Add no-std and baremetal features

psa-crypto-sys/Cargo.toml

@@ -24,3 +24,5 @@ static = []
 interface = ["bindgen"]
 operations = ["interface"]
 prefix = []
+no-std = []
+baremetal = ["no-std"]

psa-crypto-sys/build.rs

@@ -63,10 +63,11 @@ mod common {
     use std::env;
     use std::io::{Error, ErrorKind, Result};
     use std::path::{Path, PathBuf};
+    use std::process::Command;
 
     pub fn configure_mbed_crypto() -> Result<()> {
         let mbedtls_dir = String::from("./vendor");
-        let mbedtls_config = mbedtls_dir + "/scripts/config.py";
+        let mbedtls_config = mbedtls_dir.clone() + "/scripts/config.py";
 
         println!("cargo:rerun-if-changed=src/c/shim.c");
         println!("cargo:rerun-if-changed=src/c/shim.h");
@@ -81,11 +82,30 @@ mod common {
             ));
         }
 
+        let mbedtls_mode = if cfg!(feature = "baremetal") {
+            "crypto_baremetal"
+        } else {
+            "crypto"
+        };
+
+        if mbedtls_mode == "crypto_baremetal" {
+            // Apply patch to MbedTLS
+            let patch_path = Path::new("../patches/0001-Update-config-for-baremetal-targets.patch"); // relative to ./vendor folder
+            let status = Command::new("git")
+                .current_dir(&mbedtls_dir)
+                .args(&["apply", patch_path.to_str().unwrap()])
+                .status()?;
+
+            if !status.success() {
+                println!("cargo:warning=Could not apply patch to mbedtls: {:?}", patch_path);
+            }
+        }
+
         // Configure the MbedTLS build for making Mbed Crypto
         if !::std::process::Command::new(mbedtls_config)
             .arg("--write")
             .arg(&(out_dir + "/config.h"))
-            .arg("crypto")
+            .arg(mbedtls_mode)
             .status()
             .map_err(|_| Error::new(ErrorKind::Other, "configuring mbedtls failed"))?
             .success()
@@ -136,6 +156,8 @@ mod common {
             .blocklist_type("max_align_t")
             .generate_comments(false)
             .size_t_is_usize(true)
+            .use_core()
+            .ctypes_prefix("::core::ffi")
             .generate()
             .map_err(|_| {
                 Error::new(
@@ -251,12 +273,17 @@ mod operations {
         }
 
         // Build the MbedTLS libraries
-        let mbed_build_path = Config::new(&mbedtls_dir)
+        let mut mbed_build = Config::new(&mbedtls_dir);
+        let mbed_build = mbed_build
             .cflag(format!("-I{}", out_dir))
             .cflag("-DMBEDTLS_CONFIG_FILE='<config.h>'")
             .define("ENABLE_PROGRAMS", "OFF")
-            .define("ENABLE_TESTING", "OFF")
-            .build();
+            .define("ENABLE_TESTING", "OFF");
+
+        #[cfg(feature = "baremetal")]
+        let mbed_build = mbed_build.define("CMAKE_TRY_COMPILE_TARGET_TYPE", "STATIC_LIBRARY");
+
+        let mbed_build_path = mbed_build.build();
 
         Ok(mbed_build_path)
     }

psa-crypto-sys/patches/0001-Update-config-for-baremetal-targets.patch

@@ -0,0 +1,46 @@
+From 035aca2948c136e76ec7acfa739e4f0264d55c39 Mon Sep 17 00:00:00 2001
+From: Geovane Fedrecheski <[email protected]>
+Date: Wed, 29 Nov 2023 11:09:44 +0100
+Subject: [PATCH] Update config for baremetal targets
+
+Signed-off-by: Geovane Fedrecheski <[email protected]>
+---
+ scripts/config.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/scripts/config.py b/scripts/config.py
+index 6d5edc7c0..36312df04 100755
+--- a/scripts/config.py
++++ b/scripts/config.py
+@@ -241,6 +241,7 @@ def full_adapter(name, active, section):
+ # need to be repeated here.
+ EXCLUDE_FROM_BAREMETAL = frozenset([
+     #pylint: disable=line-too-long
++    'MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS',
+     'MBEDTLS_ENTROPY_NV_SEED', # requires a filesystem and FS_IO or alternate NV seed hooks
+     'MBEDTLS_FS_IO', # requires a filesystem
+     'MBEDTLS_HAVE_TIME', # requires a clock
+@@ -270,6 +271,20 @@ def baremetal_adapter(name, active, section):
+     if name == 'MBEDTLS_NO_PLATFORM_ENTROPY':
+         # No OS-provided entropy source
+         return True
++    if name == 'MBEDTLS_ENTROPY_HARDWARE_ALT':
++        # Custom entropy source provided
++        return True
++    if name == 'MBEDTLS_ENTROPY_FORCE_SHA256':
++        # Force SHA-256 accumulator
++        return True
++    if name == 'MBEDTLS_MEMORY_BUFFER_ALLOC_C':
++        return True
++    if name == 'MBEDTLS_PLATFORM_C':
++        return True
++    if name == 'MBEDTLS_PLATFORM_MEMORY':
++        return True
++    if name == 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS':
++        return True
+     return include_in_full(name) and keep_in_baremetal(name)
+
+ def include_in_crypto(name):
+-- 
+2.34.1
+

psa-crypto-sys/src/lib.rs

@@ -7,6 +7,7 @@
 //! You can find the API
 //! [here](https://developer.arm.com/architectures/security-architectures/platform-security-architecture/documentation).
 
+#![cfg_attr(feature = "no-std", no_std)]
 // This one is hard to avoid.
 #![allow(clippy::multiple_crate_versions)]
 #![allow(clippy::missing_safety_doc)]

psa-crypto/Cargo.toml

@@ -28,3 +28,5 @@ operations = ["psa-crypto-sys/operations", "interface"]
 interface = ["psa-crypto-sys/interface"]
 prefix = ["psa-crypto-sys/prefix"]
 std = []
+no-std = ["psa-crypto-sys/no-std"]
+baremetal = ["no-std", "psa-crypto-sys/baremetal"]