crypto: Update to Mbed Crypto 1.0.0d1

[Patater]

Description

Update Mbed Crypto to development version mbedcrypto-1.0.0d1 to facilitate rest-of-Mbed-OS integration with PSA Crypto API changes sooner.

In order to do this, we needed to break out the Mbed Crypto importing code from the Mbed TLS importer. This, in effect, adds a separate importer script for Mbed Crypto which can be used to directly import Mbed Crypto into Mbed OS.

Pull request type

[ ] Fix
[x] Refactor
[ ] Target update
[ ] Functionality change
[ ] Docs update
[ ] Test update
[ ] Breaking change

Reviewers

CC @avolinski @alzix @sbutcher-arm

[ciarmcom]

@Patater, thank you for your changes.
@avolinski @sbutcher-arm @alzix @ARMmbed/mbed-os-crypto @ARMmbed/mbed-os-tls @ARMmbed/mbed-os-maintainers please review.

[Patater]

Rebased to correct explanation of NSPE and SPE.

[Patater]

Rebased to remove stray period.

[yanesca]

Looks good to me.

[Patater]

Rebased to update to Mbed Crypto 1.0.0d1. Added new commits from @itayzafrir to update the Mbed OS crypto tests.

[simonbutcher]

@mpg - Could you please review this PR and check it's consistent with your architecture proposal?

[mpg]

@Patater I'm not that familiar with the importer, so I think it would help my review if you could describe at a high level what this does. Since you selected "refactor" as a PR type, I'm assuming the goal of this PR is to ensure that Mbed Crypto can be fetched from a different source (ie directly from the mbed-crypto repo rather than indirectly via the mbedtls repo and its submodule), but still be placed the same way in the Mbed OS source tree (ie still as a subdirectory of the mbedtls feature) and still built the same way (ie using config.h from the Mbed TLS tree and so on).

Can you confirm if that is the case, or clarify if I made wrong assumptions?

On an unrelated front, I'm getting the impression that updating to mbedcrypto 1.0.0d1 will break Mbed TLS, due to API changes that we haven't adapted to yet (and even if we had, we'd still need to import the relevant development version of Mbed TLS in Mbed OS for it to work). It looks like the CI isn't finding that issue so far, so perhaps it should be expanded as well?

[NirSonnenschein]

because of interdependency issues with PR#9192 (#9192) they will need to go through CI together (each will fail on it's own, but both should pass together). If they can be unified into a single PR this might make this easier.

[Patater]

@mpg

Can you confirm if that is the case, or clarify if I made wrong assumptions?

Yes, that's the case. At a high level, this PR essentially reverts the Mbed TLS importer to how it was before Mbed OS 5.11. It takes the changes we added to the Mbed TLS importer in Mbed OS 5.11 to import Mbed Crypto and places those changes into their own Makefile which solely imports Mbed Crypto. This enables us to do development releases of Mbed Crypto into Mbed OS to help give others time to integrate with it well ahead of the next major Mbed OS release.

I'm getting the impression that updating to mbedcrypto 1.0.0d1 will break Mbed TLS, due to API changes that we haven't adapted to yet.

Yes, that's also the case for when the disabled-by-default option MBEDTLS_USE_PSA_CRYPTO is set. After the API is stable, we will avoid breaking this configuration by further imports into Mbed OS. Any API breakage will become obvious when Mbed OS CI tests with the MBEDTLS_USE_PSA_CRYPTO option set begin failing.

[Patater]

@NirSonnenschein This PR doesn't depend on #9192 as it doesn't bring in ITS changes yet. I'll raise a new PR for both the ITS changes from #9192 as well as ARMmbed/mbed-crypto#23, so that the review and merge process is simpler for this PR.

[NirSonnenschein]

@Patater as long as there is no interdependency then this sounds like a good way forward.

[NirSonnenschein]

@Patater : I'm not sure if this requires final approval from the TLS team, but started CI in the mean time.

[mikisch81]

@Patater looks like the PSA targets fail in compilation

[mbed-ci]

Test run: FAILED

Summary: 4 of 8 test jobs failed
Build number : 1
Build artifacts

Failed test jobs:

• jenkins-ci/mbed-os-ci_build-ARMC6
• jenkins-ci/mbed-os-ci_build-ARM
• jenkins-ci/mbed-os-ci_build-GCC_ARM
• jenkins-ci/mbed-os-ci_build-IAR

[NirSonnenschein]

Hi @Patater : FYI , CI ran into 2 failures at the build stage:

1. on sequana board compilation there were multiple build errors:
   10:14:47 [FUTURE_SEQUANA_PSA:ARM] [DEBUG] Output: "./components/TARGET_PSA/services/crypto/COMPONENT_PSA_SRV_IPC/crypto_platform_spe.h", line 105: Error: CAN-Related Pull Request #20: identifier "psa_key_slot_t" is undefined

2. on K64F there was also an error:
   10:18:58 [K64F:ARM] ################################################################################
   10:18:58 [K64F:ARM] # Failed example combinations
   10:18:58 [K64F:ARM] ################################################################################
   10:18:58 [K64F:ARM] # mbed-os-example-mbed-crypto K64F ARM
   10:18:58 [K64F:ARM] #
   10:18:58 [K64F:ARM] ################################################################################
   10:18:58 [K64F:ARM] Number of failures = 1

[itayzafrir]

@Patater compilation failed for target FUTURE_SEQUANA_PSA, this PR need additional commits from my PR #9409. We can cherry-pick all the commits from #9409 (except for 563701d which is the same as bd0037f from this PR) or only cherry-pick 3c10e5d.
If only cherry-pick 3c10e5d then function psa_hash_clone will return PSA_ERROR_NOT_SUPPORTED when doing crypto IPC.

[mikisch81]

@Patater compilation failed for target FUTURE_SEQUANA_PSA, this PR need additional commits from my PR #9409. We can cherry-pick all the commits from #9409 (except for 563701d which is the same as bd0037f from this PR) or only cherry-pick 3c10e5d.
If only cherry-pick 3c10e5d then function psa_hash_clone will return PSA_ERROR_NOT_SUPPORTED when doing crypto IPC.

#9529 should have all the dependent PRs inside and tests should pass.

Individually it's not possible as all the PRs are mutually dependent.

[Patater]

Closing in favor of #9529