PATH" } @@ -268,8 +272,8 @@ function run_test() { fi } -SHORT=C:,p:,d:,l:,n:,k:,K:,c,s,h -LONG=command:,path:,debug:,lwipdebug:,network:,kvsstore:,kvsfile:,clean,scratch,help +SHORT=C:,p:,d:,l:,b:,n:,k:,K:,c,s,h +LONG=command:,path:,debug:,lwipdebug:,backend:,network:,kvsstore:,kvsfile:,clean,scratch,help OPTS=$(getopt -n build --options "$SHORT" --longoptions "$LONG" -- "$@") eval set -- "$OPTS" @@ -308,6 +312,10 @@ while :; do KVS_STORAGE_FILE=$2 shift 2 ;; + -b | --backend) + CRYPTO_BACKEND=$2 + shift 2 + ;; -p | --path) BUILD_PATH=$CHIP_ROOT/$2 shift 2 @@ -380,6 +388,15 @@ case "$KVS_STORAGE_TYPE" in ;; esac +case "$CRYPTO_BACKEND" in + psa | mbedtls) ;; + *) + echo "Wrong crypto type definition" + show_usage + exit 2 + ;; +esac + TOOLCHAIN_PATH="toolchains/toolchain-$TOOLCHAIN.cmake" if [ -z "$BUILD_PATH" ]; then
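Review bot: The new usage line reads just `-b,--backend` in this rendering, with no description of what the option takes, while every neighbouring option has one (`-k,--kvsstore Select KVS storage type`). If the text after the option was lost to the page rendering (angle-bracket content is stripped elsewhere on this page) disregard this; otherwise make it `-b,--backend Crypto backend to build with: mbedtls (default) or psa` so the accepted values are visible without reading the `case` block further down.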
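Review bot: The `case "$CRYPTO_BACKEND"` validation rejects bad values but its message `Wrong crypto type definition` names neither the value received nor the accepted set; `echo "Wrong crypto backend: $CRYPTO_BACKEND (expected psa or mbedtls)"` makes the failure self-explanatory and uses the same "backend" wording as the option and the `-DCONFIG_CHIP_CRYPTO` argument it is forwarded to in `build_with_cmake`. Since this is the only place the value is checked before it reaches CMake, a reader would also benefit from a comment stating that, e.g. `# Only values CMake's CONFIG_CHIP_CRYPTO understands; keep in sync with config/openiotsdk/cmake/chip.cmake`.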