From 29f178746a579ddfb2d9de5089d907f6e6a83f0b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:14:17 +0000 Subject: [PATCH 01/15] components-configuration-crypto: Migrated simple ASAN components. Migrate all straightfoward components from using $ASAN_CFLAGS to CMAKE_BUILD_TYPE:String=Asan Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 44 ++++++++++++------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index a03dce152c8..83cd521e655 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -47,7 +47,9 @@ component_test_crypto_with_static_key_slots() { scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" test + cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + make test } # check_renamed_symbols HEADER LIB @@ -234,10 +236,11 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - $MAKE_COMMAND test + make test msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|opaque' @@ -250,10 +253,11 @@ component_test_psa_external_rng_use_psa_crypto () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" - $MAKE_COMMAND test + make test msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' @@ -266,14 +270,15 @@ component_full_no_pkparse_pkwrite () { scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). not grep mbedtls_pk_parse_key ${BUILTIN_SRC_PATH}/pkparse.o not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o msg "test: full without pkparse and pkwrite" - $MAKE_COMMAND test + make test } component_test_crypto_full_md_light_only () { @@ -436,10 +441,11 @@ component_test_everest_curve25519_only () { scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: Everest ECDH context, only Curve25519" # ~ 50s - $MAKE_COMMAND test + make test } component_test_psa_collect_statuses () { @@ -535,10 +541,11 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 - $MAKE_COMMAND CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: full config - only DH 2048" - $MAKE_COMMAND test + make test msg "ssl-opt: full config - only DH 2048" tests/ssl-opt.sh -f "ffdh" @@ -1333,10 +1340,11 @@ build_and_test_psa_want_key_pair_partial () { # crypto_config.h so we just disable the one we don't want. scripts/config.py unset "$disabled_psa_want" - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: $base_config - ${disabled_psa_want}" - $MAKE_COMMAND test + make test } component_test_psa_ecc_key_pair_no_derive () { @@ -1861,10 +1869,11 @@ component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: full minus CHACHAPOLY" - $MAKE_COMMAND test + make test } component_test_aead_only_ccm () { @@ -1872,10 +1881,11 @@ component_test_aead_only_ccm () { scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py unset PSA_WANT_ALG_GCM - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . msg "test: full minus CHACHAPOLY and GCM" - $MAKE_COMMAND test + make test } component_test_ccm_aes_sha256 () { From cb6e5dffe4cdd84ab705113e7d2d2744396e0d9a Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:18:17 +0000 Subject: [PATCH 02/15] components-configuration-crypto: Migrated test_full_static_keystore to cmake Optimization for size (-Os) is required. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 83cd521e655..cc79135e153 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2345,10 +2345,10 @@ component_test_full_static_keystore () { msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC - $MAKE_COMMAND CC=clang CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" - + CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" - $MAKE_COMMAND test + make test } component_test_psa_crypto_drivers () { From 3cbd7599e2be303c8c4eb0fd2bdcc94270854f4d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:25:16 +0000 Subject: [PATCH 03/15] components-configuration-crypto: Migrated test_tfm_config_p256m_driver_accel_ec to cmake Compilation flags, and spe include directories have been adjusted Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index cc79135e153..3c735dee3f6 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1273,7 +1273,8 @@ component_test_tfm_config_p256m_driver_accel_ec () { common_tfm_config # Build crypto library - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../framework/tests/include/spe" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake --build . # Make sure any built-in EC alg was not re-enabled by accident (additive config) not grep mbedtls_ecdsa_ ${BUILTIN_SRC_PATH}/ecdsa.o @@ -1292,7 +1293,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - $MAKE_COMMAND test + make test } # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as From b447cb2a8d6ee7578bcbb4181b09ce9001201545 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:33:31 +0000 Subject: [PATCH 04/15] components-configuration-crypto: Migrated straightforwad Release components to cmake - By default all unspecified build-type components should be release - CMAKE_BUILD_TYPE:String=Release enables the following CFLAGS: "-O2 -Werror -Wall -Wextra" Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 106 +++++++++++------- 1 file changed, 63 insertions(+), 43 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 3c735dee3f6..def9e8f641e 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -139,10 +139,11 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - $MAKE_COMMAND test + make test } component_test_no_pem_no_fs () { @@ -331,13 +332,13 @@ component_test_full_no_cipher () { # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_NIST_KW_C - $MAKE_COMMAND - + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Ensure that CIPHER_C was not re-enabled not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o msg "test: full no CIPHER" - $MAKE_COMMAND test + make test } component_test_full_no_ccm () { @@ -356,10 +357,11 @@ component_test_full_no_ccm () { # PSA_WANT_ALG_CCM to be re-enabled. scripts/config.py unset PSA_WANT_ALG_CCM - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full no PSA_WANT_ALG_CCM" - $MAKE_COMMAND test + make test } component_test_full_no_ccm_star_no_tag () { @@ -387,13 +389,14 @@ component_test_full_no_ccm_star_no_tag () { scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - $MAKE_COMMAND test + make test } component_test_config_symmetric_only () { @@ -950,10 +953,11 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () { config_psa_crypto_config_ecp_light_only 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test suites: full with non-accelerated EC algs" - $MAKE_COMMAND test + make test msg "ssl-opt: full with non-accelerated EC algs" tests/ssl-opt.sh @@ -1048,10 +1052,11 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { config_psa_crypto_no_ecp_at_all 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full + non accelerated EC algs" - $MAKE_COMMAND test + make test msg "ssl-opt: full + non accelerated EC algs" tests/ssl-opt.sh @@ -1214,10 +1219,11 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target" - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test suites: full + non accelerated EC algs + USE_PSA" - $MAKE_COMMAND test + make test msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" tests/ssl-opt.sh @@ -1419,12 +1425,13 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # Build # ----- - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Run the tests # ------------- msg "test: crypto_full with non-accelerated RSA" - $MAKE_COMMAND test + make test } # This is a temporary test to verify that full RSA support is present even when @@ -1454,10 +1461,11 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - $MAKE_COMMAND test + make test # Parse only 1 relevant line from the outcome file, i.e. a test which is # performing RSA signature. @@ -1573,10 +1581,11 @@ component_test_psa_crypto_config_reference_hash_use_psa () { config_psa_crypto_hash_use_psa 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full without accelerated hashes" - $MAKE_COMMAND test + make test msg "test: ssl-opt.sh, full without accelerated hashes" tests/ssl-opt.sh @@ -1642,10 +1651,11 @@ component_test_psa_crypto_config_reference_hmac () { config_psa_crypto_hmac_use_psa 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full without accelerated hmac" - $MAKE_COMMAND test + make test } component_test_psa_crypto_config_accel_aead () { @@ -1746,10 +1756,11 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { msg "build: full config with non-accelerated cipher inc. AEAD and CMAC" common_psa_crypto_config_accel_cipher_aead_cmac - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" - $MAKE_COMMAND test + make test msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. @@ -1860,10 +1871,11 @@ component_test_full_block_cipher_legacy_dispatch () { common_block_cipher_dispatch 0 - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: full + legacy dispatch in block_cipher" - $MAKE_COMMAND test + make test } component_test_aead_chachapoly_disabled () { @@ -1896,9 +1908,10 @@ component_test_ccm_aes_sha256 () { echo '#define MBEDTLS_CONFIG_H ' >"$CONFIG_H" cp tf-psa-crypto/configs/crypto-config-ccm-aes-sha256.h "$CRYPTO_CONFIG_H" - $MAKE_COMMAND + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: CCM + AES + SHA256 configuration" - $MAKE_COMMAND test + make test } # Test that the given .o file builds with all (valid) combinations of the given options. @@ -2086,10 +2099,11 @@ component_test_aes_only_128_bit_keys () { scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" - $MAKE_COMMAND test + make test } component_test_no_ctr_drbg_aes_only_128_bit_keys () { @@ -2098,10 +2112,11 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () { scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 scripts/config.py unset MBEDTLS_CTR_DRBG_C - $MAKE_COMMAND CC=clang CFLAGS='-Werror -Wall -Wextra' + CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - $MAKE_COMMAND test + make test } component_test_aes_only_128_bit_keys_have_builtins () { @@ -2111,10 +2126,11 @@ component_test_aes_only_128_bit_keys_have_builtins () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - $MAKE_COMMAND test + make test msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" programs/test/selftest @@ -2126,38 +2142,42 @@ component_test_gcm_largetable () { scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" - $MAKE_COMMAND test + make test } component_test_aes_fewer_tables () { msg "build: default config with AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_FEWER_TABLES" - $MAKE_COMMAND test + make test } component_test_aes_rom_tables () { msg "build: default config with AES_ROM_TABLES enabled" scripts/config.py set MBEDTLS_AES_ROM_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_ROM_TABLES" - $MAKE_COMMAND test + make test } component_test_aes_fewer_tables_and_rom_tables () { msg "build: default config with AES_ROM_TABLES and AES_FEWER_TABLES enabled" scripts/config.py set MBEDTLS_AES_FEWER_TABLES scripts/config.py set MBEDTLS_AES_ROM_TABLES - $MAKE_COMMAND CFLAGS='-O2 -Werror -Wall -Wextra' + cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" - $MAKE_COMMAND test + make test } # helper for component_test_block_cipher_no_decrypt_aesni() which: From e25b3150b4c0b9426c80c825304f2d7338828781 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:42:17 +0000 Subject: [PATCH 05/15] components-configuration-crypto: Migrated include dir dependant Release components to cmake Moved the following components to CMAKE_BUILD_TYPE:String=Release and adjusted the include paths for cmake: * component_build_psa_crypto_spm * component_test_tfm_config_no_p256m Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index def9e8f641e..09b25456dc1 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -69,8 +69,9 @@ component_build_psa_crypto_spm () { # We can only compile, not link, since our test and sample programs # aren't equipped for the modified names used when MBEDTLS_PSA_CRYPTO_SPM # is active. - $MAKE_COMMAND CC=gcc CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' lib + CFLAGS="-I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . --target lib # Check that if a symbol is renamed by crypto_spe.h, the non-renamed # version is not present. echo "Checking for renamed symbols in the library" @@ -1313,8 +1314,8 @@ component_test_tfm_config_no_p256m () { scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_PSA_P256M_DRIVER_ENABLED msg "build: TF-M config without p256m" - $MAKE_COMMAND CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests - + CFLAGS="-I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . # Check that p256m was not built not grep p256_ecdsa_ library/libmbedcrypto.a @@ -1323,7 +1324,7 @@ component_test_tfm_config_no_p256m () { not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o msg "test: TF-M config without p256m" - $MAKE_COMMAND test + make test } # This is an helper used by: From 6760d1a6e22a23005ff8d2b2647e80d756f8ca4b Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:46:54 +0000 Subject: [PATCH 06/15] component-configuration-crypto: Migrated component_test_crypto_full_md_light_only to cmake Use compilation directory for object discovery in out-of-source CMake builds. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 09b25456dc1..cf064381961 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -298,16 +298,23 @@ component_test_crypto_full_md_light_only () { # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C + # Note: Creating a directory, ensures cmake will not use a random name to + # place the compilation object files. + mkdir mdtest && cd mdtest + MD_OBJECT_PATH="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" + # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - $MAKE_COMMAND CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan ../ + cmake --build . # Make sure we don't have the HMAC functions, but the hashing functions - not grep mbedtls_md_hmac ${BUILTIN_SRC_PATH}/md.o - grep mbedtls_md ${BUILTIN_SRC_PATH}/md.o + not grep mbedtls_md_hmac ${MD_OBJECT_PATH}/md.c.o + grep mbedtls_md ${MD_OBJECT_PATH}/md.c.o msg "test: crypto_full with only the light subset of MD" - $MAKE_COMMAND test + make test + cd .. && rm -r mdtest } component_test_full_no_cipher () { From 578f222bf48110e834ecb4f33545f4be96265553 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 11:56:31 +0000 Subject: [PATCH 07/15] components-configuration-crypto: Migrated components to cmakes' CMAKE_BUILD_TYPE:String=None Improve compilation flag granularity by disabling CMAKE_BUILD_TYPE defaults and asserting test-specific flags manually. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index cf064381961..9b855fadf6f 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -500,14 +500,18 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - $MAKE_COMMAND CFLAGS='-O1 -Werror' all test + CFLAGS="-O1" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . + make test are_empty_libraries library/libmbedx509.* library/libmbedtls.* } component_build_crypto_baremetal () { msg "build: make, crypto only, baremetal config" scripts/config.py crypto_baremetal - $MAKE_COMMAND CFLAGS="-O1 -Werror -I$PWD/framework/tests/include/baremetal-override/" + CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . + make test are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -2223,8 +2227,10 @@ helper_block_cipher_no_decrypt_build_test () { [ -n "$unset_opts" ] && echo "Disabling: $unset_opts" && scripts/config.py unset-all $unset_opts msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - $MAKE_COMMAND clean - $MAKE_COMMAND CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" + + make -f ./scripts/legacy.make clean + CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA not grep mbedtls_aes_setkey_dec ${BUILTIN_SRC_PATH}/aes.o @@ -2236,7 +2242,7 @@ helper_block_cipher_no_decrypt_build_test () { not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - $MAKE_COMMAND test + make test msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest From ad05060b4415abd634a2a77453310dd24764783d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 14:53:37 +0000 Subject: [PATCH 08/15] components-configuration-crypto: Migrated test_sha3_variations to cmake Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 9b855fadf6f..a8023b93772 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2057,6 +2057,8 @@ END #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 + #define PSA_WANT_ALG_GCM 1 + #define PSA_WANT_ALG_HKDF 1 #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY @@ -2064,13 +2066,14 @@ END END msg "all loops unrolled" - $MAKE_COMMAND clean - make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" + CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=1 -DMBEDTLS_SHA3_PI_UNROLL=1 -DMBEDTLS_SHA3_CHI_UNROLL=1 -DMBEDTLS_SHA3_RHO_UNROLL=1" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . ./tf-psa-crypto/tests/test_suite_shax msg "all loops rolled up" - $MAKE_COMMAND clean - make -C tests ../tf-psa-crypto/tests/test_suite_shax CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" + cmake --build . --target clean + CFLAGS="-DMBEDTLS_SHA3_THETA_UNROLL=0 -DMBEDTLS_SHA3_PI_UNROLL=0 -DMBEDTLS_SHA3_CHI_UNROLL=0 -DMBEDTLS_SHA3_RHO_UNROLL=0" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . ./tf-psa-crypto/tests/test_suite_shax } From 8256f2170e8967c4eee0212dff2e7020339e2ae0 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 1 Dec 2025 12:14:59 +0000 Subject: [PATCH 09/15] component-configuration-crypto: Migrated build_psa_alt_headers The original make -C tests, contains a perl inliner to generate the alt-headers. Replicated that logic in sed regex. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index a8023b93772..ac2a1713ce5 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2434,15 +2434,21 @@ component_build_psa_config_file () { component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s + PSA_ALT_HDRS="$PWD/framework/tests/include/alt-extra" # Generate alternative versions of the substitutable headers with the # same content except different include guards. - make -C tests ../framework/tests/include/alt-extra/psa/crypto_platform_alt.h ../framework/tests/include/alt-extra/psa/crypto_struct_alt.h + sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ + tf-psa-crypto/include/psa/crypto_platform.h \ + > $PSA_ALT_HDRS/psa/crypto_platform_alt.h + + sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ + tf-psa-crypto/include/psa/crypto_struct.h \ + > $PSA_ALT_HDRS/psa/crypto_struct_alt.h # Build the library and some programs. - # Don't build the fuzzers to avoid having to go through hoops to set - # a correct include path for programs/fuzz/Makefile. - $MAKE_COMMAND CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" lib - make -C programs -o fuzz CFLAGS="-I ../framework/tests/include/alt-extra -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" + CFLAGS="-I$PSA_ALT_HDRS -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" cmake -D CMAKE_BUILD_TYPE:String=Release . + cmake --build . --target lib + cmake --build . --target programs # Check that we're getting the alternative include guards and not the # original include guards. From 711af3dffa1f431260a24f3158152e04cd3e670d Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Tue, 2 Dec 2025 11:42:40 +0000 Subject: [PATCH 10/15] component-configuration-crypto: Added consistent cmake commands. Update the previously modified component to use consistent syntax: * make -> cmake --build . * make test -> ctest * Removed redudant CC=$ASAN_CC for BUILD_TYPE:String=Asan Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 98 +++++++++---------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index ac2a1713ce5..8b7e9b4ba2a 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -48,8 +48,8 @@ component_test_crypto_with_static_key_slots() { msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - make test + cmake --build . + ctest } # check_renamed_symbols HEADER LIB @@ -144,7 +144,7 @@ component_test_no_rsa_key_pair_generation () { cmake --build . msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - make test + ctest } component_test_no_pem_no_fs () { @@ -238,11 +238,11 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" - make test + ctest msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - ssl-opt.sh (subset)" tests/ssl-opt.sh -f 'Default\|opaque' @@ -255,11 +255,11 @@ component_test_psa_external_rng_use_psa_crypto () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" - make test + ctest msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' @@ -272,7 +272,7 @@ component_full_no_pkparse_pkwrite () { scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). @@ -280,7 +280,7 @@ component_full_no_pkparse_pkwrite () { not grep mbedtls_pk_write_key_der ${BUILTIN_SRC_PATH}/pkwrite.o msg "test: full without pkparse and pkwrite" - make test + ctest } component_test_crypto_full_md_light_only () { @@ -305,7 +305,7 @@ component_test_crypto_full_md_light_only () { # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan ../ + cmake -D CMAKE_BUILD_TYPE:String=Asan ../ cmake --build . # Make sure we don't have the HMAC functions, but the hashing functions @@ -313,7 +313,7 @@ component_test_crypto_full_md_light_only () { grep mbedtls_md ${MD_OBJECT_PATH}/md.c.o msg "test: crypto_full with only the light subset of MD" - make test + ctest cd .. && rm -r mdtest } @@ -346,7 +346,7 @@ component_test_full_no_cipher () { not grep mbedtls_cipher_init ${BUILTIN_SRC_PATH}/cipher.o msg "test: full no CIPHER" - make test + ctest } component_test_full_no_ccm () { @@ -369,7 +369,7 @@ component_test_full_no_ccm () { cmake --build . msg "test: full no PSA_WANT_ALG_CCM" - make test + ctest } component_test_full_no_ccm_star_no_tag () { @@ -404,7 +404,7 @@ component_test_full_no_ccm_star_no_tag () { not grep mbedtls_psa_cipher ${PSA_CORE_PATH}/psa_crypto_cipher.o msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG" - make test + ctest } component_test_config_symmetric_only () { @@ -452,11 +452,11 @@ component_test_everest_curve25519_only () { scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: Everest ECDH context, only Curve25519" # ~ 50s - make test + ctest } component_test_psa_collect_statuses () { @@ -502,7 +502,7 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_PK_WRITE_C CFLAGS="-O1" cmake -D CMAKE_BUILD_TYPE:String=None . cmake --build . - make test + ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -511,7 +511,7 @@ component_build_crypto_baremetal () { scripts/config.py crypto_baremetal CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake -D CMAKE_BUILD_TYPE:String=None . cmake --build . - make test + ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* } @@ -556,11 +556,11 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full config - only DH 2048" - make test + ctest msg "ssl-opt: full config - only DH 2048" tests/ssl-opt.sh -f "ffdh" @@ -969,7 +969,7 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () { cmake --build . msg "test suites: full with non-accelerated EC algs" - make test + ctest msg "ssl-opt: full with non-accelerated EC algs" tests/ssl-opt.sh @@ -1068,7 +1068,7 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () { cmake --build . msg "test: full + non accelerated EC algs" - make test + ctest msg "ssl-opt: full + non accelerated EC algs" tests/ssl-opt.sh @@ -1235,7 +1235,7 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () { cmake --build . msg "test suites: full + non accelerated EC algs + USE_PSA" - make test + ctest msg "ssl-opt: full + non accelerated $accel_text algs + USE_PSA" tests/ssl-opt.sh @@ -1291,7 +1291,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { common_tfm_config # Build crypto library - CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . + CFLAGS="$ASAN_CFLAGS -I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . # Make sure any built-in EC alg was not re-enabled by accident (additive config) @@ -1311,7 +1311,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { # Run the tests msg "test: TF-M config + p256m driver + accel ECDH(E)/ECDSA" - make test + ctest } # Keep this in sync with component_test_tfm_config_p256m_driver_accel_ec() as @@ -1335,7 +1335,7 @@ component_test_tfm_config_no_p256m () { not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o msg "test: TF-M config without p256m" - make test + ctest } # This is an helper used by: @@ -1359,11 +1359,11 @@ build_and_test_psa_want_key_pair_partial () { # crypto_config.h so we just disable the one we don't want. scripts/config.py unset "$disabled_psa_want" - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: $base_config - ${disabled_psa_want}" - make test + ctest } component_test_psa_ecc_key_pair_no_derive () { @@ -1443,7 +1443,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () { # Run the tests # ------------- msg "test: crypto_full with non-accelerated RSA" - make test + ctest } # This is a temporary test to verify that full RSA support is present even when @@ -1477,7 +1477,7 @@ component_test_new_psa_want_key_pair_symbol () { cmake --build . msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC" - make test + ctest # Parse only 1 relevant line from the outcome file, i.e. a test which is # performing RSA signature. @@ -1597,7 +1597,7 @@ component_test_psa_crypto_config_reference_hash_use_psa () { cmake --build . msg "test: full without accelerated hashes" - make test + ctest msg "test: ssl-opt.sh, full without accelerated hashes" tests/ssl-opt.sh @@ -1667,7 +1667,7 @@ component_test_psa_crypto_config_reference_hmac () { cmake --build . msg "test: full without accelerated hmac" - make test + ctest } component_test_psa_crypto_config_accel_aead () { @@ -1772,7 +1772,7 @@ component_test_psa_crypto_config_reference_cipher_aead_cmac () { cmake --build . msg "test: full config with non-accelerated cipher inc. AEAD and CMAC" - make test + ctest msg "ssl-opt: full config with non-accelerated cipher inc. AEAD and CMAC" # Exclude password-protected key tests as in test_psa_crypto_config_accel_cipher_aead_cmac. @@ -1887,18 +1887,18 @@ component_test_full_block_cipher_legacy_dispatch () { cmake --build . msg "test: full + legacy dispatch in block_cipher" - make test + ctest } component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full minus CHACHAPOLY" - make test + ctest } component_test_aead_only_ccm () { @@ -1906,11 +1906,11 @@ component_test_aead_only_ccm () { scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py unset PSA_WANT_ALG_GCM - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full minus CHACHAPOLY and GCM" - make test + ctest } component_test_ccm_aes_sha256 () { @@ -1923,7 +1923,7 @@ component_test_ccm_aes_sha256 () { cmake -D CMAKE_BUILD_TYPE:String=Release . cmake --build . msg "test: CCM + AES + SHA256 configuration" - make test + ctest } # Test that the given .o file builds with all (valid) combinations of the given options. @@ -2118,7 +2118,7 @@ component_test_aes_only_128_bit_keys () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH" - make test + ctest } component_test_no_ctr_drbg_aes_only_128_bit_keys () { @@ -2131,7 +2131,7 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" - make test + ctest } component_test_aes_only_128_bit_keys_have_builtins () { @@ -2145,7 +2145,7 @@ component_test_aes_only_128_bit_keys_have_builtins () { cmake --build . msg "test: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" - make test + ctest msg "selftest: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" programs/test/selftest @@ -2161,7 +2161,7 @@ component_test_gcm_largetable () { cmake --build . msg "test: default config - GCM_LARGE_TABLE - AESNI_C - AESCE_C" - make test + ctest } component_test_aes_fewer_tables () { @@ -2171,7 +2171,7 @@ component_test_aes_fewer_tables () { cmake --build . msg "test: AES_FEWER_TABLES" - make test + ctest } component_test_aes_rom_tables () { @@ -2181,7 +2181,7 @@ component_test_aes_rom_tables () { cmake --build . msg "test: AES_ROM_TABLES" - make test + ctest } component_test_aes_fewer_tables_and_rom_tables () { @@ -2192,7 +2192,7 @@ component_test_aes_fewer_tables_and_rom_tables () { cmake --build . msg "test: AES_FEWER_TABLES + AES_ROM_TABLES" - make test + ctest } # helper for component_test_block_cipher_no_decrypt_aesni() which: @@ -2245,7 +2245,7 @@ helper_block_cipher_no_decrypt_build_test () { not grep mbedtls_aesni_inverse_key ${BUILTIN_SRC_PATH}/aesni.o msg "test: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - make test + ctest msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest @@ -2383,10 +2383,10 @@ component_test_full_static_keystore () { msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC - CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . + CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" - make test + ctest } component_test_psa_crypto_drivers () { From 8610e01f9b5877d18625216b22d5f3a40ede88cd Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Dec 2025 11:04:42 +0000 Subject: [PATCH 11/15] components-configuration-crypto: Minor fixes/rework Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 8b7e9b4ba2a..02c4c76a4c1 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -300,7 +300,7 @@ component_test_crypto_full_md_light_only () { # Note: Creating a directory, ensures cmake will not use a random name to # place the compilation object files. - mkdir mdtest && cd mdtest + cd $OUT_OF_SOURCE_DIR MD_OBJECT_PATH="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" # Note: MD-light is auto-enabled in build_info.h by modules that need it, @@ -314,7 +314,6 @@ component_test_crypto_full_md_light_only () { msg "test: crypto_full with only the light subset of MD" ctest - cd .. && rm -r mdtest } component_test_full_no_cipher () { @@ -500,7 +499,7 @@ component_test_crypto_for_psa_service () { scripts/config.py unset MBEDTLS_PK_C scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - CFLAGS="-O1" cmake -D CMAKE_BUILD_TYPE:String=None . + CFLAGS="-O1" cmake . cmake --build . ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* @@ -509,7 +508,7 @@ component_test_crypto_for_psa_service () { component_build_crypto_baremetal () { msg "build: make, crypto only, baremetal config" scripts/config.py crypto_baremetal - CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake -D CMAKE_BUILD_TYPE:String=None . + CFLAGS="-O1 -I$PWD/framework/tests/include/baremetal-override/" cmake . cmake --build . ctest are_empty_libraries library/libmbedx509.* library/libmbedtls.* @@ -1291,7 +1290,7 @@ component_test_tfm_config_p256m_driver_accel_ec () { common_tfm_config # Build crypto library - CFLAGS="$ASAN_CFLAGS -I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC CFLAGS="-I$PWD/framework/tests/include/spe" cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . # Make sure any built-in EC alg was not re-enabled by accident (additive config) @@ -2231,8 +2230,8 @@ helper_block_cipher_no_decrypt_build_test () { msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" - make -f ./scripts/legacy.make clean CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" cmake -D CMAKE_BUILD_TYPE:String=None . + cmake --build . --target clean cmake --build . # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA @@ -2383,7 +2382,7 @@ component_test_full_static_keystore () { msg "build: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" scripts/config.py full scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC - CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake -D CMAKE_BUILD_TYPE:String=None . + CFLAGS="$ASAN_CFLAGS -Os" LDFLAGS="$ASAN_CFLAGS" cmake . cmake --build . msg "test: full config - MBEDTLS_PSA_KEY_STORE_DYNAMIC" ctest @@ -2434,7 +2433,7 @@ component_build_psa_config_file () { component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s - PSA_ALT_HDRS="$PWD/framework/tests/include/alt-extra" + PSA_ALT_HEADERS_PATH="$PWD/framework/tests/include/alt-extra" # Generate alternative versions of the substitutable headers with the # same content except different include guards. sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ From a3a5464dd15525b48ca402caebf4d9cacb843dd7 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Dec 2025 12:26:59 +0000 Subject: [PATCH 12/15] components-configuration-crypto: Added the ASAN_CC compiler flags as needed. Signed-off-by: Minos Galanakis --- .../components-configuration-crypto.sh | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 02c4c76a4c1..c7858492495 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -47,7 +47,7 @@ component_test_crypto_with_static_key_slots() { scripts/config.py unset MBEDTLS_PSA_KEY_STORE_DYNAMIC msg "test: crypto full + MBEDTLS_PSA_STATIC_KEY_SLOTS" - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . ctest } @@ -238,7 +238,7 @@ component_test_psa_external_rng_no_drbg_use_psa () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" @@ -255,7 +255,7 @@ component_test_psa_external_rng_use_psa_crypto () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" @@ -272,7 +272,7 @@ component_full_no_pkparse_pkwrite () { scripts/config.py unset MBEDTLS_PK_PARSE_C scripts/config.py unset MBEDTLS_PK_WRITE_C - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . # Ensure that PK_[PARSE|WRITE]_C were not re-enabled accidentally (additive config). @@ -305,7 +305,7 @@ component_test_crypto_full_md_light_only () { # Note: MD-light is auto-enabled in build_info.h by modules that need it, # which we haven't disabled, so no need to explicitly enable it. - cmake -D CMAKE_BUILD_TYPE:String=Asan ../ + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan ../ cmake --build . # Make sure we don't have the HMAC functions, but the hashing functions @@ -451,7 +451,7 @@ component_test_everest_curve25519_only () { scripts/config.py unset-all "PSA_WANT_ECC_[0-9A-Z_a-z]*$" scripts/config.py set PSA_WANT_ECC_MONTGOMERY_255 - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: Everest ECDH context, only Curve25519" # ~ 50s @@ -555,7 +555,7 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py unset PSA_WANT_DH_RFC7919_6144 scripts/config.py unset PSA_WANT_DH_RFC7919_8192 - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full config - only DH 2048" @@ -1358,7 +1358,7 @@ build_and_test_psa_want_key_pair_partial () { # crypto_config.h so we just disable the one we don't want. scripts/config.py unset "$disabled_psa_want" - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: $base_config - ${disabled_psa_want}" @@ -1893,7 +1893,7 @@ component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full minus CHACHAPOLY" @@ -1905,7 +1905,7 @@ component_test_aead_only_ccm () { scripts/config.py full scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 scripts/config.py unset PSA_WANT_ALG_GCM - cmake -D CMAKE_BUILD_TYPE:String=Asan . + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . cmake --build . msg "test: full minus CHACHAPOLY and GCM" From 867fa3317576fa5e6760da4df43f83f4a8c5e4e8 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Dec 2025 14:38:01 +0000 Subject: [PATCH 13/15] component-configuration-crypto: Changed location of psa-alt-header build_psa_alt_headers will now generate the headers at ./tests/include/alt-dummy instead of ./framework/tests/include/alt-extra. Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c7858492495..cca4d40248c 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2433,16 +2433,17 @@ component_build_psa_config_file () { component_build_psa_alt_headers () { msg "build: make with PSA alt headers" # ~20s - PSA_ALT_HEADERS_PATH="$PWD/framework/tests/include/alt-extra" + PSA_ALT_HDRS="$PWD/tests/include/alt-dummy" + mkdir -p "$PSA_ALT_HDRS/psa" # Generate alternative versions of the substitutable headers with the # same content except different include guards. sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ tf-psa-crypto/include/psa/crypto_platform.h \ - > $PSA_ALT_HDRS/psa/crypto_platform_alt.h + > "$PSA_ALT_HDRS/psa/crypto_platform_alt.h" sed -E 's/^(# *(define|ifndef) +[A-Za-z0-9_]+)_H\b/\1_ALT_H/' \ tf-psa-crypto/include/psa/crypto_struct.h \ - > $PSA_ALT_HDRS/psa/crypto_struct_alt.h + > "$PSA_ALT_HDRS/psa/crypto_struct_alt.h" # Build the library and some programs. CFLAGS="-I$PSA_ALT_HDRS -DMBEDTLS_PSA_CRYPTO_PLATFORM_FILE='\"psa/crypto_platform_alt.h\"' -DMBEDTLS_PSA_CRYPTO_STRUCT_FILE='\"psa/crypto_struct_alt.h\"'" cmake -D CMAKE_BUILD_TYPE:String=Release . @@ -2455,6 +2456,9 @@ component_build_psa_alt_headers () { programs/test/query_included_headers | grep -x PSA_CRYPTO_STRUCT_ALT_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_PLATFORM_H programs/test/query_included_headers | not grep -x PSA_CRYPTO_STRUCT_H + + # Explicitly clean up generated alt headers + rm -f "$PSA_ALT_HDRS/psa/crypto_platform_alt.h" "$PSA_ALT_HDRS/psa/crypto_struct_alt.h" } component_test_min_mpi_window_size () { From 82cd977af88db6a62658e03392eb6ef4276a9da7 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Mon, 15 Dec 2025 14:54:47 +0000 Subject: [PATCH 14/15] components-configuration-crypto: Added pre_create_tf_psa_crypto_out_of_source_directory for test_crypto_full_md_light_only Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index cca4d40248c..c10f274b1ce 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -298,8 +298,7 @@ component_test_crypto_full_md_light_only () { # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C - # Note: Creating a directory, ensures cmake will not use a random name to - # place the compilation object files. + pre_create_tf_psa_crypto_out_of_source_directory cd $OUT_OF_SOURCE_DIR MD_OBJECT_PATH="tf-psa-crypto/drivers/builtin/CMakeFiles/builtin.dir/src" From c0fbb167d42548edc682645f10d21a751ddf70f7 Mon Sep 17 00:00:00 2001 From: Minos Galanakis Date: Thu, 18 Dec 2025 17:18:44 +0000 Subject: [PATCH 15/15] components-configuration-crypto: Minor rework Signed-off-by: Minos Galanakis --- tests/scripts/components-configuration-crypto.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index c10f274b1ce..c48061e86ae 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -2048,6 +2048,9 @@ component_test_sha3_variations () { cat > include/mbedtls/mbedtls_config.h << END END + # psa_crypto.c requires at least one algorithm to be enabled to avoid unreachable code errors. + # With CMake, the -Wunreachable-code flag is propagated globally, unlike with Make. + # PSA_WANT_ALG_HKDF is enabled here to satisfy this dependency and allow psa_crypto.c to build. cat > tf-psa-crypto/include/psa/crypto_config.h << END #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA3_224 1 @@ -2055,7 +2058,6 @@ END #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 - #define PSA_WANT_ALG_GCM 1 #define PSA_WANT_ALG_HKDF 1 #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_CTR_DRBG_C @@ -2230,7 +2232,6 @@ helper_block_cipher_no_decrypt_build_test () { msg "build: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" CFLAGS="-O2 $cflags" LDFLAGS="$ldflags" cmake -D CMAKE_BUILD_TYPE:String=None . - cmake --build . --target clean cmake --build . # Make sure we don't have mbedtls_xxx_setkey_dec in AES/ARIA/CAMELLIA @@ -2247,6 +2248,8 @@ helper_block_cipher_no_decrypt_build_test () { msg "selftest: default config + BLOCK_CIPHER_NO_DECRYPT${set_opts:+ + $set_opts}${unset_opts:+ - $unset_opts} with $cflags${ldflags:+, $ldflags}" programs/test/selftest + + cmake --build . --target clean } # This is a configuration function used in component_test_block_cipher_no_decrypt_xxx: