psa: add Trusted Firmware-M example

psa/README.md

@@ -4,6 +4,7 @@
 ## Example lists
 
     - client/server TLS1.3 ECC example
+    - Trusted Firmware-M TLS1.3 on Nucleo-l552ZE-Q board
 
 ## client/server TLS1.3 ECDH-ECC example
 
@@ -30,9 +31,9 @@ used to compile the examples.
 
 You can test these examples with mbedTLS PSA implementation. For this task the
 helper script `build_with_mbedtls_psa.sh` is provided. It must run from the
-wolfSSL source root directory. It will download `mbedtls` and compile it. It
-will also build WolfSSL with correct PSA headers and options. To use the script
-and then compile the examples use these commands:
+wolfSSL source root directory and it compiles the mbedTLS library in
+`/tmp/mbedtls` . To use the script and then compile the examples use these
+commands:
 
 ```
 cd /path/to/wolfSSL/src;
@@ -44,4 +45,55 @@ export PSA_LIB_PATH=/tmp/mbedtls/build/library/libmbedcrypto.a
 make
 ```
 
+## Trusted Firmware-M TLS1.3
 
+TLS1.3 client/server exchange a small message over memory in PSA enabled
+Trusted Firmware-M (TF-M) on Nucleo-l552ZE-Q board.
+
+This example is provided as a patch to the TF-M test repo, which is normally
+used as the default Non Secure app in the TF-M repo.  This way the example
+integrates smoothly inside the TF-M build system.
+
+The general requirements to build TF-M are listed here
+[TF-M doc](https://tf-m-user-guide.trustedfirmware.org/docs/getting_started/tfm_getting_started.html)
+
+To compile TF-M on Nucleo-l552ZE-Q board you additionally need:
+    - GNU Arm compiler v7.3.1+ [toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm/downloads)
+    - STM32_Programmer_CLI see [here](https://www.st.com/en/development-tools/stm32cubeprog.html)
+
+To have all the needed binary artifacts to flash on the board you need three
+interacting parts: the main TF-M repo (for bootloader and Secure world), wolfSSL
+PSA-enabled library, and the modified TF-M test repo (for Non-Secure world). The
+provided script `build_tfm_example.sh` automatically downloads and compile all
+the needed components and produces the final build artifacts. The toolchain
+needs to be available on the default path for the script to work.
+
+CAVEATS:
+The example only works with TF-M commit ID f07cc31545bbba3bad1806ed078c3aee3a09dc52
+
+After running `build_tfm_example.sh` you can flash the binaries artifacts from
+the TF-M build directory (defaults to `/tmp/wolfssl_tfm/tfm/build`) and run:
+
+```
+./regression.sh && ./TFM_UPDATE.sh
+```
+
+to flash on the nucelo board. Remember that this step needs
+`STM32_Programmer_CLI`installed and on the default PATH.
+
+After that you will see client and server interacting on the UART of the board:
+
+```
+[Sec Thread] Secure image initializing!
+TF-M FP mode: Software
+Booting TFM v1.5.0
+Non-Secure system starting...
+wolfSSL demo
+wolfSSL_Init Success
+wolfSSL provisioning server secret key
+Server is starting
+Client is starting
+Overriding cert date error as example for bad clock testing
+Received message from client:
+hello wolfssl!
+```

psa/trusted-firwmare/build_tfm_example.sh

@@ -0,0 +1,127 @@
+#!/bin/bash
+
+set -e
+
+WOLFSSL_TFM_WORKDIR=${WOLFSSL_TFM_WORKDIR:="/tmp"}
+TFM_GIT_URL=https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git
+TFM_COMMIT_ID=f07cc31545bbba3bad1806ed078c3aee3a09dc52
+TRUSTED_FIRMWARE_DIR=${TRUSTED_FIRMWARE_DIR:="${WOLFSSL_TFM_WORKDIR}/wolfssl_tfm/tfm"}
+
+WOLFSSL_DIR=${WOLFSSL_DIR:="${WOLFSSL_TFM_WORKDIR}/wolfssl_tfm/wolfssl"}
+
+TEST_REPO_GIT_URL=https://git.trustedfirmware.org/TF-M/tf-m-tests.git
+TEST_REPO_TAG=TF-Mv1.5.0
+TEST_REPO_DIR=${TEST_REPO_DIR:="${WOLFSSL_TFM_WORKDIR}/wolfssl_tfm/wolfssl_test_repo"}
+
+download_trusted_firmware_m() {
+    echo "downloading trusted firmware-m source in ${TRUSTED_FIRMWARE_DIR}..."
+    if [ -d "${TRUSTED_FIRMWARE_DIR}" ]
+    then
+        echo "${TRUSTED_FIRMWARE_DIR} exists, skipping src dowload.."
+        return
+    fi
+
+    mkdir -p "${TRUSTED_FIRMWARE_DIR}"
+    git clone "${TFM_GIT_URL}" "${TRUSTED_FIRMWARE_DIR}"
+    (cd "${TRUSTED_FIRMWARE_DIR}" && git checkout "${TFM_COMMIT_ID}")
+}
+
+download_wolfssl_src() {
+    echo "downloading WolfSSL source in ${WOLFSSL_DIR}..."
+    if [ -d "${WOLFSSL_DIR}" ]
+    then
+        echo "${WOLFSSL_DIR} exists, skipping src dowload.."
+        return
+    fi
+    mkdir -p "${WOLFSSL_DIR}"
+    curl --location https://api.github.com/repos/wolfssl/wolfssl/tarball/master | \
+    tar --directory="${WOLFSSL_DIR}" --strip-components=1 -x -z
+}
+
+download_tfm_repo_test_src() {
+    echo "downloading tfm_test_repo in ${TEST_REPO_DIR}..."
+    if [ -d "${TEST_REPO_DIR}" ]
+    then
+        echo "${TEST_REPO_DIR} exists, skipping src dowload.."
+        return
+    fi
+
+    mkdir -p "${TEST_REPO_DIR}"
+    git clone --depth 1 --branch "${TEST_REPO_TAG}"\
+        "${TEST_REPO_GIT_URL}" "${TEST_REPO_DIR}"
+
+    echo "applying wolfssl_patch to ${TEST_REPO_DIR}..."
+    cp ./0001-WolfSSL-TLS-1.3-client-server-PSA-demo.patch "${TEST_REPO_DIR}"
+    (cd "${TEST_REPO_DIR}" && \
+         git apply ./0001-WolfSSL-TLS-1.3-client-server-PSA-demo.patch)
+}
+
+compile_tfm() {
+    # restart from scratch if build dir already exists
+    if [ -d "${TRUSTED_FIRMWARE_DIR}/build" ]
+    then
+        rm -rf "${TRUSTED_FIRMWARE_DIR}/build"
+    fi
+
+    (cd "${TRUSTED_FIRMWARE_DIR}" && \
+         mkdir build && \
+         cd build && \
+         cmake .. -DTFM_PLATFORM=stm/nucleo_l552ze_q \
+               -DTFM_TOOLCHAIN_FILE=../toolchain_GNUARM.cmake \
+               -G"Unix Makefiles" \
+               -DNS=ON \
+               -DCMAKE_BUILD_TYPE=RelWithDebInfo \
+               -DTEST_S=OFF \
+               -DTEST_NS=OFF \
+               -DTFM_TEST_REPO_PATH="${TEST_REPO_DIR}" \
+               -DWOLFSSL_DEMO=ON \
+               -DWOLFSSL_ROOT_PATH="${WOLFSSL_DIR}"\
+               -DTFM_NS_REG_TEST=ON)
+    (cd "${TRUSTED_FIRMWARE_DIR}/build" && cmake --build . -- install && ./postbuild.sh)
+}
+
+compile_wolfssl() {
+    (cd "${WOLFSSL_DIR}" && \
+         ./autogen.sh && \
+         CFLAGS="-mcpu=cortex-m33 -Os --specs=nano.specs -fdata-sections -ffunction-sections -fno-builtin -fshort-enums -funsigned-char -mthumb -nostdlib -Wno-error=redundant-decls -Wno-error=switch-enum \
+         -DNO_WOLFSSL_DIR -DWOLFSSL_NO_SOCK -DNO_WRITEV -DWOLFSSL_USER_IO -DNO_SHA512 -DNO_SHA224 -DNO_SHA -DNO_ERROR_STRINGS -DNO_FILESYSTEM -DBENCH_EMBEDDED -DWOLFSSL_SMALL_STACK" \
+               ./configure \
+               --host=arm-none-eabi \
+               --disable-examples \
+               --disable-rsa \
+               --disable-chacha \
+               --disable-poly1305 \
+               --disable-dh \
+               --disable-md5 \
+               --disable-sha512 \
+               --disable-sha224 \
+               --disable-sha \
+               --disable-sha384 \
+               --disable-pwdbased \
+               --disable-pkcs12 \
+               --disable-tlsv12 \
+               --disable-crypttests \
+               --disable-benchmark \
+               --enable-pkcallbacks \
+               --enable-psa \
+               --with-psa-include="${TRUSTED_FIRMWARE_DIR}/interface/include" && \
+         make)
+}
+
+flash_tfm() {
+    (cd "${TRUSTED_FIRMWARE_DIR}/build" && \
+         ./regression.sh && \
+         ./TFM_UPDATE.sh )
+}
+
+download_trusted_firmware_m
+download_wolfssl_src
+download_tfm_repo_test_src
+compile_wolfssl
+compile_tfm
+
+echo "WolfSSL TF-M example built."
+echo "To flash on the board run:"
+echo "cd ${TRUSTED_FIRMWARE_DIR}/build && ./regression.sh && ./TFM_UPDATE.sh"
+
+# flash_tfm