Page MenuHomePhabricator

Mbed-crypto persistent key builds fail with GNUARM when Protected Storage is disabled
Open, HighPublic


On latest master branch, crypto-mbed builds will fail with GNUARM if Protected Storage partition is disabled. The persistent key cannot find ITS module in linking.

It breaks Profile Small build since Profile Small doesn't include PS. But it can be reproduced easily with ConfigDefault.config and ConfigCoreIPC.config.

Error log

services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_is_key_present_in_storage':
psa_crypto_storage.c:(.text.psa_is_key_present_in_storage+0xa): undefined reference to `psa_its_get_info'
services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_destroy_persistent_key':
psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x10): undefined reference to `psa_its_get_info'
psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x1c): undefined reference to `psa_its_remove'
psa_crypto_storage.c:(.text.psa_destroy_persistent_key+0x30): undefined reference to `psa_its_get_info'
services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_save_persistent_key':
psa_crypto_storage.c:(.text.psa_save_persistent_key+0x50): undefined reference to `psa_its_set'
psa_crypto_storage.c:(.text.psa_save_persistent_key+0x5c): undefined reference to `psa_its_get_info'
psa_crypto_storage.c:(.text.psa_save_persistent_key+0x72): undefined reference to `psa_its_remove'
services/crypto/tfm_crypto.a(psa_crypto_storage.o): In function `psa_load_persistent_key':
psa_crypto_storage.c:(.text.psa_load_persistent_key+0x16): undefined reference to `psa_its_get_info'
psa_crypto_storage.c:(.text.psa_load_persistent_key+0x34): undefined reference to `psa_its_get_info'
psa_crypto_storage.c:(.text.psa_load_persistent_key+0x4a): undefined reference to `psa_its_get'
collect2: error: ld returned 1 exit status
secure_fw/CMakeFiles/tfm_s.dir/build.make:145: recipe for target 'secure_fw/tfm_s.axf' failed
make[2]: *** [secure_fw/tfm_s.axf] Error 1
make[2]: Leaving directory '/home/davhu01/project/tf-m/'
CMakeFiles/Makefile2:386: recipe for target 'secure_fw/CMakeFiles/tfm_s.dir/all' failed
make[1]: *** [secure_fw/CMakeFiles/tfm_s.dir/all] Error 2
make[1]: Leaving directory '/home/davhu01/project/tf-m/'
Makefile:129: recipe for target 'all' failed
make: *** [all] Error 2

How to reproduce with ConfigDefault.config

Follow the diff below:

Remove the option() of PS in CommonConfig.cmake
Disable PS in ConfigDefault.config
 It can be also reproduced in IPC model to set PS to OFF in ConfigCoreIPC.config.

--git a/CommonConfig.cmake b/CommonConfig.cmake
index 045cb1f4..49e2c736 100644
--- a/CommonConfig.cmake
+++ b/CommonConfig.cmake
@@ -173,7 +173,7 @@ set (TFM_PSA_API OFF) option(TFM_PARTITION_AUDIT_LOG "Enable the TF-M Audit Log partition" ON)
 option(TFM_PARTITION_PLATFORM "Enable the TF-M Platform partition" ON)
-option(TFM_PARTITION_SECURE_STORAGE "Enable the TF-M secure storage partition" ON)
+#option(TFM_PARTITION_SECURE_STORAGE "Enable the TF-M secure storage partition" ON)
 option(TFM_PARTITION_INTERNAL_TRUSTED_STORAGE "Enable the TF-M internal trusted storage partition" ON)
 option(TFM_PARTITION_CRYPTO "Enable the TF-M crypto partition" ON)
 option(TFM_PARTITION_INITIAL_ATTESTATION "Enable the TF-M initial attestation partition" ON)
diff --git a/configs/ConfigDefault.cmake b/configs/ConfigDefault.cmake
index 009fa558..5f8a4368 100644
--- a/configs/ConfigDefault.cmake
+++ b/configs/ConfigDefault.cmake
@@ -45,6 +45,8 @@ set (CORE_TEST False)
 set (CORE_IPC False)
 set (PSA_API_TEST False)
 # TF-M isolation level: 1
 set (TFM_LVL 1)

A preliminary analysis

It looks like ITS partition is not eventually included in linking stage, if the dependency on it is not explicitly set.
Mbed-crypto requires ITS functionalities but the dependency is ignored during linking, probably since it is built as an external library.
May require some improvements to dependency between mbed-crypto and ITS in CMake.

Event Timeline

davidhuziji triaged this task as High priority.May 7 2020, 4:10 AM