Mechanism to error out on removed configuration options

[gilles-peskine-arm]

Set up a mechanism for erroring out if users try to use removed options in their configuration file. Resolves Mbed-TLS/mbedtls#10147. Specification in #184.

In this PR:

• config_checks_generator.py: classes for options of a subproject.
• Support static assert in config checks, not just preprocessor errors.
• Scripts to save and load historical lists of config macros and derived macros. save 3.6, near-1.0 and near-4.0.

Status: ready for review. If the consuming brnaches require extra work in the framework, I'll do that in new commits.

PR checklist

• TF-PSA-Crypto PR Mechanism to error out on removed configuration options TF-PSA-Crypto#269
• development PR TODO
• 3.6 PR not required because: new code for use in 1.0/4.0 only

[mpg]

Looks pretty good to me, the only blockers are the two issues with option handling in the shell script.

I have generated the files locally using the instructions in the commit messages and verified with sha256sum that I'm getting identical outputs.

[mpg]

In general, I don't think "before" without saying before what is a great name. Suggesting before_user here.

[gilles-peskine-arm]

This used to be before/after [the user config] and changed to before/user/final. I agree that the names aren't ideal, but I don't think before_user/user/final is better. It should be before_user/after_user/final. Or it could be just before_user/after_user, since final is currently unused. But then we could go back to before/after since there's only one thing to be before/after and it's a pretty natural one (we're doing config checks, so before/after refers to reading the config.)

I'm not very happy about the “user” part, whether on its own or in after_user, because of the ambiguity between “the whole configuration provided by the user” and “MBEDTLS_USER_CONFIG_FILE (or crypto equivalent) specifically”. Any ideas for a better name?

Note that we'd better commit to names now, because once Mbed-TLS/TF-PSA-Crypto#269 is merged, changing the names will require back-and-forth between the framework and the consuming branches,

[gilles-peskine-arm]

I've handled (or replied to) all your comments except this name change. A name change will require coordinated action over the three PR so I'd rather get a consensus first.

[mpg]

I don't think before_user/user/final is better. It should be before_user/after_user/final.

Yes, that's how I meant it, but didn't express it clearly.

I'm not very happy about the “user” part, whether on its own or in after_user, because of the ambiguity between “the whole configuration provided by the user” and “MBEDTLS_USER_CONFIG_FILE (or crypto equivalent) specifically”.

Good point. I'm not sure what would be a better name. Perhaps "input"? Or "editable" (sounds a bit weird, but perhaps less ambiguous)? Or config_file? Ah, perhaps editable_config_files - a bit long, but probably clearer: the plural suggests it includes the main config.h and MBEDTLS_USER_CONFIG_FILE if it exists.

For "final", I'm wondering about "after_adjust"? But I'm happy with "final" too.

A name change will require coordinated action over the three PR so I'd rather get a consensus first.

Sure. Also, if we can't converge on better names quickly, I wouldn't block this series of PRs over this. Since this is internal and unlikely to be edited every other day, we can probably just compensate sub-optimal naming with comments.

[minosgalanakis]

Given that the main users of this script would be us, I think we can get away with it with a comment, just giving some nomeclature on the names, rather than effectively changing the code.

If as we polish it we come up with better ones, we can do it later.

[gilles-peskine-arm]

Since we're pressed for time and we don't have a consensus on better names, I'm going ahead and merging with the current names.

[gilles-peskine-arm]

The final file, introduced in a previous pull request, is currently unused. It was strongly needed in an earlier incarnation (back when the config checks were public headers, included every time build_info.h was included, we needed to clean up macros defined by the previous files). Now there's no immediate need for it, but it might become useful in the future. For example, I think it would be needed if we wanted to reject user config files that try to #undef something (which is not a feature, currently, because I'm guessing that nobody does that).

At this point, removing it is more work than leaving it in, which is why I've kept it in.

[mpg]

LGTM, thanks!

I don't consider the remaining naming issue to be a blocker: I'm happy to improve naming if we quickly find a scheme we can all agree on, otherwise getting this merged in time for the release seems more important than getting internal names right.

[minosgalanakis]

Looks good, just one note on portability of the newly introduced code.

[minosgalanakis]

Given that we just introduced config_checks_generator.py it would make sense to do this whole functionality in python, and not rely on external tools like sed and temporary files?

This is even more important if we consider that sed is not using the same syntax across GNU and BSD/MacOS

It would only need to pull regex, subprocess and argparse

The equivalent would be.
parsing_rex = re.compile(r'^[\s/*]*#\s*define\s+([A-Za-z_]\w*)\b', re.MULTILINE)

I wont be blocking the PR for this

[gilles-peskine-arm]

I agree that for maintainability this script should be probably in Python. But I had started to write it in sh, and we needed the result urgently, so I polished and commited the sh code that I had rather than rewrite the thing in Python.

This script won't run on the CI and we'll probably only ever run it manually a couple of times each time we make a new major version. I almost left it in a commit message, but the adjust part was getting a bit too complicated for that.

AFAICT I haven't used any non-POSIX sed feature.