Bump to v3.6.5 #79
Bump to v3.6.5 #79
Conversation
valeriosetti
requested review from
ceolin,
d3zd3z,
dleach02,
ithinuel,
tbursztyka,
tomi-font and
wearyzen
and removed request for
tbursztyka
tomi-font
left a comment
tomi-font
left a comment
There was a problem hiding this comment.
Indeed with this strategy the GitHub interface doesn't play out too well. It would look prettier if the base branch (in this case) was based on 3.6.5 instead, in which case in this PR we would only see the additional Zephyr-specific patches on top of 3.6.5.
But if doing what I just said, after merging update PRs we would probably need to move branches, for example replacing the default branch with the one that was just updated.
I think in any case this requires some manual force push.
Unless if we did for every release a new branch and that we stuck to it (without renaming it) until the next release, but in that case we wouldn't necessarily know what is the current living branch. At the very least we would probably need to mark it as the default branch so that it's the branch that show up by default in GitHub.
valeriosetti
force-pushed
the
zephyr-mbedtls-3.6
branch
2 times, most recently
from
e224037 to
99aca8b
Compare
… static key slots Take also MAC's key types into account when computing the size of the buffer to store key material in static key slot configuration. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no> (cherry picked from commit 45574797e7c66dcd99cfeb0e0be5feb291271d1a)
…_STATIC_KEY_SLOT_BUFFER_SIZE Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no> (cherry picked from commit 5306324015b9db29969dff1ba592f6675a6dedf5)
valeriosetti
force-pushed
the
bump-v3.6.5
branch
from
b1471eb to
9ed933f
Compare
tomi-font
left a comment
tomi-font
left a comment
There was a problem hiding this comment.
Following commits are fromtrees:
- [zep noup] fix: remove superfluous BEFORE_COLON in x509_crl.c
- [zep noup] fix: rename BEFORE_COLON and BC to avoid conflicts
[zep noup] zephyr: Bump security SBOM info now doesn't just bump the info, it adds it. So update the commit title?
[zep noup] zephyr/module.yml: add module name could be combined and squashed with the previous commit I mentioned?
[zep noup] Avoid invalid gcc 14.3 warning about array bounds in mbedtls_xor was a fromlist, and can now be a fromtree.
valeriosetti
changed the base branch from
zephyr-mbedtls-3.6
to
zephyr-mbedtls-v3.6.5
Unless I'm missing something, these commits were cherry-picked from this repo and not from the upstream one (I cannot find them upstream) so they are still
Sure I'll do
|
…bedtls_xor The combination of the multi-byte loop with the single byte loop confuses GCC 14.3's array bounds checker. When the loop size is constant, check to see if it is a multiple of the multi-byte size and bail early. As this will be evaluated at compile time, there should be no run-time cost. This change uses the __builtin_constant_p compile-time operation. To check if that is supported, the change uses the existing MBEDTLS_HAS_BUILTIN macro. That macro was defined later in library/common.h than is needed for this change, so it was moved up to join some other macros that looked similar. Signed-off-by: Keith Packard <keithp@keithp.com> (cherry picked from commit 292b96c0a69016a6d99ce324837a9e96d59e21f6)
valeriosetti
force-pushed
the
bump-v3.6.5
branch
from
9ed933f to
4529718
Compare
No, they were cherry picked from upstream, the hashes in their commit messages point to upstream: |
I found the reason for which I didn't find those commits upstream: because they were merged on |
valeriosetti
force-pushed
the
bump-v3.6.5
branch
from
4529718 to
50557cb
Compare
Right. I would argue it's still a |
tomi-font
left a comment
tomi-font
left a comment
There was a problem hiding this comment.
- Remove
(cherry picked from commit [...])from [zep noup] Enable sources when MCUBOOT_USE_PSA_CRYPTO and not MBEDTLS_PSA_CRYPTO_C as well for consistency. - Update commit [zep noup] zephyr: Add security SBOM info and add module name: Remove second
addin title and replaceChangewithAddin message? - Can you also move the fromtrees to be the first commits? will be cleaner that way
BEFORE_COLON and BC defines with the accompanying comment are only required in x509_crt and x509_csr, but not used in x509_crl.c. Signed-off-by: Stefan Gloor <stefan.gloor@siemens.com> (cherry picked from commit 6a9cf11)
Namespace BEFORE_COLON and BC defines by prepending MBEDTLS_ and expanding BC to BEFORE_COLON_STR. This is to avoid naming conflicts with third-party code. No functional change. Signed-off-by: Stefan Gloor <stefan.gloor@siemens.com> (cherry picked from commit b5c079b)
TF-M requires a mechanism to leverage the drivers and builtin keys at the same time to allow for "transparent builtin keys". More details are in the TF-M design doc. Provide directly the wrappers instead of modifying the autogen scripts, for the time being. Signed-off-by: Raef Coles <raef.coles@arm.com> Co-authored-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0001-Add-TF-M-Builtin-Key-Loader-driver-entry-points.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Signed-off-by: Tamas Ban <tamas.ban@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0002-Enable-crypto-code-sharing-between-independent-binar.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Signed-off-by: Benjamin Baratte <benjamin.baratte@st.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0003-Allow-SE-key-to-use-key-vendor-id-within-PSA-crypto.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
This patch amends the order of initialisations performed in psa_crypto_init() to make sure that the driver wrappers based on the PSA driver API are initialised just after the key slots in memory, both of them at the beginning of the initialisation sequence. Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0004-Initialise-driver-wrappers-as-first-step-in-psa_cryp.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Manually hardcode PSA driver entry points for the CC3XX driver into psa crypto driver wrappers file (and provide missing entry point definitions if any). This is a temporary solution until the codegen framework is available for automatic integration. Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0005-Hardcode-CC3XX-entry-points.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
CC312 driver want to use hash in md for entropy operations. Enable psa_can_do_hash by directly returning 1. This is a workaround for current cc312 driver. After switching to new driver, this workaround is not needed. Signed-off-by: Summer Qin <summer.qin@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0006-Enable-psa_can_do_hash.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
…_PSA_CRYPTO_C Gate relevant files for the thin PSA crypto core on MCUBOOT_USE_PSA_CRYPTO during BL2 build instead of MBEDTLS_PSA_CRYPTO_C which is not defined in such case. A full solution might require a change in config strategy of Mbed TLS with the definition Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com> applied using: git am modules/tee/tf-m/trusted-firmware-m/lib/ext/mbedcrypto/\ 0007-Enable-sources-when-MCUBOOT_USE_PSA_CRYPTO-and-not-M.patch Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
MCUboot has its own version of the PSA Crypto core, named "thin_psa_crypto_core.c" which is included in MCUboot's build process when the MCUBOOT_USE_PSA_CRYPTO build symbol is set. MCUBOOT_USE_PSA_CRYPTO mimics what MBEDTLS_PSA_CRYPTO_C does for the official Mbed TLS, so we need to replicate this symbol in "config_psa.h" in order to get the proper PSA builtin support. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Add PURL and CPE information in the module package for 3.6.5. The module name is now explicitly set in module.yml, this ensures that building with e.g. cmake does not fail when the directory name is different (default name if unset is directory name). Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Zephyr uses cmake 3.20.0 as the minimum version for a long time. Set the same requirement here to avoid possible issues in future. Fixes zephyrproject-rtos/zephyr#92679 Signed-off-by: Flavio Ceolin <flavio@hubblenetwork.com> Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
Here's the procedure that has been followed. Starting from the upstream v3.6.5 tag I run: $ git submodule init $ git submodule update The checked out version of framework subrepo is 457996474728cb8e968ed21953b72f74d2f536b2 which corresponds to the upstream one at the v3.6.5 tag. I then run: $ git rm --cached framework $ rm -rf .git/modules/framework $ rm -rf framework/.git* Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Re-add the content of the framework subrepo Signed-off-by: Valerio Setti <vsetti@baylibre.com>
valeriosetti
force-pushed
the
bump-v3.6.5
branch
from
50557cb to
622da34
Compare
valeriosetti
changed the base branch from
zephyr-mbedtls-v3.6.5
to
zephyr_mbedtls_v3.6.5
Replace the upstream README with guidelines for the additional patches. Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
8 participants
Proposed bump strategy
Full details are in #78 in this document.
Preparation for this PR
I created a new branch named
zephyr_mbedtls_v.3.6.5and pushed it to this repo.v3.6.5release tag.defaultbranch of this repo until the next Mbed TLS release.This approach has already been tried before for version bumping in TF-M.
What's done in this PR
I cherry-picked all the Zephyr's custom commits from the current
zephyrbranch and created this PR. Please note that the target merging branch is the above mentionedzephyr_mbedtls_v3.6.5, that's why you will only see relatively few commits in this version bumping PR.Following a suggestion from @tomi-font I also moved all the
[fromtree/fromlist]patches at the beginning of the list and kept all the others[noup]later.