From 76fe5edd98fd37c9002cdd6a6f6c6a0d0ec55cca Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 10 Nov 2025 20:17:25 +0100 Subject: [PATCH 1/8] Use scripts/generate_config_checks.py unconditionally `scripts/generate_config_checks.py` had to be included conditionally so that consuming branches could transition from it not existing to it existing. Now that both TF-PSA-Crypto/development and mbedtls/development have this script, include it unconditionally. Signed-off-by: Gilles Peskine --- scripts/make_generated_files.py | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/scripts/make_generated_files.py b/scripts/make_generated_files.py index a2d04d355..73570fb28 100755 --- a/scripts/make_generated_files.py +++ b/scripts/make_generated_files.py @@ -10,7 +10,6 @@ Generate the TF-PSA-Crypto generated files """ import argparse import filecmp -import os import shutil import subprocess import sys @@ -75,17 +74,12 @@ def get_generation_script_files(generation_script: str): return files COMMON_GENERATION_SCRIPTS = [ -] - -# Once the script has been added to both Mbed TLS and TF-PSA-Crypto, -# we can include this unconditionally. -# https://github.com/Mbed-TLS/mbedtls/issues/10305 -if os.path.exists("scripts/generate_config_checks.py"): - COMMON_GENERATION_SCRIPTS.append(GenerationScript( + GenerationScript( Path("scripts/generate_config_checks.py"), get_generation_script_files("scripts/generate_config_checks.py"), output_dir_option="", - optional=True)) + optional=True) +] if build_tree.looks_like_tf_psa_crypto_root("."): TF_PSA_CRYPTO_GENERATION_SCRIPTS = [ From 203ff5e1651b8df9de49ad55e7f0d3d152221efe Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 31 Oct 2025 22:11:00 +0100 Subject: [PATCH 2/8] Support new location of crypto_adjust_config_synonyms.h in TF-PSA-Crypto >1.0.0 Signed-off-by: Gilles Peskine --- scripts/mbedtls_framework/psa_test_case.py | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
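Review bot: In the second hunk of `scripts/make_generated_files.py`, `get_generation_script_files("scripts/generate_config_checks.py")` is now evaluated unconditionally while the module loads. A consuming tree that still lacks the script would presumably fail at import instead of skipping the entry; the body of `get_generation_script_files` is outside the hunk, so confirm how it reacts to a missing file. The entry also keeps `optional=True` while the comment that explained the transition is removed. A short comment such as `# optional: <reason the output may be absent>` would tell the next reader whether the flag is still needed. A trailing comma after `optional=True)` would keep later additions to the list to one-line diffs.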
diff --git a/scripts/mbedtls_framework/psa_test_case.py b/scripts/mbedtls_framework/psa_test_case.py index 5964cad33..430f76353 100644 --- a/scripts/mbedtls_framework/psa_test_case.py +++ b/scripts/mbedtls_framework/psa_test_case.py @@ -47,10 +47,15 @@ def find_dependencies_not_implemented(dependencies: List[str]) -> List[str]: acc = set() #type: Set[str] for filename in [ - os.path.join(include_dir, 'psa/crypto_config.h'), - os.path.join(include_dir, 'psa/crypto_adjust_config_synonyms.h'), + 'psa/crypto_config.h', + 'psa/crypto_adjust_config_synonyms.h', + 'tf-psa-crypto/private/crypto_adjust_config_synonyms.h', ]: - read_implemented_dependencies(acc, filename) + path = os.path.join(build_tree.guess_project_root(), + include_dir, + filename) + if os.path.exists(path): + read_implemented_dependencies(acc, path) _implemented_dependencies = frozenset(acc) return [dep for dep in dependencies From 02eef2a48b5bd2162e01fdd176f54f3d2deb88d7 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 14 Nov 2025 14:35:01 +0100 Subject: [PATCH 3/8] Update config information about TF-PSA-Crypto 1.0 and Mbed TLS 4.0 Update data collected a few weeks before the release to the actual releases. This fixes `check_names.py` failing on `MBEDTLS_DES_C` in `tf_psa_crypto_config_check_user.h` when generated files are present in the source tree. ``` scripts/save_config_history.sh mbedtls-4.0.0 4.0 scripts/save_config_history.sh tf-psa-crypto-1.0.0 1.0 ``` Signed-off-by: Gilles Peskine --- history/config-adjust-tfpsacrypto-1.0.txt | 26 ---------------------- history/config-options-mbedtls-4.0.txt | 1 + history/config-options-tfpsacrypto-1.0.txt | 25 ++------------------- 3 files changed, 3 insertions(+), 49 deletions(-) diff --git a/history/config-adjust-tfpsacrypto-1.0.txt b/history/config-adjust-tfpsacrypto-1.0.txt index 09766414d..7725ff775 100644 --- a/history/config-adjust-tfpsacrypto-1.0.txt +++ b/history/config-adjust-tfpsacrypto-1.0.txt 
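Review bot: The new `if os.path.exists(path):` guard in `find_dependencies_not_implemented` silently skips every missing header, including `psa/crypto_config.h`. A wrong result from `build_tree.guess_project_root()` or an unexpected `include_dir` therefore leaves `acc` empty, and `_implemented_dependencies` is frozen as an empty set. Judging by the function name and the visible start of the `return` expression, every dependency would then presumably be reported as not implemented, which would quietly change which generated PSA test cases run. Only the two `crypto_adjust_config_synonyms.h` locations need to be optional; a check after the loop such as `if not acc: raise Exception('no PSA configuration header found in {}'.format(include_dir))` keeps the failure loud. The function's body continues outside the hunk.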
@@ -32,9 +32,7 @@ MBEDTLS_CIPHER_PADDING_PKCS7 MBEDTLS_CMAC_C MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H -MBEDTLS_CONFIG_ADJUST_PSA_SUPERSET_LEGACY_H MBEDTLS_CONFIG_ADJUST_TEST_ACCELERATORS_H -MBEDTLS_DES_C MBEDTLS_ECDH_C MBEDTLS_ECDSA_C MBEDTLS_ECDSA_DETERMINISTIC @@ -127,7 +125,6 @@ MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 MBEDTLS_PSA_ACCEL_KEY_TYPE_DERIVE -MBEDTLS_PSA_ACCEL_KEY_TYPE_DES MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE @@ -211,7 +208,6 @@ MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 -MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE @@ -235,7 +231,6 @@ MBEDTLS_PSA_CRYPTO_RNG_STRENGTH MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES -MBEDTLS_PSA_DRIVER_GET_ENTROPY MBEDTLS_PSA_DRIVER_GET_ENTROPY_DEFINED MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES @@ -247,8 +242,6 @@ MBEDTLS_RSA_C MBEDTLS_SHA1_C MBEDTLS_SHA224_C MBEDTLS_SHA256_C -MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT -MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA384_C MBEDTLS_SHA512_C MBEDTLS_SSL_HAVE_AEAD @@ -266,7 +259,6 @@ PSA_HAVE_SOFT_BLOCK_MODE PSA_HAVE_SOFT_KEY_TYPE_AES PSA_HAVE_SOFT_KEY_TYPE_ARIA PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA -PSA_HAVE_SOFT_KEY_TYPE_DES PSA_HAVE_SOFT_PBKDF2 PSA_HAVE_SOFT_PBKDF2_CMAC PSA_HAVE_SOFT_PBKDF2_HMAC 
@@ -275,29 +267,11 @@ PSA_WANT_ALG_ECB_NO_PADDING PSA_WANT_ALG_ECDSA PSA_WANT_ALG_ECDSA_ANY PSA_WANT_ALG_HMAC -PSA_WANT_ALG_MD5 -PSA_WANT_ALG_RIPEMD160 PSA_WANT_ALG_RSA_PKCS1V15_SIGN PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW PSA_WANT_ALG_RSA_PSS PSA_WANT_ALG_RSA_PSS_ANY_SALT -PSA_WANT_ALG_SHA_1 -PSA_WANT_ALG_SHA_224 -PSA_WANT_ALG_SHA_256 -PSA_WANT_ALG_SHA_384 -PSA_WANT_ALG_SHA_512 PSA_WANT_ALG_SOME_PAKE -PSA_WANT_ECC_BRAINPOOL_P_R1_256 -PSA_WANT_ECC_BRAINPOOL_P_R1_384 -PSA_WANT_ECC_BRAINPOOL_P_R1_512 -PSA_WANT_ECC_MONTGOMERY_255 -PSA_WANT_ECC_MONTGOMERY_448 -PSA_WANT_ECC_SECP_K1_192 -PSA_WANT_ECC_SECP_K1_256 -PSA_WANT_ECC_SECP_R1_192 -PSA_WANT_ECC_SECP_R1_256 -PSA_WANT_ECC_SECP_R1_384 -PSA_WANT_ECC_SECP_R1_521 PSA_WANT_KEY_TYPE_AES PSA_WANT_KEY_TYPE_DERIVE PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC diff --git a/history/config-options-mbedtls-4.0.txt b/history/config-options-mbedtls-4.0.txt index cadd768dc..81b233804 100644 --- a/history/config-options-mbedtls-4.0.txt +++ b/history/config-options-mbedtls-4.0.txt @@ -40,6 +40,7 @@ MBEDTLS_SSL_KEEP_PEER_CERTIFICATE MBEDTLS_SSL_KEYING_MATERIAL_EXPORT MBEDTLS_SSL_MAX_EARLY_DATA_SIZE MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +MBEDTLS_SSL_NULL_CIPHERSUITES MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_PROTO_DTLS MBEDTLS_SSL_PROTO_TLS1_2 diff --git a/history/config-options-tfpsacrypto-1.0.txt b/history/config-options-tfpsacrypto-1.0.txt index d8458a8ff..db99c299b 100644 --- a/history/config-options-tfpsacrypto-1.0.txt +++ b/history/config-options-tfpsacrypto-1.0.txt 
@@ -7,31 +7,14 @@ MBEDTLS_AES_USE_HARDWARE_ONLY MBEDTLS_ASN1_PARSE_C MBEDTLS_ASN1_WRITE_C MBEDTLS_BASE64_C -MBEDTLS_BIGNUM_C MBEDTLS_BLOCK_CIPHER_NO_DECRYPT MBEDTLS_CAMELLIA_SMALL_MEMORY MBEDTLS_CHECK_RETURN MBEDTLS_CHECK_RETURN_WARNING -MBEDTLS_CIPHER_NULL_CIPHER MBEDTLS_CTR_DRBG_C MBEDTLS_DEPRECATED_REMOVED MBEDTLS_DEPRECATED_WARNING -MBEDTLS_ECDH_C MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED -MBEDTLS_ECDSA_C -MBEDTLS_ECJPAKE_C -MBEDTLS_ECP_C -MBEDTLS_ECP_DP_BP256R1_ENABLED -MBEDTLS_ECP_DP_BP384R1_ENABLED -MBEDTLS_ECP_DP_BP512R1_ENABLED -MBEDTLS_ECP_DP_CURVE25519_ENABLED -MBEDTLS_ECP_DP_CURVE448_ENABLED -MBEDTLS_ECP_DP_SECP192K1_ENABLED -MBEDTLS_ECP_DP_SECP192R1_ENABLED -MBEDTLS_ECP_DP_SECP256K1_ENABLED -MBEDTLS_ECP_DP_SECP256R1_ENABLED -MBEDTLS_ECP_DP_SECP384R1_ENABLED -MBEDTLS_ECP_DP_SECP521R1_ENABLED MBEDTLS_ECP_FIXED_POINT_OPTIM MBEDTLS_ECP_NIST_OPTIM MBEDTLS_ECP_RESTARTABLE @@ -74,7 +57,6 @@ MBEDTLS_PLATFORM_EXIT_MACRO MBEDTLS_PLATFORM_FPRINTF_ALT MBEDTLS_PLATFORM_FPRINTF_MACRO MBEDTLS_PLATFORM_FREE_MACRO -MBEDTLS_PLATFORM_GET_ENTROPY_ALT MBEDTLS_PLATFORM_GMTIME_R_ALT MBEDTLS_PLATFORM_MEMORY MBEDTLS_PLATFORM_MS_TIME_ALT @@ -136,8 +118,6 @@ MBEDTLS_RSA_GEN_KEY_MIN_BITS MBEDTLS_RSA_NO_CRT MBEDTLS_SELF_TEST MBEDTLS_SHA256_SMALLER -MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT -MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA512_SMALLER @@ -212,14 +192,12 @@ PSA_WANT_KEY_TYPE_ARIA PSA_WANT_KEY_TYPE_CAMELLIA PSA_WANT_KEY_TYPE_CHACHA20 PSA_WANT_KEY_TYPE_DERIVE -PSA_WANT_KEY_TYPE_DES PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY -PSA_WANT_KEY_TYPE_ECC_KEY_PAIR PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 
@@ -230,13 +208,14 @@ PSA_WANT_KEY_TYPE_HMAC PSA_WANT_KEY_TYPE_PASSWORD PSA_WANT_KEY_TYPE_PASSWORD_HASH PSA_WANT_KEY_TYPE_RAW_DATA -PSA_WANT_KEY_TYPE_RSA_KEY_PAIR PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY +TF_PSA_CRYPTO_ALLOW_REMOVED_MECHANISMS TF_PSA_CRYPTO_CONFIG_FILE +TF_PSA_CRYPTO_CONFIG_VERSION TF_PSA_CRYPTO_USER_CONFIG_FILE TF_PSA_CRYPTO_VERSION From fbb7e523045d94ea8bb46984cfb7afde8f82dba8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 14 Nov 2025 14:46:50 +0100 Subject: [PATCH 4/8] Avoid splitting file names across lines in problem reports Signed-off-by: Gilles Peskine --- scripts/check_names.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/check_names.py b/scripts/check_names.py index d8605f689..3d2ce1b42 100755 --- a/scripts/check_names.py +++ b/scripts/check_names.py @@ -99,7 +99,8 @@ class Problem(abc.ABC): # pylint: disable=too-few-public-methods # Class variable to control the quietness of all problems quiet = False def __init__(self): - self.textwrapper = textwrap.TextWrapper() + self.textwrapper = textwrap.TextWrapper(break_on_hyphens=False, + break_long_words=False) self.textwrapper.width = 80 self.textwrapper.initial_indent = " > " self.textwrapper.subsequent_indent = " " From 26adfccaaa05b7e1a04cd0abf1a53fe0e976b683 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 14 Nov 2025 14:47:50 +0100 Subject: [PATCH 5/8] Log which files get parsed Signed-off-by: Gilles Peskine --- scripts/check_names.py | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/scripts/check_names.py b/scripts/check_names.py index 3d2ce1b42..34fcc0023 100755 --- a/scripts/check_names.py +++ b/scripts/check_names.py 
@@ -307,7 +307,7 @@ class CodeParser(): exc_files.append(path) else: inc_files.append(path) - return (inc_files, exc_files) + return (sorted(inc_files), sorted(exc_files)) def get_included_files(self, include_wildcards, exclude_wildcards): """ @@ -327,8 +327,8 @@ class CodeParser(): for include_wildcard in include_wildcards: accumulator = accumulator.union(glob.iglob(include_wildcard)) - return list(path for path in accumulator - if not self.is_file_excluded(path, exclude_wildcards)) + return sorted(path for path in accumulator + if not self.is_file_excluded(path, exclude_wildcards)) def parse_macros(self, include, exclude=None): """ @@ -350,6 +350,7 @@ class CodeParser(): macros = [] for header_file in files: + self.log.debug("Parsing macros in " + header_file) with open(header_file, "r", encoding="utf-8") as header: for line_no, line in enumerate(header): for macro in macro_regex.finditer(line): @@ -388,6 +389,7 @@ class CodeParser(): mbed_psa_words = [] for filename in files: + self.log.debug("Parsing words in " + filename) with open(filename, "r", encoding="utf-8") as fp: for line_no, line in enumerate(fp): if exclusions.search(line): @@ -424,6 +426,7 @@ class CodeParser(): enum_consts = [] for header_file in files: state = states.OUTSIDE_KEYWORD + self.log.debug("Parsing enums in " + header_file) with open(header_file, "r", encoding="utf-8") as header: for line_no, line in enumerate(header): # Match typedefs and brackets only when they are at the @@ -540,6 +543,7 @@ class CodeParser(): Append found matches to the list ``identifiers``. """ + self.log.debug("Parsing identifier declarations in " + header_file) with open(header_file, "r", encoding="utf-8") as header: in_block_comment = False # The previous line variable is used for concatenating lines 
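Review bot: The new debug messages are built by string concatenation, so each string is assembled even when debug logging is off. This applies to `"Parsing macros in " + header_file` in the `-350` hunk and to the same form in the `-388`, `-424` and `-540` hunks; the added "Looking for excluded identifiers" message in the `-615` hunk does the same with `.format`. Passing the value as a logging argument, `self.log.debug("Parsing macros in %s", header_file)`, defers formatting to the logger and is the usual `logging` idiom. The enclosing functions start and end outside these hunks.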
@@ -615,11 +619,13 @@ class CodeParser(): self.log.debug("Looking for included identifiers in {} files".format \ (len(included_files))) - included_identifiers = [] - excluded_identifiers = [] for header_file in included_files: self.parse_identifiers_in_file(header_file, included_identifiers) + + self.log.debug("Looking for excluded identifiers in {} files".format \ + (len(excluded_files))) + excluded_identifiers = [] for header_file in excluded_files: self.parse_identifiers_in_file(header_file, excluded_identifiers) From 30bea3d76744b71030f8f525d8ab34c3f8bad67a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 14 Nov 2025 15:17:08 +0100 Subject: [PATCH 6/8] Be more robust about exact paths Don't insist so much on exact directory and file names. In particular, be tolerant to new subdirectories of `include` directories. The resulting list of files is almost the same, except that a few more Everest files are getting parsed, which is harmless (and perhaps technically a bug fix). Signed-off-by: Gilles Peskine --- scripts/check_names.py | 114 ++++++++++++++++------------------------- 1 file changed, 43 insertions(+), 71 deletions(-) diff --git a/scripts/check_names.py b/scripts/check_names.py index 34fcc0023..d1a2bcc22 100755 --- a/scripts/check_names.py +++ b/scripts/check_names.py @@ -298,7 +298,7 @@ class CodeParser(): accumulator = set() all_wildcards = include_wildcards + (exclude_wildcards or []) for wildcard in all_wildcards: - accumulator = accumulator.union(glob.iglob(wildcard)) + accumulator = accumulator.union(glob.iglob(wildcard, recursive=True)) inc_files = [] exc_files = [] @@ -325,7 +325,8 @@ class CodeParser(): accumulator = set() for include_wildcard in include_wildcards: - accumulator = accumulator.union(glob.iglob(include_wildcard)) + accumulator = accumulator.union(glob.iglob(include_wildcard, + recursive=True)) return sorted(path for path in accumulator if not self.is_file_excluded(path, exclude_wildcards)) 
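Review bot: Passing `recursive=True` to `glob.iglob` in `get_included_files` and in the helper that returns `(inc_files, exc_files)` changes the meaning of `**` for every caller of these helpers, not only for the new TF-PSA-Crypto lists. In the latter helper it also applies to the exclude wildcards, because they are concatenated into `all_wildcards` before globbing. Python's `glob` documents that a recursive `**` also matches symbolic links to directories, so a link under `include/` or under a driver's `include/` that points at a build or vendor tree would have its headers checked as project files. A comment at the call, e.g. `# recursive: "**" spans directory levels and also follows directory symlinks`, would record that. Both functions' bodies extend beyond the hunks.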
@@ -697,6 +698,32 @@ class TFPSACryptoCodeParser(CodeParser): if not build_tree.looks_like_tf_psa_crypto_root(os.getcwd()): raise Exception("This script must be run from TF-PSA-Crypto root.") + H_PUBLIC = [ + "include/**/*.h", + "drivers/*/include/**/*.h", + "include/mbedtls/private/*.h", + ] + H_PUBLIC_EXCLUDE = [ + 'drivers/everest/include/tf-psa-crypto/private/everest/[HhKk]*.h', + 'drivers/everest/include/tf-psa-crypto/private/everest/k*/*.h', + 'drivers/everest/include/tf-psa-crypto/private/everest/vs*/*.h', + ] + + H_INTERNAL = [ + "core/*.h", + "drivers/*/src/*.h", + ] + + H_TEST_DRIVERS = [ + "framework/tests/include/test/drivers/*.h", + ] + + C_INTERNAL = [ + "core/*.c", + "drivers/*/library/*.c", + "drivers/*/src/*.c", + ] + def comprehensive_parse(self): """ Comprehensive ("default") function to call each parsing function and 
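Review bot: The new class-level lists `H_PUBLIC`, `H_PUBLIC_EXCLUDE`, `H_INTERNAL`, `H_TEST_DRIVERS` and `C_INTERNAL` carry no comments, although they change the checker from naming each directory to taking everything under `include/**` and `drivers/*/include/**` and subtracting exclusions. Anything that later lands in those trees, such as a new driver's headers or generated files left in the source tree, is then treated as public API unless someone adds an exclude entry. That rule belongs next to the lists, for example `# Every header under these trees is checked as public API; list third-party or generated headers in H_PUBLIC_EXCLUDE.` The three Everest patterns (`[HhKk]*.h`, `k*/*.h`, `vs*/*.h`) would also benefit from one line saying which files they are meant to drop.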
@@ -705,75 +732,20 @@ class TFPSACryptoCodeParser(CodeParser): Returns a dict of parsed item key to the corresponding List of Matches. """ all_macros = {"public": [], "internal": [], "private":[]} - all_macros["public"] = self.parse_macros([ - "include/psa/*.h", - "include/tf-psa-crypto/*.h", - "include/mbedtls/*.h", - "drivers/builtin/include/mbedtls/*.h", - "include/mbedtls/private/*.h", - "drivers/builtin/include/mbedtls/private/*.h", - "drivers/everest/include/everest/everest.h", - "drivers/everest/include/everest/x25519.h", - "drivers/everest/include/tf-psa-crypto/private/everest/everest.h", - "drivers/everest/include/tf-psa-crypto/private/everest/x25519.h" - ]) - all_macros["internal"] = self.parse_macros([ - "core/*.h", - "drivers/builtin/src/*.h", - "framework/tests/include/test/drivers/*.h", - ]) - all_macros["private"] = self.parse_macros([ - "core/*.c", - "drivers/builtin/src/*.c", - ]) - enum_consts = self.parse_enum_consts([ - "include/psa/*.h", - "include/tf-psa-crypto/*.h", - "include/mbedtls/*.h", - "drivers/builtin/include/mbedtls/*.h", - "include/mbedtls/private/*.h", - "drivers/builtin/include/mbedtls/private/*.h", - "core/*.h", - "drivers/builtin/src/*.h", - "core/*.c", - "drivers/builtin/src/*.c", - "drivers/everest/include/everest/everest.h", - "drivers/everest/include/everest/x25519.h", - "drivers/everest/include/tf-psa-crypto/private/everest/everest.h", - "drivers/everest/include/tf-psa-crypto/private/everest/x25519.h" - ]) - identifiers, excluded_identifiers = self.parse_identifiers([ - "include/psa/*.h", - "include/tf-psa-crypto/*.h", - "include/mbedtls/*.h", - "drivers/builtin/include/mbedtls/*.h", - "include/mbedtls/private/*.h", - "drivers/builtin/include/mbedtls/private/*.h", - "core/*.h", - "drivers/builtin/src/*.h", - "drivers/everest/include/everest/everest.h", - "drivers/everest/include/everest/x25519.h", - "drivers/everest/include/tf-psa-crypto/private/everest/everest.h", - 
"drivers/everest/include/tf-psa-crypto/private/everest/x25519.h" - ], ["drivers/p256-m/p256-m/p256-m.h"]) - mbed_psa_words = self.parse_mbed_psa_words([ - "include/psa/*.h", - "include/tf-psa-crypto/*.h", - "include/mbedtls/*.h", - "drivers/builtin/include/mbedtls/*.h", - "include/mbedtls/private/*.h", - "drivers/builtin/include/mbedtls/private/*.h", - "core/*.h", - "drivers/builtin/src/*.h", - "drivers/everest/include/everest/everest.h", - "drivers/everest/include/everest/x25519.h", - "drivers/everest/include/tf-psa-crypto/private/everest/everest.h", - "drivers/everest/include/tf-psa-crypto/private/everest/x25519.h", - "core/*.c", - "drivers/builtin/src/*.c", - "drivers/everest/library/everest.c", - "drivers/everest/library/x25519.c" - ], ["core/psa_crypto_driver_wrappers.h"]) + all_macros["public"] = self.parse_macros(self.H_PUBLIC, + self.H_PUBLIC_EXCLUDE) + all_macros["internal"] = self.parse_macros(self.H_INTERNAL + + self.H_TEST_DRIVERS) + all_macros["private"] = self.parse_macros(self.C_INTERNAL) + enum_consts = self.parse_enum_consts( + self.H_PUBLIC + self.H_INTERNAL + self.C_INTERNAL, + self.H_PUBLIC_EXCLUDE) + identifiers, excluded_identifiers = self.parse_identifiers( + self.H_PUBLIC + self.H_INTERNAL, + self.H_PUBLIC_EXCLUDE + ["drivers/p256-m/p256-m/p256-m.h"]) + mbed_psa_words = self.parse_mbed_psa_words( + self.H_PUBLIC + self.H_INTERNAL + self.C_INTERNAL, + self.H_PUBLIC_EXCLUDE + ["core/psa_crypto_driver_wrappers.h"]) symbols = self.parse_symbols() return self._parse(all_macros, enum_consts, identifiers, From 16236cb8a2abf13f9255206edd30695f673f3a98 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 19 Nov 2025 19:47:02 +0100 Subject: [PATCH 7/8] Remove redundant entry in glob list Signed-off-by: Gilles Peskine --- scripts/check_names.py | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/check_names.py b/scripts/check_names.py index d1a2bcc22..9c0221281 100755 --- a/scripts/check_names.py +++ b/scripts/check_names.py 
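Review bot: In `comprehensive_parse`, two exclusions remain inline literals while every other path moved into a named class list: `+ ["drivers/p256-m/p256-m/p256-m.h"]` for `parse_identifiers` and `+ ["core/psa_crypto_driver_wrappers.h"]` for `parse_mbed_psa_words`. `drivers/p256-m/p256-m/p256-m.h` matches none of the include globs in `H_PUBLIC + H_INTERNAL`, so it is presumably there only to feed `excluded_identifiers`, which is not obvious from the call. Naming the two entries alongside the other lists would make the intent checkable, as would a comment such as `# p256-m.h is outside the include set; listed so that its identifiers are collected as excluded`. The method's body continues outside the hunk.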
@@ -701,7 +701,6 @@ class TFPSACryptoCodeParser(CodeParser): H_PUBLIC = [ "include/**/*.h", "drivers/*/include/**/*.h", - "include/mbedtls/private/*.h", ] H_PUBLIC_EXCLUDE = [ 'drivers/everest/include/tf-psa-crypto/private/everest/[HhKk]*.h', From d6f03a43290afb3236674dba709611febdeb6da3 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 19 Nov 2025 19:52:05 +0100 Subject: [PATCH 8/8] Document wildcard matching The include and exclude lists use different library functions which have different semantics for wildcards. Signed-off-by: Gilles Peskine --- scripts/check_names.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/scripts/check_names.py b/scripts/check_names.py index 9c0221281..1afbb8a13 100755 --- a/scripts/check_names.py +++ b/scripts/check_names.py @@ -289,7 +289,16 @@ class CodeParser(): Args: * include_wildcards: a List of shell-style wildcards to match filepaths. + - "*" does not match a directory separator, e.g. "*/a.h" + matches "somedir/a.h" but not "somedir/subdir/a.h". + - "**" matches zero or more directory levels, e.g. "**/a.h" + matches "a.h", "somedir/a.h", "somedir/subdir/a.h", etc. + - The matching is case-insensitive. * exclude_wildcards: a List of shell-style wildcards to exclude. + - "*" matches every character including separators, e.g. "*/a.h" + matches "somedir/a.h" and "somedir/subdir/a.h" but not "a.h". + - "**" is equivalent to "*". + - The matching is case-sensitive. Returns: * inc_files: A List of relative filepaths for included files.
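Review bot: The added docstring bullets say include wildcards match case-insensitively and exclude wildcards case-sensitively, which does not look right on every platform. As far as I know, `glob` follows the platform and file system for case (wildcard components are case-sensitive on POSIX), and the exclude side depends on which `fnmatch` function the exclusion helper calls, which is outside this hunk. The documented function also appears to expand the exclude wildcards with `glob.iglob(wildcard, recursive=True)`, via `all_wildcards` in the `-298` hunk of patch 6. If so, an exclude pattern is subject to glob rules when files are collected and to the exclusion matcher when they are classified. I would word the case bullets as platform-dependent, e.g. `- Case sensitivity follows the platform's file name rules.`, and add `- Also expanded with glob rules to find the files to exclude.` under `exclude_wildcards`.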