From 29a3bf5373187540d4ae9abf1eadf22cafbcb2a2 Mon Sep 17 00:00:00 2001
From: Aleksandr Khromykh
Date: Thu, 28 Nov 2024 15:30:11 +0100
Subject: [PATCH] Bluetooth: Mesh: use secure storage in ble mesh
Commit:
- adds dependency of the mbedtls psa usage on secure storage
- removes PSA ITS emulator and enables usage of the secure storage in ble mesh bsim tests
- enables secure storage in all ble mesh and related samples
Signed-off-by: Aleksandr Khromykh
---
 modules/mbedtls/configs/config-tls-generic.h | 6 -
 .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 1 +
 samples/bluetooth/mesh/prj.conf | 1 +
 .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 1 +
 samples/bluetooth/mesh_demo/prj.conf | 1 +
 .../boards/nrf5340dk_nrf5340_cpuapp_ns.conf | 1 +
 samples/bluetooth/mesh_provisioner/prj.conf | 1 +
 samples/boards/nordic/mesh/onoff-app/prj.conf | 2 +
 .../onoff_level_lighting_vnd_app/prj.conf | 1 +
 .../phytec/reel_board/mesh_badge/prj.conf | 1 +
 subsys/bluetooth/mesh/Kconfig | 5 +
 tests/bluetooth/mesh_shell/prj.conf | 1 +
 tests/bsim/bluetooth/mesh/CMakeLists.txt | 13 --
 tests/bsim/bluetooth/mesh/overlay_pst.conf | 1 +
 tests/bsim/bluetooth/mesh/src/psa_its_emul.c | 209 ------------------
 15 files changed, 17 insertions(+), 228 deletions(-)
 create mode 100644 samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
 create mode 100644 samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
 create mode 100644 samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
 delete mode 100644 tests/bsim/bluetooth/mesh/src/psa_its_emul.c
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
index f3b0e96afcb3eb..eb3f943a458786 100644
--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -482,12 +482,6 @@
 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
 #endif
-#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_PICOLIBC) && !defined(CONFIG_SECURE_STORAGE)
-#define MBEDTLS_PSA_ITS_FILE_C
-#define MBEDTLS_PSA_CRYPTO_STORAGE_C
-#define MBEDTLS_FS_IO
-#endif
-
 #if defined(CONFIG_SECURE_STORAGE)
 #define MBEDTLS_PSA_CRYPTO_STORAGE_C
 #endif
diff --git a/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
new file mode 100644
index 00000000000000..2c00cdba0819c5
--- /dev/null
+++ b/samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n
diff --git a/samples/bluetooth/mesh/prj.conf b/samples/bluetooth/mesh/prj.conf
index 9c8daad91316c3..14b19316a86699 100644
--- a/samples/bluetooth/mesh/prj.conf
+++ b/samples/bluetooth/mesh/prj.conf
@@ -5,6 +5,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_HWINFO=y
 CONFIG_BT=y
diff --git a/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
new file mode 100644
index 00000000000000..2c00cdba0819c5
--- /dev/null
+++ b/samples/bluetooth/mesh_demo/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n
diff --git a/samples/bluetooth/mesh_demo/prj.conf b/samples/bluetooth/mesh_demo/prj.conf
index c8c52aaffce3b0..bcb738ae5bd1da 100644
--- a/samples/bluetooth/mesh_demo/prj.conf
+++ b/samples/bluetooth/mesh_demo/prj.conf
@@ -31,6 +31,7 @@ CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
+CONFIG_SECURE_STORAGE=y
 # Limit the number of key slots in PSA Crypto core to reduce
 # RAM footprint
diff --git a/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf b/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
new file mode 100644
index 00000000000000..2c00cdba0819c5
--- /dev/null
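Review bot: The new board overlay samples/bluetooth/mesh/boards/nrf5340dk_nrf5340_cpuapp_ns.conf sets `CONFIG_SECURE_STORAGE=n` with no comment, while the sample's prj.conf in the next hunk turns the same option on, so a reader cannot tell whether mesh keys on this target end up stored without protection or are handled elsewhere. Presumably the `_ns` target builds with TF-M, which supplies the PSA ITS itself, and the override only keeps Zephyr's secure storage subsystem out of that build; this should be confirmed and then written into the file, e.g. `# TF-M provides PSA ITS on the non-secure target, so the secure storage subsystem is not used`. The identical one-line overlays added for mesh_demo and mesh_provisioner need the same comment.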
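Review bot: `CONFIG_SECURE_STORAGE=y` goes into samples/bluetooth/mesh/prj.conf as a bare line, with nothing saying what it protects or what it depends on, and the same bare line is added in the mesh_demo, mesh_provisioner, onoff-app, onoff_level_lighting_vnd_app, mesh_badge, mesh_shell and overlay_pst.conf hunks. Sample configurations are routinely copied into products, so a short comment such as `# PSA ITS backend for persistent mesh keys when Mbed TLS is the PSA crypto provider` would tell the reader why the option is there. As far as I know the subsystem protects entries at rest with a key obtained from a configurable key provider, and these samples take the default; the sample documentation should state whether that default is intended for production use or only for demonstration.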
+++ b/samples/bluetooth/mesh_provisioner/boards/nrf5340dk_nrf5340_cpuapp_ns.conf
@@ -0,0 +1 @@
+CONFIG_SECURE_STORAGE=n
diff --git a/samples/bluetooth/mesh_provisioner/prj.conf b/samples/bluetooth/mesh_provisioner/prj.conf
index 8055e388df1418..10949c5480dbcc 100644
--- a/samples/bluetooth/mesh_provisioner/prj.conf
+++ b/samples/bluetooth/mesh_provisioner/prj.conf
@@ -45,6 +45,7 @@ CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
+CONFIG_SECURE_STORAGE=y
 #CONFIG_BT_MESH_LOG_LEVEL_DBG=y
 #CONFIG_BT_MESH_SETTINGS_LOG_LEVEL_DBG=y
diff --git a/samples/boards/nordic/mesh/onoff-app/prj.conf b/samples/boards/nordic/mesh/onoff-app/prj.conf
index 4c65164456452c..193e50205fb751 100644
--- a/samples/boards/nordic/mesh/onoff-app/prj.conf
+++ b/samples/boards/nordic/mesh/onoff-app/prj.conf
@@ -9,6 +9,8 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
+
 CONFIG_BT_MESH_RPL_STORE_TIMEOUT=600
 CONFIG_BOOT_BANNER=y
diff --git a/samples/boards/nordic/mesh/onoff_level_lighting_vnd_app/prj.conf b/samples/boards/nordic/mesh/onoff_level_lighting_vnd_app/prj.conf
index b9ce470b9eb6ef..653e7e1649e6e9 100644
--- a/samples/boards/nordic/mesh/onoff_level_lighting_vnd_app/prj.conf
+++ b/samples/boards/nordic/mesh/onoff_level_lighting_vnd_app/prj.conf
@@ -7,6 +7,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_BT_OBSERVER=y
 CONFIG_BT_BROADCASTER=y
diff --git a/samples/boards/phytec/reel_board/mesh_badge/prj.conf b/samples/boards/phytec/reel_board/mesh_badge/prj.conf
index ad6f656f30154a..5367f4d1e9a6a4 100644
--- a/samples/boards/phytec/reel_board/mesh_badge/prj.conf
+++ b/samples/boards/phytec/reel_board/mesh_badge/prj.conf
@@ -66,4 +66,5 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_CBPRINTF_FP_SUPPORT=y
diff --git a/subsys/bluetooth/mesh/Kconfig b/subsys/bluetooth/mesh/Kconfig
index 395284e80fac0b..b7521689634f5a 100644
--- a/subsys/bluetooth/mesh/Kconfig
+++ b/subsys/bluetooth/mesh/Kconfig
@@ -1452,6 +1452,10 @@ config BT_MESH_SOL_ADV_XMIT
 endmenu # Proxy
+config BT_MESH_SECURE_STORAGE
+ bool
+ depends on SECURE_STORAGE
+
 choice BT_MESH_CRYPTO_LIB
 prompt "Crypto library:"
 default BT_MESH_USES_TFM_PSA if BUILD_WITH_TFM
@@ -1491,6 +1495,7 @@ config BT_MESH_USES_MBEDTLS_PSA
 select PSA_WANT_ALG_SHA_256
 select PSA_WANT_ALG_ECDH
 select PSA_WANT_ECC_SECP_R1_256
+ select BT_MESH_SECURE_STORAGE if BT_SETTINGS
 help
 Use Mbed TLS as PSA Crypto API provider. This is useful on platforms that do not support TF-M.
diff --git a/tests/bluetooth/mesh_shell/prj.conf b/tests/bluetooth/mesh_shell/prj.conf
index 043428e06a240b..2af6002956808e 100644
--- a/tests/bluetooth/mesh_shell/prj.conf
+++ b/tests/bluetooth/mesh_shell/prj.conf
@@ -14,6 +14,7 @@ CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
 CONFIG_SETTINGS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_BT=y
 CONFIG_BT_OBSERVER=y
diff --git a/tests/bsim/bluetooth/mesh/CMakeLists.txt b/tests/bsim/bluetooth/mesh/CMakeLists.txt
index c907e8c036be88..6ce6dbfbf10f46 100644
--- a/tests/bsim/bluetooth/mesh/CMakeLists.txt
+++ b/tests/bsim/bluetooth/mesh/CMakeLists.txt
@@ -29,7 +29,6 @@ if(CONFIG_SETTINGS)
 if(CONFIG_BT_MESH_USES_MBEDTLS_PSA)
 target_sources(app PRIVATE
 src/distribute_keyid.c
- src/psa_its_emul.c
 )
 endif()
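Review bot: `BT_MESH_SECURE_STORAGE` in the first Kconfig hunk is a promptless symbol with `depends on SECURE_STORAGE`, and the second hunk force-selects it from `BT_MESH_USES_MBEDTLS_PSA` when `BT_SETTINGS` is set; nothing in either hunk says that this pairing is deliberate. `select` does not honour the selected symbol's dependencies, so a configuration with persistent mesh settings and without `SECURE_STORAGE` gets an unmet-dependency diagnostic on a symbol the user never set, rather than a message naming the option that is missing. Within this patch the symbol is only defined and selected, never tested, so it appears to exist purely as that guard. A comment above the definition would make the intent clear, e.g. `# Hidden guard: selected by BT_MESH_USES_MBEDTLS_PSA so that persisting mesh keys requires SECURE_STORAGE`. The `config BT_MESH_USES_MBEDTLS_PSA` entry starts before the second hunk, so its remaining selects are not visible here.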
@@ -82,15 +81,3 @@ zephyr_include_directories(
 ${BSIM_COMPONENTS_PATH}/libUtilv1/src/
 ${BSIM_COMPONENTS_PATH}/libPhyComv1/src/
 )
-
-# The mbedTLS PSA ITS is not thread safe.
-# The issue: https://github.com/zephyrproject-rtos/zephyr/issues/59362
-# Also, it isn't possible to use "native" ITS implementation since
-# mbedTLS includes headers that do not exist.
-# This linker option allows linking custom ITS implementation instead of
-# precompiled objects from the mbedTLS library to run it in parallel.
-if(CONFIG_BT_MESH_USES_MBEDTLS_PSA)
- zephyr_ld_options(
- ${LINKERFLAGPREFIX},--allow-multiple-definition
- )
-endif()
diff --git a/tests/bsim/bluetooth/mesh/overlay_pst.conf b/tests/bsim/bluetooth/mesh/overlay_pst.conf
index 37b9f2b9969271..52856866819d28 100644
--- a/tests/bsim/bluetooth/mesh/overlay_pst.conf
+++ b/tests/bsim/bluetooth/mesh/overlay_pst.conf
@@ -3,6 +3,7 @@ CONFIG_BT_SETTINGS=y
 CONFIG_FLASH=y
 CONFIG_FLASH_MAP=y
 CONFIG_NVS=y
+CONFIG_SECURE_STORAGE=y
 CONFIG_BT_PERIPHERAL=y
 CONFIG_BT_MESH_GATT_PROXY=y
diff --git a/tests/bsim/bluetooth/mesh/src/psa_its_emul.c b/tests/bsim/bluetooth/mesh/src/psa_its_emul.c
deleted file mode 100644
index 0598b40a3892c9..00000000000000
--- a/tests/bsim/bluetooth/mesh/src/psa_its_emul.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/*
- * Copyright (c) 2023 Nordic Semiconductor ASA
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-/*
- * PSA ITS emulator over settings.
- */
-
-#include
-
-#include
-#include <../library/psa_crypto_its.h>
-
-#define LOG_MODULE_NAME pts_its_emu
-
-#include
-#include "mesh/net.h"
-#include "mesh/settings.h"
-
-LOG_MODULE_REGISTER(LOG_MODULE_NAME, LOG_LEVEL_INF);
-
-/* The value of 52 bytes was measured practically in the mbedTLS psa security storage. */
-#define MAX_ITEM_LENGTH 52
-#define MAX_ITEM_NUMBER MBEDTLS_PSA_KEY_SLOT_COUNT
-
-typedef struct {
- uint32_t size;
- psa_storage_create_flags_t flags;
- uint8_t data[MAX_ITEM_LENGTH];
-} psa_its_pst_item_t;
-
-typedef struct {
- psa_storage_uid_t uid;
- psa_its_pst_item_t pst_item;
-} psa_its_item_t;
-
-static psa_its_item_t item[MAX_ITEM_NUMBER];
-
-static psa_its_item_t *get_item_by_uid(psa_storage_uid_t uid)
-{
- for (int i = 0; i < MAX_ITEM_NUMBER; i++) {
- if (uid == item[i].uid) {
- return &item[i];
- }
- }
-
- return NULL;
-}
-
-static int itsemul_set(const char *name, size_t len_rd, settings_read_cb read_cb, void *cb_arg)
-{
- ssize_t len;
- uint64_t uid;
- psa_its_item_t *p_item;
-
- LOG_DBG("read out uid: %s", name);
-
- if (!name) {
- LOG_ERR("Insufficient number of arguments");
- return -ENOENT;
- }
-
- uid = strtoull(name, NULL, 10);
- if (uid == ULLONG_MAX) {
- LOG_ERR("Invalid format for uid");
- return -EINVAL;
- }
-
- p_item = get_item_by_uid(uid);
- if (p_item == NULL) {
- p_item = get_item_by_uid(0ull);
- }
-
- if (p_item == NULL) {
- LOG_ERR("Insufficient sources for %llu", uid);
- return -EINVAL;
- }
-
- p_item->uid = uid;
-
- len = read_cb(cb_arg, &p_item->pst_item, len_rd);
- if (len < 0) {
- LOG_ERR("Failed to read value (err %zd)", len);
- return -EINVAL;
- }
-
- LOG_HEXDUMP_DBG(&p_item->pst_item, len, "pst_item:");
-
- if (len != len_rd) {
- LOG_ERR("Unexpected length (%zd != %zu)", len, len_rd);
- return -EINVAL;
- }
-
- return 0;
-}
-
-SETTINGS_STATIC_HANDLER_DEFINE(psa_its_emu, "itsemul", NULL, itsemul_set, NULL, NULL);
-
-psa_status_t psa_its_get_info(psa_storage_uid_t uid, struct psa_storage_info_t *p_info)
-{
- psa_its_item_t *p_item;
-
- LOG_DBG("get info uid: %llu", uid);
-
- p_item = get_item_by_uid(uid);
- if (p_item == NULL) {
- return PSA_ERROR_DOES_NOT_EXIST;
- }
-
- p_info->flags = p_item->pst_item.flags;
- p_info->size = p_item->pst_item.size;
-
- LOG_DBG("flags: %lu, size: %lu", p_info->flags, p_info->size);
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_its_get(psa_storage_uid_t uid, uint32_t data_offset, uint32_t data_length,
- void *p_data, size_t *p_data_length)
-{
- psa_its_item_t *p_item;
- psa_its_pst_item_t *p_pst_item;
-
- LOG_DBG("get uid: %llu", uid);
-
- p_item = get_item_by_uid(uid);
- if (p_item == NULL) {
- return PSA_ERROR_DOES_NOT_EXIST;
- }
-
- p_pst_item = &p_item->pst_item;
-
- if (data_offset > p_pst_item->size) {
- return PSA_ERROR_DATA_CORRUPT;
- }
-
- *p_data_length = MIN(p_pst_item->size - data_offset, data_length);
- memcpy(p_data, p_pst_item->data + data_offset, *p_data_length);
-
- return PSA_SUCCESS;
-}
-
-psa_status_t psa_its_set(psa_storage_uid_t uid, uint32_t data_length, const void *p_data,
- psa_storage_create_flags_t create_flags)
-{
- char path[40];
- psa_its_item_t *p_item;
- psa_its_pst_item_t *p_pst_item;
- psa_status_t status = PSA_SUCCESS;
-
- LOG_DBG("Set uid: %llu, len: %lu", uid, data_length);
-
- if (data_length > MAX_ITEM_LENGTH) {
- LOG_ERR("Too long item data: %lu > " STRINGIFY(MAX_ITEM_LENGTH), data_length);
- }
-
- p_item = get_item_by_uid(uid);
- if (p_item == NULL) {
- p_item = get_item_by_uid(0ull);
- }
-
- if (p_item == NULL) {
- return PSA_ERROR_STORAGE_FAILURE;
- }
-
- snprintk(path, sizeof(path), "itsemul/%llu", uid);
-
- p_item->uid = uid;
- p_pst_item = &p_item->pst_item;
- p_pst_item->size = data_length;
- p_pst_item->flags = create_flags;
- memcpy(p_pst_item->data, p_data, data_length);
-
- if (settings_save_one(path,
p_pst_item, sizeof(psa_its_pst_item_t))) {
- LOG_ERR("Failed to store its item: %s", path);
- status = PSA_ERROR_STORAGE_FAILURE;
- } else {
- LOG_DBG("Stored its item: %s", path);
- }
-
- return status;
-}
-
-psa_status_t psa_its_remove(psa_storage_uid_t uid)
-{
- char path[40];
- psa_status_t status = PSA_SUCCESS;
- psa_its_item_t *p_item;
-
- LOG_DBG("remove uid: %llu", uid);
-
- p_item = get_item_by_uid(uid);
- if (p_item == NULL) {
- return status;
- }
- memset(p_item, 0, sizeof(psa_its_item_t));
-
- snprintk(path, sizeof(path), "itsemul/%llu", uid);
-
- if (settings_delete(path)) {
- LOG_ERR("Failed to remove its item: %s", path);
- status = PSA_ERROR_STORAGE_FAILURE;
- } else {
- LOG_DBG("Removed its item: %s", path);
- }
-
- return status;
-}