nrfconnect · frkv · May 14, 2024 · May 16, 2024 · May 23, 2024 · May 28, 2024
diff --git a/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h b/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h
@@ -51,6 +51,7 @@
 #define MBEDTLS_ENTROPY_C
 #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 #define MBEDTLS_PSA_CRYPTO_CONFIG
+#define MBEDTLS_PSA_CRYPTO_C
 #if defined(MCUBOOT_SIGN_EC256)
 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
 #endif

diff --git a/bl2/src/thin_psa_crypto_core.c b/bl2/src/thin_psa_crypto_core.c
@@ -165,9 +165,7 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
 
     status = psa_driver_wrapper_hash_setup(operation, alg);
 
-    if (status != PSA_SUCCESS) {
-        psa_hash_abort(operation);
-    }
+    assert(status == PSA_SUCCESS);
 
     return status;
 }
@@ -189,9 +187,7 @@ psa_status_t psa_hash_update(psa_hash_operation_t *operation,
 
     status = psa_driver_wrapper_hash_update(operation, input, input_length);
 
-    if (status != PSA_SUCCESS) {
-        psa_hash_abort(operation);
-    }
+    assert(status == PSA_SUCCESS);
 
     return status;
 }
@@ -349,28 +345,6 @@ psa_status_t mbedtls_to_psa_error(int ret)
     }
 }
 
-#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
-int mbedtls_psa_get_random(void *p_rng,
-                           unsigned char *output,
-                           size_t output_size)
-{
-    /* This function takes a pointer to the RNG state because that's what
-     * classic mbedtls functions using an RNG expect. The PSA RNG manages
-     * its own state internally and doesn't let the caller access that state.
-     * So we just ignore the state parameter, and in practice we'll pass
-     * NULL.
-     */
-    (void) p_rng;
-    psa_status_t status = psa_generate_random(output, output_size);
-
-    if (status == PSA_SUCCESS) {
-        return 0;
-    } else {
-        return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
-    }
-}
-#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
-
 psa_status_t psa_generate_random(uint8_t *output,
                                  size_t output_size)
 {
@@ -446,86 +420,6 @@ psa_status_t psa_verify_hash_builtin(
     return PSA_ERROR_NOT_SUPPORTED;
 }
 
-/* Required when Mbed TLS backend converts from PSA to Mbed TLS native */
-mbedtls_ecp_group_id mbedtls_ecc_group_from_psa(psa_ecc_family_t family,
-                                                size_t bits)
-{
-    switch (family) {
-    case PSA_ECC_FAMILY_SECP_R1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_R1_192)
-        case 192:
-            return MBEDTLS_ECP_DP_SECP192R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_224)
-        case 224:
-            return MBEDTLS_ECP_DP_SECP224R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_SECP256R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_384)
-        case 384:
-            return MBEDTLS_ECP_DP_SECP384R1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_R1_521)
-        case 521:
-            return MBEDTLS_ECP_DP_SECP521R1;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_BP256R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
-        case 384:
-            return MBEDTLS_ECP_DP_BP384R1;
-#endif
-#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
-        case 512:
-            return MBEDTLS_ECP_DP_BP512R1;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_MONTGOMERY:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_MONTGOMERY_255)
-        case 255:
-            return MBEDTLS_ECP_DP_CURVE25519;
-#endif
-#if defined(PSA_WANT_ECC_MONTGOMERY_448)
-        case 448:
-            return MBEDTLS_ECP_DP_CURVE448;
-#endif
-        }
-        break;
-
-    case PSA_ECC_FAMILY_SECP_K1:
-        switch (bits) {
-#if defined(PSA_WANT_ECC_SECP_K1_192)
-        case 192:
-            return MBEDTLS_ECP_DP_SECP192K1;
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_224)
-            /* secp224k1 is not and will not be supported in PSA (#3541). */
-#endif
-#if defined(PSA_WANT_ECC_SECP_K1_256)
-        case 256:
-            return MBEDTLS_ECP_DP_SECP256K1;
-#endif
-        }
-        break;
-    }
-
-    return MBEDTLS_ECP_DP_NONE;
-}
-
 /* We don't need the full driver wrapper, we know the key is already a public key */
 psa_status_t psa_driver_wrapper_export_public_key(
     const psa_key_attributes_t *attributes,

diff --git a/cmake/install.cmake b/cmake/install.cmake
@@ -75,33 +75,38 @@ if (TFM_PARTITION_INTERNAL_TRUSTED_STORAGE)
 endif()
 
 if (TFM_PARTITION_CRYPTO)
-    install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
-                        ${INTERFACE_INC_DIR}/psa/build_info.h
-                        ${INTERFACE_INC_DIR}/psa/crypto.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
-                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
-    install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
-    install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
-            DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        if(PSA_CRYPTO_EXTERNAL_CORE)
+                include(${TARGET_PLATFORM_PATH}/../external_core_install.cmake)
+        else()
+                install(FILES       ${INTERFACE_INC_DIR}/psa/README.rst
+                                        ${INTERFACE_INC_DIR}/psa/build_info.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_auto_enabled.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_dependencies.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_key_pair_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_adjust_config_synonyms.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_builtin_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_compat.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_common.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_composites.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_key_derivation.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_driver_contexts_primitives.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_extra.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_legacy.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_platform.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_se_driver.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_sizes.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_struct.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_types.h
+                                        ${INTERFACE_INC_DIR}/psa/crypto_values.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR}/psa)
+                install(FILES       ${INTERFACE_INC_DIR}/tfm_crypto_defs.h
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+                install(DIRECTORY   ${INTERFACE_INC_DIR}/mbedtls
+                        DESTINATION ${INSTALL_INTERFACE_INC_DIR})
+        endif()
 endif()
 
 if (TFM_PARTITION_INITIAL_ATTESTATION)
@@ -284,10 +289,11 @@ else()
         )
 endif()
 
+# PSA_CRYPTO_EXTERNAL_CORE
 target_include_directories(psa_interface
         INTERFACE
         $<INSTALL_INTERFACE:interface/include>
-        )
+)
 
 install(EXPORT tfm-config
         FILE spe_export.cmake

diff --git a/cmake/spe-CMakeLists.cmake b/cmake/spe-CMakeLists.cmake
@@ -34,6 +34,15 @@ target_sources(tfm_api_ns
 )
 
 # Include interface headers exported by TF-M
+if(PSA_CRYPTO_EXTERNAL_CORE)
+    include(${TARGET_PLATFORM_PATH}/../external_core.cmake)
+else()
+    target_include_directories(tfm_api_ns
+        PUBLIC
+            ${INTERFACE_INC_DIR}
+    )
+endif()
+
 target_include_directories(tfm_api_ns
     PUBLIC
         ${INTERFACE_INC_DIR}

diff --git a/cmake/version.cmake b/cmake/version.cmake
@@ -16,7 +16,7 @@ execute_process(COMMAND git describe --tags --always
 # In a repository cloned with --no-tags option TFM_VERSION_FULL will be a hash
 # only hence checking it for a tag format to accept as valid version.
 
-string(FIND ${TFM_VERSION_FULL} "TF-M" TFM_TAG)
+string(FIND ${TFM_VERSION_FULL} "v" TFM_TAG)
 if(TFM_TAG EQUAL -1)
     set(TFM_VERSION_FULL v${TFM_VERSION_MANUAL})
 endif()

diff --git a/config/check_config.cmake b/config/check_config.cmake
@@ -17,6 +17,8 @@ tfm_invalid_config(TFM_MULTI_CORE_TOPOLOGY AND TFM_NS_MANAGE_NSID)
 tfm_invalid_config(TFM_PLAT_SPECIFIC_MULTI_CORE_COMM AND NOT TFM_MULTI_CORE_TOPOLOGY)
 tfm_invalid_config(TFM_ISOLATION_LEVEL EQUAL 3 AND CONFIG_TFM_STACK_WATERMARKS)
 
+tfm_invalid_config(CONFIG_TFM_LOG_SHARE_UART AND NOT SECURE_UART1)
+
 ########################## BL1 #################################################
 
 tfm_invalid_config(TFM_BL1_2_IN_OTP AND TFM_BL1_2_IN_FLASH)

diff --git a/config/config_base.cmake b/config/config_base.cmake
@@ -37,7 +37,7 @@ set(PROJECT_CONFIG_HEADER_FILE          ""          CACHE FILEPATH  "User define
 # External libraries source and version
 set(MBEDCRYPTO_PATH                     "DOWNLOAD"  CACHE PATH      "Path to Mbed Crypto (or DOWNLOAD to fetch automatically")
 set(MBEDCRYPTO_FORCE_PATCH              OFF         CACHE BOOL      "Always apply MBed Crypto patches")
-set(MBEDCRYPTO_VERSION                  "mbedtls-3.6.0" CACHE STRING "The version of Mbed Crypto to use")
+set(MBEDCRYPTO_VERSION                  "mbedtls-3.6.1" CACHE STRING "The version of Mbed Crypto to use")
 set(MBEDCRYPTO_GIT_REMOTE               "https://github.com/Mbed-TLS/mbedtls.git" CACHE STRING "The URL (or path) to retrieve MbedTLS from.")
 
 set(MCUBOOT_PATH                        "DOWNLOAD"  CACHE PATH      "Path to MCUboot (or DOWNLOAD to fetch automatically")
@@ -90,6 +90,9 @@ set(CONFIG_TFM_HALT_ON_CORE_PANIC       OFF         CACHE BOOL       "On fatal e
 
 set(CONFIG_TFM_STACK_WATERMARKS         OFF         CACHE BOOL      "Whether to pre-fill partition stacks with a set value to help determine stack usage")
 
+set(PROJECT_CONFIG_HEADER_FILE          "${CMAKE_SOURCE_DIR}/config/config_base.h" CACHE FILEPATH "User defined header file for TF-M config")
+
+set(CONFIG_TFM_LOG_SHARE_UART           OFF         CACHE BOOL      "Allow TF-M and the non-secure application to share the UART instance. TF-M will use it while it is booting, after which the non-secure application will use it until an eventual fatal error is handled and logged by TF-M. Logging from TF-M will therefore otherwise be suppressed")
 ############################ Platform ##########################################
 
 set(NUM_MAILBOX_QUEUE_SLOT              1           CACHE BOOL      "Number of mailbox queue slots")
@@ -130,6 +133,7 @@ set(BL2_TRAILER_SIZE                    0x000       CACHE STRING    "BL2 Trailer
 set(TFM_PARTITION_PROTECTED_STORAGE     OFF         CACHE BOOL      "Enable Protected Storage partition")
 set(PS_ENCRYPTION                       ON          CACHE BOOL      "Enable encryption for Protected Storage partition")
 set(PS_CRYPTO_AEAD_ALG                  PSA_ALG_GCM CACHE STRING    "The AEAD algorithm to use for authenticated encryption in Protected Storage")
+set(PS_CRYPTO_KDF_ALG                   PSA_ALG_HKDF\(PSA_ALG_SHA_256\) CACHE STRING "KDF Algorithm to use for Protect Storage")
 
 set(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE OFF      CACHE BOOL      "Enable Internal Trusted Storage partition")
 set(ITS_ENCRYPTION                   OFF         CACHE BOOL      "Enable authenticated encryption of ITS files using platform specific APIs")

diff --git a/config/config_base.h b/config/config_base.h
@@ -111,6 +111,16 @@
 #define CRYPTO_SINGLE_PART_FUNCS_DISABLED      0
 #endif
 
+/*
+ * The service assumes that the client interface and internal
+ * interface towards the library that provides the PSA Crypto
+ * core component maintain the same ABI. This is not the default
+ * when using the Mbed TLS reference implementation
+ */
+#ifndef CRYPTO_LIBRARY_ABI_COMPAT
+#define CRYPTO_LIBRARY_ABI_COMPAT (0)
+#endif
+
 /* The stack size of the Crypto Secure Partition */
 #ifndef CRYPTO_STACK_SIZE
 #define CRYPTO_STACK_SIZE                      0x1B00

diff --git a/config/profile/config_profile_large.h b/config/profile/config_profile_large.h
@@ -32,6 +32,16 @@
 
 /* Crypto Partition Configs */
 
+/*
+ * The service assumes that the client interface and internal
+ * interface towards the library that provides the PSA Crypto
+ * core component maintain the same ABI. This is not the default
+ * when using the Mbed TLS reference implementation
+ */
+#ifndef CRYPTO_LIBRARY_ABI_COMPAT
+#define CRYPTO_LIBRARY_ABI_COMPAT (0)
+#endif
+
 /*
  * Heap size for the crypto backend
  * CRYPTO_ENGINE_BUF_SIZE needs to be >8KB for EC signing by attest module.

diff --git a/config/profile/config_profile_medium.h b/config/profile/config_profile_medium.h
@@ -108,6 +108,16 @@
 #define CRYPTO_SINGLE_PART_FUNCS_DISABLED      0
 #endif
 
+/*
+ * The service assumes that the client interface and internal
+ * interface towards the library that provides the PSA Crypto
+ * core component maintain the same ABI. This is not the default
+ * when using the Mbed TLS reference implementation
+ */
+#ifndef CRYPTO_LIBRARY_ABI_COMPAT
+#define CRYPTO_LIBRARY_ABI_COMPAT (0)
+#endif
+
 /* The stack size of the Crypto Secure Partition */
 #ifndef CRYPTO_STACK_SIZE
 #define CRYPTO_STACK_SIZE                      0x1B00

diff --git a/config/profile/config_profile_medium_arotless.h b/config/profile/config_profile_medium_arotless.h
@@ -108,6 +108,16 @@
 #define CRYPTO_SINGLE_PART_FUNCS_DISABLED      0
 #endif
 
+/*
+ * The service assumes that the client interface and internal
+ * interface towards the library that provides the PSA Crypto
+ * core component maintain the same ABI. This is not the default
+ * when using the Mbed TLS reference implementation
+ */
+#ifndef CRYPTO_LIBRARY_ABI_COMPAT
+#define CRYPTO_LIBRARY_ABI_COMPAT (0)
+#endif
+
 /* The stack size of the Crypto Secure Partition */
 #ifndef CRYPTO_STACK_SIZE
 #define CRYPTO_STACK_SIZE                      0x1B00

diff --git a/config/profile/config_profile_small.h b/config/profile/config_profile_small.h
@@ -105,6 +105,16 @@
 #define CRYPTO_SINGLE_PART_FUNCS_DISABLED      1
 #endif
 
+/*
+ * The service assumes that the client interface and internal
+ * interface towards the library that provides the PSA Crypto
+ * core component maintain the same ABI. This is not the default
+ * when using the Mbed TLS reference implementation
+ */
+#ifndef CRYPTO_LIBRARY_ABI_COMPAT
+#define CRYPTO_LIBRARY_ABI_COMPAT (0)
+#endif
+
 /* The stack size of the Crypto Secure Partition */
 #ifndef CRYPTO_STACK_SIZE
 #define CRYPTO_STACK_SIZE                      0x1B00

diff --git a/docs/platform/stm/b_u585i_iot02a/readme.rst b/docs/platform/stm/b_u585i_iot02a/readme.rst
@@ -16,6 +16,9 @@ line arguments. Required arguments are noted below.
 The following instructions build multi-core TF-M with regression test suites
 in Isolation Level 1.
 
+In common STM (``platform\ext\target\stm\common\build_stm``)
+There are scripts that help users to build the TF-M project on all STM platforms
+
 .. code-block:: bash
 
 

diff --git a/docs/platform/stm/nucleo_l552ze_q/readme.rst b/docs/platform/stm/nucleo_l552ze_q/readme.rst
@@ -16,6 +16,9 @@ line arguments. Required arguments are noted below.
 The following instructions build multi-core TF-M with regression test suites
 in Isolation Level 1.
 
+In common STM (``platform\ext\target\stm\common\build_stm``)
+There are scripts that help users to build the TF-M project on all STM platforms
+
 .. code-block:: bash