Driver-only ECC: auto-enable ECP_LIGHT when needed

[valeriosetti]

This PR resolves #7442 (please refer to the original issue because the goals are described pretty well there).

Depends on #7641 (merged)
Resolves #7442

PR checklist

• changelog deferred, see ChangeLog for driver-only work #7413
• backport not required
• tests not required

[mpg]

I had a quick look, and almost everything looks good to me, except for all.sh components that are not as I expected. Before this PR (but after 7682) we have:

1. test_psa_crypto_config_accel_all_ec_algs_use_psa with all top-level ECC modules (ECDH, ECDSA, ECJPAKE) accelerated, plus !ECP_C && EPC_LIGHT, and support for compressed points, specifiedECDomain (PK_PARSE_EXTENDED) and ECC key derivation. Builds everything (X.509, TLS) and runs all tests including ssl-opt.sh. So far it uses a bit of a hack (-D in CFLAGS) to enabled ECP_LIGHT without ECP_C.
2. component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa with all top-level modules accelerated and no ecp.c at all, not even light. Hence, no support for compressed points, SpecifiedECDomain or ECC key derivation. So far, only builds crypto including PK (since 7682), but no X.509 or TLS.

IMO we need to keep the two: one with ECP_LIGHT for the extra features it gives (to make sure those work without the full ECP_C), and one with no ECP at all but without the associated goodies (to make sure the rest works with no ECP at all).

The goal of this issue is only to remove the "So far it uses a bit of a hack" part of (1), by instead just leaving PK_PARSE_EXTENDED and PK_PARSE_COMPRESSED enabled in this component, so we no longer need to explicitly enable ECP_LIGHT via CFLAGS. (And conversely, we need to explicitly disable them in (2) in order to keep it free of any ECP at all.)

Removing the "So far, only builds crypto" part of (2) is out of scope here: it's the final goal of EPIC 2c :) (While this issue completes EPIC 2b (functionally, we'll still have some cleanup remaining).)

I think we should rename the components as follows for improved clarity:

1. test_psa_crypto_config_accel_all_ec_algs_use_psa -> test_psa_crypto_config_accel_ecc_ecp_light_only (asserts no mbedtls_ecp_mul_ in ecp.o)
2. component_test_psa_crypto_full_accel_all_ec_algs_no_ecp_use_psa -> component_test_psa_crypto_config_accel_ecc_no_ecp_at_all (asserts to mbedtls_ecp in ecp.o, meaning it's empty)
   (Or something similar.)

Note: looking further into the future, EPIC 2d will add a 3rd one component_test_psa_crypto_config_accel_ecc_no_bignum (asserts bignum.o empty) which should be the same as (2) above except without BIGNUM_C, hence without DHM_C, RSA_C and things that depend on those.

[mpg]

Note: I just updated the "Testing" part of #6839 with essentially what I wrote above :)

[valeriosetti]

Removing the "So far, only builds crypto" part of (2) is out of scope here

Yes, indeed I was having building problems with server2 and client2 since at least one of the 2 uses ECP functions to get the list of known curves and, of course, it wasn't particularly happy about the ECP_LIGHT removal

[valeriosetti]

I moved this PR from draft to normal because after this comment (in #7682) this PR is no more depending on 2 non-cascaded PRs, but it can easily be set on top of #7641.
I will update also the description accordingly

[mpg]

Looks all good to me except one backwards compatibility issue, for people using their own config file.

[mpg]

Note: in 3.4 this was not a separate option, support was automatically present in PK when ECP_C was defined. So, I think in order to preserve backward compatibility for people using a custom config we need to also auto-enable MBEDTLS_PK_PARSE_EC_COMPRESSED when PK_PARSE_C && ECP_C in build_info.h.

[valeriosetti]

@mpg even though the internal CI failed on test_psa_crypto_config_accel_hash_use_psa the Open counterpart did not, so I'm not sure what the problem is. Can you please check for me?

[gilles-peskine-arm]

The failure is in one of the ssl-opt test cases:

TLS 1.3 m->m: Session resumption failure, age outside tolerance window, too old.  FAIL
  ! pattern 'sent selected_identity:' MUST NOT be present in the Server output
  ! outputs saved to o-XXX-1587.log

This doesn't look related to this pull request. I have no idea what that test is doing so the logs don't mean anything to me. I've filed an issue about it as an intermittent failure.

[mpg]

Looks good to me, except for one thing that was missed when rebasing: the following paragraph in component_test_psa_crypto_config_accel_ecc_ecp_light_only should be removed:

    # Temporary hack to enable MBEDTLS_ECP_LIGHT
    # (will soon be auto-enabled in build_info.h)
    echo '#define MBEDTLS_ECP_LIGHT' >> include/mbedtls/mbedtls_config.h

[AndrzejKurek]

Looks good, but some things seem to be unclear.

[AndrzejKurek]

Suggested change

	* still depends on ECP_LIGHT
	* still depends on ECP_LIGHT.

Temporarily? Are there plans to change that?

[valeriosetti]

Good question indeed. TBH I didn't check if there is any task associated with this, but it looked strange to me that Montgomery curves' derivation is supported by PSA while Weierstrass is not. So mine was mostly a guess ':)
I'll check this but perhaps @mpg has a better overview of what is expected in the future.

[mpg]

Yes, the plan to change that is to add driver support for key derivation, see the dedicated EPIC.

While at it, MBEDTLS_PK_PARSE_EC_EXTENDED is temporary too, see #7779 and #7789 in the driver-only 2c EPIC, and MBEDTLS_PK_PARSE_EC_COMPRESSED should be fixed later by adding support for more formats in PSA, but this is at an early stage of investigation and doesn't have an EPIC or issues yet.

(I'll create some user-level documentation explaining the current limitations and plans about them for the future, but later in the EPICs, are things are moving too fast now, so documentation would be out-of-date very quickly. This will be done before the next release in any case.)

[AndrzejKurek]

Suggested change

	* be fixed by #7453
	* be fixed by #7453.

[AndrzejKurek]

The relation between this define and MBEDTLS_ECP_PF_COMPRESSED is not explained.

[mpg]

I'm not sure what the problem is, but just in case: MBEDTLS_ECP_PF_COMPRESSED is not a feature macro, it's a constant in ecp.h, and happens to be where the limitations for parsing are documented. Can you suggest a better wording?

[valeriosetti]

Oh, I see, so it's not a problem about the description itself as I thought initially, but it's more related to the automatic documentation generation. Am I correct?

[AndrzejKurek]

I'm not sure what the problem is, but just in case: MBEDTLS_ECP_PF_COMPRESSED is not a feature macro, it's a constant in ecp.h, and happens to be where the limitations for parsing are documented. Can you suggest a better wording?

It's not about wording, it's just that the documentation of this define mentiones another (relation unclear) place to see for more details. If there's another place that goes into more detail, It'd be great to know what's the relation between that place and this one. If there's no relation then why does it specify things important for someone considering to turn MBEDTLS_PK_PARSE_EC_COMPRESSED on?

[valeriosetti]

Ok understood. Does the last commit cover this gap or should it be reworked further?

[AndrzejKurek]

Yes, it's OK, now you're providing the full info and the source of it, regardless of the relation between the two places.

[mpg]

LGTM