update to 3.6.1 #60
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In particular, fix an off-by-one error right after I explain how the number is off by one from what you'd expect. State explicitly that the number can be negative. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…rflow-3.6 Backport 3.6: Fix stack buffer overflow in ECDSA signature format conversions
Explain that the hybrid key store is the historical implementation and neither alternative is a drop-in replacement. Discuss how we could potentially reduce the number of variants after the next major release. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…ument-3.6 Backport 3.6: Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC
This file is used for detecting which project a script is being run from. Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
[Backport 3.6] Adapt config.py to configuration file split
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
…op_info-3.6 [Backport 3.6] tests/ssl_helpers: Check that message queue is popped
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
…doc-3.6 Backport 3.6: Document the key store design
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Benjamin Baratte <benjamin.baratte@st.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This patch amends the order of initialisations performed in psa_crypto_init() to make sure that the driver wrappers based on the PSA driver API are initialised just after the key slots in memory, both of them at the beginning of the initialisation sequence. Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Manually hardcode PSA driver entry points for the CC3XX driver into psa crypto driver wrappers file (and provide missing entry point definitions if any). This is a temporary solution until the codegen framework is available for automatic integration. Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0005-Hardcode-CC3XX-entry-points.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
CC312 driver wants to use hash in md for entropy operations. Enable psa_can_do_hash by directly returning 1. This is a workaround for current cc312 driver. After switching to new driver, this workaround is not needed. Signed-off-by: Summer Qin <summer.qin@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0006-Enable-psa_can_do_hash.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This reverts commit f9bbe0d. See the following revert commit for an explanation. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This reverts commit 469f781. Remove the dependency on the framework directory. It was introduced in MbedTLS 3.6.0 and for now doesn't do much more than make CMake fail if `git submodule update --init` is not run. This needs to be revisited once bigger changes are made (with Mbed TLS 4.0) and the whole repository structure changes. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Gate relevant files for the thin PSA crypto core on MCUBOOT_USE_PSA_CRYPTO during BL2 build instead of MBEDTLS_PSA_CRYPTO_C which is not defined in such case. A full solution might require a change in config strategy of Mbed TLS with the definition Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0007-Enable-sources-when-MCUBOOT_USE_PSA_CRYPTO-and-not-M.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
MCUboot has its own version of the PSA Crypto core, named "thin_psa_crypto_core.c" which is included in MCUboot's build process when the MCUBOOT_USE_PSA_CRYPTO build symbol is set. MCUBOOT_USE_PSA_CRYPTO mimics what MBEDTLS_PSA_CRYPTO_C does for the official Mbed TLS, so we need to replicate this symbol in "config_psa.h" in order to get the proper PSA builtin support. Signed-off-by: Valerio Setti <vsetti@baylibre.com> Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
2b11622 to b9b26b7
Do the commits like

Yeah, or rather this is the procedure we use. First revert the previously applied patches to be completely aligned with upstream, merge the new version to pull in, then re-apply whatever needed patches. No trying to pull in upstream commits on top of patches. Otherwise, there would be risks of (unending) merge conflicts, plus we get the benefit that the applied patches don't get lost in the history.
I checked that:
- up to bd3a26f the only difference with official Mbed TLS `v3.6.1` tag is in the `framework` folder. This is a submodule now and it's only used for Mbed TLS testing (which is something we don't do in Zephyr), so it's OK to skip it. Patches 5b86c71 and 95583ee are for this indeed.
- all other TF-M/Zephyr patches are reverted before and re-applied after the merge of the `v3.6.1` branch of Mbed TLS.

In short IMO this is a correct update to the new 3.6.1 LTS release.

Git always shows the commits in the order they have been created, so I guess that you are probably talking about commits that come from a merge operation. Those may be displayed differently.
A small nit, but overall looks good
Just re-applied the TF-M patches and added a small MCUboot fix from #58.
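
The two checks described in the review above (the tree at the merge point equals the upstream tag outside `framework`, and what remains afterwards is only the re-applied patches), as an added example that is not part of this PR or of the project. It runs on a constructed toy repository; the refs `up-old`, `up-new`, `patch`, `aligned` and all function names are hypothetical.

```shell
#!/bin/sh
# Added example on a constructed toy repository; every name here is hypothetical.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a repo that follows the thread's procedure: downstream patch, revert,
# merge of the new upstream release, then re-application of the patch.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        set -e
        cd "$repo"
        g init -q .
        g symbolic-ref HEAD refs/heads/fork
        mkdir framework
        echo "lib 3.6.0" > lib.c
        echo "wrappers" > wrappers.c
        echo "tests" > framework/t.sh
        g add -A && g commit -q -m "upstream old release" && g tag up-old
        g checkout -q -b upstream
        echo "lib 3.6.1" > lib.c
        echo "tests v2" > framework/t.sh
        g commit -q -am "upstream new release" && g tag up-new
        g checkout -q fork
        echo "vendor key id" >> wrappers.c
        g commit -q -am "downstream patch" && g tag patch
        g revert --no-edit patch            # back to a pristine upstream tree
        g merge --no-edit up-new            # pull in the new release
        g rm -rq framework && g commit -q -m "drop framework directory"
        g tag aligned                       # point the reviewer compares
        g cherry-pick patch                 # re-apply the downstream patch
    ) >/dev/null 2>&1 || return 1
    echo "$repo"
}

# Exit 0 when <vendored> equals <upstream> everywhere except under <exclude>.
tree_matches_upstream() {
    git -C "$1" diff --quiet "$2" "$3" -- . ":(exclude)$4"
}

# List the paths that differ between two refs (the downstream delta).
downstream_delta() {
    git -C "$1" diff --name-only "$2" "$3"
}
```

On a real vendored tree the same two functions take the upstream release tag, the commit just before the patches are re-applied, and the branch head.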