Fix PSA crypto partition and tests #8935
Conversation
|
Travis failure will be fixed on master soon (we will request rebase once done). See #8945 |
The fix is on master, if you rebase, it should allow travis to run |
|
@orenc17 Please take a look at the astyle test. |
|
@cmonr Fixed astyle |
|
CI started |
TESTS/psa/entropy_inject/main.cpp
Outdated
| @@ -83,31 +84,46 @@ utest::v1::status_t greentea_test_setup(const size_t number_of_cases) | |||
| #ifndef NO_GREENTEA | |||
| GREENTEA_SETUP(60, "default_auto"); | |||
| #endif | |||
|
|
|||
| /* fill seed in some data */ | |||
| for (size_t i = 0; i < MBEDTLS_ENTROPY_MAX_SEED_SIZE + 2; ++i) { | |||
There was a problem hiding this comment.
| for (size_t i = 0; i < MBEDTLS_ENTROPY_MAX_SEED_SIZE + 2; ++i) { | |
| for (size_t i = 0; i < sizeof(seed); ++i) { |
TESTS/psa/entropy_inject/main.cpp
Outdated
| @@ -16,7 +16,7 @@ | |||
| * limitations under the License. | |||
| */ | |||
|
|
|||
| #if ((!defined(TARGET_PSA) || (!defined(COMPONENT_PSA_SRV_IPC)) && !defined(MBEDTLS_ENTROPY_NV_SEED))) | |||
| #if (!defined(TARGET_PSA) || ((!defined(COMPONENT_PSA_SRV_IPC)) && !defined(MBEDTLS_ENTROPY_NV_SEED))) | |||
There was a problem hiding this comment.
please double check this expression - looks suspicious to me
too many parenthesis here
| @@ -1067,7 +1067,7 @@ psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed, | |||
|
|
|||
| handle = psa_connect(PSA_ENTROPY_ID, MINOR_VER); | |||
| if (handle <= 0) { | |||
| return (PSA_ERROR_COMMUNICATION_FAILURE); | |||
| return (PSA_ERROR_NOT_SUPPORTED); | |||
There was a problem hiding this comment.
psa_connect may fail due to resource exhaustion - does it really means that mbedtls_psa_inject_entropy is not supported?
There was a problem hiding this comment.
Fixed, moved the not_supported logic to the call()
| @@ -0,0 +1,1376 @@ | |||
| // ---------------------------------- Includes --------------------------------- | |||
There was a problem hiding this comment.
i cannot review the changes in this file. It was renamed and modified and now appears as a new file.
can we split rename and modify commits so the changes will be reviewable?
|
CC @Patater please review |
Test run: SUCCESSSummary: 4 of 4 test jobs passed |
|
rebased on master and renamed crypto partition from |
| @@ -102,5 +98,13 @@ Specification specification(greentea_test_setup, cases, greentea_test_teardown_h | |||
|
|
|||
| int main() | |||
| { | |||
| uint8_t seed[MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE] = {0}; | |||
| /* inject some a seed for test*/ | |||
There was a problem hiding this comment.
This is only needed if the seed hasn't been injected at the factory yet. Factory tool should do this, not our tests, right?
Our tests should be able to assume the device was manufactured correctly.
There was a problem hiding this comment.
but then the tests won't work. since there is no prior factory injection for tests
There was a problem hiding this comment.
tests are expected to work during OOB - so we must inject entropy in tests.
as a side effects tests executed on a device may destroy/corrupt factory values - but this is true for all the tests. KVStore tests will have same effect.
There was a problem hiding this comment.
The board should have entropy injected before it gets inserted into the box at the factory. Then, OOB should work.
There was a problem hiding this comment.
i tend to think of it as our internal tests. so we need to simulate the injection
There was a problem hiding this comment.
For testing entropy injection itself, yes. For testing everything else, no. Tests should be able to assume a properly manufactured board.
Anyway, nothing to do with this PR. We'll sort this out later.
TESTS/psa/entropy_inject/main.cpp
Outdated
| @@ -16,7 +16,7 @@ | |||
| * limitations under the License. | |||
| */ | |||
|
|
|||
| #if ((!defined(TARGET_PSA) || (!defined(COMPONENT_PSA_SRV_IPC)) && !defined(MBEDTLS_ENTROPY_NV_SEED))) | |||
| #if (!defined(TARGET_PSA) || !defined(COMPONENT_PSA_SRV_IPC)) | |||
There was a problem hiding this comment.
Where do we want the entropy injection tests to run? I'm not sure these defines are right if we want it to run on both "K64F when MBEDTLS_ENTROPY_NV_SEED is configured" and on a "PSoC 6's NSPE when the PSoC 6's SPE has MBEDTLS_ENTROPY_NV_SEED configured".
There was a problem hiding this comment.
@Patater ideally the test should run on dual-MCU(PSoC6) or v8-m systems
this is being taken care of by COMPONENT_PSA_SRV_IPC define which the K64F will never have
There was a problem hiding this comment.
We probably want this test to keep working on K64F or other single v7-M targets.
There was a problem hiding this comment.
indeed inject needs to run also on k64f
| @@ -46,14 +46,14 @@ spm_partition_t g_partitions[3] = { | |||
| .irq_mapper = NULL, | |||
| }, | |||
| { | |||
| .partition_id = PSA_F_ID, | |||
| .partition_id = CRYPTO_SRV_ID, | |||
There was a problem hiding this comment.
Do we want to change PSA_F_ID to CRYPTO_ID everywhere, even in non-crypto tests? Maybe the storage tests should use a storage partition and not a crypto partition?
Do the storage tests need Mbed Crypto? Do they need a Crypto partition?
There was a problem hiding this comment.
this is an auto-generated file which represents all the partitons defined in the system
specific for this test crypto and storage are the base partitions while its_reset is the additional user partition
and again this file will be compiled only for the secure side on dual-MCU(PSoC6) or v8-m systems only
There was a problem hiding this comment.
OK, so Crypto partition should always be available from the SPE.
| @@ -41,6 +41,7 @@ | |||
| using namespace utest::v1; | |||
|
|
|||
| uint8_t seed[MBEDTLS_ENTROPY_MAX_SEED_SIZE + 2] = {0}; | |||
| bool skip_tests = false; | |||
TESTS/psa/crypto_init/main.cpp
Outdated
| @@ -16,7 +16,7 @@ | |||
| * limitations under the License. | |||
| */ | |||
|
|
|||
| #if ((!defined(TARGET_PSA)) || (!defined(MBEDTLS_PSA_CRYPTO_C)) || (!defined(MBEDTLS_PSA_CRYPTO_SPM ))) | |||
| #if ((!defined(TARGET_PSA)) || (!defined(COMPONENT_PSA_SRV_IPC)) || (!defined(MBEDTLS_PSA_CRYPTO_C))) | |||
There was a problem hiding this comment.
These ifdefs prevent K64F from running these tests, don't they?
There was a problem hiding this comment.
repetitive crypto init call will have a different return code on multi core comparing to a single core.
this test as it is written now can only pass on multi core - thus the ifdefs are correct.
you are welcome to update the test and enable it for single core targets in a separate PR.
This PR is a blocker for #8745 thus i suggest to avoid unnecessary last minute enchantments :) .
There was a problem hiding this comment.
Alright. I had assumed when we added the tests for K64F that they were passing there. Seems the tests are in worse condition that expected, or the tests used to work and after this PR they break on K64F. So long as this PR isn't the cause of the tests not working on K64F, I'm fine with disabling the tests on K64F like this.
There was a problem hiding this comment.
OK, looked into the old code more. This didn't work on K64F before. So, no regression.
|
|
||
| #if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) ) | ||
| psa_get(PSA_ENTROPY_INJECT, &msg); |
* Styling * Correct error codes on failing connection * Add panics where needed * correct skip defines * Fix psa_spm_init_refence_counter bug
|
i saw travis failures - rebased on master |
adbridge
added
release-version: 5.11.0-rc3
and removed
release-version: 5.11.0-rc2
labels
I can see the branch was forced push. Did this address failures ? Is this ready for CI now? |
|
CI started |
Test run: FAILEDSummary: 3 of 7 test jobs failed Failed test jobs:
|
|
Will restart CI when able. There appears to be a parse error with the CI scripts. |
|
CI restarted |
|
@orenc17 Will so as soon as Travis CI has completed its checks. |
|
CI started |
Test run: SUCCESSSummary: 11 of 11 test jobs passed |
Test run: SUCCESSSummary: 11 of 11 test jobs passed |
| @@ -47,7 +47,7 @@ void inject_entropy() | |||
| } | |||
| mbedtls_psa_inject_entropy(seed, MBEDTLS_PSA_INJECT_ENTROPY_MIN_SIZE); | |||
| } | |||
| #endif | |||
| #endif // defined(MBEDTLS_ENTROPY_NV_SEED) || defined(COMPONENT_PSA_SRV_IPC) | |||
There was a problem hiding this comment.
+1 for commenting on closing #endif statements.
| case PSA_IPC_CALL: { | ||
| #if (defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO)) |
There was a problem hiding this comment.
Two )?
(In the end of the line)
There was a problem hiding this comment.
@cmonr i hope the following graphic helps
#if (defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO))
| | | | ||
| ------------------------- ------------------------|
| |
---------------------------------------------------------------------
There was a problem hiding this comment.
That it does. My bad.
( 👍 Nice graphic! )
cmonr
changed the title
Description
Required by #8745
Pull request type