FYI: After today's PSA-Test-Suite fix, the number of failed TFM PSA-Crypto tests has been reduced from 23 to 21.
- Some tests should be fixed after TFM is updated to Mbed-Crypto v3.1.0: https://github.com/ARMmbed/mbed-crypto/issues/381
- 2 tests, related to persistent key storage, should be implemented by TFM (not Mbed-Crypto). Please look at it: https://github.com/ARMmbed/mbed-crypto/issues/382
- 3 tests confirmed as the Mbed-Crypto issue: https://github.com/ARMmbed/mbed-crypto/issues/175
Thanks,
Andrej Butok
-----Original Message-----
From: Soby Mathew soby.mathew@arm.com
Sent: Monday, March 2, 2020 4:03 PM
To: Andrej Butok andrey.butok@nxp.com; tf-m@lists.trustedfirmware.org; Parameshwaran.Hariharan@arm.com
Cc: nd@arm.com
Subject: Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
On 02/03/2020 12:00, Andrej Butok via TF-M wrote:
Hi,
So, I have submitted the mbedCrypto issue https://github.com/ARMmbed/mbed-crypto/issues/380
Several missed functions were implemented in the latest mbedCrypto. Please read the comment.
Hi Andrej, I will try to answer some of the questions. TF-M currently uses 3.0.1 tag of mbed-crypto and it has all the functions implemented in that version.
We certainly need to be able to migrate to newer versions of mbed-crypto quicker and more easily. This is one of the things I will be looking into as part of improving the crypto service implementation in TF-M.
My current thoughts are that once mbed-crypto implements more of the other PSA crypto APIs, we could sync up TF-M to expose those APIs.
They also need clarification about the PSA failed test:
1) "psa_asymmetric_encrypt does not have support for ECC keys" - that's true, the specification currently does not define any algorithm for psa_asymmetric_encrypt that uses ECC keys. What's the problem there?
The PSA-ACK test needs to fix this. I will highlight this issue to them.
- For the incorrect key derivation error codes, what are the problematic inputs?
There is an issue raised with mbed-crypto team discussing this issue here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com...
As I understand, this needs to be fixed by mbed-crypto.
- For "psa_generate_key generates incorrect key length for RSA", what are the problematic inputs?
Could you clarify, or is this the PSA-Test-Suite task?
The problematic input can be seen here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com...
This is a mismatch between the test and the crypto implementation. PSA ACK test project had been notified. I will be following up with them.
BTW:
- mbedCrypto does not use the PSA test suite for testing (they have their own tests).
Yes, that is true.
- PSA Test Suite does not inform mbedCrypto about found PSA issues.
There is some communication, as seen by the issues referenced above, but it can be better.
- TFM updates to the latest mbedCrypto have to be more often (ideally after each mbedCrypto release).
- Better synchronization between the PSA Projects is needed.
Yes, certainly. Although syncing to every mbed-crypto release is too much of an overhead for TF-M and the current plan is to sync up once mbed-crypto has resolved a sizeable amount of unimplemented APIs. We are open to contributions in this regard.
Currently, all of them are moving targets, the PSA ACK tests, TF-M, mbed-crypto and the PSA specification. The mbed-crypto is moving towards PSA 1.0 whereas the PSA-ACK tests are targeting PSA 1.0 Beta3. This creates some of the mismatches.
Once the APIs have stabilized, it should be a matter of picking up the latest mbed-crypto tag and everything should work as expected.
Best Regards
Soby Mathew
Thanks,
Andrej Butok
*From:* TF-M tf-m-bounces@lists.trustedfirmware.org *On Behalf Of* Andrej Butok via TF-M
*Sent:* Friday, February 28, 2020 1:20 PM
*To:* Anton Komlev Anton.Komlev@arm.com
*Cc:* tf-m@lists.trustedfirmware.org
*Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hi Anton,
OK. So this is the known issue. Is there any plan when it should be implemented?
As the test-log is used for a PSA certification, may we disable the failed tests?
BTW: As this is a known issue, I did not notice it here https://github.com/ARMmbed/mbed-crypto/issues?page=1&q=is:issue+is:open+psa&utf8=%E2%9C%93
Thanks,
Andrej
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of* Anton Komlev via TF-M
*Sent:* Friday, February 28, 2020 12:14 PM
*To:* tf-m@lists.trustedfirmware.org
*Cc:* nd <nd@arm.com>
*Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello Andrej,
As you noted, the main reason for the test failures is unimplemented PSA functions. Those functions are directly dependent on the Mbed-Crypto library, where they are missing or the API is not adjusted.
Recently TF-M upgraded the Mbed-Crypto library from v1.0.0 to v3.0.1 and will continue to do so, increasing test suite coverage.
Best regards,
Anton
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of* Andrej Butok via TF-M
*Sent:* 28 February 2020 09:46
*To:* tf-m@lists.trustedfirmware.org
*Subject:* [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello,
After updating to the latest TFM and to the latest PSA-Test Suite, 23 Crypto Tests failed:
************ Crypto Suite Report **********
TOTAL TESTS     : 61
TOTAL PASSED    : 37
TOTAL SIM ERROR : 0
TOTAL FAILED    : 23
TOTAL SKIPPED   : 1
The main reason is that many of the PSA Crypto functions are not implemented by TFM.
Is there a plan to fix it?
Thanks,
Andrej