On 02/03/2020 12:00, Andrej Butok via TF-M wrote:
Hi,
So, I have submitted the mbedCrypto� issue https://github.com/ARMmbed/mbed-crypto/issues/380
Several missed functions were implemented in the latest mbedCrypto. Please read the comment.
Hi Andrej, I will try to answer some of the questions. TF-M currently uses 3.0.1 tag of mbed-crypto and it has all the functions implemented in that version.
We certainly need to be able to migrate to newer versions of mbed-crypto quicker and more easily. This is one of the things I will be looking into as part of the improving the crypto service implementation in TF-M.
My current thoughts are that once mbed-crypto implements more of the other PSA crypto APIs, we could sync up TF-M to expose those APIs.
They also need clarification about the PSA failed test:
1)�psa_asymmetric_encrypt does not have support for ECC keys� � that's true, the specification currently does not define any algorithm for psa_asymmetric_encrypt�that uses ECC keys. What's the problem there?
The PSA-ACK test need to fix this. I will highlight this issue to them.
- For the incorrect key derivation error codes, what are the
problematic inputs?
There is an issue raised with mbed-crypto team discussing this issue here : https://github.com/ARMmbed/mbed-crypto/issues/175
As I understand, this needs to be fixed by mbed-crypto.
- For �psa_generate_key generates incorrect key length for RSA�, what
are the problematic inputs?
Could you clarify or this is the PSA-Test-Suite task?
The problematic input can be seen here : https://github.com/ARM-software/psa-arch-tests/blob/master/api-tests/dev_api...
This is a mismatch between the test and the crypto implementation. PSA ACK test project had been notified. I will be following up with them.
BTW:
- �mbedCrypto does not use the PSA test suite for testing (they have
own tests).
Yes, that is true.
- PSA Test Suite does not inform mbedCrypto about found PSA issues.
There is some communication as seen by the issues referenced above, but can be better
- TFM updates to the latest mbedCrypto have to be more often (ideally
after each mbedCrypto release).
- Better synchronization between the PSA Projects is needed.
Yes, certainly. Although syncing to every mbed-crypto release is too much of an overhead for TF-M and the current plan is to sync up once mbed-crypto has resolved a sizeable amount of unimplemented APIs. We are open to contributions in this regard.
Currently, all of them are moving targets, the PSA ACK tests, TF-M, mbed-crypto and the PSA specification. The mbed-crypto is moving towards PSA 1.0 whereas the PSA-ACK tests are targeting PSA 1.0 Beta3. This creates some of the mismatches.
Once the APIs have stabilized, it should be a matter of picking up the latest mbed-crypto tag and everything should work as expected.
Best Regards Soby Mathew
Thanks,
Andrej Butok
*From:* TF-M tf-m-bounces@lists.trustedfirmware.org *On Behalf Of *Andrej Butok via TF-M *Sent:* Friday, February 28, 2020 1:20 PM *To:* Anton Komlev Anton.Komlev@arm.com *Cc:* tf-m@lists.trustedfirmware.org *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hi Anton,
OK. So this is the known issue. Is there any plan when it should be implemented?
As the test-log is used for a PSA certification, may we disable the failed tests?
BTW: As this is known issue, I did not notice it here https://github.com/ARMmbed/mbed-crypto/issues?page=1&q=is%3Aissue+is%3Ao... https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FARMmbed%2Fmbed-crypto%2Fissues%3Fpage%3D1%26q%3Dis%3Aissue%2Bis%3Aopen%2Bpsa%26utf8%3D%25E2%259C%2593&data=02%7C01%7Candrey.butok%40nxp.com%7Ccef7c65d60ad471a41a208d7bc48863f%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C637184892098850312&sdata=Oaqhsl6rEBNEsrii6jDnTd18I37HqBP%2FzmaBtjarbwY%3D&reserved=0
Thanks,
Andrej
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Anton Komlev via TF-M *Sent:* Friday, February 28, 2020 12:14 PM *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Cc:* nd <nd@arm.com mailto:nd@arm.com> *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello Andrej,
As you noted, the main reason of test failures is unimplemented PSA functions. Those functions are directly dependent on Embed-Crypto library where they are missed or API is not adjusted.
Recently TF-M was upgraded Embed-Crypto library from v1.0.0 to v3.0.1 and will continue so, increasing test suite coverage.
Best regards,
Anton
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Andrej Butok via TF-M *Sent:* 28 February 2020 09:46 *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Subject:* [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello,
After update to the latest TFM and to the latest PSA-Test Suite, 23 Crypto Tests are failed:
************ Crypto Suite Report **********
TOTAL TESTS���� : 61
TOTAL PASSED��� : 37
TOTAL SIM ERROR : 0
TOTAL FAILED��� : 23
TOTAL SKIPPED�� : 1
The main reason is that many of PSA Crypto functions are not implemented by TFM.
Is there a plan to fix it?
Thanks,
Andrej
FYI: After today PSA-Test-Suite fix, number of failed TFM PSA-Crypto tests has been reduced from 23 to 21. - some tests should be fixed after TFM is updated to Mbed-Crypto v3.1.0 https://github.com/ARMmbed/mbed-crypto/issues/381 - 2 tests, related to persistent key storage, should be implemented by TFM (not Mbed-Crypto). Please look at it https://github.com/ARMmbed/mbed-crypto/issues/382 - 3 tests confirmed as the Mbed-Crypto issue https://github.com/ARMmbed/mbed-crypto/issues/175
Thanks, Andrej Butok
-----Original Message----- From: Soby Mathew soby.mathew@arm.com Sent: Monday, March 2, 2020 4:03 PM To: Andrej Butok andrey.butok@nxp.com; tf-m@lists.trustedfirmware.org; Parameshwaran.Hariharan@arm.com Cc: nd@arm.com Subject: Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
On 02/03/2020 12:00, Andrej Butok via TF-M wrote:
Hi,
So, I have submitted the mbedCrypto� issue https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith ub.com%2FARMmbed%2Fmbed-crypto%2Fissues%2F380&data=02%7C01%7Candre y.butok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3bc2b4c6 fa92cd99c5c301635%7C0%7C1%7C637187581930659738&sdata=3p6kBF2xnpuJs KHj7WjjGVzbEdyABYlslev75WKFt%2Bo%3D&reserved=0
Several missed functions were implemented in the latest mbedCrypto. Please read the comment.
Hi Andrej, I will try to answer some of the questions. TF-M currently uses 3.0.1 tag of mbed-crypto and it has all the functions implemented in that version.
We certainly need to be able to migrate to newer versions of mbed-crypto quicker and more easily. This is one of the things I will be looking into as part of the improving the crypto service implementation in TF-M.
My current thoughts are that once mbed-crypto implements more of the other PSA crypto APIs, we could sync up TF-M to expose those APIs.
They also need clarification about the PSA failed test:
1)�psa_asymmetric_encrypt does not have support for ECC keys� � that's true, the specification currently does not define any algorithm for psa_asymmetric_encrypt�that uses ECC keys. What's the problem there?
The PSA-ACK test need to fix this. I will highlight this issue to them.
- For the incorrect key derivation error codes, what are the
problematic inputs?
There is an issue raised with mbed-crypto team discussing this issue here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com...
As I understand, this needs to be fixed by mbed-crypto.
- For �psa_generate_key generates incorrect key length for RSA�,
what are the problematic inputs?
Could you clarify or this is the PSA-Test-Suite task?
The problematic input can be seen here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com...
This is a mismatch between the test and the crypto implementation. PSA ACK test project had been notified. I will be following up with them.
BTW:
- �mbedCrypto does not use the PSA test suite for testing (they
have own tests).
Yes, that is true.
- PSA Test Suite does not inform mbedCrypto about found PSA issues.
There is some communication as seen by the issues referenced above, but can be better
- TFM updates to the latest mbedCrypto have to be more often (ideally
after each mbedCrypto release).
- Better synchronization between the PSA Projects is needed.
Yes, certainly. Although syncing to every mbed-crypto release is too much of an overhead for TF-M and the current plan is to sync up once mbed-crypto has resolved a sizeable amount of unimplemented APIs. We are open to contributions in this regard.
Currently, all of them are moving targets, the PSA ACK tests, TF-M, mbed-crypto and the PSA specification. The mbed-crypto is moving towards PSA 1.0 whereas the PSA-ACK tests are targeting PSA 1.0 Beta3. This creates some of the mismatches.
Once the APIs have stabilized, it should be a matter of picking up the latest mbed-crypto tag and everything should work as expected.
Best Regards Soby Mathew
Thanks,
Andrej Butok
*From:* TF-M tf-m-bounces@lists.trustedfirmware.org *On Behalf Of *Andrej Butok via TF-M *Sent:* Friday, February 28, 2020 1:20 PM *To:* Anton Komlev Anton.Komlev@arm.com *Cc:* tf-m@lists.trustedfirmware.org *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hi Anton,
OK. So this is the known issue. Is there any plan when it should be implemented?
As the test-log is used for a PSA certification, may we disable the failed tests?
BTW: As this is known issue, I did not notice it here https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com... https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FARMmbed%2Fmbed-crypto%2Fissues%3Fpage%3D1%26q%3Dis%3Aissue%2Bis%3Aopen%2Bpsa%26utf8%3D%25E2%259C%2593&data=02%7C01%7Candrey.butok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C637187581930669743&sdata=oN8DyxAo0Q4%2BI1j3b9ruz3Krp4RAavtkFU2FYjaCf90%3D&reserved=0
Thanks,
Andrej
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Anton Komlev via TF-M *Sent:* Friday, February 28, 2020 12:14 PM *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Cc:* nd <nd@arm.com mailto:nd@arm.com> *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello Andrej,
As you noted, the main reason of test failures is unimplemented PSA functions. Those functions are directly dependent on Embed-Crypto library where they are missed or API is not adjusted.
Recently TF-M was upgraded Embed-Crypto library from v1.0.0 to v3.0.1 and will continue so, increasing test suite coverage.
Best regards,
Anton
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Andrej Butok via TF-M *Sent:* 28 February 2020 09:46 *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Subject:* [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello,
After update to the latest TFM and to the latest PSA-Test Suite, 23 Crypto Tests are failed:
************ Crypto Suite Report **********
TOTAL TESTS���� : 61
TOTAL PASSED��� : 37
TOTAL SIM ERROR : 0
TOTAL FAILED��� : 23
TOTAL SKIPPED�� : 1
The main reason is that many of PSA Crypto functions are not implemented by TFM.
Is there a plan to fix it?
Thanks,
Andrej
Thanks for the update. Yes, your analysis is correct and I have the same understanding as well. A new issue will be raised in TF-M related to persistent key storage.
Best Regards Soby Mathew
-----Original Message----- From: Andrej Butok andrey.butok@nxp.com Sent: 03 March 2020 12:58 To: Soby Mathew Soby.Mathew@arm.com Cc: tf-m@lists.trustedfirmware.org; Parameshwaran Hariharan Parameshwaran.Hariharan@arm.com Subject: RE: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
FYI: After today PSA-Test-Suite fix, number of failed TFM PSA-Crypto tests has been reduced from 23 to 21.
- some tests should be fixed after TFM is updated to Mbed-Crypto v3.1.0
https://github.com/ARMmbed/mbed-crypto/issues/381
- 2 tests, related to persistent key storage, should be implemented by TFM (not
Mbed-Crypto). Please look at it https://github.com/ARMmbed/mbed-crypto/issues/382
- 3 tests confirmed as the Mbed-Crypto issue
https://github.com/ARMmbed/mbed-crypto/issues/175
Thanks, Andrej Butok
-----Original Message----- From: Soby Mathew soby.mathew@arm.com Sent: Monday, March 2, 2020 4:03 PM To: Andrej Butok andrey.butok@nxp.com; tf-m@lists.trustedfirmware.org; Parameshwaran.Hariharan@arm.com Cc: nd@arm.com Subject: Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
On 02/03/2020 12:00, Andrej Butok via TF-M wrote:
Hi,
So, I have submitted the mbedCrypto� issue https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith ub.com%2FARMmbed%2Fmbed-
crypto%2Fissues%2F380&data=02%7C01%7Candre
y.butok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3bc 2b4c6
fa92cd99c5c301635%7C0%7C1%7C637187581930659738&sdata=3p6kBF2 xnpuJs
KHj7WjjGVzbEdyABYlslev75WKFt%2Bo%3D&reserved=0
Several missed functions were implemented in the latest mbedCrypto. Please read the comment.
Hi Andrej, I will try to answer some of the questions. TF-M currently uses 3.0.1 tag of mbed-crypto and it has all the functions implemented in that version.
We certainly need to be able to migrate to newer versions of mbed-crypto quicker and more easily. This is one of the things I will be looking into as part of the improving the crypto service implementation in TF-M.
My current thoughts are that once mbed-crypto implements more of the other PSA crypto APIs, we could sync up TF-M to expose those APIs.
They also need clarification about the PSA failed test:
1)�psa_asymmetric_encrypt does not have support for ECC keys� � that's true, the specification currently does not define any algorithm for psa_asymmetric_encrypt�that uses ECC keys. What's the problem there?
The PSA-ACK test need to fix this. I will highlight this issue to them.
- For the incorrect key derivation error codes, what are the
problematic inputs?
There is an issue raised with mbed-crypto team discussing this issue here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co m%2FARMmbed%2Fmbed- crypto%2Fissues%2F175&data=02%7C01%7Candrey.butok%40nxp.com%7C 53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3bc2b4c6fa92cd99c5c3016 35%7C0%7C1%7C637187581930659738&sdata=4gFvjPJ5sQ0icY1K6vLaTTi Zig11S68%2FWolkoy2rcxg%3D&reserved=0
As I understand, this needs to be fixed by mbed-crypto.
- For �psa_generate_key generates incorrect key length for RSA�,
what are the problematic inputs?
Could you clarify or this is the PSA-Test-Suite task?
The problematic input can be seen here : https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.co m%2FARM-software%2Fpsa-arch-tests%2Fblob%2Fmaster%2Fapi- tests%2Fdev_apis%2Fcrypto%2Ftest_c016%2Ftest_data.h%23L78&data=02 %7C01%7Candrey.butok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35 a%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C1%7C6371875819306597 38&sdata=%2B2ilDbDeb1MbCSlY%2BgsIGq3qTJix0dXxy5ChBHZee1s%3D& amp;reserved=0
This is a mismatch between the test and the crypto implementation. PSA ACK test project had been notified. I will be following up with them.
BTW:
- �mbedCrypto does not use the PSA test suite for testing (they
have own tests).
Yes, that is true.
- PSA Test Suite does not inform mbedCrypto about found PSA issues.
There is some communication as seen by the issues referenced above, but can be better
- TFM updates to the latest mbedCrypto have to be more often (ideally
after each mbedCrypto release).
- Better synchronization between the PSA Projects is needed.
Yes, certainly. Although syncing to every mbed-crypto release is too much of an overhead for TF-M and the current plan is to sync up once mbed-crypto has resolved a sizeable amount of unimplemented APIs. We are open to contributions in this regard.
Currently, all of them are moving targets, the PSA ACK tests, TF-M, mbed- crypto and the PSA specification. The mbed-crypto is moving towards PSA 1.0 whereas the PSA-ACK tests are targeting PSA 1.0 Beta3. This creates some of the mismatches.
Once the APIs have stabilized, it should be a matter of picking up the latest mbed-crypto tag and everything should work as expected.
Best Regards Soby Mathew
Thanks,
Andrej Butok
*From:* TF-M tf-m-bounces@lists.trustedfirmware.org *On Behalf Of *Andrej Butok via TF-M *Sent:* Friday, February 28, 2020 1:20 PM *To:* Anton Komlev Anton.Komlev@arm.com *Cc:* tf-m@lists.trustedfirmware.org *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hi Anton,
OK. So this is the known issue. Is there any plan when it should be implemented?
As the test-log is used for a PSA certification, may we disable the failed tests?
BTW: As this is known issue, I did not notice it here https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith ub.com%2FARMmbed%2Fmbed-
crypto%2Fissues%3Fpage%3D1%26q%3Dis%253Aissue%
2Bis%253Aopen%2Bpsa%26utf8%3D%25E2%259C%2593&data=02%7C01% 7Candrey
.butok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3b
c2b4c6f
a92cd99c5c301635%7C0%7C1%7C637187581930659738&sdata=OwFCQs CrliOYqX
ADluUvOC%2FFJEfT49qdlePCrvW0Utc%3D&reserved=0 <https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit hub.com%2FARMmbed%2Fmbed-
crypto%2Fissues%3Fpage%3D1%26q%3Dis%3Aissue%2
Bis%3Aopen%2Bpsa%26utf8%3D%25E2%259C%2593&data=02%7C01%7Ca ndrey.bu
tok%40nxp.com%7C53dbcc21b5b549021a3908d7bebad35a%7C686ea1d3bc2b4 c6fa92
cd99c5c301635%7C0%7C1%7C637187581930669743&sdata=oN8DyxAo0Q 4%2BI1j
3b9ruz3Krp4RAavtkFU2FYjaCf90%3D&reserved=0>
Thanks,
Andrej
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Anton Komlev via TF-M *Sent:* Friday, February 28, 2020 12:14 PM *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Cc:* nd <nd@arm.com mailto:nd@arm.com> *Subject:* Re: [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello Andrej,
As you noted, the main reason of test failures is unimplemented PSA functions. Those functions are directly dependent on Embed-Crypto library where they are missed or API is not adjusted.
Recently TF-M was upgraded Embed-Crypto library from v1.0.0 to v3.0.1 and will continue so, increasing test suite coverage.
Best regards,
Anton
*From:* TF-M <tf-m-bounces@lists.trustedfirmware.org mailto:tf-m-bounces@lists.trustedfirmware.org> *On Behalf Of *Andrej Butok via TF-M *Sent:* 28 February 2020 09:46 *To:* tf-m@lists.trustedfirmware.org mailto:tf-m@lists.trustedfirmware.org *Subject:* [TF-M] PSA-Test Suite, 23 Crypto Tests failed
Hello,
After update to the latest TFM and to the latest PSA-Test Suite, 23 Crypto Tests are failed:
************ Crypto Suite Report **********
TOTAL TESTS���� : 61
TOTAL PASSED��� : 37
TOTAL SIM ERROR : 0
TOTAL FAILED��� : 23
TOTAL SKIPPED�� : 1
The main reason is that many of PSA Crypto functions are not implemented by TFM.
Is there a plan to fix it?
Thanks,
Andrej
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
tf-m@lists.trustedfirmware.org