Merge pull request #353 from ARM-software/release

Release

.gitmodules

@@ -0,0 +1,7 @@
+
+[submodule "secure-debug/psa-adac"]
+	path = secure-debug/psa-adac
+	url = https://git.trustedfirmware.org/shared/psa-adac.git
+[submodule "secure-debug/external/mbedtls"]
+	path = secure-debug/external/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git

README.md

@@ -13,12 +13,12 @@ For more information, visit the [PSA webpage](https://developer.arm.com/products
 API specifications are placed in [PSA API github site](https://github.com/ARM-software/psa-api/).
 
 ### PSA Certified API Compliance
-The [PSA Certified API tests](api-tests/dev_apis) are the basis for validating compliance with PSA Certified APIs. For more information on the certification program, see [psacertified.org](https://www.psacertified.org/functional-api-certification/) 
+The [PSA Certified API tests](api-tests/dev_apis) are the basis for validating compliance with PSA Certified APIs. For more information on the certification program, see [psacertified.org](https://www.psacertified.org/functional-api-certification/)
 
 ## GitHub branch
   - For API certification, use the release branch and pick the appropriate release tag.
   - To get the latest version of the code with bug fixes and new features, use the master branch.
-  
+
 ## Architecture test suite
 
 The current implementation of the Architecture test suite contains tests for following PSA Certified specifications. Arm licensees may contact their partner manager to obtain a copy of this specification. <br />
@@ -46,7 +46,7 @@ Arm PSA test suite is distributed under Apache v2.0 License.
  - For feedback, use the GitHub Issue Tracker that is associated with this repository.
  - For support, send an email to [email protected] with details.
  - Arm licensees can contact Arm directly through their partner managers.
- - Arm welcomes code contributions through GitHub pull requests. 
+ - Arm welcomes code contributions through GitHub pull requests.
 
 --------------
 

api-tests/dev_apis/crypto/common/test_crypto_common.c

@@ -1,5 +1,5 @@
 /** @file
- * Copyright (c) 2020-2022, Arm Limited or its affiliates. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited or its affiliates. All rights reserved.
  * SPDX-License-Identifier : Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");

secure-debug/CMakeLists.txt

@@ -1,18 +1,19 @@
-#/** @file
-# * Copyright (c) 2021-2022, Arm Limited or its affiliates. All rights reserved.
-# * SPDX-License-Identifier : Apache-2.0
-# *
-# * Licensed under the Apache License, Version 2.0 (the "License");
-# * you may not use this file except in compliance with the License.
-# * You may obtain a copy of the License at
-# *
-# *  http://www.apache.org/licenses/LICENSE-2.0
-# *
-# * Unless required by applicable law or agreed to in writing, software
-# * distributed under the License is distributed on an "AS IS" BASIS,
-# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# * See the License for the specific language governing permissions and
-# * limitations under the License.
+# @file
+# Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved.
+# SPDX-License-Identifier : Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
 
 # Set the minimum required version of CMake for the project
 cmake_minimum_required(VERSION 3.10)
@@ -39,6 +40,11 @@ if (NOT EXISTS ${DEPENDS_INC_PATH})
     Message(FATAL_ERROR "Link layer ${LINK_LAYER_COMM} not supported for target ${TARGET}.")
 endif()
 
+set(PSA_ADAC_MBEDTLS_INCLUDE ${PSA_ROOT_DIR}/external/mbedtls/include)
+if (NOT EXISTS ${PSA_ADAC_MBEDTLS_INCLUDE})
+    Message(FATAL_ERROR "Does not exist: ${PSA_ADAC_MBEDTLS_INCLUDE}")
+endif()
+
 if(NOT DEFINED PSA_ADAC_ROOT)
     get_filename_component(PSA_ADAC_ROOT ${CMAKE_SOURCE_DIR}/psa-adac ABSOLUTE)
 endif()
@@ -49,10 +55,10 @@ include_directories (
     ${DEPENDS_INC_PATH}
     ${CMAKE_BINARY_DIR}
     ${PSA_ADAC_ROOT}/psa-adac/core/include
-    ${PSA_ADAC_ROOT}/ports/include
+    ${PSA_ADAC_MBEDTLS_INCLUDE}
     )
 
-set(MBEDTLS_CONFIG_FILE "${PSA_ADAC_ROOT}/ports/crypto/manager-crypto-config.h")
+set(MBEDTLS_CONFIG_FILE "${CMAKE_SOURCE_DIR}/crypto/manager-crypto-config.h")
 add_compile_options(-DMBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}")
 if (UNIX)
     add_compile_options(-fPIC -fpic)
@@ -64,7 +70,7 @@ endif ()
 # Generate ADAC LIB
 add_subdirectory(${PSA_ADAC_ROOT}/psa-adac/core adac_core)
 add_subdirectory(${PSA_ADAC_ROOT}/psa-adac/sdm adac_sdm)
-add_subdirectory(${PSA_ADAC_ROOT}/ports/crypto/psa-crypto psa_adac_psa_crypto)
+add_subdirectory(${CMAKE_SOURCE_DIR}/crypto/psa-crypto psa_adac_psa_crypto)
 
 set(ADAC_LIBS psa_adac_sdm psa_adac_core psa_adac_psa_crypto mbedcrypto)
 

secure-debug/README.md

@@ -5,7 +5,7 @@
 
 ### ADAC Specification
 
-The [ADAC specification](https://developer.arm.com/documentation/den0101/0001) defines the protocol that allows a target to securely authenticate a debug host. The specification targets software-only layers that are above the physical debug link.
+The [ADAC specification](https://developer.arm.com/documentation/den0101/1) defines the protocol that allows a target to securely authenticate a debug host. The specification targets software-only layers that are above the physical debug link.
 
 ### ADAC test suite
 
@@ -17,10 +17,10 @@ The ADAC test suite checks if a device-side implementation conforms to the behav
  - And the corresponding abstraction layers are available with an Apache v2.0 license allowing for external contribution.
 
 ## Release details
- - Release Version - 0.8
- - Code Quality: Beta <br/>
+ - Release Version - 1.0
+ - Code Quality: EAC <br/>
 
- - The ADAC tests are written for version beta of the ADAC specification.
+ - The ADAC tests are written for EAC version of the ADAC specification.
  - This test suite is not a substitute for design verification.
 
 ## Layers
@@ -34,7 +34,7 @@ These tests are written on top of VAL and PAL.
 
 The abstraction layers provide platform information and runtime environment to enable execution of the tests.
 
-In this release, PAL implementation for the 'emulation' target uses Unix sockets as the link layer to send commands and receive responses. Arm also provides support for executing the test suite on the 'Musca-b1' hardware board by adding a 'musca_b1' target which uses memory window protocol as the link layer.
+In this release, Arm provides support for executing the test suite on the 'Musca-b1' hardware board by adding a 'musca_b1' target which uses memory window protocol as the link layer.
 
 You can also write your own abstraction layer implementations to allow ADAC tests to run on other host platforms and support the debug link layer.
 
@@ -46,7 +46,7 @@ The mapping of the rules to the test cases and the steps followed in the tests a
 
 
 Follow the instructions in the subsequent sections to get a copy of the source code on your local machine and build the tests. <br/>
-See [Arm Authenticated Debug Access Control Test Suite User guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf) to get details on the steps involved in porting the test suite to your platform.
+See [Arm Authenticated Debug Access Control Test Suite User guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User_Guide.pdf) to get details on the steps involved in running the test suite on your platform.
 This test suite is provided as a separate directory within the psa-arch-tests repository.
 
 ### Prerequisites
@@ -60,18 +60,11 @@ Before starting the test suite build, ensure that the following requirements are
 
 
 ## Download source
+This repository uses git submodules. Either add the --recurse-submodules argument when running git clone, or run git submodule update --init after cloning.
 To download the main branch of the repository, type the following command:
 
 	git clone https://github.com/ARM-software/psa-arch-tests.git
 
-To download the main branch of the psa-adac repository, navigate to the secure debug directory and type the following command:
-
-	git clone [email protected]:ARMmbed/psa-adac.git
-
-Note:
-    To receive access to the psa-adac repository and some of its dependent submodules, Arm licensees may contact Arm through their partner managers.
-
-
 ## Porting steps
 
 See the [Porting Guide](docs/porting_guide_adac_host.md) for porting steps for your host platform.
@@ -82,10 +75,9 @@ See the [User Guide](docs/Arm_Authenticated_Debug_Access_Control_Test_Suite_User
 To build ADAC test suite for a given host platform, execute the following commands: <br/>
 ~~~
     cd psa-arch-tests/secure-debug
-    git clone [email protected]:ARMmbed/psa-adac.git --recurse-submodules
-    cp psa_adac_ats.patch psa-adac/.
+    cp psa_adac_acs_host.patch psa-adac/.
     cd psa-adac/
-    git apply psa_adac_ats.patch
+    git apply psa_adac_acs_host.patch
     cd ..
     mkdir <host_build_dir>
     cd <host_build_dir>
@@ -95,7 +87,7 @@ To build ADAC test suite for a given host platform, execute the following comman
                                     "MinGW Makefiles" - to generate Makefiles for cmd.exe on Windows
         - <target-name>             target to build, as created in the platform/hosts directory
         - <suite-selection>         ADAC              - specify the ADAC suite
-        - <link-layer>              link layer for the host platform, optional for emulation target
+        - <link-layer>              "memw_pyocd"      - link layer protocol used by host, more options can be specified if supported by host platform
 
 	To build project
 	   cmake --build .
@@ -113,12 +105,9 @@ The following ADAC test suite build outputs are available under host build direc
 	- psa_adac_test executable
 	- val and platform layer libraries
 
-For running the test suite on the emulation platform, see the [Readme](platform/hosts/emulation/unix_socket/README.md).<br/>
 For running the test suite on the Musca-b1 hardware platform, see the [Readme](platform/hosts/musca_b1/memw_pyocd/README.md).<br/>
 
 Note:
- - See the psa-adac directory for information on other target platforms.
- - The keys and the certificate credentials for a supported cryptosystem can be generated using the tools provided in the psa-adac repository.
  - The test suite is designed to run once per supported cryptosystem. Ensure that the device must be provisioned with the correct certificates installed in the device's RoT.
 
 ## Security implication
@@ -129,6 +118,7 @@ ADAC test suite may run at higher privilege level. An attacker can utilize these
 
 Arm ADAC Architecture test suite is distributed under Apache v2.0 license.
 The psa-adac code repository is distributed under BSD-3-Clause license.
+The mbedtls code repository is distributed under Apache v2.0 license.
 
 ## Feedback, contributions, and support
 
@@ -139,4 +129,4 @@ The psa-adac code repository is distributed under BSD-3-Clause license.
 
 --------------
 
-*Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.*

secure-debug/crypto/manager-crypto-config.h

@@ -0,0 +1,96 @@
+/** @file
+ * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+**/
+
+#ifndef MANAGER_CRYPTO_CONFIG_H
+#define MANAGER_CRYPTO_CONFIG_H
+
+#include <psa_adac_config.h>
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/* System support */
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+
+#if defined(PSA_ADAC_RSA3072) || defined(PSA_ADAC_RSA4096)
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_OID_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_GENPRIME
+
+/* Support RSA key sizes up to 4096 bit */
+#define MBEDTLS_MPI_MAX_SIZE 512
+#endif
+
+/* PSA ADAC */
+#if defined(PSA_ADAC_EC_P256) || defined(PSA_ADAC_EC_P521)
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_HMAC_DRBG_C
+#if defined(PSA_ADAC_EC_P256)
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#if defined(PSA_ADAC_EC_P521)
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#endif
+
+#ifdef PSA_ADAC_CMAC
+#define MBEDTLS_CMAC_C
+#endif
+
+#ifdef PSA_ADAC_HMAC
+#define MBEDTLS_HKDF_C
+#endif
+
+/* Needed by PSA Crypto API Implementation */
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_AES_C
+
+#define MBEDTLS_MD_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA512_C
+
+/* Add CCM on Windows */
+#if defined(_MSC_VER)
+#define MBEDTLS_CCM_C
+#endif
+
+/* Needed by manager */
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_FS_IO
+
+/* Optimizations */
+#define MBEDTLS_AESNI_C
+#define MBEDTLS_HAVE_ASM
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_BOOT_H */

secure-debug/crypto/mbedcrypto.cmake

@@ -0,0 +1,31 @@
+#/** @file
+# * Copyright (c) 2023, Arm Limited or its affiliates. All rights reserved.
+# * SPDX-License-Identifier : Apache-2.0
+# *
+# * Licensed under the Apache License, Version 2.0 (the "License");
+# * you may not use this file except in compliance with the License.
+# * You may obtain a copy of the License at
+# *
+# *  http://www.apache.org/licenses/LICENSE-2.0
+# *
+# * Unless required by applicable law or agreed to in writing, software
+# * distributed under the License is distributed on an "AS IS" BASIS,
+# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# * See the License for the specific language governing permissions and
+# * limitations under the License.
+#**/
+
+if(NOT DEFINED SECURE_DEBUG_ROOT)
+    get_filename_component(SECURE_DEBUG_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/.. ABSOLUTE)
+endif()
+
+include_directories(${SECURE_DEBUG_ROOT}/external/mbedtls/include)
+
+set(MBEDTLS_FATAL_WARNINGS OFF CACHE BOOL "Disable fatal warnings" FORCE)
+set(ENABLE_PROGRAMS OFF CACHE BOOL "Disable PROGRAMS" FORCE)
+set(ENABLE_TESTING OFF CACHE BOOL "Disable TESTING" FORCE)
+add_subdirectory(${SECURE_DEBUG_ROOT}/external/mbedtls mbedcrypto)
+
+set_target_properties(mbedtls mbedx509 PROPERTIES
+        EXCLUDE_FROM_ALL 1
+        EXCLUDE_FROM_DEFAULT_BUILD 1)

secure-debug/crypto/psa-crypto/CMakeLists.txt

@@ -0,0 +1,37 @@
+# @file
+# Copyright (c) 2021-2023, Arm Limited or its affiliates. All rights reserved.
+# SPDX-License-Identifier : Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+if(NOT DEFINED SECURE_DEBUG_ROOT)
+    get_filename_component(SECURE_DEBUG_ROOT ${CMAKE_CURRENT_SOURCE_DIR}/../.. ABSOLUTE)
+endif()
+
+if(NOT DEFINED PSA_ADAC_ROOT)
+    get_filename_component(PSA_ADAC_ROOT ${SECURE_DEBUG_ROOT}/psa-adac ABSOLUTE)
+endif()
+
+include_directories(${PSA_ADAC_ROOT}/psa-adac/core/include)
+include(${SECURE_DEBUG_ROOT}/crypto/mbedcrypto.cmake)
+
+add_library(psa_adac_psa_crypto STATIC)
+
+set(PSA_CRYPTO_SRC
+        ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa.c
+        ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_hash.c
+        ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_mac.c
+        ${SECURE_DEBUG_ROOT}/crypto/psa-crypto/adac_crypto_psa_pk.c)
+
+target_sources(psa_adac_psa_crypto PUBLIC ${PSA_CRYPTO_SRC})