CMake: fix build with 3rdparty module enabled through a custom config #8284
Conversation
Fixes Mbed-TLS#8165 Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm
added
bug
component-platform
|
Should we have a build test for these two in |
These do not link directly against Mbed TLS so need their own propagation of the custom config values through CMake. Signed-off-by: David Horstmann <[email protected]>
| @@ -9,6 +9,19 @@ target_include_directories(p256m | |||
| $<INSTALL_INTERFACE:include> | |||
| PRIVATE ${MBEDTLS_DIR}/library/) | |||
|
|
|||
| # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE | |||
There was a problem hiding this comment.
Since P256-M is a PSA driver, does it need the PSA config file(s)?
There was a problem hiding this comment.
It may do, but we currently do not support passing MBEDTLS_PSA_CRYPTO_CONFIG_FILE through CMake in general.
This would be a useful thing to have, but I think it is out of scope for this PR as it would involve adding new functionality across the whole repo rather than just the 3rdparty modules.
There was a problem hiding this comment.
The PSA config files only define PSA_WANT_xxx macros. Neither Everest nor p256-m consume those.
We have an everest test built with cmake, however its not out of tree, this would be simple enough to correct (but would require adding another test if you wanted both in and out of tree) It is notable that all of the p256m tests are make only. This should be simple enough to correct, but I do wonder if this is better suited to a follow up. |
| @@ -11,6 +11,19 @@ target_include_directories(everest | |||
| include/everest/kremlib | |||
| ${MBEDTLS_DIR}/library/) | |||
|
|
|||
| # Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE | |||
There was a problem hiding this comment.
It seems wrong and error-prone that we're doing this in each 3rdparty subdirectory. We'll need to copy-paste this whenever we add a new 3rdparty library, and it's likely we'll forget.
There was a problem hiding this comment.
There is a better solution which was implemented in the new PSA repo, but it would be a much more major change than this. I would suggest doing it this way for now, and making a ticket to port Ronald's PSA solution back to MbedTLS asap.
gilles-peskine-arm
added
needs-review
|
Labelling priority-high (should it be very-high?) because it broke the TFM integration. They'll patch it locally after our 3.5 release, but they want an official patch from us soon. |
daverodgman
added
priority-very-high
|
Just to confirm I tried it locally on my integration and it fixes the failure we were seeing. |
There was a problem hiding this comment.
Looks good.
We have consensus on the following:
- This is an intermediate fix, and a better sollution will be brough in as done in the PSA repo.
- The backports are not required now and will be done when the rework in brought in.
That's new to me. We can skip the backport for the imminent release, but I don't see why it would be affected by the psa-crypto rework, which isn't going in 2.28. I'm going to make a 2.28 backport PR, to be merged at our leisure. |
|
Actually, in 2.28, the code is pretty different, referencing |
daverodgman
added
approved
…ustom-config CMake: fix build with 3rdparty module enabled through a custom config
|
Hi! I find this change a bit nasty when it comes to Debian packaging. The MbedTLS version in Debian can't have everest integration enabled (it makes the package non-redistributable under the GPL-2.0-or-later and it requires shipping a vendored everest copy), but with this change the everest code is always built, always installed, and always required by the CMake Config files added in d259e34, making them unusable if I exclude the everest files from the I see a couple of solutions to this issue:
Should I open an issue for this? Thanks! |
With this change, the everest source tree is consumed during the build, but no everest code ends up in the build: as before, that only happens if
This is not possible because some Everest types are part of the public ABI (when the feature is enabled). So you don't need to ship the headers from I can see that it's a problem for the source package. But the mere presence of the everest files makes our complete sources not distributable under GPL. One way to resolve this could be to distribute Everest under GPL. I'm not sure if Arm has permission to do that (IIRC Everest came in around the time we stopped publishing Mbed TLS under the GPL), but if there's significant interest, we can dig into the history of the code. I would guess this would be beneficial for Debian since Everest is faster and more secure than the default implementation (at the cost, mainly, of larger code size, which is a concern for microcontrollers but not really for something that can run Linux). In any case, please do open a new issue if there is a problem for Debian. I'm replying here, but we're very unlikely to actually do anything on the basis of a comment on a closed issue. |
Fixes #8165
@adeaarm confirms that this fixes the problem for TF-M
PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")