On latest master branch, crypto-mbed builds will fail with GNUARM if Protected Storage partition is disabled. The persistent key cannot find ITS module in linking.
It breaks Profile Small build since Profile Small doesn't include PS. But it can be reproduced easily with ConfigDefault.config and ConfigCoreIPC.config.
Error log
services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_is_key_present_in_storage': psa_crypto_storage.c:(.text.psa_is_key_present_in_storage+0xa): undefined reference to `psa_its_get_info' services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_destroy_persistent_key': psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x10): undefined reference to `psa_its_get_info' psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x1c): undefined reference to `psa_its_remove' psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x30): undefined reference to `psa_its_get_info' services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_save_persistent_key': psa_crypto_storage.c:(.text.psa_save_persistent_key+0x50): undefined reference to `psa_its_set' psa_crypto_storage.c:(.text.psa_save_persistent_key+0x5c): undefined reference to `psa_its_get_info' psa_crypto_storage.c:(.text.psa_save_persistent_key+0x72): undefined reference to `psa_its_remove' services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_load_persistent_key': psa_crypto_storage.c:(.text.psa_load_persistent_key+0x16): undefined reference to `psa_its_get_info' psa_crypto_storage.c:(.text.psa_load_persistent_key+0x34): undefined reference to `psa_its_get_info' psa_crypto_storage.c:(.text.psa_load_persistent_key+0x4a): undefined reference to `psa_its_get' collect2: error: ld returned 1 exit status secure_fw/CMakeFiles/tfm_s.dir/build.make:145: recipe for target 'secure_fw/tfm_s.axf' failed make[2]: *** [secure_fw/tfm_s.axf] Error 1 make[2]: Leaving directory '/home/davhu01/project/tf-m/tf.org/profile_test/build' CMakeFiles/Makefile2:386: recipe for target 'secure_fw/CMakeFiles/tfm_s.dir/all' failed make[1]: *** [secure_fw/CMakeFiles/tfm_s.dir/all] Error 2 make[1]: Leaving directory '/home/davhu01/project/tf-m/tf.org/profile_test/build' Makefile:129: recipe for target 'all' failed make: *** [all] Error 2
How to reproduce with ConfigDefault.config
Follow the diff below:
Remove the option() of PS in CommonConfig.cmake Disable PS in ConfigDefault.config It can be also reproduced in IPC model to set PS to OFF in ConfigCoreIPC.config. --git a/CommonConfig.cmake b/CommonConfig.cmake index 045cb1f4..49e2c736 100644 --- a/CommonConfig.cmake +++ b/CommonConfig.cmake @@ -173,7 +173,7 @@ set (TFM_PSA_API OFF) option(TFM_PARTITION_AUDIT_LOG "Enable the TF-M Audit Log partition" ON) option(TFM_PARTITION_PLATFORM "Enable the TF-M Platform partition" ON) -option(TFM_PARTITION_SECURE_STORAGE "Enable the TF-M secure storage partition" ON) +#option(TFM_PARTITION_SECURE_STORAGE "Enable the TF-M secure storage partition" ON) option(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE "Enable the TF-M internal trusted storage partition" ON) option(TFM_PARTITION_CRYPTO "Enable the TF-M crypto partition" ON) option(TFM_PARTITION_INITIAL_ATTESTATION "Enable the TF-M initial attestation partition" ON) diff --git a/configs/ConfigDefault.cmake b/configs/ConfigDefault.cmake index 009fa558..5f8a4368 100644 --- a/configs/ConfigDefault.cmake +++ b/configs/ConfigDefault.cmake @@ -45,6 +45,8 @@ set (CORE_TEST False) set (CORE_IPC False) set (PSA_API_TEST False) +set(TFM_PARTITION_SECURE_STORAGE OFF) + # TF-M isolation level: 1 set (TFM_LVL 1)
A preliminary analysis
It looks like ITS partition is not eventually included in linking stage, if the dependency on it is not explicitly set.
Mbed-crypto requires ITS functionalities but the dependency is ignored during linking, probably since it is built as an external library.
May require some improvements to dependency between mbed-crypto and ITS in CMake.