Linking order when using both TF-M and Mbed TLS #35305
Comments
@tejlmand Any suggestions on forcing the right order for linking here?
Unfortunately not. That said, having the same APIs provided by two libraries and relying on correct linking order is in general a bad habit, and at high risk of suddenly failing if other changes / dependencies cause the link order to change. In this case, the best thing would be to ensure that mbed TLS does not provide the PSA APIs, which could be done if the granularity of the mbedTLS Kconfig is fine enough so we could specify something like:
Given that the PSA API support in mbedtls 2.26.0 is still incomplete, and a (likely) LTS release of mbedtls will happen during the Zephyr 2.7.0 dev cycle, my vote is to disable use of the PSA backend for now in mbedtls, and reference mbedtls as a purely stand-alone module with no dependencies on TF-M. We can revisit mbedtls + PSA integration in the 2.7.0 dev cycle, with an improved release of mbedtls for PSA support, but we still have access to features in mbedtls today such as the X.509 functions, etc., that aren't exposed by TF-M.
@urutva Does disabling these two defines result in the PSA APIs not being included in the mbedtls build:
@galak No samples in Zephyr 2.6.0 currently use this combination, and it will only be a requirement in 2.7.0, so can we document this as a known issue ("mbedtls 2.26.0 PSA Crypto APIs can not be used when CONFIG_BUILD_WITH_TFM is enabled.") and punt to 2.7.0 where we'll have more time to improve the integration of mbedtls and TF-M? I think this combination needs more testing.
Test Results
With
I've been trying to find a solution to the PSA config issue to not allow

```
menu "PSA configuration"
	depends on MBEDTLS_BUILTIN && MBEDTLS_CFG_FILE = "config-psa.h"

config MBEDTLS_USE_PSA_CRYPTO
	bool "Enable PSA for X.509 and TLS cryptographic operations"
	depends on !BUILD_WITH_TFM
	help
	  The mbedtls library will use Platform Security Architecture (PSA)
	  API for the X.509 and TLS cryptographic operations. This option is
	  not enabled by default, and can not be used when TF-M is enabled.

...

endmenu
```

This will only prevent potential linker issues when using this config file, though, not against users defining their own config file (as happens in this issue) and enabling the PSA APIs plus TF-M there. The ideal solution here is to expose all PSA settings via Kconfig to avoid the need for a custom mbedtls config file, but given that no samples currently use this functionality it's a new feature that should be tackled in Zephyr 2.7.0. IMO, we should note this as a known issue that PSA APIs can not be used together with TF-M in mbedtls 2.26.0 and Zephyr 2.6.0 (since we can't reasonably prevent this at present without sacrificing mbedtls entirely), and integrate PSA config into the next release along with a new sample that makes use of that functionality, with proper testing of the various flags involved. This will also allow for a newer release of mbedtls to be used with better PSA API support.
As per a conversation with @urutva, the problem is as follows:
Unfortunately, both configs are tied to each other, so one cannot enable only
@microbuilder this is going to be addressed in the mbedtls 3.0, is that correct? If so, I think we will have time until the Zephyr LTS 2 release to fix this problem.
Closing this as unable to fix with the current limitations of the build system and mbedtls 2.26.0, but will be addressed in the 2.7.0 dev cycle, coordinating with the upstream mbedtls project for any required changes there. Enhancement can be tracked via #35552
Describe the bug
When both TF-M and Mbed TLS (on the NS side) modules are enabled, all the PSA crypto API calls are linked against the Mbed TLS library instead of TF-M. This is caused by an incorrect linking order of modules, where Mbed TLS comes before TF-M.
Please note that this is not a linking failure but incorrect linking of APIs.
To Reproduce
Steps to reproduce the behavior:
samples/tfm_integration/psa_level_1/prj.conf
zephyr/samples/tfm_integration/psa_level_1/CMakeLists.txt
zephyr/samples/tfm_integration/psa_level_1/src/tls_config/user-tls.conf
psa_generate_random
) in samples/tfm_integration/psa_level_1/src/main.c.
Expected behavior
PSA APIs are linked against TF-M library.
Impact
showstopper
Logs and console output
Linking order:
build/build.ninja
The library modules/mbedtls/libmodules__mbedtls.a comes before tfm/app/libtfm_api_ns.a, which is causing all the PSA crypto APIs to be linked against Mbed TLS.
Environment (please complete the following information):
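A build-hygiene check for the hazard this report describes, added here as an example and not code from the issue, from Zephyr or from mbedtls: it parses `nm --defined-only` output for the archives on the link line and reports every symbol that more than one archive defines, in link order, so a duplicate PSA provider is caught before anyone relies on which archive happens to come first. The archive names are the ones quoted in the report; the `nm` excerpts are constructed for the example.

```python
import re

# Archives in the order the report found them on the link line (Mbed TLS first).
LINK_ORDER = ["modules/mbedtls/libmodules__mbedtls.a", "tfm/app/libtfm_api_ns.a"]

# Constructed excerpts of `nm --defined-only <archive>` output, not captured
# from a real build; both archives define the same PSA entry points.
SAMPLE_NM = {
    LINK_ORDER[0]: """
psa_crypto.c.obj:
00000000 T psa_crypto_init
00000000 T psa_generate_random
x509_crt.c.obj:
00000000 T mbedtls_x509_crt_parse
""",
    LINK_ORDER[1]: """
tfm_crypto_api.c.obj:
00000000 T psa_crypto_init
00000000 T psa_generate_random
00000000 T psa_hash_compute
""",
}

# Global definitions only (T/D/B/R, weak W/V). Local (lowercase) symbols cannot
# satisfy a reference from another object, so they are ignored.
SYM_RE = re.compile(r"^[0-9a-fA-F]+\s+([TDBRWV])\s+(\S+)$")

def defined_symbols(nm_output):
    """Return the set of global symbols an archive defines."""
    syms = set()
    for line in nm_output.splitlines():
        m = SYM_RE.match(line.strip())
        if m:
            syms.add(m.group(2))
    return syms

def duplicate_providers(link_order, nm_outputs):
    """Map each symbol defined by more than one archive to those archives, in
    link order; an unresolved reference is satisfied by the first one, so
    index 0 is the archive the application actually ends up calling."""
    providers = {}
    for archive in link_order:
        for sym in defined_symbols(nm_outputs[archive]):
            providers.setdefault(sym, []).append(archive)
    return {s: a for s, a in providers.items() if len(a) > 1}

if __name__ == "__main__":
    for sym, archives in sorted(duplicate_providers(LINK_ORDER, SAMPLE_NM).items()):
        print(f"{sym}: taken from {archives[0]}; also in {', '.join(archives[1:])}")
```

On a real build, take the archive order from the link command in build/build.ninja and feed `duplicate_providers` the output of `nm --defined-only <archive>` for each of them.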