Update abi_check.py to support standalone tf-psa-crypto #229
Conversation
Signed-off-by: Ben Taylor <[email protected]>
Signed-off-by: Ben Taylor <[email protected]>
Remove support for static ECDH cipher suites
… and MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY Signed-off-by: Ben Taylor <[email protected]>
Signed-off-by: Ben Taylor <[email protected]>
Signed-off-by: Ben Taylor <[email protected]>
Signed-off-by: Ben Taylor <[email protected]>
Update header guard use in p256m test
…n-options Remove deprecated compilation options
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Fix readthedocs build with framework head
The support for TLS ciphersuites without encryption does not rely anymore on the MBEDTLS_CIPHER_NULL_CIPHER feature of the cipher module. Introduce a specific config option to enable these ciphersuites and use it instead of MBEDTLS_CIPHER_NULL_CIPHER. Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
Signed-off-by: Valerio Setti <[email protected]>
When the key is parsed from PK it is assigned the pseudo-alg MBEDTLS_PK_ALG_ECDSA. Trying to run "mbedtls_pk_can_do_psa" with an hardcoded deterministc/randomized ECDSA can make the function to fail if the proper variant is not the one also used by PK. This commit fixes this problem. Signed-off-by: Valerio Setti <[email protected]>
Signed-off-by: Valerio Setti <[email protected]>
Signed-off-by: Valerio Setti <[email protected]>
Revert changes previously done at following test cases: - Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH - Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256 Signed-off-by: Valerio Setti <[email protected]>
…rge-public-20250916 Conflicts: * `tf-psa-crypto`: updated to the merge of `development` and `development-restricted`.
Signed-off-by: Gilles Peskine <[email protected]>
[development] Migrate from mbedtls_pk_can_do_ext to mbedtls_pk_can_do_psa (2/2)
Since crypto#308 has been merged: - replace MBEDTLS_PK_USE_PSA_RSA_DATA with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY - remove "no-check-names" Signed-off-by: Valerio Setti <[email protected]>
Removes the temporary fixes that were introduced in order to allow crypto#308 to be merged. Signed-off-by: Valerio Setti <[email protected]>
Remove temporary fixes introduced in #10213
Remove all non ext apis
…elease Update `prepare_release.sh`
Signed-off-by: Juha-Pekka <[email protected]>
Signed-off-by: Juha-Pekka <[email protected]>
Remove lcov.sh as this will be moved to the framework
Signed-off-by: Valerio Setti <[email protected]>
[mbedtls] tests: migrate tests using secp192[k|r]1 toward secp256[r|k]1 --> EC [2/3]
Update log level for mbedtls_ssl_check_record and PSA-based ECDH computation
Signed-off-by: Bence Szépkúti <[email protected]>
bensze01
force-pushed
the
abicheck-port
branch
from
7fc3571 to
f52814f
Compare
Signed-off-by: Bence Szépkúti <[email protected]>
Argparse generally uses a return code of 2 for these situations. Signed-off-by: Bence Szépkúti <[email protected]>
This reverts commit Mbed-TLS/mbedtls@0f2a4f3 The root cause of the issue has been patched in mbedtls-test. Signed-off-by: Bence Szépkúti <[email protected]>
Signed-off-by: Bence Szépkúti <[email protected]>
Signed-off-by: Bence Szépkúti <[email protected]>
Signed-off-by: Bence Szépkúti <[email protected]>
The same library may be present in the same build tree, eg. libtfpsacrypto.so, which gets copied from the tf-psa-crypto/core/ to library/ during an Mbed TLS build. Make sure that the duplicated libraries are byte-for-byte identical, otherwise abort the test. Signed-off-by: Bence Szépkúti <[email protected]>
Signed-off-by: Bence Szépkúti <[email protected]>
bensze01
force-pushed
the
abicheck-port
branch
from
f52814f to
3d9ceef
Compare
github-project-automation
bot
moved this to In Development
in Roadmap pull requests (new board)
gilles-peskine-arm
left a comment
gilles-peskine-arm
left a comment
There was a problem hiding this comment.
Mostly LGTM apart from the early return left over from debugging and the executable-vs-library inconsistency.
In the consuming branches, please keep a tiny scripts/abi_check.py permanently.
|
|
||
| def _cleanup_worktree(self, git_worktree_path): | ||
| """Remove the specified git worktree.""" | ||
| return |
There was a problem hiding this comment.
Stray debugging bypass.
| path = version.modules.setdefault(os.path.splitext(file)[0], new_path) | ||
| if path != new_path and not filecmp.cmp(path, new_path, False): | ||
| raise Exception(f"The following libraries differ, but have the same soname:\n{path}\n{new_path}") |
There was a problem hiding this comment.
Minor: the logic is hard to follow. I'd prefer the code to follow the logical structure:
- If the new basename is already in the table:
- If the files are identical, skip the new file.
- Else error out.
- Else add the new basename to the table.
| between self.old_rev and self.new_rev.""" | ||
| try: | ||
| build_tree.check_repo_path() | ||
| build_tree.chdir_to_root() |
There was a problem hiding this comment.
If we chdir then we need to take care of relative file names passed as arguments. The AbiChecker constructor makes report_dir absolute but keeps skip_file relative.
Is it actually necessary to be at the git root? Most of the work happens in separate worktrees.
|
|
||
| @staticmethod | ||
| def check_abi_tools_are_installed(): | ||
| return |
There was a problem hiding this comment.
Stray debugging bypass.
| @@ -1 +1 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
Normally scripts has executable programs while scripts/mbedtls_framework has non-executable Python module.
I think we should continue doing it this way, and have a different name for the module and for the executable script to avoid confusion (like analyze_outcomes.py having most of its code in mbedtls_framework.outcome_analysis, etc.). I would generally suggest a verb (or verbal phrase) for an executable, and a noun (or noun phrase) for a library. Here “ABI check” is more of a noun phrase but we're stuck with it as the script name (or else we have to do a complicate migration). But “ABI check” is somewhat obsolete since the code also does other checks. How about mbedtls_framework.interface_checks?
| @@ -1 +1 @@ | |||
| #!/usr/bin/env python3 | |||
There was a problem hiding this comment.
Please keep scripts/abi_check.py in the consuming branches, even if it's just #! #copyright import foo foo.main(). It's a pain when something needs to be customized in a branch but there's no way to do this change without changing the framework. That's ok for some scripts that are pretty much independent from the project (e.g. code_style.py) but not so much for scripts that have branch-specific data. This script does have some branch-specific knowledge (at least with respect to the storage format), so we should reserve the ability to customize it. (We don't need actual customization interfaces right now, at least I don't think so (mbedtls has no storage format data files but the code is ok with that), but we should structure the files to make them possible in the future.)
gilles-peskine-arm
added
needs-work
and removed
needs-review
11 participants
Description
Move abi_check.py to the framework, and update it to support a standalone tf-psa-crypto
PR checklist