From 702d75a2f98ed9909bb8591f4dfca3590d469544 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 19:49:20 +0200 Subject: [PATCH 1/5] Pass the setting's value to adapters Signed-off-by: Gilles Peskine --- framework | 2 +- scripts/config.py | 34 +++++++++++++++++----------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/framework b/framework index 8c488b1b8..745122dc1 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 8c488b1b8f86384450c922f22cd1bee0b996be13 +Subproject commit 745122dc172a77897df15d9e61fcb8d2dd51230b diff --git a/scripts/config.py b/scripts/config.py index 50889fc9a..c518b3bb4 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -27,7 +27,7 @@ def is_full_section(section): """ return section is None or section.endswith('support') or section.endswith('modules') -def realfull_adapter(_name, active, section): +def realfull_adapter(_name, _value, active, section): """Activate all symbols found in the global and boolean feature sections. This is intended for building the documentation, including the @@ -138,7 +138,7 @@ def include_in_full(name): return is_seamless_alt(name) return True -def full_adapter(name, active, section): +def full_adapter(name, _value, active, section): """Config adapter for "full".""" if not is_full_section(section): return active @@ -176,7 +176,7 @@ def keep_in_baremetal(name): return False return True -def baremetal_adapter(name, active, section): +def baremetal_adapter(name, _value, active, section): """Config adapter for "baremetal".""" if not is_full_section(section): return active 
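Review bot: The adapter calling convention changes in the -27, -138 and -176 hunks (`_value` becomes the second positional parameter of `realfull_adapter`, `full_adapter` and `baremetal_adapter`), but nothing visible documents what `value` holds or who calls the adapters. The caller is presumably in the `framework` submodule that this patch bumps, so the two sides agree only while the submodule pointer and this file move together. I would add a comment above the first adapter, e.g. `# Adapters are called positionally as adapter(name, value, active, section); value is the text after the macro name (empty for a plain #define).`, with the wording for `value` confirmed against the framework code. Patch 4/5 removes `section` again and would need the same comment updated. The bodies of `full_adapter` and `baremetal_adapter` continue outside their hunks.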
@@ -195,10 +195,10 @@ EXCLUDE_FOR_SIZE = frozenset([ 'MBEDTLS_TEST_HOOKS', # only useful with the hosted test framework, increases code size ]) -def baremetal_size_adapter(name, active, section): +def baremetal_size_adapter(name, value, active, section): if name in EXCLUDE_FOR_SIZE: return False - return baremetal_adapter(name, active, section) + return baremetal_adapter(name, value, active, section) def include_in_crypto(name): """Rules for symbols in a crypto configuration.""" @@ -219,15 +219,15 @@ def include_in_crypto(name): def crypto_adapter(adapter): """Modify an adapter to disable non-crypto symbols. - ``crypto_adapter(adapter)(name, active, section)`` is like - ``adapter(name, active, section)``, but unsets all X.509 and TLS symbols. + ``crypto_adapter(adapter)(name, value, active, section)`` is like + ``adapter(name, value, active, section)``, but unsets all X.509 and TLS symbols. """ - def continuation(name, active, section): + def continuation(name, value, active, section): if not include_in_crypto(name): return False if adapter is None: return active - return adapter(name, active, section) + return adapter(name, value, active, section) return continuation DEPRECATED = frozenset([ 
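Review bot: `baremetal_size_adapter` has no docstring, unlike the other adapters visible in this patch, and the -195 hunk rewrites its signature without adding one. A one-liner in the style of its siblings would do, e.g. `"""Config adapter for "baremetal_size"."""`. It should also mention that any name in `EXCLUDE_FOR_SIZE` is forced off before `baremetal_adapter` is consulted, since that ordering is the whole point of the wrapper.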
@@ -237,34 +237,34 @@ DEPRECATED = frozenset([ def no_deprecated_adapter(adapter): """Modify an adapter to disable deprecated symbols. - ``no_deprecated_adapter(adapter)(name, active, section)`` is like - ``adapter(name, active, section)``, but unsets all deprecated symbols + ``no_deprecated_adapter(adapter)(name, value, active, section)`` is like + ``adapter(name, value, active, section)``, but unsets all deprecated symbols and sets ``MBEDTLS_DEPRECATED_REMOVED``. """ - def continuation(name, active, section): + def continuation(name, value, active, section): if name == 'MBEDTLS_DEPRECATED_REMOVED': return True if name in DEPRECATED: return False if adapter is None: return active - return adapter(name, active, section) + return adapter(name, value, active, section) return continuation def no_platform_adapter(adapter): """Modify an adapter to disable platform symbols. - ``no_platform_adapter(adapter)(name, active, section)`` is like - ``adapter(name, active, section)``, but unsets all platform symbols other + ``no_platform_adapter(adapter)(name, value, active, section)`` is like + ``adapter(name, value, active, section)``, but unsets all platform symbols other ``than MBEDTLS_PLATFORM_C. """ - def continuation(name, active, section): + def continuation(name, value, active, section): # Allow MBEDTLS_PLATFORM_C but remove all other platform symbols. if name.startswith('MBEDTLS_PLATFORM_') and name != 'MBEDTLS_PLATFORM_C': return False if adapter is None: return active - return adapter(name, active, section) + return adapter(name, value, active, section) return continuation From e4c6955e43cc997a530095e8a6408cb1de257d85 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 19:57:58 +0200 Subject: [PATCH 2/5] Change "full" to affect boolean settings rather than use sections To get rid on the reliance on sections, change "full" and friends to enable settings based on whether the setting is boolean, rather than based on the section it contains. 
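Review bot: The `no_platform_adapter` docstring has a misplaced reST literal marker on the context line right after the two rewritten lines: the text reads "other" followed by two backticks and "than MBEDTLS_PLATFORM_C.", which opens an inline literal that is never closed. Since the neighbouring docstring lines are being edited anyway, the marker should move so that the sentence ends "other than" followed by `MBEDTLS_PLATFORM_C` in double backticks. The -244,34 hunk of patch 4/5 touches the same docstring and leaves the same stray marker in place.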
Signed-off-by: Gilles Peskine --- scripts/config.py | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index c518b3bb4..8b6aa9a24 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -19,13 +19,24 @@ import framework_scripts_path # pylint: disable=unused-import from mbedtls_framework import config_common -def is_full_section(section): - """Is this section affected by "config.py full" and friends? +def is_boolean_setting(name, value): + """Is this a boolean setting? - In a config file where the sections are not used the whole config file - is an empty section (with value None) and the whole file is affected. + Mbed TLS boolean settings are enabled if the preprocessor macro is + defined, and disabled if the preprocessor macro is not defined. The + macro definition line in the configuration file has an empty expansion. + + PSA_WANT_xxx settings are also boolean, but when they are enabled, + they expand to a nonzero value. We leave them undefined when they + are disabled. (Setting them to 0 currently means to enable them, but + this might change to mean disabling them. Currently we just never set + them to 0.) """ - return section is None or section.endswith('support') or section.endswith('modules') + if name.startswith('PSA_WANT_'): + return True + if not value: + return True + return False def realfull_adapter(_name, _value, active, section): """Activate all symbols found in the global and boolean feature sections. @@ -138,9 +149,9 @@ def include_in_full(name): return is_seamless_alt(name) return True -def full_adapter(name, _value, active, section): +def full_adapter(name, value, active, _section): """Config adapter for "full".""" - if not is_full_section(section): + if not is_boolean_setting(name, value): return active return include_in_full(name) 
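Review bot: `is_boolean_setting` classifies by the expansion text alone (`if not value: return True`), so an on/off option written with an explicit value is left untouched by `full` and `baremetal`, while any option that happens to have an empty expansion is toggled. Under the old section test the classification came from where the setting lived; now a misclassified setting drops out of the `full` configuration without any message, which matters if `full` is what the test jobs build. The docstring should state that this heuristic is the contract, and what `value` is for a commented-out setting. The three-branch body can also be the single line `return name.startswith('PSA_WANT_') or not value`.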
@@ -176,9 +187,9 @@ def keep_in_baremetal(name): return False return True -def baremetal_adapter(name, _value, active, section): +def baremetal_adapter(name, value, active, _section): """Config adapter for "baremetal".""" - if not is_full_section(section): + if not is_boolean_setting(name, value): return active if name == 'MBEDTLS_NO_PLATFORM_ENTROPY': # No OS-provided entropy source From 36571d6d8a99a41c9ddf8827210f796b85b01a08 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 19:58:56 +0200 Subject: [PATCH 3/5] Change "realfull" to activate everything Change "realfull" to activate everything. After investigation, it seems that having "realfull" not activate everything was a historical oddity due to proximity with "full", not a goal in itself. https://github.com/Mbed-TLS/mbedtls/issues/520#issuecomment-727190862 https://github.com/Mbed-TLS/mbedtls/pull/965/files#r523409092 This changes the output of `scripts/config.py realfull`: now all non-boolean options are uncommented. Signed-off-by: Gilles Peskine --- scripts/config.py | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index 8b6aa9a24..82f1ec912 100755 --- a/scripts/config.py +++ b/scripts/config.py 
@@ -38,18 +38,14 @@ def is_boolean_setting(name, value): return True return False -def realfull_adapter(_name, _value, active, section): - """Activate all symbols found in the global and boolean feature sections. +def realfull_adapter(_name, _value, _active, _section): + """Activate all symbols. This is intended for building the documentation, including the documentation of settings that are activated by defining an optional - preprocessor macro. - - Do not activate definitions in the section containing symbols that are - supposed to be defined and documented in their own module. + preprocessor macro. There is no expectation that the resulting + configuration can be built. """ - if section == 'Module configuration options': - return active return True PSA_UNSUPPORTED_FEATURE = frozenset([ From 00b914460885841cf0291a00755201c7438bdf28 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 19 Sep 2024 20:13:49 +0200 Subject: [PATCH 4/5] Don't pass the section name to adapters We have finished removing the reliance of named configuration on section names. Signed-off-by: Gilles Peskine --- framework | 2 +- scripts/config.py | 34 +++++++++++++++++----------------- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/framework b/framework index 745122dc1..2f639b6bf 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit 745122dc172a77897df15d9e61fcb8d2dd51230b +Subproject commit 2f639b6bf4bcf57c4b1b0afb23ccb657607428bc diff --git a/scripts/config.py b/scripts/config.py index 82f1ec912..95ab8333e 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -38,7 +38,7 @@ def is_boolean_setting(name, value): return True return False -def realfull_adapter(_name, _value, _active, _section): +def realfull_adapter(_name, _value, _active): """Activate all symbols. This is intended for building the documentation, including the 
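Review bot: With `return True` unconditional in the -38,18 hunk, `realfull` now uncomments every setting in the file, including test-only ones and the example values of non-boolean options. `MBEDTLS_TEST_HOOKS`, which `EXCLUDE_FOR_SIZE` in this file describes as only useful with the hosted test framework, is one visible example. The new docstring says the result is not expected to build, but it does not say the result must not be used for a build that happens to succeed. I would add a sentence such as `Do not use the resulting configuration to build a library that is deployed; it is only meant as input for the documentation build.`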
@@ -145,7 +145,7 @@ def include_in_full(name): return is_seamless_alt(name) return True -def full_adapter(name, value, active, _section): +def full_adapter(name, value, active): """Config adapter for "full".""" if not is_boolean_setting(name, value): return active @@ -183,7 +183,7 @@ def keep_in_baremetal(name): return False return True -def baremetal_adapter(name, value, active, _section): +def baremetal_adapter(name, value, active): """Config adapter for "baremetal".""" if not is_boolean_setting(name, value): return active @@ -202,10 +202,10 @@ EXCLUDE_FOR_SIZE = frozenset([ 'MBEDTLS_TEST_HOOKS', # only useful with the hosted test framework, increases code size ]) -def baremetal_size_adapter(name, value, active, section): +def baremetal_size_adapter(name, value, active): if name in EXCLUDE_FOR_SIZE: return False - return baremetal_adapter(name, value, active, section) + return baremetal_adapter(name, value, active) def include_in_crypto(name): """Rules for symbols in a crypto configuration.""" @@ -226,15 +226,15 @@ def include_in_crypto(name): def crypto_adapter(adapter): """Modify an adapter to disable non-crypto symbols. - ``crypto_adapter(adapter)(name, value, active, section)`` is like - ``adapter(name, value, active, section)``, but unsets all X.509 and TLS symbols. + ``crypto_adapter(adapter)(name, value, active)`` is like + ``adapter(name, value, active)``, but unsets all X.509 and TLS symbols. """ - def continuation(name, value, active, section): + def continuation(name, value, active): if not include_in_crypto(name): return False if adapter is None: return active - return adapter(name, value, active, section) + return adapter(name, value, active) return continuation DEPRECATED = frozenset([ 
@@ -244,34 +244,34 @@ DEPRECATED = frozenset([ def no_deprecated_adapter(adapter): """Modify an adapter to disable deprecated symbols. - ``no_deprecated_adapter(adapter)(name, value, active, section)`` is like - ``adapter(name, value, active, section)``, but unsets all deprecated symbols + ``no_deprecated_adapter(adapter)(name, value, active)`` is like + ``adapter(name, value, active)``, but unsets all deprecated symbols and sets ``MBEDTLS_DEPRECATED_REMOVED``. """ - def continuation(name, value, active, section): + def continuation(name, value, active): if name == 'MBEDTLS_DEPRECATED_REMOVED': return True if name in DEPRECATED: return False if adapter is None: return active - return adapter(name, value, active, section) + return adapter(name, value, active) return continuation def no_platform_adapter(adapter): """Modify an adapter to disable platform symbols. - ``no_platform_adapter(adapter)(name, value, active, section)`` is like - ``adapter(name, value, active, section)``, but unsets all platform symbols other + ``no_platform_adapter(adapter)(name, value, active)`` is like + ``adapter(name, value, active)``, but unsets all platform symbols other ``than MBEDTLS_PLATFORM_C. """ - def continuation(name, value, active, section): + def continuation(name, value, active): # Allow MBEDTLS_PLATFORM_C but remove all other platform symbols. if name.startswith('MBEDTLS_PLATFORM_') and name != 'MBEDTLS_PLATFORM_C': return False if adapter is None: return active - return adapter(name, value, active, section) + return adapter(name, value, active) return continuation From 3c16e998e52c15af12553546d33fb887815bfabf Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 26 Sep 2024 10:19:04 +0200 Subject: [PATCH 5/5] Update framework to the main branch Signed-off-by: Gilles Peskine --- framework | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework b/framework index 2f639b6bf..4e9e8391c 160000 --- a/framework +++ b/framework 
@@ -1 +1 @@
-Subproject commit 2f639b6bf4bcf57c4b1b0afb23ccb657607428bc
+Subproject commit 4e9e8391cd64974d16234160532ef2d6dec9ced6