search

Mbed-TLS / mbedtls

An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API. Releases are on a varying cadence, typically around 3 - 6 months between releases.
https://www.trustedfirmware.org/projects/mbed-tls/
Other
5.22k stars 2.55k forks source link

Disabling MBEDTLS_FS_IO for FreeRTOS application on coretex-m7 results in missing headers #7403

Open JLReitz opened 1 year ago

JLReitz commented 1 year ago

Summary

I started setting my MbedTLS configurations according to the paragraph mentioning bare-metal at the bottom of the overview section in the porting guide. After commenting out MBEDTLS_FS_IO from my mbedtls_config.h, I got the following build error from include/mbedtls/check_config.h.

#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
    !defined(MBEDTLS_FS_IO)
#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
#endif

If I also comment out MBEDTLS_PSA_ITS_FILE_C, I receive an error that psa/error.h can not be found. The offending include directive is from psa_crypto_storage.c, copied below:

#if defined(MBEDTLS_PSA_ITS_FILE_C)
#include "psa_crypto_its.h"
#else /* Native ITS implementation */
#include "psa/error.h"
#include "psa/internal_trusted_storage.h"
#endif

There are no files named error.h or internal_trusted_storage.h under the include/psa directory.

System information

Mbed TLS version (number or commit id): 3.4.0 (1873d3bfc) Operating system and version: FreeRTOS 10.4.4 Configuration (if not default, please attach mbedtls_config.h): attached Compiler and options (if you used a pre-built binary, please indicate how you obtained it): gcc-arm-none-eabi 10-2020-q4-major -x assembler-with-cpp -mthumb -mno-thumb-interwork -mfloat-abi=hard -fno-rtti -fno-exceptions -specs=nosys.specs -specs=nano.specs -nostartfiles -lc -lm -lgcc -fdata-sections -ffunction-sections Additional environment information:

Expected behavior

Per the porting guide, it should be possible to disable MBEDTLS_FS_IO without further implications to the other submodules and overall build.

Actual behavior

Disabling MBEDTLS_FS_IO breaks the build.

Steps to reproduce

Apply provided mbedtls_config.h to build while using gcc-arm-none-eabi and the included options.

Additional information

mbedtls_config.h.zip

daverodgman commented 1 year ago

I think this is happening because you're requiring ITS (via MBEDTLS_PSA_CRYPTO_STORAGE_C), but disabling our implementation of ITS and not providing an alternative implementation. Disabling MBEDTLS_PSA_CRYPTO_STORAGE_C resolves this, assuming you don't need this feature.

I'm not sure this is a bug, although arguably the documentation for the options could be improved. @gilles-peskine-arm WDYT?

gilles-peskine-arm commented 1 year ago

Indeed this is working as intended. Persistent keys (MBEDTLS_PSA_CRYPTO_STORAGE_C) require a storage implementation which can either be a standard PSA storage implementation or the implementation that we provide over stdio (MBEDTLS_PSA_ITS_FILE_C). This is documented in mbedtls_config.h.

We should document this in the porting guide, which hasn't been updated since before PSA.

There's no entry in check_config.h because if MBEDTLS_PSA_CRYPTO_STORAGE_C is enabled but MBEDTLS_PSA_ITS_FILE_C is disabled, it might still be ok if "psa/internal_trusted_storage.h" is available, and we can't portably check that with a preprocessor directive. The only improvement I can think of is that we could use __has_include on supported compilers.