Allow Mbed CE to be built as an Arduino core (#206)

* Various changes for Arduino core support

* Apply Arduino Mbed TLS patches

* Apply linker script patch, add missing CXX standard

* Fix SDBlockDevice compile error, fix "no rule to make mbed-target-config.h"

* Fix missing source file for RPi Pico

* Fix missing licenses

Author: Jamie Smith

CMakeLists.txt

@@ -228,8 +228,10 @@ endif()
 
 # Generate target config header and include it in all files
 if(NOT MBED_IS_NATIVE_BUILD)
-    mbed_write_target_config_header(${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h MBED_TARGET_DEFINITIONS MBED_CONFIG_DEFINITIONS)
-    target_compile_options(mbed-core-flags INTERFACE -include ${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h)
+    file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/generated-headers)
+    mbed_write_target_config_header(${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h MBED_TARGET_DEFINITIONS MBED_CONFIG_DEFINITIONS)
+    target_compile_options(mbed-core-flags INTERFACE -include ${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h)
+    target_include_directories(mbed-core-flags INTERFACE ${CMAKE_CURRENT_BINARY_DIR}/generated-headers)
 endif()
 
 # Include mbed.h and config from generate folder
@@ -283,7 +285,7 @@ if(NOT MBED_IS_NATIVE_BUILD)
     mbed_create_distro(mbed-os ${MBED_TARGET_CMAKE_NAME} mbed-core-flags mbed-core-sources mbed-rtos-flags mbed-rtos-sources)
 
     # Set up the linker script and hook it up to the top-level OS targets
-    mbed_setup_linker_script(mbed-baremetal mbed-os ${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h)
+    mbed_setup_linker_script(mbed-baremetal mbed-os ${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h)
 
     # Make sure that things linking mbed-core-flags can also get the target-specific include dirs and flags.
     mbed_extract_flags(${MBED_TARGET_CMAKE_NAME}-flags ${MBED_TARGET_CMAKE_NAME})

connectivity/mbedtls/include/mbedtls/config.h

@@ -1204,7 +1204,7 @@
  *
  * Enable functions that use the filesystem.
  */
-//#define MBEDTLS_FS_IO
+#define MBEDTLS_FS_IO
 
 /**
  * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
@@ -3227,7 +3227,7 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-//#define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA1_C
 
 /**
  * \def MBEDTLS_SHA256_C

connectivity/mbedtls/mbed_lib.json

@@ -0,0 +1,11 @@
+{
+    "name": "mbedtls",
+    "config": {
+        "entropy-nv-seed": {
+            "macro_name": "MBEDTLS_ENTROPY_NV_SEED",
+            "help": "Set to 1 to enable Mbed TLS's Non-Volatile Storage entropy source.  This source allows usage of Mbed TLS on devices which do not have a cryptographic RNG.",
+            "value": null,
+            // Note: see here for details on how to implement the seed I/O: https://os.mbed.com/docs/mbed-os/v6.16/porting/entropy-sources.html
+        }
+    }
+}

connectivity/mbedtls/mbed_lib.json5

@@ -31,6 +31,10 @@
  * \ingroup public-crypto
  */
 
+#if CONFIG_MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
+#endif
+
 #if defined(FEATURE_EXPERIMENTAL_API) && defined(FEATURE_PSA)
 
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
@@ -72,9 +76,6 @@
 #include "mbedtls_device.h"
 #endif
 
-// Include SHA1 certificate support.  Used for a lot of root CAs.
-#define MBEDTLS_SHA1_C 1
-
 /*
  * MBEDTLS_ERR_PLATFORM_HW_FAILED is deprecated and should not be used.
  */

connectivity/mbedtls/platform/inc/platform_mbed.h

@@ -74,7 +74,11 @@
 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
 #include <sys/types.h>
 #include <sys/stat.h>
+#if defined(__MBED__)
+#include <platform/mbed_retarget.h>
+#else
 #include <dirent.h>
+#endif /* __MBED__ */
 #endif /* !_WIN32 || EFIX64 || EFI32 */
 #endif
 

connectivity/mbedtls/source/x509_crt.c

@@ -2,7 +2,20 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
+# Copyright (c) 2023, Arm Limited, All Rights Reserved
+#
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the License); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# * http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an AS IS BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #
 # Purpose
 #
@@ -53,7 +66,6 @@ conf unset MBEDTLS_TIMING_C
 
 # not supported on all targets with mbed OS, nor used by mbed Client
 conf unset MBEDTLS_HAVE_TIME_DATE
-conf unset MBEDTLS_FS_IO
 conf unset MBEDTLS_PSA_ITS_FILE_C
 conf unset MBEDTLS_PSA_CRYPTO_STORAGE_C
 conf set MBEDTLS_NO_PLATFORM_ENTROPY
@@ -89,7 +101,6 @@ conf unset MBEDTLS_PEM_WRITE_C
 conf unset MBEDTLS_PKCS5_C
 conf unset MBEDTLS_PKCS12_C
 conf unset MBEDTLS_RIPEMD160_C
-conf unset MBEDTLS_SHA1_C
 conf unset MBEDTLS_XTEA_C
 
 conf set MBEDTLS_CMAC_C

connectivity/mbedtls/tools/importer/adjust-config.sh

@@ -2,7 +2,20 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2018, ARM Limited, All Rights Reserved
+# Copyright (c) 2018, Arm Limited, All Rights Reserved
+#
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the License); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# * http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an AS IS BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #
 # Purpose
 #

connectivity/mbedtls/tools/importer/adjust-no-entropy-config.sh

@@ -303,6 +303,12 @@ int mbedtls_x509_crt_parse(mbedtls_x509_crt *a, const unsigned char *b, size_t c
     return mbedtls_stub.expected_int;
 }
 
+int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *a, const char *b)
+{
+    // means 5 valid certificates found
+    return 5;
+}
+
 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_crt *crt)
 {

connectivity/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.c

@@ -116,6 +116,46 @@ class TLSSocketWrapper : public Socket {
      */
     nsapi_error_t set_root_ca_cert(const char *root_ca_pem);
 
+    /**
+     * @brief Sets the Root CA certificate to a collection of files on the filesystem.
+     *
+     * All files in the supplied directory will be scanned.  Note that to set up a filesystem,
+     * you must mount one or more block devices before calling this function.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca_path Path containing Root CA Certificate files in any Mbed TLS-supported format.
+     *     This can point to a directory on any mounted filesystem.
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     *
+     */
+    nsapi_error_t set_root_ca_cert_path(const char *root_ca_path);
+
+    /** Appends the certificate to an existing CA chain.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca Root CA Certificate in any Mbed TLS-supported format.
+     * @param len     Length of certificate (including terminating 0 for PEM).
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     */
+    nsapi_error_t append_root_ca_cert(const void *root_ca, size_t len);
+
+    /** Appends the certificate to an existing CA chain.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca_pem Root CA Certificate in PEM format.
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     */
+    nsapi_error_t append_root_ca_cert(const char *root_ca_pem);
+
     /** Sets client certificate, and client private key.
      *
      * @param client_cert Client certification in PEM or DER format.