Fix mbedtls link runtime resolution.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-06-12 13:28:15 +02:00 · 2026-06-11 22:07:37 +02:00
parent f94c74a74c
commit 5dfc7d51d2
6 changed files with 173 additions and 170 deletions
--- a/cmake/trusted.cmake
+++ b/cmake/trusted.cmake
@@ -1,7 +1,7 @@
 include_guard(GLOBAL)

 function(picokeys_trusted_region_enabled out_var)
-    if(PICO_RP2350 OR ENABLE_EMULATION OR ESP_PLATFORM)
+    if(PICO_RP2350)
        set(${out_var} TRUE PARENT_SCOPE)
    else()
        set(${out_var} FALSE PARENT_SCOPE)
@@ -12,26 +12,26 @@ macro(picokeys_init_trusted_config)
    set(PICOKEYS_TRUSTED_REGION_FLASH_BASE "0x100B0000" CACHE STRING "Fixed flash base for the trusted measurement region on Pico firmware builds")
    set(PICOKEYS_TRUSTED_STATE_RAM_BASE "0x20070000" CACHE STRING "Fixed RAM base for trusted writable state on Pico firmware builds")

-    if(CMAKE_C_COMPILER)
+    set(TRUSTED_MBEDTLS_HELPER_SOURCES
+        ${CMAKE_CURRENT_LIST_DIR}/src/trusted/trusted_mem.c
+    )
+endmacro()
+
+macro(picokeys_resolve_trusted_toolchain)
+    if(CMAKE_C_COMPILER AND PICO_RP2350)
        set(PICOKEYS_LIBGCC_QUERY_ARGS -print-libgcc-file-name)
-        if(PICO_RP2350)
        set(PICOKEYS_LIBGCC_QUERY_ARGS
            -mthumb
            -march=armv8-m.main+fp
            -mfloat-abi=softfp
            -print-libgcc-file-name
        )
-        endif()
        execute_process(
            COMMAND ${CMAKE_C_COMPILER} ${PICOKEYS_LIBGCC_QUERY_ARGS}
            OUTPUT_VARIABLE PICOKEYS_LIBGCC
            OUTPUT_STRIP_TRAILING_WHITESPACE
        )
    endif()
-
-    set(TRUSTED_MBEDTLS_HELPER_SOURCES
-        ${CMAKE_CURRENT_LIST_DIR}/src/trusted_mem.c
-    )
 endmacro()

 function(configure_picokeys_mbedtls_target target_name)
@@ -86,9 +86,7 @@ function(configure_picokeys_trusted_mbedtls_target target_name)
 endfunction()

 macro(picokeys_setup_trusted_mbedtls)
-    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION)
-        if(NOT ESP_PLATFORM)
-            if(PICO_PLATFORM AND PICO_RP2350 AND NOT ENABLE_EMULATION)
+    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION AND PICO_PLATFORM AND PICO_RP2350 AND NOT ENABLE_EMULATION)
        add_library(trusted_mbedtls_build STATIC ${MBEDTLS_SOURCES})
        target_include_directories(trusted_mbedtls_build SYSTEM PUBLIC
            ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include
@@ -150,53 +148,6 @@ macro(picokeys_setup_trusted_mbedtls)
        set_target_properties(trusted_mbedtls PROPERTIES
            IMPORTED_LOCATION ${TRUSTED_MBEDTLS_ARCHIVE}
        )
-            elseif(ENABLE_EMULATION AND NOT MSVC)
-                set(TRUSTED_REGION_EMBED_INPUT
-                    ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_STATIC_LIBRARY_PREFIX}mbedtls${CMAKE_STATIC_LIBRARY_SUFFIX}
-                )
-                if(APPLE)
-                    set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section __DATA,__trusted_region,regular,no_dead_strip")
-                    set(PICOKEYS_TRUSTED_START_SYM "___trusted_start")
-                    set(PICOKEYS_TRUSTED_END_SYM "___trusted_end")
-                    set(PICOKEYS_TRUSTED_LOAD_START_SYM "___trusted_load_start")
-                    set(PICOKEYS_TRUSTED_LOAD_END_SYM "___trusted_load_end")
-                else()
-                    set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section .trusted_region,\"a\",@progbits")
-                    set(PICOKEYS_TRUSTED_START_SYM "__trusted_start")
-                    set(PICOKEYS_TRUSTED_END_SYM "__trusted_end")
-                    set(PICOKEYS_TRUSTED_LOAD_START_SYM "__trusted_load_start")
-                    set(PICOKEYS_TRUSTED_LOAD_END_SYM "__trusted_load_end")
-                endif()
-                set(TRUSTED_REGION_EMBED_SOURCE ${CMAKE_CURRENT_BINARY_DIR}/trusted_region_embed.S)
-                configure_file(
-                    ${CMAKE_CURRENT_LIST_DIR}/src/trusted_region_embed.in.S
-                    ${TRUSTED_REGION_EMBED_SOURCE}
-                    @ONLY
-                )
-            endif()
-        elseif(ESP_PLATFORM)
-            add_library(trusted_mbedtls_payload STATIC ${MBEDTLS_SOURCES})
-            target_include_directories(trusted_mbedtls_payload
-                SYSTEM PRIVATE
-                    ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include
-                    ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/library
-            )
-            configure_picokeys_mbedtls_target(trusted_mbedtls_payload)
-            set(TRUSTED_REGION_EMBED_INPUT
-                ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_STATIC_LIBRARY_PREFIX}trusted_mbedtls_payload${CMAKE_STATIC_LIBRARY_SUFFIX}
-            )
-            set(PICOKEYS_TRUSTED_SECTION_DIRECTIVE ".section .rodata.trusted_region,\"a\",@progbits")
-            set(PICOKEYS_TRUSTED_START_SYM "__trusted_start")
-            set(PICOKEYS_TRUSTED_END_SYM "__trusted_end")
-            set(PICOKEYS_TRUSTED_LOAD_START_SYM "__trusted_load_start")
-            set(PICOKEYS_TRUSTED_LOAD_END_SYM "__trusted_load_end")
-            set(TRUSTED_REGION_EMBED_SOURCE ${CMAKE_CURRENT_BINARY_DIR}/trusted_region_embed.S)
-            configure_file(
-                ${CMAKE_CURRENT_LIST_DIR}/src/trusted_region_embed.in.S
-                ${TRUSTED_REGION_EMBED_SOURCE}
-                @ONLY
-            )
-        endif()
    endif()
 endmacro()

@@ -204,11 +155,11 @@ macro(picokeys_configure_trusted_support_sources)
    picokeys_trusted_region_enabled(enable_trusted_region)
    if(enable_trusted_region)
        if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
-            set_source_files_properties(${CMAKE_CURRENT_LIST_DIR}/src/trusted_mem.c PROPERTIES
+            set_source_files_properties(${CMAKE_CURRENT_LIST_DIR}/src/trusted/trusted_mem.c PROPERTIES
                COMPILE_OPTIONS "-fno-builtin;-fno-tree-loop-distribute-patterns"
            )
        else()
-            set_source_files_properties(${CMAKE_CURRENT_LIST_DIR}/src/trusted_mem.c PROPERTIES
+            set_source_files_properties(${CMAKE_CURRENT_LIST_DIR}/src/trusted/trusted_mem.c PROPERTIES
                COMPILE_OPTIONS "-fno-builtin"
            )
        endif()
@@ -228,9 +179,12 @@ macro(picokeys_configure_rp2350_trusted)
        target_include_directories(trusted_mbedtls_build PRIVATE
            ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt
        )
+        target_include_directories(${CMAKE_PROJECT_NAME} PUBLIC
+            ${CMAKE_CURRENT_LIST_DIR}/src/trusted
+        )
        target_sources(trusted_mbedtls_build PRIVATE
            ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt/sha256_alt.c
-            ${CMAKE_CURRENT_LIST_DIR}/src/trusted_pico_sha256.c
+            ${CMAKE_CURRENT_LIST_DIR}/src/trusted/trusted_pico_sha256.c
        )
        target_link_libraries(trusted_mbedtls_build PRIVATE
            pico_sha256_headers
@@ -242,7 +196,6 @@ endmacro()

 macro(picokeys_link_trusted_region target_name)
    if(TARGET trusted_mbedtls)
-        target_link_libraries(${target_name} PRIVATE trusted_mbedtls)
        target_link_options(${target_name} PRIVATE
            "LINKER:--defsym=__trusted_region_fixed_base=${PICOKEYS_TRUSTED_REGION_FLASH_BASE}"
            "LINKER:-T,${CMAKE_CURRENT_LIST_DIR}/config/rp2350/ld/trusted_region.ld"
--- a/picokeys_sdk_import.cmake
+++ b/picokeys_sdk_import.cmake
@@ -335,13 +335,6 @@ list(APPEND PICOKEYS_SOURCES
    ${CMAKE_CURRENT_LIST_DIR}/src/signal.c
 )

-if(PICO_RP2350 OR ENABLE_EMULATION OR ESP_PLATFORM)
-    add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1)
-    list(APPEND PICOKEYS_SOURCES
-        ${CMAKE_CURRENT_LIST_DIR}/src/trusted.c
-    )
-endif()
-
 if(ESP_PLATFORM)
    list(APPEND PICOKEYS_SOURCES
        ${CMAKE_CURRENT_LIST_DIR}/src/led/led_neopixel.c
@@ -460,35 +453,6 @@ if(UNIX AND NOT APPLE AND ENABLE_EMULATION)
    endif()
 endif()

-if(NOT ESP_PLATFORM)
-    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION)
-        add_library(mbedtls STATIC ${MBEDTLS_SOURCES})
-        target_include_directories(mbedtls SYSTEM PUBLIC
-            ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include
-            ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/library
-        )
-        configure_picokeys_mbedtls_target(mbedtls)
-    endif()
-    if(ENABLE_LIBCVC)
-        add_library(libcvc STATIC ${LIBCVC_SOURCES})
-        target_include_directories(libcvc SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/libcvc/src ${CMAKE_CURRENT_LIST_DIR}/third-party/libcvc/include)
-        target_link_libraries(libcvc PRIVATE mbedtls)
-        list(APPEND LIBRARIES libcvc)
-    endif()
-    if(USB_ITF_HID)
-        add_library(tinycbor STATIC ${CBOR_SOURCES})
-        target_include_directories(tinycbor SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/tinycbor/src)
-        list(APPEND LIBRARIES tinycbor)
-    endif()
-    if(USB_ITF_LWIP)
-        add_library(cjson STATIC ${CJSON_SOURCES})
-        target_include_directories(cjson SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/cjson)
-        list(APPEND LIBRARIES cjson)
-    endif()
-endif()
-
-picokeys_setup_trusted_mbedtls()
-
 if(PICO_PLATFORM)
    list(APPEND LIBRARIES
        pico_stdlib
@@ -562,7 +526,6 @@ else()
        ${CMAKE_CURRENT_LIST_DIR}/src/fs/mman.c
    )
 endif()
-picokeys_configure_trusted_support_sources()

 if(ENABLE_EMULATION)
    if(APPLE)
@@ -616,6 +579,48 @@ endif()

 if(PICO_PLATFORM)
    pico_sdk_init()
+    picokeys_resolve_trusted_toolchain()
+    picokeys_setup_trusted_mbedtls()
+else()
+    picokeys_resolve_trusted_toolchain()
+    picokeys_setup_trusted_mbedtls()
+endif()
+picokeys_configure_trusted_support_sources()
+
+if(NOT ESP_PLATFORM)
+    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION)
+        if(PICO_RP2350)
+            add_library(mbedtls INTERFACE)
+            target_include_directories(mbedtls INTERFACE
+                ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include
+                ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/library
+            )
+            target_link_libraries(mbedtls INTERFACE trusted_mbedtls)
+        else()
+            add_library(mbedtls STATIC ${MBEDTLS_SOURCES})
+            target_include_directories(mbedtls SYSTEM PUBLIC
+                ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/include
+                ${CMAKE_CURRENT_LIST_DIR}/third-party/mbedtls/library
+            )
+            configure_picokeys_mbedtls_target(mbedtls)
+        endif()
+    endif()
+    if(ENABLE_LIBCVC)
+        add_library(libcvc STATIC ${LIBCVC_SOURCES})
+        target_include_directories(libcvc SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/libcvc/src ${CMAKE_CURRENT_LIST_DIR}/third-party/libcvc/include)
+        target_link_libraries(libcvc PRIVATE mbedtls)
+        list(APPEND LIBRARIES libcvc)
+    endif()
+    if(USB_ITF_HID)
+        add_library(tinycbor STATIC ${CBOR_SOURCES})
+        target_include_directories(tinycbor SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/tinycbor/src)
+        list(APPEND LIBRARIES tinycbor)
+    endif()
+    if(USB_ITF_LWIP)
+        add_library(cjson STATIC ${CJSON_SOURCES})
+        target_include_directories(cjson SYSTEM PUBLIC ${CMAKE_CURRENT_LIST_DIR}/third-party/cjson)
+        list(APPEND LIBRARIES cjson)
+    endif()
 endif()

 if(ESP_PLATFORM)
@@ -680,6 +685,10 @@ if(USB_ITF_LWIP)
 endif()

 if(PICO_RP2350)
+    add_compile_definitions(PICOKEYS_HAS_TRUSTED_REGION=1)
+    list(APPEND PICOKEYS_SOURCES
+        ${CMAKE_CURRENT_LIST_DIR}/src/trusted/trusted.c
+    )
    pico_set_uf2_family(${CMAKE_PROJECT_NAME} "rp2350-arm-s")
    pico_embed_pt_in_binary(${CMAKE_PROJECT_NAME} "${CMAKE_CURRENT_LIST_DIR}/config/rp2350/pt.json")
    if(NOT IS_CYW43)
@@ -696,17 +705,24 @@ if(PICO_RP2350)
        ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt
    )
    if(TARGET mbedtls)
-        target_include_directories(mbedtls PRIVATE
+        target_include_directories(mbedtls INTERFACE
            ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt
        )
-        target_link_libraries(mbedtls PRIVATE pico_sha256_headers)
+        target_link_libraries(mbedtls INTERFACE pico_sha256_headers)
    endif()
    picokeys_configure_rp2350_trusted()
    list(APPEND PICOKEYS_SOURCES
        ${CMAKE_CURRENT_LIST_DIR}/config/rp2350/alt/sha256_alt.c
    )
    add_compile_definitions(MBEDTLS_SHA256_ALT=1)
+    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION)
+        list(APPEND LIBRARIES mbedtls)
+    endif()
    list(APPEND LIBRARIES pico_sha256)
+elseif(PICO_RP2040)
+    if(NOT SKIP_MBEDTLS_FOR_OPENSSL_EMULATION)
+        list(APPEND LIBRARIES mbedtls)
+    endif()
 endif()
 set(INTERNAL_SOURCES ${PICOKEYS_SOURCES})

--- a/src/trusted/trusted.c
+++ b/src/trusted/trusted.c
--- a/src/trusted/trusted.h
+++ b/src/trusted/trusted.h
--- a/src/trusted/trusted_mem.c
+++ b/src/trusted/trusted_mem.c
@@ -1,3 +1,20 @@
+/*
+ * This file is part of the Pico Keys SDK distribution (https://github.com/polhenarejos/pico-keys-sdk).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
 #include "mbedtls/platform_util.h"
 #include "trusted.h"

@@ -123,8 +140,8 @@ void picokeys_trusted_free(void *ptr)

 void mbedtls_platform_zeroize(void *buf, size_t len)
 {
-    if (len > 0) {
+    if (buf != NULL && len != 0) {
        picokeys_trusted_memset(buf, 0, len);
-        asm volatile ("" : : "m" (*(char (*)[len]) buf) :);
+        __asm__ volatile ("" ::: "memory");
    }
 }
--- a/src/trusted/trusted_pico_sha256.c
+++ b/src/trusted/trusted_pico_sha256.c
@@ -1,3 +1,20 @@
+/*
+ * This file is part of the Pico Keys SDK distribution (https://github.com/polhenarejos/pico-keys-sdk).
+ * Copyright (c) 2022 Pol Henarejos.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, version 3.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
 #include <inttypes.h>
 #include <stdint.h>
 #include <string.h>