Hi, Raef,
The combination that worked was the most-recent commit and gnu tools (-G option). Using VS it fails at lib/ext/CMSIS_5/CMakeLists.txt:25 for lack of CMSIS RTX static libraries.
...this command worked....
$ cmake -S . -B cmake_build -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=toolchain_GNUARM.cmake -G"Unix Makefiles"
-- The C compiler identification is GNU 9.3.1
-- The ASM compiler identification is GNU
-- Found assembler: C:/Program Files (x86)/GNU Arm Embedded Toolchain/9 2020-q2-update/bin/arm-none-eabi-gcc.exe
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: C:/Program Files (x86)/GNU Arm Embedded Toolchain/9 2020-q2-update/bin/arm-none-eabi-gcc.exe - skipped
-- Detecting C compile features
-- Detecting C compile features - done
Thanks. I'm interested if you've managed to build TFM using the visual studio generator? That check was actually added because we had a problem with at least one of the visual studio generators (VS10) setting the C compiler to `MSVC`. If you've managed to get it to build with VS16, then we can look in to adding that as a known good generator.
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Kevin Kilzer via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 13 October 2020 15:30
To: tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] Following the TF-M build example
Hi, Raef,
I added to the generator qualifier in CMakeLists.txt line 17. Since cmake is not my native language, I put in the full string, as you see. The string comes from the display of CMAKE_GENERATOR in the error message.
if(NOT ${CMAKE_GENERATOR} STREQUAL "Unix Makefiles" AND
NOT ${CMAKE_GENERATOR} STREQUAL "Visual Studio 16 2019" AND
NOT ${CMAKE_GENERATOR} STREQUAL "Ninja")
Message(FATAL_ERROR "Unsupported generator ${CMAKE_GENERATOR}. Hint: Try -G\"Unix Makefiles\"")
endif()
Hi, Raef,
I added to the generator qualifier in CMakeLists.txt line 17. Since cmake is not my native language, I put in the full string, as you see. The string comes from the display of CMAKE_GENERATOR in the error message.
if(NOT ${CMAKE_GENERATOR} STREQUAL "Unix Makefiles" AND
NOT ${CMAKE_GENERATOR} STREQUAL "Visual Studio 16 2019" AND
NOT ${CMAKE_GENERATOR} STREQUAL "Ninja")
Message(FATAL_ERROR "Unsupported generator ${CMAKE_GENERATOR}. Hint: Try -G\"Unix Makefiles\"")
endif()
Note that the aforementioned patch has now been merged - windows build should now be working again on master
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Raef Coles via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 13 October 2020 10:24
To: tf-m(a)lists.trustedfirmware.org; Kevin.Kilzer(a)microchip.com
Subject: Re: [TF-M] Following the TF-M build example
Hi,
I'm interested in the changes that you made to the validity checks, would you mind sending a patch / outlining what you had to change. The windows generator checks are still not working exactly as they should and I'd like to know what your experience was.
For the build failure, I believe this might be related to an issue with the windows PSA file generation. We've got a patch in review for this at https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6386, can you test and see if that fixes the problem.
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Kevin Kilzer via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 13 October 2020 00:20
To: tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] Following the TF-M build example
Thanks for the notes. Since last week I’ve now:
1. downloaded today’s latest repo (12 October, commit 8bebd05745a8b27dccc6403f0215fa6e39de3bc1, and
2. added the VS compiler to the “valid” checks at CmakeLists.txt line 17.
Using the -G option allows the make to complete (apparently), but the install script fails (in both GitBash and CMD).
Thanks for any help.
==========
-- Build files have been written to: C:/Users/cXXXXX/Git/arm/TF-M/trusted-firmware-m/cmake_build
cXXXXX@LT-cXXXXXA MINGW64 ~/Git/arm/TF-M/trusted-firmware-m (master)
$ cmake --build cmake_build -- install
tools/CMakeFiles/tfm_generated_files.dir/build.make:93: *** target pattern contains no '%'. Stop.
CMakeFiles/Makefile2:944: recipe for target 'tools/CMakeFiles/tfm_generated_files.dir/all' failed
make.exe[1]: *** [tools/CMakeFiles/tfm_generated_files.dir/all] Error 2
Makefile:148: recipe for target 'all' failed
make.exe: *** [all] Error 2==========
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hi,
I'm interested in the changes that you made to the validity checks, would you mind sending a patch / outlining what you had to change. The windows generator checks are still not working exactly as they should and I'd like to know what your experience was.
For the build failure, I believe this might be related to an issue with the windows PSA file generation. We've got a patch in review for this at https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6386, can you test and see if that fixes the problem.
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Kevin Kilzer via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 13 October 2020 00:20
To: tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] Following the TF-M build example
Thanks for the notes. Since last week I’ve now:
1. downloaded today’s latest repo (12 October, commit 8bebd05745a8b27dccc6403f0215fa6e39de3bc1, and
2. added the VS compiler to the “valid” checks at CmakeLists.txt line 17.
Using the -G option allows the make to complete (apparently), but the install script fails (in both GitBash and CMD).
Thanks for any help.
==========
-- Build files have been written to: C:/Users/cXXXXX/Git/arm/TF-M/trusted-firmware-m/cmake_build
cXXXXX@LT-cXXXXXA MINGW64 ~/Git/arm/TF-M/trusted-firmware-m (master)
$ cmake --build cmake_build -- install
tools/CMakeFiles/tfm_generated_files.dir/build.make:93: *** target pattern contains no '%'. Stop.
CMakeFiles/Makefile2:944: recipe for target 'tools/CMakeFiles/tfm_generated_files.dir/all' failed
make.exe[1]: *** [tools/CMakeFiles/tfm_generated_files.dir/all] Error 2
Makefile:148: recipe for target 'all' failed
make.exe: *** [all] Error 2==========
Hi,
While digging the clean issue brought up by Soby, I started wondering if external dependency handling would be better in a slightly different way. There is a lot of hack in the build system around including the psa-arch test project, mostly to work around cmake limitations on namespaces and symbol separation. A stronger barrier could eliminate the mess. In TS we use the following pattern (let's call it "Internal Project"):
* External dependencies are fetched with fetch_content()
* Right after the fetch, execute_process() is called to start the build of the component. So external component builds configuration time.
* The project get's installed into a directory and the main project is using the installed content, possibly through find_package().
* Benefits:
* This gives a stronger separation, elimination any name clash between the main project and the external dependency. Also global settings cannot collide like when a dependency sets CMAKE_BUILD_TYPE.
* Faster main project build times, as external projects are only built once.
* Makes it more "natural" to use an externally built binary for an external component. This might be handy from QA perspective if binary releases are going to happen. (If ever of course.)
* Strong separation could allow using different version of the same tools for components. (i.e. main project is built with GCC, component with IAR.)
* Drawbacks:
* It is harder to develop the external component together with tf-m s tracking changes is more difficult. Might be a problem if debugging tf-m vs external component interaction. This should be rare and might be an acceptable issue.
* It is unnatural to run builds configuration time in cmake world.
* Configuration phase will take longer.
* Since the build happens right where the external component is added (point A), cmake execution flow might need to be different to ensure all information needed to configure the external component is present at point A.
* Since external component is built by a separated cmake run, tool detection happens separate. This means the same tools will be searched for multiple times. Initial cache files can be a workaround.
This is very similar to how external projects work in cmake, but makes better integration possible. The main project can use information from the dependency as it's source and output files become available configuration time. In turn external project changes are harder to track.
/George
Hi,
I tried to dig deeper into this, but the cmake command used by Soby fails for me.
"
[ 33%] Performing patch step for 'psa_arch_tests-populate'
error: patch failed: api-tests/platform/targets/tgt_dev_apis_tfm_an521/nspe/pal_driver_intf.c:128
...
"
It would be nice to understand why cmake fails to clean properly, but well, I cannot deep-dive due to the above. What I wanted to check is if https://cmake.org/cmake/help/v3.15/prop_tgt/ADDITIONAL_CLEAN_FILES.html could be used to get "make clean" remove the psa-arch test binary directory. But:
* I am not sure which build directory is used. I have the feeling we use ${CMAKE_CURRENT_BINARY_DIR}/psa_api_tests and not psa_arch_tests_BINARY_DIR, which would be build\lib\ext\psa_arch_tests-build. Strange.
* ADDITIONAL_CLEAN_FILES was introduced in cmake v3.15 and if my memories are correct tf-m allows an older version if not using IAR.
Soby: can you please test if ADDITIONAL_CLEAN_FILES works? This solution would give a more streamlined.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Anton Komlev via TF-M
Sent: 12 October 2020 23:00
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi,
Thanks Soby for sorting it out.
Sounds like a right way to go and cleanall shall do that job.
For me it looks like an exceptional case while the main scenario for a daily development shall be the one, described by Karl : downloaded dependencies explicitly specified by paths outside of TF-M tree via command line, or via project config file (suggested).
And true, both cases shall be explicitly documented.
Hope it helps,
Anton
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Soby Mathew via TF-M
Sent: 12 October 2020 17:29
To: Gyorgy Szing <Gyorgy.Szing(a)arm.com<mailto:Gyorgy.Szing@arm.com>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Thanks Karl, Gyorgy for your inputs.
I agree with the principle that `BUILD` shall be only folder the cmake modifies. The trouble is, after a `make clean`, there are still artefacts from the previous configuration which affects the new build and gives the wrong output. Hence the suggestion to introduce a `cleanall` custom target which endeavours to clean the all the remnant config information from previous build and leave auto cloned dependant repositories untouched (or maybe print some status info).
Does that sound like a good plan then ?
Best Regards
Soby Mathew
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Gyorgy Szing via TF-M
Sent: 12 October 2020 06:29
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi,
I think the build directory is owned by cmake and the same rules shall apply to all files there. Also the only directory cmake does modify without the users consent shall be the build directory. As long as cmake is owning the external dependencies it is the responsibility of the build system to keep the dependencies in a healthy state and to ensure the correct version is built. To do this safely the "clean" operation, which is used to get out of a "non-operational" state, shall fix the dependencies too.
So the correct operation (in my opinion) is to make the dependency download work in the following way:
* If the dependency is already present at the target location, cmake shall use it as is. Possibly some status information should be printed (i.e. version number, if the git working copy is dirty etc...)
* If not cmake shall do the fetch.
This way if the user specify an external location (one not in the build directory), cmake will "export" the dependency when the first fetch is done, and do no modifications after. This gives us a well-defined act of handing over the responsibility of keeping the dependency clean.
As far as I can see (was not digging into the details) this more or less matches how the current implementation works, and what is missing is more details in the documentation.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Karl Zhang via TF-M
Sent: 10 October 2020 08:14
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; Soby Mathew <Soby.Mathew(a)arm.com<mailto:Soby.Mathew@arm.com>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi Soby,
I met the same problem before, and I think your suggestions are helpful. There might be more check needed if the 'make clean' does not delete the auto cloned repos. Because the dependencies may update by a new TFM commit.
The new build system supports to specify the patch of each dependency, which can avoid clone automatically to the build folder each time. Hope it can mitigate the inconvenient scenario.
-DMBEDCRYPTO_PATH=
-DTFM_TEST_REPO_PATH=
-DMCUBOOT_PATH=
-DPSA_ARCH_TESTS_PATH=
There is an example from CI for build command:
https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-config/lastStableBu…
cmake -DTFM_PLATFORM=mps2/an519 -DCMAKE_TOOLCHAIN_FILE=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/toolchain_GNUARM.cmake -DTFM_PSA_API=True -DTFM_ISOLATION_LEVEL=1 -DTEST_NS=False -DTEST_S=False -DTEST_PSA_API=OFF -DCMAKE_BUILD_TYPE=Debug -DCRYPTO_HW_ACCELERATOR_OTP_STATE=False -DBL2=False -DNS=False -DTFM_TEST_REPO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../tf-m-tests -DMBEDCRYPTO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mbedtls -DPSA_ARCH_TESTS_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../psa-arch-tests -DMCUBOOT_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mcuboot -DTFM_PROFILE= /home/buildslave/workspace/tf-m-build-config/trusted-firmware-m
BR
Karl
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> on behalf of Soby Mathew via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Sent: Friday, October 2, 2020 8:40 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: [TF-M] New TF-M Build doesn't track config changes
Hi,
With the new build system, TF-M downloads all dependant repositories to the BUILD folder as part of CMAKE configuration. CMake does provide `make clean` target to clean the build and rebuild but this doesn't track any config changes between the builds. Previously, the CMake workflow was to delete all contents in the BUILD folder before re-configuring for a new build but now this means the developer has to re-download all the dependant git repositories before the project can be build again. This can be a slow and cumbersome process for developers. Deleting the CMakecache.txt doesn't seem to solve the problem either.
The most obvious solution is to move the cloned repositories outside the BUILD/ folder , so we can follow the previous workflow of deleting the BUILD folder before re-build. The sample test sequence to reproduce the problem is given below:
/* Build secure regressions test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DTEST_S=ON -DCMAKE_BUILD_TYPE=Debug; make install
/* reconfigure and build PSA Crypto API test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_PSA_API=CRYPTO; make install
Built binary is still for regression test suite.
There are multiple suggestions to solve the problem, One is to move the clone repositories outside the BUILD/ folder, or introduce a build target like `make cleanall` which does the equivalent of rm -rf !(lib) within the BUILD folder (i.e the build target will remove all folders except the lib folder which has the cloned repositories). Please let us know of your suggestions on this.
Best Regards
Soby Mathew
Thanks for the notes. Since last week I've now:
1. downloaded today's latest repo (12 October, commit 8bebd05745a8b27dccc6403f0215fa6e39de3bc1, and
2. added the VS compiler to the "valid" checks at CmakeLists.txt line 17.
Using the -G option allows the make to complete (apparently), but the install script fails (in both GitBash and CMD).
Thanks for any help.
==========
-- Build files have been written to: C:/Users/cXXXXX/Git/arm/TF-M/trusted-firmware-m/cmake_build
cXXXXX@LT-cXXXXXA MINGW64 ~/Git/arm/TF-M/trusted-firmware-m (master)
$ cmake --build cmake_build -- install
tools/CMakeFiles/tfm_generated_files.dir/build.make:93: *** target pattern contains no '%'. Stop.
CMakeFiles/Makefile2:944: recipe for target 'tools/CMakeFiles/tfm_generated_files.dir/all' failed
make.exe[1]: *** [tools/CMakeFiles/tfm_generated_files.dir/all] Error 2
Makefile:148: recipe for target 'all' failed
make.exe: *** [all] Error 2==========
Hi,
Thanks Soby for sorting it out.
Sounds like a right way to go and cleanall shall do that job.
For me it looks like an exceptional case while the main scenario for a daily development shall be the one, described by Karl : downloaded dependencies explicitly specified by paths outside of TF-M tree via command line, or via project config file (suggested).
And true, both cases shall be explicitly documented.
Hope it helps,
Anton
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Soby Mathew via TF-M
Sent: 12 October 2020 17:29
To: Gyorgy Szing <Gyorgy.Szing(a)arm.com>
Cc: nd <nd(a)arm.com>; tf-m(a)lists.trustedfirmware.org
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Thanks Karl, Gyorgy for your inputs.
I agree with the principle that `BUILD` shall be only folder the cmake modifies. The trouble is, after a `make clean`, there are still artefacts from the previous configuration which affects the new build and gives the wrong output. Hence the suggestion to introduce a `cleanall` custom target which endeavours to clean the all the remnant config information from previous build and leave auto cloned dependant repositories untouched (or maybe print some status info).
Does that sound like a good plan then ?
Best Regards
Soby Mathew
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Gyorgy Szing via TF-M
Sent: 12 October 2020 06:29
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi,
I think the build directory is owned by cmake and the same rules shall apply to all files there. Also the only directory cmake does modify without the users consent shall be the build directory. As long as cmake is owning the external dependencies it is the responsibility of the build system to keep the dependencies in a healthy state and to ensure the correct version is built. To do this safely the "clean" operation, which is used to get out of a "non-operational" state, shall fix the dependencies too.
So the correct operation (in my opinion) is to make the dependency download work in the following way:
* If the dependency is already present at the target location, cmake shall use it as is. Possibly some status information should be printed (i.e. version number, if the git working copy is dirty etc...)
* If not cmake shall do the fetch.
This way if the user specify an external location (one not in the build directory), cmake will "export" the dependency when the first fetch is done, and do no modifications after. This gives us a well-defined act of handing over the responsibility of keeping the dependency clean.
As far as I can see (was not digging into the details) this more or less matches how the current implementation works, and what is missing is more details in the documentation.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Karl Zhang via TF-M
Sent: 10 October 2020 08:14
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; Soby Mathew <Soby.Mathew(a)arm.com<mailto:Soby.Mathew@arm.com>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi Soby,
I met the same problem before, and I think your suggestions are helpful. There might be more check needed if the 'make clean' does not delete the auto cloned repos. Because the dependencies may update by a new TFM commit.
The new build system supports to specify the patch of each dependency, which can avoid clone automatically to the build folder each time. Hope it can mitigate the inconvenient scenario.
-DMBEDCRYPTO_PATH=
-DTFM_TEST_REPO_PATH=
-DMCUBOOT_PATH=
-DPSA_ARCH_TESTS_PATH=
There is an example from CI for build command:
https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-config/lastStableBu…
cmake -DTFM_PLATFORM=mps2/an519 -DCMAKE_TOOLCHAIN_FILE=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/toolchain_GNUARM.cmake -DTFM_PSA_API=True -DTFM_ISOLATION_LEVEL=1 -DTEST_NS=False -DTEST_S=False -DTEST_PSA_API=OFF -DCMAKE_BUILD_TYPE=Debug -DCRYPTO_HW_ACCELERATOR_OTP_STATE=False -DBL2=False -DNS=False -DTFM_TEST_REPO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../tf-m-tests -DMBEDCRYPTO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mbedtls -DPSA_ARCH_TESTS_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../psa-arch-tests -DMCUBOOT_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mcuboot -DTFM_PROFILE= /home/buildslave/workspace/tf-m-build-config/trusted-firmware-m
BR
Karl
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> on behalf of Soby Mathew via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Sent: Friday, October 2, 2020 8:40 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: [TF-M] New TF-M Build doesn't track config changes
Hi,
With the new build system, TF-M downloads all dependant repositories to the BUILD folder as part of CMAKE configuration. CMake does provide `make clean` target to clean the build and rebuild but this doesn't track any config changes between the builds. Previously, the CMake workflow was to delete all contents in the BUILD folder before re-configuring for a new build but now this means the developer has to re-download all the dependant git repositories before the project can be build again. This can be a slow and cumbersome process for developers. Deleting the CMakecache.txt doesn't seem to solve the problem either.
The most obvious solution is to move the cloned repositories outside the BUILD/ folder , so we can follow the previous workflow of deleting the BUILD folder before re-build. The sample test sequence to reproduce the problem is given below:
/* Build secure regressions test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DTEST_S=ON -DCMAKE_BUILD_TYPE=Debug; make install
/* reconfigure and build PSA Crypto API test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_PSA_API=CRYPTO; make install
Built binary is still for regression test suite.
There are multiple suggestions to solve the problem, One is to move the clone repositories outside the BUILD/ folder, or introduce a build target like `make cleanall` which does the equivalent of rm -rf !(lib) within the BUILD folder (i.e the build target will remove all folders except the lib folder which has the cloned repositories). Please let us know of your suggestions on this.
Best Regards
Soby Mathew
Thanks Karl, Gyorgy for your inputs.
I agree with the principle that `BUILD` shall be only folder the cmake modifies. The trouble is, after a `make clean`, there are still artefacts from the previous configuration which affects the new build and gives the wrong output. Hence the suggestion to introduce a `cleanall` custom target which endeavours to clean the all the remnant config information from previous build and leave auto cloned dependant repositories untouched (or maybe print some status info).
Does that sound like a good plan then ?
Best Regards
Soby Mathew
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Gyorgy Szing via TF-M
Sent: 12 October 2020 06:29
To: tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi,
I think the build directory is owned by cmake and the same rules shall apply to all files there. Also the only directory cmake does modify without the users consent shall be the build directory. As long as cmake is owning the external dependencies it is the responsibility of the build system to keep the dependencies in a healthy state and to ensure the correct version is built. To do this safely the "clean" operation, which is used to get out of a "non-operational" state, shall fix the dependencies too.
So the correct operation (in my opinion) is to make the dependency download work in the following way:
* If the dependency is already present at the target location, cmake shall use it as is. Possibly some status information should be printed (i.e. version number, if the git working copy is dirty etc...)
* If not cmake shall do the fetch.
This way if the user specify an external location (one not in the build directory), cmake will "export" the dependency when the first fetch is done, and do no modifications after. This gives us a well-defined act of handing over the responsibility of keeping the dependency clean.
As far as I can see (was not digging into the details) this more or less matches how the current implementation works, and what is missing is more details in the documentation.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Karl Zhang via TF-M
Sent: 10 October 2020 08:14
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; Soby Mathew <Soby.Mathew(a)arm.com<mailto:Soby.Mathew@arm.com>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi Soby,
I met the same problem before, and I think your suggestions are helpful. There might be more check needed if the 'make clean' does not delete the auto cloned repos. Because the dependencies may update by a new TFM commit.
The new build system supports to specify the patch of each dependency, which can avoid clone automatically to the build folder each time. Hope it can mitigate the inconvenient scenario.
-DMBEDCRYPTO_PATH=
-DTFM_TEST_REPO_PATH=
-DMCUBOOT_PATH=
-DPSA_ARCH_TESTS_PATH=
There is an example from CI for build command:
https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-config/lastStableBu…
cmake -DTFM_PLATFORM=mps2/an519 -DCMAKE_TOOLCHAIN_FILE=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/toolchain_GNUARM.cmake -DTFM_PSA_API=True -DTFM_ISOLATION_LEVEL=1 -DTEST_NS=False -DTEST_S=False -DTEST_PSA_API=OFF -DCMAKE_BUILD_TYPE=Debug -DCRYPTO_HW_ACCELERATOR_OTP_STATE=False -DBL2=False -DNS=False -DTFM_TEST_REPO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../tf-m-tests -DMBEDCRYPTO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mbedtls -DPSA_ARCH_TESTS_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../psa-arch-tests -DMCUBOOT_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mcuboot -DTFM_PROFILE= /home/buildslave/workspace/tf-m-build-config/trusted-firmware-m
BR
Karl
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> on behalf of Soby Mathew via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Sent: Friday, October 2, 2020 8:40 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: [TF-M] New TF-M Build doesn't track config changes
Hi,
With the new build system, TF-M downloads all dependant repositories to the BUILD folder as part of CMAKE configuration. CMake does provide `make clean` target to clean the build and rebuild but this doesn't track any config changes between the builds. Previously, the CMake workflow was to delete all contents in the BUILD folder before re-configuring for a new build but now this means the developer has to re-download all the dependant git repositories before the project can be build again. This can be a slow and cumbersome process for developers. Deleting the CMakecache.txt doesn't seem to solve the problem either.
The most obvious solution is to move the cloned repositories outside the BUILD/ folder , so we can follow the previous workflow of deleting the BUILD folder before re-build. The sample test sequence to reproduce the problem is given below:
/* Build secure regressions test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DTEST_S=ON -DCMAKE_BUILD_TYPE=Debug; make install
/* reconfigure and build PSA Crypto API test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_PSA_API=CRYPTO; make install
Built binary is still for regression test suite.
There are multiple suggestions to solve the problem, One is to move the clone repositories outside the BUILD/ folder, or introduce a build target like `make cleanall` which does the equivalent of rm -rf !(lib) within the BUILD folder (i.e the build target will remove all folders except the lib folder which has the cloned repositories). Please let us know of your suggestions on this.
Best Regards
Soby Mathew
Hi All,
Trustedfirmware.org community project would like to invite you to the Mbed TLS Virtual Workshop on November 3rd (Tuesday) from 2pm to 6pm GMT.
The purpose of the workshop is to bring together the Mbed TLS community including maintainers, contributors and users to discuss
* The future direction of the project and
* Ways to improve community collaboration
The workshop will be hosted in Zoom open to all. The invitation with the zoom link will be send in the Mbed TLS, PSA Crypto* mailing lists in the coming days.
Here are some of the proposed agenda topics. Please reply if there is anything else you would like us or you to present during the workshop that will be interesting to the community
* Constant-time code
* How to be an effective Mbed TLS reviewer
* Processes - how does work get scheduled?
* Roadmap, Mbed TLS3.0
* PSA Crypto APIs
* How Do I contribute my first review.
Thanks,
Shebu
(TrustedFirmware.org Co-Chair,
Mbed TLS Technology Manager)
* https://lists.trustedfirmware.org/mailman/listinfo/mbed-tlshttps://lists.trustedfirmware.org/mailman/listinfo/psa-crypto
Hi Raymond
Thanks for the detailed report. This issue was reported here https://developer.trustedfirmware.org/T822 previously but I didn't get time to look into it further due to other priorities. Your analysis seems right and I will look further into this.
Best Regards
Soby Mathew
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Raymond Ngun via TF-M
Sent: 10 October 2020 00:59
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] Behavior difference in Crypto IPC vs Library modes
Hi all,
I'm seeking some assistance in determining the correct fix for a difference in behavior between IPC and Library modes that cause the Crypto PSA Arch Tests to fail when using IPC. Specifically, I've been testing on a PSoC64 for IPC mode and Musca-B1 for Library mode. The problem I am encountering is related to this check in crypto (e.g. crypto_aead.c in secure_fw/partitions/crypto).
if ( !((in_len == 2) || (in_len == 3)) || (out_len > 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
This is true for direct function call since in_len and out_len are sizes of in_vec[] and out_vec[]. However, in library mode, in_len and out_len is not based on the size of in_vec[] and out_vec[] but based on the contents. Specifically, out_len is determined via the following in tfm_crypto_call_sfn().
/* Check the number of out_vec filled */
while ((out_len > 0) && (msg->out_size[out_len - 1] == 0)) {
out_len--;
}
>From the above, if out_size (which is passed in by the user) is 0, the resultant out_len will be 0. The out_len is passed into the crypto function and PSA_ERROR_CONNECTION_REFUSED is returned due to the check above. PSA, on the other hand, expects PSA_ERROR_NOT_SUPPORTED to be returned. Btw, in_len suffers from the same issue.
I'm not sure if the check above is valid for IPC mode. I've removed the check temporarily to avoid the problem. However, if the check still makes sense, possibly it should return PSA_ERROR_NOT_SUPPORTED instead of PSA_ERROR_CONNECTION_REFUSED.
Thank you. I look forward to comments.
Ray
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hi,
There is a patch that should allow better configuration of the IRQ tests / other platform-related tests, as well as clarifying the documentation.
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6350https://review.trustedfirmware.org/c/TF-M/tf-m-tests/+/6351
Any reviews would be appreciated
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of David Hu via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 12 October 2020 08:55
To: Christopher Brand; tf-m(a)lists.trustedfirmware.org
Cc: nd
Subject: Re: [TF-M] Disabling IRQ test with new build system
Hi Chris,
Thanks a lot for reporting this.
It looks like the IRQ test case is enabled on NS side as long as the Platform service is enabled. The IRQ test service in SPE is controlled by `TFM_ENABLE_IRQ_TEST`, which, however, is neither explicitly configured in CMake nor exported for manual configuration. Therefore IRQ test service is not enabled by default.
Thus the IRQ test case will hang the execution and configuration of IRQ test in command line won’t take effect.
I’ve been looking for the solution. Just need some time to sort out the dependencies of those test control flags in the new build system. 😊
Sorry for any inconvenience.
Best regards,
Hu Ziji
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Christopher Brand via TF-M
Sent: Saturday, October 10, 2020 4:32 AM
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] Disabling IRQ test with new build system
Hi,
The IRQ test part of the CORE_TEST is all conditioned on TFM_ENABLE_IRQ_TEST, and docs/reference/services/core_test_services_integration_guide.rst states that “A platform can skip IRQ handling test by setting ``TFM_ENABLE_IRQ_TEST`` to ``OFF`` in its cmake configuration file.”, but doing so doesn’t seem to actually work. I tried a number of options to the cmake command (including -DTFM_ENABLE_IRQ_TES=OFF, -U TFM_ENABLE_IRQ_TEST), too, but I can’t figure out how to avoid that test.
Chris Brand
Sr Prin Software Engr, MCD: WIRELESS
Cypress Semiconductor Corp.
An Infineon Technologies Company
#320-13700 International Place, Richmond, British Columbia V6V 2X8 Canada
www.infineon.com<http://www.infineon.com> www.cypress.com<http://www.cypress.com>
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hi Chris,
Thanks a lot for reporting this.
It looks like the IRQ test case is enabled on NS side as long as the Platform service is enabled. The IRQ test service in SPE is controlled by `TFM_ENABLE_IRQ_TEST`, which, however, is neither explicitly configured in CMake nor exported for manual configuration. Therefore IRQ test service is not enabled by default.
Thus the IRQ test case will hang the execution and configuration of IRQ test in command line won’t take effect.
I’ve been looking for the solution. Just need some time to sort out the dependencies of those test control flags in the new build system. 😊
Sorry for any inconvenience.
Best regards,
Hu Ziji
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Christopher Brand via TF-M
Sent: Saturday, October 10, 2020 4:32 AM
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] Disabling IRQ test with new build system
Hi,
The IRQ test part of the CORE_TEST is all conditioned on TFM_ENABLE_IRQ_TEST, and docs/reference/services/core_test_services_integration_guide.rst states that “A platform can skip IRQ handling test by setting ``TFM_ENABLE_IRQ_TEST`` to ``OFF`` in its cmake configuration file.”, but doing so doesn’t seem to actually work. I tried a number of options to the cmake command (including -DTFM_ENABLE_IRQ_TES=OFF, -U TFM_ENABLE_IRQ_TEST), too, but I can’t figure out how to avoid that test.
Chris Brand
Sr Prin Software Engr, MCD: WIRELESS
Cypress Semiconductor Corp.
An Infineon Technologies Company
#320-13700 International Place, Richmond, British Columbia V6V 2X8 Canada
www.infineon.com<http://www.infineon.com> www.cypress.com<http://www.cypress.com>
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hi,
I think the build directory is owned by cmake and the same rules shall apply to all files there. Also the only directory cmake does modify without the users consent shall be the build directory. As long as cmake is owning the external dependencies it is the responsibility of the build system to keep the dependencies in a healthy state and to ensure the correct version is built. To do this safely the "clean" operation, which is used to get out of a "non-operational" state, shall fix the dependencies too.
So the correct operation (in my opinion) is to make the dependency download work in the following way:
* If the dependency is already present at the target location, cmake shall use it as is. Possibly some status information should be printed (i.e. version number, if the git working copy is dirty etc...)
* If not cmake shall do the fetch.
This way if the user specify an external location (one not in the build directory), cmake will "export" the dependency when the first fetch is done, and do no modifications after. This gives us a well-defined act of handing over the responsibility of keeping the dependency clean.
As far as I can see (was not digging into the details) this more or less matches how the current implementation works, and what is missing is more details in the documentation.
/George
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Karl Zhang via TF-M
Sent: 10 October 2020 08:14
To: tf-m(a)lists.trustedfirmware.org; Soby Mathew <Soby.Mathew(a)arm.com>
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] New TF-M Build doesn't track config changes
Hi Soby,
I met the same problem before, and I think your suggestions are helpful. There might be more check needed if the 'make clean' does not delete the auto cloned repos. Because the dependencies may update by a new TFM commit.
The new build system supports to specify the patch of each dependency, which can avoid clone automatically to the build folder each time. Hope it can mitigate the inconvenient scenario.
-DMBEDCRYPTO_PATH=
-DTFM_TEST_REPO_PATH=
-DMCUBOOT_PATH=
-DPSA_ARCH_TESTS_PATH=
There is an example from CI for build command:
https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-config/lastStableBu…
cmake -DTFM_PLATFORM=mps2/an519 -DCMAKE_TOOLCHAIN_FILE=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/toolchain_GNUARM.cmake -DTFM_PSA_API=True -DTFM_ISOLATION_LEVEL=1 -DTEST_NS=False -DTEST_S=False -DTEST_PSA_API=OFF -DCMAKE_BUILD_TYPE=Debug -DCRYPTO_HW_ACCELERATOR_OTP_STATE=False -DBL2=False -DNS=False -DTFM_TEST_REPO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../tf-m-tests -DMBEDCRYPTO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mbedtls -DPSA_ARCH_TESTS_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../psa-arch-tests -DMCUBOOT_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mcuboot -DTFM_PROFILE= /home/buildslave/workspace/tf-m-build-config/trusted-firmware-m
BR
Karl
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> on behalf of Soby Mathew via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Sent: Friday, October 2, 2020 8:40 PM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org> <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: [TF-M] New TF-M Build doesn't track config changes
Hi,
With the new build system, TF-M downloads all dependant repositories to the BUILD folder as part of CMAKE configuration. CMake does provide `make clean` target to clean the build and rebuild but this doesn't track any config changes between the builds. Previously, the CMake workflow was to delete all contents in the BUILD folder before re-configuring for a new build but now this means the developer has to re-download all the dependant git repositories before the project can be build again. This can be a slow and cumbersome process for developers. Deleting the CMakecache.txt doesn't seem to solve the problem either.
The most obvious solution is to move the cloned repositories outside the BUILD/ folder , so we can follow the previous workflow of deleting the BUILD folder before re-build. The sample test sequence to reproduce the problem is given below:
/* Build secure regressions test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DTEST_S=ON -DCMAKE_BUILD_TYPE=Debug; make install
/* reconfigure and build PSA Crypto API test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_PSA_API=CRYPTO; make install
Built binary is still for regression test suite.
There are multiple suggestions to solve the problem, One is to move the clone repositories outside the BUILD/ folder, or introduce a build target like `make cleanall` which does the equivalent of rm -rf !(lib) within the BUILD folder (i.e the build target will remove all folders except the lib folder which has the cloned repositories). Please let us know of your suggestions on this.
Best Regards
Soby Mathew
Hi Soby,
I met the same problem before, and I think your suggestions are helpful. There might be more check needed if the 'make clean' does not delete the auto cloned repos. Because the dependencies may update by a new TFM commit.
The new build system supports to specify the patch of each dependency, which can avoid clone automatically to the build folder each time. Hope it can mitigate the inconvenient scenario.
-DMBEDCRYPTO_PATH=
-DTFM_TEST_REPO_PATH=
-DMCUBOOT_PATH=
-DPSA_ARCH_TESTS_PATH=
There is an example from CI for build command:
https://ci.trustedfirmware.org/view/TF-M/job/tf-m-build-config/lastStableBu…
cmake -DTFM_PLATFORM=mps2/an519 -DCMAKE_TOOLCHAIN_FILE=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/toolchain_GNUARM.cmake -DTFM_PSA_API=True -DTFM_ISOLATION_LEVEL=1 -DTEST_NS=False -DTEST_S=False -DTEST_PSA_API=OFF -DCMAKE_BUILD_TYPE=Debug -DCRYPTO_HW_ACCELERATOR_OTP_STATE=False -DBL2=False -DNS=False -DTFM_TEST_REPO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../tf-m-tests -DMBEDCRYPTO_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mbedtls -DPSA_ARCH_TESTS_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../psa-arch-tests -DMCUBOOT_PATH=/home/buildslave/workspace/tf-m-build-config/trusted-firmware-m/../mcuboot -DTFM_PROFILE= /home/buildslave/workspace/tf-m-build-config/trusted-firmware-m
BR
Karl
________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Soby Mathew via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: Friday, October 2, 2020 8:40 PM
To: tf-m(a)lists.trustedfirmware.org <tf-m(a)lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com>
Subject: [TF-M] New TF-M Build doesn't track config changes
Hi,
With the new build system, TF-M downloads all dependant repositories to the BUILD folder as part of CMAKE configuration. CMake does provide `make clean` target to clean the build and rebuild but this doesn't track any config changes between the builds. Previously, the CMake workflow was to delete all contents in the BUILD folder before re-configuring for a new build but now this means the developer has to re-download all the dependant git repositories before the project can be build again. This can be a slow and cumbersome process for developers. Deleting the CMakecache.txt doesn't seem to solve the problem either.
The most obvious solution is to move the cloned repositories outside the BUILD/ folder , so we can follow the previous workflow of deleting the BUILD folder before re-build. The sample test sequence to reproduce the problem is given below:
/* Build secure regressions test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DTEST_S=ON -DCMAKE_BUILD_TYPE=Debug; make install
/* reconfigure and build PSA Crypto API test suite */
$ make clean; cmake .. -DTFM_PLATFORM=mps2/an521 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_PSA_API=CRYPTO; make install
Built binary is still for regression test suite.
There are multiple suggestions to solve the problem, One is to move the clone repositories outside the BUILD/ folder, or introduce a build target like `make cleanall` which does the equivalent of rm -rf !(lib) within the BUILD folder (i.e the build target will remove all folders except the lib folder which has the cloned repositories). Please let us know of your suggestions on this.
Best Regards
Soby Mathew
Hi all,
I'm seeking some assistance in determining the correct fix for a difference in behavior between IPC and Library modes that cause the Crypto PSA Arch Tests to fail when using IPC. Specifically, I've been testing on a PSoC64 for IPC mode and Musca-B1 for Library mode. The problem I am encountering is related to this check in crypto (e.g. crypto_aead.c in secure_fw/partitions/crypto).
if ( !((in_len == 2) || (in_len == 3)) || (out_len > 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
This is true for direct function call since in_len and out_len are sizes of in_vec[] and out_vec[]. However, in library mode, in_len and out_len is not based on the size of in_vec[] and out_vec[] but based on the contents. Specifically, out_len is determined via the following in tfm_crypto_call_sfn().
/* Check the number of out_vec filled */
while ((out_len > 0) && (msg->out_size[out_len - 1] == 0)) {
out_len--;
}
>From the above, if out_size (which is passed in by the user) is 0, the resultant out_len will be 0. The out_len is passed into the crypto function and PSA_ERROR_CONNECTION_REFUSED is returned due to the check above. PSA, on the other hand, expects PSA_ERROR_NOT_SUPPORTED to be returned. Btw, in_len suffers from the same issue.
I'm not sure if the check above is valid for IPC mode. I've removed the check temporarily to avoid the problem. However, if the check still makes sense, possibly it should return PSA_ERROR_NOT_SUPPORTED instead of PSA_ERROR_CONNECTION_REFUSED.
Thank you. I look forward to comments.
Ray
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hi,
The IRQ test part of the CORE_TEST is all conditioned on TFM_ENABLE_IRQ_TEST, and docs/reference/services/core_test_services_integration_guide.rst states that "A platform can skip IRQ handling test by setting ``TFM_ENABLE_IRQ_TEST`` to ``OFF`` in its cmake configuration file.", but doing so doesn't seem to actually work. I tried a number of options to the cmake command (including -DTFM_ENABLE_IRQ_TES=OFF, -U TFM_ENABLE_IRQ_TEST), too, but I can't figure out how to avoid that test.
Chris Brand
Sr Prin Software Engr, MCD: WIRELESS
Cypress Semiconductor Corp.
An Infineon Technologies Company
#320-13700 International Place, Richmond, British Columbia V6V 2X8 Canada
www.infineon.com<http://www.infineon.com> www.cypress.com<http://www.cypress.com>
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hello,
The next Technical Forum is planned on Thursday, October 15 at 6:00-07:00 UTC (Asia time zone).
Please reply on this email with your proposals for agenda topics.
Recording and slides of previous meetings are here:
https://www.trustedfirmware.org/meetings/tf-m-technical-forum/
Best regards,
Anton
Hi Raymond,
Could you test this fix, it worked for me:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6274
BR,
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M
Sent: 07 October 2020 09:26
To: Raymond Ngun <Raymond.Ngun(a)cypress.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] Musca-B1 and new build system
Hi Raymond,
I propose the following way to debug:
* I will build and send you a Musca-B1 image based on current master (fc8d2f7 Build: Remove PSA arch tests patch) for testing on your board.
* Please send me both of your images, and if you have the corresponding *.axf files, and if you know the commit-id when they were built.
* I would like to test and debug in my environment.
* By the way do you have a debugger? Can you identify actually what does return an error during security counter init?
BR,
Tamas
From: Raymond Ngun <Raymond.Ngun(a)cypress.com<mailto:Raymond.Ngun@cypress.com>>
Sent: 06 October 2020 23:53
To: Tamas Ban <Tamas.Ban(a)arm.com<mailto:Tamas.Ban@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Musca-B1 and new build system
Hi Tamas,
It didn't make a difference. I have an old muscb1 image around and that continues to work fine but the new images do not work.
I wrote 2MB of 0xFF btw.
Thanks,
Ray
From: Tamas Ban <Tamas.Ban(a)arm.com<mailto:Tamas.Ban@arm.com>>
Sent: Tuesday, October 6, 2020 8:40 AM
To: Raymond Ngun <Raymond.Ngun(a)cypress.com<mailto:Raymond.Ngun@cypress.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Musca-B1 and new build system
Hi Raymond,
The build command and the hex creation are correct.
Could you try to erase the entire eFlash before programming it?
It can be done with Keil MDK, or you can create a hex file with srec_cat which only contains 0xFF bytes and program that one to the board.
Let me know whether does it solved the issue.
Tamas
From: Raymond Ngun <Raymond.Ngun(a)cypress.com<mailto:Raymond.Ngun@cypress.com>>
Sent: 05 October 2020 23:07
To: Tamas Ban <Tamas.Ban(a)arm.com<mailto:Tamas.Ban@arm.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Musca-B1 and new build system
Thanks Tamas.
Unfortunately, this did not work for me. Here is what I did to build. Let me know if I did something wrong.
cmake -DTFM_PLATFORM=musca_b1 -DCMAKE_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_NS=ON -DTEST_S=ON ../
cmake --build . --target install
srec_cat install/outputs/MUSCA_B1/bl2.bin -Binary -offset 0xA000000 install/outputs/MUSCA_B1/tfm_s_ns_signed.bin -Binary -offset 0xA020000 -o tfm.hex -Intel
The resultant output is the following.
Entering standby..
[INF] Starting bootloader
[ERR] Error while initializing the security counter
Thank you,
Ray
From: Tamas Ban <Tamas.Ban(a)arm.com<mailto:Tamas.Ban@arm.com>>
Sent: Thursday, October 1, 2020 3:05 AM
To: tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>; Raymond Ngun <Raymond.Ngun(a)cypress.com<mailto:Raymond.Ngun@cypress.com>>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: RE: Musca-B1 and new build system
Hi Raymond,
Here is the proposed fix:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6028
Could you verify on your board? Pls use at build -DCMAKE_BUILD_TYPE=Debug for full logging in bootloader.
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Tamas Ban via TF-M
Sent: 01 October 2020 10:37
To: Raymond Ngun <Raymond.Ngun(a)cypress.com<mailto:Raymond.Ngun@cypress.com>>; tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>
Cc: nd <nd(a)arm.com<mailto:nd@arm.com>>
Subject: Re: [TF-M] Musca-B1 and new build system
Hi Raymond,
Thanks for reporting the issue!
The observed behaviour has two reason:
- In the new build system the default CMAKE_BUILD_TYPE=Release. In this case the logging is disabled in MCUboot to get smaller binary. You can set manualy to Debug in the command line to enable logging from bootloader
* This commit 7d591a684b4abb0f61fbba8668dd6ea7b4b68698 introduced a crash in Musca S1/B1. Fix is ongoing.
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Raymond Ngun via TF-M
Sent: 30 September 2020 17:44
To: David Hu via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Subject: [TF-M] Musca-B1 and new build system
Hi all,
I am attempting to build Musca-B1 with the latest in master but I'm not able to get it to run (nothing shows on the UART). At a minimum, the User Guide is out of date in terms of how the final hex is created. So, I have a couple questions.
1. Is the latest tested with Musca-B1?
2. Can I obtain some updated information on how to build and create an image for Musca-B1?
Thank you,
Ray
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
Hi,
FIY this variable in the Linux world used to be called "CROSS_COMPILE" and both TF-A and OP-TEE is using the same convention. Would it be possible to align with this and rename the variable? For backwards compatibility it could be possible to use both for a while, and issue a warning when the with a deprecation message when the old one is sued.
/George
-----Original Message-----
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Raef Coles via TF-M
Sent: 08 October 2020 11:03
To: tf-m(a)lists.trustedfirmware.org; Kumar Gala (kumar.gala(a)linaro.org) <kumar.gala(a)linaro.org>
Subject: Re: [TF-M] New build system missing GNUARM_PREFIX support
Hi, yes apologies that seems to have been lost. I was doing my best to track changes in the original cmake but it seems this one got missed.
Can I ask - for the vendor triplet compilers (arm-etc-eabi-gcc), is it a compiler that the vendor is developing? In the new buildsystem, it might make sense to create a new compiler toolchain file that is almost identical to the GNU one, which would allow the two compilers to diverge slightly (in command-line options etc) if necessary.
Raef
________________________________________
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> on behalf of Kumar Gala via TF-M <tf-m(a)lists.trustedfirmware.org>
Sent: 07 October 2020 17:26
To: tf-m(a)lists.trustedfirmware.org
Subject: [TF-M] New build system missing GNUARM_PREFIX support
It looks like the GNUARM_PREFIX changes got dropped as part of the new build system.
Can someone look at restoring those changes?
- k
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
--
TF-M mailing list
TF-M(a)lists.trustedfirmware.org
https://lists.trustedfirmware.org/mailman/listinfo/tf-m
Hi Raymond,
Here is the proposed fix:
https://review.trustedfirmware.org/c/TF-M/trusted-firmware-m/+/6028
Could you verify on your board? Pls use at build -DCMAKE_BUILD_TYPE=Debug for full logging in bootloader.
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org> On Behalf Of Tamas Ban via TF-M
Sent: 01 October 2020 10:37
To: Raymond Ngun <Raymond.Ngun(a)cypress.com>; tf-m(a)lists.trustedfirmware.org
Cc: nd <nd(a)arm.com>
Subject: Re: [TF-M] Musca-B1 and new build system
Hi Raymond,
Thanks for reporting the issue!
The observed behaviour has two reason:
- In the new build system the default CMAKE_BUILD_TYPE=Release. In this case the logging is disabled in MCUboot to get smaller binary. You can set manualy to Debug in the command line to enable logging from bootloader
* This commit 7d591a684b4abb0f61fbba8668dd6ea7b4b68698 introduced a crash in Musca S1/B1. Fix is ongoing.
Tamas
From: TF-M <tf-m-bounces(a)lists.trustedfirmware.org<mailto:tf-m-bounces@lists.trustedfirmware.org>> On Behalf Of Raymond Ngun via TF-M
Sent: 30 September 2020 17:44
To: David Hu via TF-M <tf-m(a)lists.trustedfirmware.org<mailto:tf-m@lists.trustedfirmware.org>>
Subject: [TF-M] Musca-B1 and new build system
Hi all,
I am attempting to build Musca-B1 with the latest in master but I'm not able to get it to run (nothing shows on the UART). At a minimum, the User Guide is out of date in terms of how the final hex is created. So, I have a couple questions.
1. Is the latest tested with Musca-B1?
2. Can I obtain some updated information on how to build and create an image for Musca-B1?
Thank you,
Ray
This message and any attachments may contain confidential information from Cypress or its subsidiaries. If it has been received in error, please advise the sender and immediately delete this message.
