Merge pull request #3190 from gilles-peskine-arm/config-full-clarify-development

Clarify that the full config enables everything that can be tested together
2020-05-04 12:29:09 +02:00 · 2020-05-04 12:29:09 +02:00 · d9f694960f
commit d9f694960f
parent 1d632c26a4 8386ea22b2
13 changed files with 257 additions and 130 deletions
--- a/scripts/config.py
+++ b/scripts/config.py
@ -159,45 +159,68 @@ def realfull_adapter(_name, active, section):
        return active
    return True

+# The goal of the full configuration is to have everything that can be tested
+# together. This includes deprecated or insecure options. It excludes:
+# * Options that require additional build dependencies or unusual hardware.
+# * Options that make testing less effective.
+# * Options that are incompatible with other options, or more generally that
+#   interact with other parts of the code in such a way that a bulk enabling
+#   is not a good way to test them.
+# * Options that remove features.
+EXCLUDE_FROM_FULL = frozenset([
+    #pylint: disable=line-too-long
+    'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
+    'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
+    'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
+    'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
+    'MBEDTLS_ECP_RESTARTABLE', # incompatible with USE_PSA_CRYPTO
+    'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
+    'MBEDTLS_HAVE_SSE2', # hardware dependency
+    'MBEDTLS_MEMORY_BACKTRACE', # depends on MEMORY_BUFFER_ALLOC_C
+    'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective
+    'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C
+    'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum
+    'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature
+    'MBEDTLS_NO_PLATFORM_ENTROPY', # removes a feature
+    'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
+    'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
+    'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
+    'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER', # platform dependency (PSA SPM) (at this time)
+    'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
+    'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)
+    'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
+    'MBEDTLS_REMOVE_ARC4_CIPHERSUITES', # removes a feature
+    'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
+    'MBEDTLS_SHA512_NO_SHA384', # removes a feature
+    'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions)
+    'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature
+    'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', # influences the use of X.509 in TLS
+    'MBEDTLS_ZLIB_SUPPORT', # build dependency (libz)
+])
+
+def is_seamless_alt(name):
+    """Whether the xxx_ALT symbol should be included in the full configuration.
+
+    Include alternative implementations of platform functions, which are
+    configurable function pointers that default to the built-in function.
+    This way we test that the function pointers exist and build correctly
+    without changing the behavior, and tests can verify that the function
+    pointers are used by modifying those pointers.
+
+    Exclude alternative implementations of library functions since they require
+    an implementation of the relevant functions and an xxx_alt.h header.
+    """
+    if name == 'MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT':
+        # Similar to non-platform xxx_ALT, requires platform_alt.h
+        return False
+    return name.startswith('MBEDTLS_PLATFORM_')
+
 def include_in_full(name):
    """Rules for symbols in the "full" configuration."""
-    if re.search(r'PLATFORM_[A-Z0-9]+_ALT', name):
-        return True
-    if name in [
-            'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY',
-            'MBEDTLS_DEPRECATED_REMOVED',
-            'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED',
-            'MBEDTLS_ECP_RESTARTABLE',
-            'MBEDTLS_ENTROPY_FORCE_SHA256', # Variant toggle, tested separately
-            'MBEDTLS_HAVE_SSE2',
-            'MBEDTLS_MEMORY_BACKTRACE',
-            'MBEDTLS_MEMORY_BUFFER_ALLOC_C',
-            'MBEDTLS_MEMORY_DEBUG',
-            'MBEDTLS_NO_64BIT_MULTIPLICATION',
-            'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
-            'MBEDTLS_NO_PLATFORM_ENTROPY',
-            'MBEDTLS_NO_UDBL_DIVISION',
-            'MBEDTLS_PKCS11_C',
-            'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
-            'MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER',
-            'MBEDTLS_PSA_CRYPTO_SE_C',
-            'MBEDTLS_PSA_CRYPTO_SPM',
-            'MBEDTLS_PSA_INJECT_ENTROPY',
-            'MBEDTLS_REMOVE_3DES_CIPHERSUITES',
-            'MBEDTLS_REMOVE_ARC4_CIPHERSUITES',
-            'MBEDTLS_RSA_NO_CRT',
-            'MBEDTLS_SHA512_NO_SHA384',
-            'MBEDTLS_SSL_HW_RECORD_ACCEL',
-            'MBEDTLS_SSL_PROTO_SSL3',
-            'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO',
-            'MBEDTLS_TEST_NULL_ENTROPY',
-            'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3',
-            'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION',
-            'MBEDTLS_ZLIB_SUPPORT',
-    ]:
+    if name in EXCLUDE_FROM_FULL:
        return False
    if name.endswith('_ALT'):
-        return False
+        return is_seamless_alt(name)
    return True

 def full_adapter(name, active, section):
@ -206,25 +229,33 @@ def full_adapter(name, active, section):
        return active
    return include_in_full(name)

+# The baremetal configuration excludes options that require a library or
+# operating system feature that is typically not present on bare metal
+# systems. Features that are excluded from "full" won't be in "baremetal"
+# either (unless explicitly turned on in baremetal_adapter) so they don't
+# need to be repeated here.
+EXCLUDE_FROM_BAREMETAL = frozenset([
+    #pylint: disable=line-too-long
+    'MBEDTLS_ENTROPY_NV_SEED', # requires a filesystem and FS_IO or alternate NV seed hooks
+    'MBEDTLS_FS_IO', # requires a filesystem
+    'MBEDTLS_HAVEGE_C', # requires a clock
+    'MBEDTLS_HAVE_TIME', # requires a clock
+    'MBEDTLS_HAVE_TIME_DATE', # requires a clock
+    'MBEDTLS_NET_C', # requires POSIX-like networking
+    'MBEDTLS_PLATFORM_FPRINTF_ALT', # requires FILE* from stdio.h
+    'MBEDTLS_PLATFORM_NV_SEED_ALT', # requires a filesystem and ENTROPY_NV_SEED
+    'MBEDTLS_PLATFORM_TIME_ALT', # requires a clock and HAVE_TIME
+    'MBEDTLS_PSA_CRYPTO_SE_C', # requires a filesystem and PSA_CRYPTO_STORAGE_C
+    'MBEDTLS_PSA_CRYPTO_STORAGE_C', # requires a filesystem
+    'MBEDTLS_PSA_ITS_FILE_C', # requires a filesystem
+    'MBEDTLS_THREADING_C', # requires a threading interface
+    'MBEDTLS_THREADING_PTHREAD', # requires pthread
+    'MBEDTLS_TIMING_C', # requires a clock
+])
+
 def keep_in_baremetal(name):
    """Rules for symbols in the "baremetal" configuration."""
-    if name in [
-            'MBEDTLS_DEPRECATED_WARNING',
-            'MBEDTLS_ENTROPY_NV_SEED',
-            'MBEDTLS_FS_IO',
-            'MBEDTLS_HAVEGE_C',
-            'MBEDTLS_HAVE_TIME',
-            'MBEDTLS_HAVE_TIME_DATE',
-            'MBEDTLS_NET_C',
-            'MBEDTLS_PLATFORM_FPRINTF_ALT',
-            'MBEDTLS_PLATFORM_TIME_ALT',
-            'MBEDTLS_PSA_CRYPTO_SE_C',
-            'MBEDTLS_PSA_CRYPTO_STORAGE_C',
-            'MBEDTLS_PSA_ITS_FILE_C',
-            'MBEDTLS_THREADING_C',
-            'MBEDTLS_THREADING_PTHREAD',
-            'MBEDTLS_TIMING_C',
-    ]:
+    if name in EXCLUDE_FROM_BAREMETAL:
        return False
    return True

@ -233,6 +264,7 @@ def baremetal_adapter(name, active, section):
    if not is_full_section(section):
        return active
    if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
+        # No OS-provided entropy source
        return True
    return include_in_full(name) and keep_in_baremetal(name)

@ -243,10 +275,10 @@ def include_in_crypto(name):
       name.startswith('MBEDTLS_KEY_EXCHANGE_'):
        return False
    if name in [
-            'MBEDTLS_CERTS_C',
-            'MBEDTLS_DEBUG_C',
-            'MBEDTLS_NET_C',
-            'MBEDTLS_PKCS11_C',
+            'MBEDTLS_CERTS_C', # part of libmbedx509
+            'MBEDTLS_DEBUG_C', # part of libmbedtls
+            'MBEDTLS_NET_C', # part of libmbedtls
+            'MBEDTLS_PKCS11_C', # part of libmbedx509
    ]:
        return False
    return True
@ -265,6 +297,28 @@ def crypto_adapter(adapter):
        return adapter(name, active, section)
    return continuation

+DEPRECATED = frozenset([
+    'MBEDTLS_SSL_PROTO_SSL3',
+    'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO',
+])
+
+def no_deprecated_adapter(adapter):
+    """Modify an adapter to disable deprecated symbols.
+
+    ``no_deprecated_adapter(adapter)(name, active, section)`` is like
+    ``adapter(name, active, section)``, but unsets all deprecated symbols
+    and sets ``MBEDTLS_DEPRECATED_REMOVED``.
+    """
+    def continuation(name, active, section):
+        if name == 'MBEDTLS_DEPRECATED_REMOVED':
+            return True
+        if name in DEPRECATED:
+            return False
+        if adapter is None:
+            return active
+        return adapter(name, active, section)
+    return continuation
+
 class ConfigFile(Config):
    """Representation of the Mbed TLS configuration read for a file.

@ -430,6 +484,10 @@ if __name__ == '__main__':
                    Exclude alternative implementations and platform support
                    options, as well as some options that are awkward to test.
                    """)
+        add_adapter('full_no_deprecated', no_deprecated_adapter(full_adapter),
+                    """Uncomment most non-deprecated features.
+                    Like "full", but without deprecated features.
+                    """)
        add_adapter('realfull', realfull_adapter,
                    """Uncomment all boolean #defines.
                    Suitable for generating documentation, but not for building.""")