Skip to content

Cleanup: Introduce MBEDTLS_PSA_CRYPTO_RNG_HASH (4/4) #10353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 26, 2025
Merged

Cleanup: Introduce MBEDTLS_PSA_CRYPTO_RNG_HASH (4/4) #10353

merged 7 commits into from
Aug 26, 2025

Conversation

minosgalanakis
Copy link
Contributor

@minosgalanakis minosgalanakis commented Aug 11, 2025
edited by ronald-cron-arm
Loading

Description

Last of the pr's required by Mbed-TLS/TF-PSA-Crypto#328

It is meant to be merged after Mbed-TLS/TF-PSA-Crypto#396.

PR checklist

Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.

  • changelog ot required because: This is a cleanup PR removing intermediate commits
  • development PR provided This is it
  • TF-PSA-Crypto PR provided Introduce MBEDTLS_PSA_CRYPTO_RNG_HASH (3/4) TF-PSA-Crypto#396
  • framework PR not required
  • 3.6 PR not required because: API breaking changes that will not be backported
  • tests not required because: Covered by current tests

This was referenced Aug 11, 2025
Merged
Merged
@minosgalanakis
Copy link
Contributor Author

Only need to review the last two commit's range

The scope is to undo the intermediate changes that needed to bring in the TF-PSA-Commit in and remove MBEDTLS_ENTROPY_FORCE_SHA256 calls from the mbedtls side.

@minosgalanakis minosgalanakis added needs-review Every commit must be reviewed by at least two team members, needs-ci Needs to pass CI tests needs-preceding-pr Requires another PR to be merged first needs-reviewer This PR needs someone to pick it up for review priority-high High priority - will be reviewed soon labels Aug 11, 2025
@minosgalanakis minosgalanakis changed the title Feature/introduce crypto rng hash cleanup Cleanup: Introduce MBEDTLS_PSA_CRYPTO_RNG_HASH (4/4) Aug 11, 2025
@minosgalanakis
Copy link
Contributor Author

minosgalanakis commented Aug 11, 2025
edited
Loading

Parameterised test job -> 569 (Running)

@minosgalanakis minosgalanakis force-pushed the feature/introduce_crypto_rng_hash_cleanup branch 2 times, most recently from 894317a to 70d3108 Compare August 13, 2025 13:57
@minosgalanakis minosgalanakis mentioned this pull request Aug 13, 2025
Merged
4 tasks
@minosgalanakis minosgalanakis removed the needs-ci Needs to pass CI tests label Aug 14, 2025
@minosgalanakis minosgalanakis force-pushed the feature/introduce_crypto_rng_hash_cleanup branch 3 times, most recently from d96e224 to 14b7bfd Compare August 18, 2025 13:28
@minosgalanakis minosgalanakis added the size-s Estimated task size: small (~2d) label Aug 18, 2025
@minosgalanakis minosgalanakis force-pushed the feature/introduce_crypto_rng_hash_cleanup branch 3 times, most recently from fc5f6d0 to 4c66f05 Compare August 19, 2025 23:05
@minosgalanakis
components-configuration-crypto: Removed legacy options.
5dbc24a 
Removed setters for `MBEDTLS_CTR_DRBG_USE_128_BIT_KEY`
and `MBEDTLS_ENTROPY_FORCE_SHA256`

Signed-off-by: Minos Galanakis <[email protected]>
@minosgalanakis
config/depends.py: Removed legacy options.
906950d 
Signed-off-by: Minos Galanakis <[email protected]>
@minosgalanakis
ssl-opt.sh: Adjust dependency to MBEDTLS_PSA_CRYPTO_C
a1e8679 
Signed-off-by: Minos Galanakis <[email protected]>
@minosgalanakis minosgalanakis force-pushed the feature/introduce_crypto_rng_hash_cleanup branch from 4c66f05 to 6cc9c66 Compare August 21, 2025 14:57
davidhorstmann-arm
davidhorstmann-arm previously approved these changes Aug 21, 2025
View reviewed changes
Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM and verified that the crypto update points to the head of Mbed-TLS/TF-PSA-Crypto#396. Obviously this is waiting for the merge of that PR.

@minosgalanakis minosgalanakis removed needs-preceding-pr Requires another PR to be merged first size-s Estimated task size: small (~2d) labels Aug 21, 2025
@minosgalanakis minosgalanakis added the size-xs Estimated task size: extra small (a few hours at most) label Aug 21, 2025
ronald-cron-arm
ronald-cron-arm reviewed Aug 25, 2025
View reviewed changes
tests/ssl-opt.sh
*"programs/ssl/ssl_client1 "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PSA_CRYPTO_C
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
requires_config_enabled MBEDTLS_PSA_CRYPTO_C
requires_config_enabled MBEDTLS_PSA_CRYPTO_C
requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG

minosgalanakis and others added 3 commits August 25, 2025 15:17
@minosgalanakis @ronald-cron-arm
Updated tf-psa-crypto pointer
1eda748 
Signed-off-by: Minos Galanakis <[email protected]>
Signed-off-by: Ronald Cron <[email protected]>
@ronald-cron-arm
ssl-opt.sh: Fix MBEDTLS_ENTROPY_C dependency adjustment
8fc000e 
Signed-off-by: Ronald Cron <[email protected]>
@ronald-cron-arm
tests: Prepare to switch to SHA-256 as the default CTR_DRBG hash
aad5f1b 
Ensure that when we switch from SHA-512 to SHA-256
as the default CTR_DRBG hash, we still properly
test CTR_DRBG with SHA-512.

Signed-off-by: Ronald Cron <[email protected]>
@ronald-cron-arm ronald-cron-arm force-pushed the feature/introduce_crypto_rng_hash_cleanup branch from 6cc9c66 to aad5f1b Compare August 25, 2025 13:41
ronald-cron-arm
ronald-cron-arm previously requested changes Aug 25, 2025
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me but #10353 (comment).

@ronald-cron-arm
Copy link
Contributor

I've updated the "Updated tf-psa-crypto pointer" commit with the merge of Mbed-TLS/TF-PSA-Crypto#396. Otherwise I've added two commits, the first one to address #10353 (comment) and the second to prepare for the switch to SHA-256 as the CTR_DRBG default hash.

gilles-peskine-arm
gilles-peskine-arm reviewed Aug 25, 2025
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look correct to me, but they seem incomplete. (Although I'm not sure about the exact intended scope of this PR in the chain — I haven't fully absorbed what each step is supposed to do.)

tests/scripts/components-configuration-crypto.sh
not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
}

component_test_ctr_drbg_aes_256_sha_512 () {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this component using exactly the full config?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Currently yes but not when we will switch to SHA-256 as the default hash for CTR_DRBG when both SHA-256 and SHA-512 are enabled.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But then component_test_ctr_drbg_aes_256_sha_256 will become identical to full. I don't understand why both components are present.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it is just to ensure that we always test both SHA-256 and SHA-512 as CTR_DRBG hashes while we are doing changes in tf-psa-crypto. I will remove component_test_ctr_drbg_aes_256_sha_256 in a later PR when Mbed-TLS/TF-PSA-Crypto#419 is merged. We will need another mbedtls PR anyway for some further clean-up related to the removal of MBEDTLS_ENTROPY_C in Mbed-TLS/TF-PSA-Crypto#419.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, thanks for the explanation.

@ronald-cron-arm ronald-cron-arm force-pushed the feature/introduce_crypto_rng_hash_cleanup branch from f971548 to a0b1c8c Compare August 26, 2025 07:35
gilles-peskine-arm
gilles-peskine-arm approved these changes Aug 26, 2025
View reviewed changes
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tests/scripts/components-configuration-crypto.sh
not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
}

component_test_ctr_drbg_aes_256_sha_512 () {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, thanks for the explanation.

@gilles-peskine-arm gilles-peskine-arm removed the needs-reviewer This PR needs someone to pick it up for review label Aug 26, 2025
davidhorstmann-arm
davidhorstmann-arm approved these changes Aug 26, 2025
View reviewed changes
Copy link
Contributor

@davidhorstmann-arm davidhorstmann-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@davidhorstmann-arm davidhorstmann-arm dismissed ronald-cron-arm’s stale review August 26, 2025 10:27

Corrections made by the very person who requested them.

@davidhorstmann-arm davidhorstmann-arm added this pull request to the merge queue Aug 26, 2025
@davidhorstmann-arm davidhorstmann-arm added approved Design and code approved - may be waiting for CI or backports and removed needs-review Every commit must be reviewed by at least two team members, labels Aug 26, 2025
Merged via the queue into Mbed-TLS:development with commit 22e810f Aug 26, 2025
8 checks passed
@github-project-automation github-project-automation bot moved this from In Development to Done in Roadmap pull requests (new board) Aug 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ronald-cron-arm ronald-cron-arm ronald-cron-arm left review comments

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm approved these changes

@davidhorstmann-arm davidhorstmann-arm davidhorstmann-arm approved these changes

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports priority-high High priority - will be reviewed soon size-xs Estimated task size: extra small (a few hours at most)
Projects
Roadmap pull requests (new board)
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@minosgalanakis @ronald-cron-arm @gilles-peskine-arm @davidhorstmann-arm