Hi Alex,

Yes, test 244 is still failing because the Mbed TLS library returns an incorrect value for psa_copy_key() when an invalid key identifier or lifetime is passed. We reported this issue to the Mbed TLS team. The issue link is here: https://github.com/ARMmbed/mbedtls/issues/4271

And the latest psa arch crypto test analysis is updated: https://developer.trustedfirmware.org/w/tf_m/release/psa_arch_crypto_test_failure_analysis_in_tf-m_v1.3_release/


Thanks,
Summer




From: Alexander.Moore@infineon.com <Alexander.Moore@infineon.com>
Sent: Tuesday, March 30, 2021 1:36 AM
To: Summer Qin <Summer.Qin@arm.com>; David Hu <David.Hu@arm.com>
Cc: nd <nd@arm.com>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: RE: [TF-M] Regression observed in PSA Crypto after Mbed TLS upgrade to 2.25
 

Hi Summer,

 

Thanks for the information! I wanted to report that after “b11b0675 Crypto: Fix psa arch test failures” was merged in, we are still seeing PSA Crypto test 244 failing on PSoC64.

 

TEST: 244 | DESCRIPTION: Testing crypto key management APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_copy_key - 16 Byte AES
[Check 2] Test psa_copy_key - without copy usage
[Check 3] Test psa_copy_key - invalid lifetime
      Failed at Checkpoint: 4
      Actual: -136
      Expected: -135
TEST RESULT: FAILED (Error Code=0x1)

 

Our 6 other tests which regressed are back to passing now (206, 207, 208, 211, 237, 243).

 

Thanks,

Alex

 

From: Summer Qin <Summer.Qin@arm.com>
Sent: Wednesday, March 24, 2021 7:48 PM
To: David Hu <David.Hu@arm.com>; Moore Alexander (CSCA CSS ICW SW PSW 1) <Alexander.Moore@infineon.com>
Cc: nd <nd@arm.com>; tf-m@lists.trustedfirmware.org
Subject: Re: [TF-M] Regression observed in PSA Crypto after Mbed TLS upgrade to 2.25

 

Caution: This e-mail originated outside Infineon Technologies. Do not click on links or open attachments unless you validate it is safe.

 

Hi Alexander,

 

Thanks for your information.

For the current TF-M v1.3.0-RC1, yes, we have some extra failed test cases for crypto psa arch tests. They are 208, 211, 237, 243, and 244. We are now trying to fix them.

206 and 207 are our known issues. Details can be found in our tfm release failure analysis:

https://developer.trustedfirmware.org/w/tf_m/release/psa_arch_crypto_test_failure_analysis_in_tf-m_v1.3_release/

https://developer.trustedfirmware.org/w/tf_m/release/psa_arch_crypto_test_failure_analysis_in_tf-m_v1.2_release/

 

Thanks,

Summer

 


From: TF-M <tf-m-bounces@lists.trustedfirmware.org> on behalf of Alexander.Moore--- via TF-M <tf-m@lists.trustedfirmware.org>
Sent: Wednesday, March 24, 2021 3:55 PM
To: David Hu <David.Hu@arm.com>
Cc: nd <nd@arm.com>; tf-m@lists.trustedfirmware.org <tf-m@lists.trustedfirmware.org>
Subject: Re: [TF-M] Regression observed in PSA Crypto after Mbed TLS upgrade to 2.25

 

What’s the build configuration on PSoC 64 with PSA Arch test:

+ BUILD_OPTS='-DTEST_PSA_API=CRYPTO -DTFM_PSA_API=ON -DTFM_ISOLATION_LEVEL=2'

+ cmake -S . -B build_clang_psoc64 -DTFM_PLATFORM=cypress/psoc64 -DTFM_TOOLCHAIN_FILE=toolchain_ARMCLANG.cmake -DCMAKE_BUILD_TYPE=Release -DTEST_PSA_API=CRYPTO -DTFM_PSA_API=ON -DTFM_ISOLATION_LEVEL=2

-- The C compiler identification is ARMClang 6.12.1

-- The ASM compiler identification is ARMCC

 

We build both debug/release, and also use gcc/armclang, all four combinations give the same PSA Crypto test results.

 

What’s the version of TF-M? Have you tried the latest one in master branch:

  • We are using the latest master (v1.2.0) and isolated the problem commit to be 28659c498c3bdbbc610959e7518bece5aaf72a19.

 

What’s the version of PSA Arch test:

  • We are using the default tagged version associated with TF-M master branch, which is “8644bd0 musca_s1 support”

 

Can you share more log of the failure test case:

 

TEST: 206 | DESCRIPTION: Testing crypto hash functions APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_hash_compute with SHA224 algorithm
[Check 2] Test psa_hash_compute with SHA256 algorithm
[Check 3] Test psa_hash_compute with SHA384 algorithm
[Check 4] Test psa_hash_compute with SHA512 algorithm
[Check 5] Test psa_hash_compute with small buffer size
[Check 6] Test psa_hash_compute with invalid algorithm
      Failed at Checkpoint: 3
      Actual: -135
      Expected: -134
TEST RESULT: FAILED (Error Code=0x1)

TEST: 207 | DESCRIPTION: Testing crypto hash functions APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_hash_compare - SHA224 algorithm
[Check 2] Test psa_hash_compare - SHA256 algorithm
[Check 3] Test psa_hash_compare - SHA384 algorithm
[Check 4] Test psa_hash_compare - SHA512 algorithm
[Check 5] Test psa_hash_compare - incorrect hash
[Check 6] Test psa_hash_compare - incorrect hash length
[Check 7] Test psa_hash_compare - invalid algorithm
      Failed at Checkpoint: 3
      Actual: -135
      Expected: -134
TEST RESULT: FAILED (Error Code=0x1)

TEST: 208 | DESCRIPTION: Testing crypto key derivation APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_key_derivation_setup - ECDH + HKDF-SHA-256
[Check 2] Test psa_key_derivation_setup - ECDH, unknown KDF
[Check 3] Test psa_key_derivation_setup - bad key derivation algorithm
      Failed at Checkpoint: 3
      Actual: -134
      Expected: -135
TEST RESULT: FAILED (Error Code=0x1)

TEST: 211 | DESCRIPTION: Testing crypto hash functions APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_hash_setup with SHA224 algorithm
[Check 2] Test psa_hash_setup with SHA256 algorithm
[Check 3] Test psa_hash_setup with SHA384 algorithm
[Check 4] Test psa_hash_setup with SHA512 algorithm
[Check 5] Test psa_hash_setup with Invalid hash algorithm
      Failed at Checkpoint: 3
      Actual: -135
      Expected: -134
TEST RESULT: FAILED (Error Code=0x1)

TEST: 237 | DESCRIPTION: Testing crypto symmetric cipher APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_cipher_finish - Encrypt - AES CBC_NO_PADDING
[Check 2] Test psa_cipher_finish - Encrypt - AES CBC_NO_PADDING (Short in)
[Check 3] Test psa_cipher_finish - Encrypt - AES CBC_PKCS7
[Check 4] Test psa_cipher_finish - Encrypt - AES CBC_PKCS7 (Short input)
[Check 5] Test psa_cipher_finish - Encrypt - AES CTR
[Check 6] Test psa_cipher_finish - Encrypt - AES CTR (short input)
[Check 7] Test psa_cipher_finish - Encrypt - small output buffer size
[Check 8] Test psa_cipher_finish - Decrypt - AES CBC_NO_PADDING
[Check 9] Test psa_cipher_finish - Decrypt - AES CBC_NO_PADDING (Short in)
      Failed at Checkpoint: 8
      Actual: -135
      Expected: -137
TEST RESULT: FAILED (Error Code=0x1)

TEST: 243 | DESCRIPTION: Testing crypto key derivation APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_raw_key_agreement - ECDH SECP256R1
[Check 2] Test psa_raw_key_agreement - Small buffer size
[Check 3] Test psa_raw_key_agreement - ECDH SECP384R1
[Check 4] Test psa_raw_key_agreement - Invalid usage
[Check 5] Test psa_raw_key_agreement - Unknown KDF
      Failed at Checkpoint: 4
      Actual: -134
      Expected: -135
TEST RESULT: FAILED (Error Code=0x1)

TEST: 244 | DESCRIPTION: Testing crypto key management APIs
[Info] Executing tests from non-secure
[Check 1] Test psa_copy_key - 16 Byte AES
[Check 2] Test psa_copy_key - without copy usage
[Check 3] Test psa_copy_key - invalid lifetime
      Failed at Checkpoint: 4
      Actual: -136
      Expected: -135
TEST RESULT: FAILED (Error Code=0x1)

 

 

Thanks,

Alex

 

From: David Hu <David.Hu@arm.com>
Sent: Monday, March 22, 2021 7:56 PM
To: Moore Alexander (CSCA CSS ICW SW PSW 1) <Alexander.Moore@infineon.com>
Cc: tf-m@lists.trustedfirmware.org; nd <nd@arm.com>
Subject: RE: [TF-M] Regression observed in PSA Crypto after Mbed TLS upgrade to 2.25

 

Hi Alexander,

 

Thanks for reporting this issue.

Can I ask for more details of the failures?

  • What’s the build configuration on PSoC 64 with PSA Arch test?
  • What’s the version of TF-M? Have you tried the latest one in master branch?
  • What’s the version of PSA Arch test?
  • Can you share more log of the failure test case?

 

Thanks.

 

Best regards,

Hu Ziji

 

From: TF-M <tf-m-bounces@lists.trustedfirmware.org> On Behalf Of Alexander.Moore--- via TF-M
Sent: Tuesday, March 23, 2021 6:42 AM
To: tf-m@lists.trustedfirmware.org
Subject: [TF-M] Regression observed in PSA Crypto after Mbed TLS upgrade to 2.25

 

Hello,

 

After “28659c49 Crypto: Upgrade Mbed TLS to 2.25” we see the following 7 PSA Crypto test failures on PSoC64 which were passing before this commit:

 

TEST: 206
TEST: 207
TEST: 208
TEST: 211
TEST: 237
TEST: 243
TEST: 244

 

Are these failures expected? As far as we can tell, there is nothing else to be done associated with the 2.25 upgrade, i.e. the build automatically pulls 2.25 down, and there are no corresponding commits to psa-arch-tests to support the upgrade or any other changes necessary.

 

Thanks,

Alex
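
Added example, not part of the original thread and not code from TF-M or psa-arch-tests: a Python parser for failure logs in the format quoted above. It decodes the Actual/Expected values with the PSA Crypto API status codes and flags tests 206 and 207, which the thread names as known issues. The function names are hypothetical and the sample log is an abridged excerpt of the thread's output.

```python
import re

# PSA Crypto API status values seen in the thread's logs.
PSA_STATUS = {
    -134: "PSA_ERROR_NOT_SUPPORTED",
    -135: "PSA_ERROR_INVALID_ARGUMENT",
    -136: "PSA_ERROR_INVALID_HANDLE",
    -137: "PSA_ERROR_BAD_STATE",
}
KNOWN_ISSUES = {206, 207}  # tests the thread lists as known issues

# Abridged excerpt of the log quoted in the thread (earlier checks dropped).
SAMPLE_LOG = """\
TEST: 206 | DESCRIPTION: Testing crypto hash functions APIs
[Check 6] Test psa_hash_compute with invalid algorithm
      Failed at Checkpoint: 3
      Actual: -135
      Expected: -134
TEST RESULT: FAILED (Error Code=0x1)
TEST: 244 | DESCRIPTION: Testing crypto key management APIs
[Check 3] Test psa_copy_key - invalid lifetime
      Failed at Checkpoint: 4
      Actual: -136
      Expected: -135
TEST RESULT: FAILED (Error Code=0x1)
"""

def status_name(code):
    return PSA_STATUS.get(code, f"unknown status {code}")

def parse_failures(log):
    """Return one dict per failed test: number, last check, decoded statuses."""
    failures = []
    parts = re.split(r"^TEST:\s*(\d+)\s*\|", log, flags=re.M)
    for num, body in zip(parts[1::2], parts[2::2]):
        actual = re.search(r"Actual:\s*(-?\d+)", body)
        expected = re.search(r"Expected:\s*(-?\d+)", body)
        if "TEST RESULT: FAILED" not in body or not (actual and expected):
            continue
        checks = re.findall(r"^\[Check \d+\]\s*(.+)$", body, flags=re.M)
        failures.append({
            "test": int(num),
            "last_check": checks[-1].strip() if checks else None,
            "actual": status_name(int(actual.group(1))),
            "expected": status_name(int(expected.group(1))),
            "known_issue": int(num) in KNOWN_ISSUES,
        })
    return failures
```

For test 244 this yields PSA_ERROR_INVALID_HANDLE where PSA_ERROR_INVALID_ARGUMENT was expected, which matches the psa_copy_key() return-value mismatch described at the top of the thread.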