Move public legacy headers to /include/mbedtls

[felixc-arm]

Moves public headers from /drivers/builtin/include/mbedtls to /include/mbedtls to make it clear that they are public.
Resolves #223, although there may be further work to move these headers somewhere else, e.g. /include/tf-psa-crypto.

List of files moved for reference:

asn1.h
asn1write.h
base64.h
constant_time.h
lms.h
memory_buffer_alloc.h
nist_kw.h
pem.h
pk.h
platform.h
platform_time.h
platform_util.h
psa_util.h
threading.h

PR checklist

• changelog not required because: no change in user-facing functionality
• framework PR provided: Adjust scripts to accommodate public header move mbedtls-framework#156
• mbedtls development PR provided: Adjust build scripts to accommodate public header move mbedtls#10122
• mbedtls 3.6 PR not required because: work for 4.0/1.0
• tests not required because: no functional changes

[gilles-peskine-arm]

There are probably build scripts that need to be updated. For example include/CMakeLists.txt has

    file(GLOB tf-psa-crypto_headers "tf-psa-crypto/*.h")
    file(GLOB mbedtls_crypto_headers "../drivers/builtin/include/mbedtls/*.h")

and presumably there needs to be a line for "mbedtls/*.h". I don't know whether it should be one of these variables or yet another one: I don't know what the difference is between those variables.

[felixc-arm]

The companion PR Mbed-TLS/mbedtls#10122 has now passed the CI

[valeriosetti]

The PR looks mostly OK to me. I only left 1 question

[gilles-peskine-arm]

The CI is unhappy here. Is the companion mbedtls pull request needed to make it happy?

[felixc-arm]

Yep, there's Mbed-TLS/mbedtls#10122 & Mbed-TLS/mbedtls-framework#156. Both of those should be merge-able without any dependencies, so I guess the process would be merge framework -> update mbedtls PR's tf-psa-crypto pointer to development head rather than this patch & update framework pointer to the merge commit -> wait for mbedtls to pass CI without this tf-psa-crypto commit -> merge mbedtls PR -> update framework pointer to the merge commit for this tf-psa-crypto PR which should then make this CI green -> merge this PR.

Does this seem right?

[gilles-peskine-arm]

@felixc-arm The framework PR can be merged on its own. But the mbedtls PR updates the crypto submodule, so it can't be merged until the crypto PR is merged. Is there a reasonable intermediate step where we can update mbedtls and crypto independently?

[felixc-arm]

@gilles-peskine-arm If I change the crypto pointer in the mbedtls PR back to development rather than this PR, then it should still be green and be able to be merged.

Then this crypto PR can be merged as the CI will use the new mbedtls from the now-merged mbedtls PR.

I guess after that is done then we can do a new patch that just updates mbedtls' crypto pointer to use the merge commit from this crypto PR, although that might not be needed if we don't care about the change being picked up immediately (although it would probably be better to do this so that tf-psa-crypto from the mbedtls repo is the same as TF-PSA-Crypto from the TF-PSA-Crypto repo)

This is the only way I can see to get stuff merged without (temporarily) breaking things for other people.

[gilles-peskine-arm]

@felixc-arm That's great! Please do this then. When it's just a matter of splitting PR like this, it's less disruptive than requiring branch updates to be synchronized — that tends to break many pull requests for unrelated work in progress.

[gilles-peskine-arm]

There's a merge conflict in the framework submodule, please update it.

There are also CI failures which look like they might be related to this change.

[felixc-arm]

@gilles-peskine-arm Yep, just waiting on Mbed-TLS/mbedtls#10122 to go in so that the mbedtls changes are in place, then this patch should be green. (+ I'll update the framework pointer at that point as well)