Gilles,

Thank you.

I added #include "common.h" to the top of psa_crypto_core.h as suggested, but the build error that private members do not exist persists. I am still able to avoid the build error if I add MBEDTLS_PRIVATE() to the necessary private members referred to in psa_crypto_core.h.

I have included the /tfm/interface/include path in my build for the path to psa/error.h in the header psa/internal_trusted_storage.h.

Regards,
Archanaa

From: Gilles Peskine via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: Sunday, May 7, 2023 2:22 PM
To: mbed-tls@lists.trustedfirmware.org
Subject: [EXTERNAL] [mbed-tls] Re: PSA key slot management functions access private structure members

Apologies, my analysis was wrong. With MBEDTLS_PSA_ITS_FILE_C disabled, Mbed TLS builds fine if I use a minimal version of the header psa/internal_trusted_storage.h. I can reproduce the build failure if I add https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/interface/include to the compiler's include path. So the problem is an incompatibility between Mbed TLS headers and TF-M headers. I don't know yet which side(s) needs to be fixed.

Best regards,

--
Gilles Peskine

On 05/05/2023 17:47, Gilles Peskine via mbed-tls wrote:

With Archanaa's help I've analyzed the problem and filed an issue at https://github.com/Mbed-TLS/mbedtls/issues/7559 .

This problem is most likely to arise if you build with MBEDTLS_PSA_CRYPTO_STORAGE_C enabled but MBEDTLS_PSA_ITS_FILE_C disabled, relying on a native implementation of PSA ITS. As a quick fix, you can add the line
#include "common.h"
at the top of library/psa_crypto_core.h.

Best regards,

--
Gilles Peskine
Mbed TLS developer

On 05/05/2023 12:19, Gilles Peskine via mbed-tls wrote:

Hi,

Can you share your configuration and compiler (including flags and target)? This isn't happening in any of the configurations we test on our CI, but psa_crypto_core.h doesn't include the correct header directly, and maybe the indirect include that makes it work for us is omitted in some configurations.

Library and test code should define MBEDTLS_ALLOW_PRIVATE_ACCESS, but it's missing in some places. We'll fix that, but it would be good to know what configurations make it actually break.

Best regards,

--
Gilles Peskine
Mbed TLS developer

On 04/05/2023 21:56, S Krishnan, Archanaa via mbed-tls wrote:

Hello,

In Mbed TLS v3.4.0, I came across a build error that there are no members for type and flag in the psa_core_key_attributes_t structure.

The following functions in psa_crypto_core.h access private members type and flag of the psa_core_key_attributes_t structure without the MBEDTLS_PRIVATE() private access.

  1. psa_is_key_slot_occupied()
  2. psa_key_slot_get_flags()
  3. psa_key_slot_set_flags()
  4. psa_key_slot_set_bits_in_flags()
  5. psa_key_slot_clear_bits()

Updating to private access for attribute struct members in psa_crypto_core.h fixed the build errors.

Regards,
Archanaa