Mbed-TLS · davidhorstmann-arm · Jan 23, 2026 · Jul 29, 2025 · Jul 29, 2025 · Aug 11, 2025
diff --git a/psasim/Makefile b/psasim/Makefile
@@ -1,64 +1,81 @@
-CFLAGS ?=  -Wall -std=c99
-INCLUDE := -I./include/
-DESTDIR ?= /usr/local
-PREFIX := libpsaff
-BUILDDIR ?= bin
+CFLAGS += -Wall -Werror -std=c99 -D_XOPEN_SOURCE=1 -D_POSIX_C_SOURCE=200809L
 
-.PHONY: all install test uninstall run docker ci
+ifeq ($(DEBUG),1)
+override CFLAGS += -DDEBUG -O0 -g
+endif
 
-all: libpsaff.so
+CLIENT_LIBS := -Lclient_libs -lpsaclient -lmbedtls -lmbedx509 -lmbedcrypto
+SERVER_LIBS := -Lserver_libs -lmbedcrypto
 
-libpsaff.so:
-	$(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/common.c -o common.o
-	$(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/client.c -o client.o
-	$(CC) $(INCLUDE) $(CFLAGS) -c -fpic src/service.c -o server.o
-	$(CC) -shared -o libpsaff.so common.o client.o server.o
+MBEDTLS_ROOT_PATH = ../..
+COMMON_INCLUDE := -I./include -I$(MBEDTLS_ROOT_PATH)/include \
+                  -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/include \
+                  -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
 
-ifeq ($(DEBUG),1)
-  CFLAGS += -DDEBUG -g
-endif
+GENERATED_H_FILES =	include/psa_manifest/manifest.h \
+					include/psa_manifest/pid.h \
+					include/psa_manifest/sid.h
+
+LIBPSACLIENT_SRC = src/psa_ff_client.c \
+		 		src/psa_sim_crypto_client.c \
+		 		src/psa_sim_serialise.c
+LIBPSACLIENT_OBJS=$(LIBPSACLIENT_SRC:.c=.o)
+
+PSA_CLIENT_BASE_SRC = $(LIBPSACLIENT_SRC) src/client.c
+
+PSA_CLIENT_FULL_SRC = $(LIBPSACLIENT_SRC) \
+				$(wildcard src/aut_*.c)
+
+PARTITION_SERVER_BOOTSTRAP = src/psa_ff_bootstrap_TEST_PARTITION.c
+
+PSA_SERVER_SRC = $(PARTITION_SERVER_BOOTSTRAP) \
+				 src/psa_ff_server.c \
+				 src/psa_sim_crypto_server.c \
+				 src/psa_sim_serialise.c
+
+.PHONY: all clean client_libs server_libs
+
+all:
+
+test/seedfile:
+	dd if=/dev/urandom of=./test/seedfile bs=64 count=1
+
+src/%.o: src/%.c $(GENERATED_H_FILES)
+	$(CC) $(COMMON_INCLUDE) $(CFLAGS) -c $< $(LDFLAGS) -o $@
+
+client_libs/libpsaclient: $(LIBPSACLIENT_OBJS)
+	mkdir -p client_libs
+	$(AR) -src client_libs/libpsaclient.a $(LIBPSACLIENT_OBJS)
+
+test/psa_client_base: $(PSA_CLIENT_BASE_SRC) $(GENERATED_H_FILES) test/seedfile
+	$(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_CLIENT_BASE_SRC) $(CLIENT_LIBS) $(LDFLAGS) -o $@
+
+test/psa_client_full: $(PSA_CLIENT_FULL_SRC) $(GENERATED_H_FILES) test/seedfile
+	$(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_CLIENT_FULL_SRC) $(CLIENT_LIBS) $(LDFLAGS) -o $@
+
+test/psa_server: $(PSA_SERVER_SRC) $(GENERATED_H_FILES)
+	$(CC) $(COMMON_INCLUDE) $(CFLAGS) $(PSA_SERVER_SRC) $(SERVER_LIBS) $(LDFLAGS) -o $@
+
+$(PARTITION_SERVER_BOOTSTRAP) $(GENERATED_H_FILES): src/manifest.json src/server.c
+	tools/psa_autogen.py src/manifest.json
+
+# Build MbedTLS libraries (crypto, x509 and tls) and copy them locally to
+# build client/server applications.
+#
+# Note: these rules assume that mbedtls_config.h is already configured by all.sh.
+# If not using all.sh then the user must do it manually.
+client_libs: client_libs/libpsaclient
+client_libs server_libs:
+	$(MAKE) -C $(MBEDTLS_ROOT_PATH)/library CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a libmbedx509.a libmbedtls.a
+	mkdir -p $@
+	cp $(MBEDTLS_ROOT_PATH)/library/libmbed*.a $@/
 
-clean:
-	rm -rf $(BUILDDIR)
-	rm -f *.so *.o
-	rm -rf test/*dSYM
-	cd test && make clean
-
-test:
-	cd test && make
-
-test/partition:
-	cd test && make
-
-run: test/partition
-	pkill partition || true
-	pkill client || true
-	ipcs | grep q | awk '{ printf " -q " $$2 }' | xargs ipcrm > /dev/null 2>&1 || true
-	(sleep 3 && ./test/client)&
-	./test/partition
-
-ci:
-	pkill client || true
-	ipcs | grep q | awk '{ printf " -q " $$2 }' | xargs ipcrm > /dev/null 2>&1 || true
-	./test/partition 2>&1  &
-	sleep 3 && ./test/client
-	pkill partition || true
-
-docker:
-	@docker run --rm -ti -v $$PWD:/opt --entrypoint /bin/bash ubuntu \
-		-c "cd /opt && ls && apt-get update -qq && apt install \
-		-y gcc make gdb python -qq && make clean && make install && make test && ldconfig && make run"
-
-install: libpsaff.so
-	mkdir -p $(DESTDIR)/lib
-	mkdir -p $(DESTDIR)/include
-	cp libpsaff.so $(DESTDIR)/lib/
-	cp -r include/* $(DESTDIR)/include/
-	cp tools/psa_autogen /usr/local/bin/
-
-uninstall:
-	rm $(DESTDIR)/lib/libpsaff.so
-	rm -rf $(DESTDIR)/include/psa
-	rm -rf $(DESTDIR)/include/psasim
-	rm -f /usr/local/bin/psa_autogen
+clean_server_intermediate_files:
+	rm -f $(PARTITION_SERVER_BOOTSTRAP)
+	rm -rf include/psa_manifest
 
+clean: clean_server_intermediate_files
+	rm -f test/psa_client_base test/psa_client_full test/psa_server
+	rm -rf client_libs server_libs
+	rm -f test/psa_service_* test/psa_notify_* test/*.log
+	rm -f test/seedfile
diff --git a/psasim/README.md b/psasim/README.md
@@ -1,60 +1,42 @@
 # psasim
 
-This tool simulates a PSA Firmware Framework implementation.
-It allows you to develop secure partitions and their clients on a desktop computer.
-It should be able to run on all systems that support POSIX and System V IPC:
-e.g. macOS, Linux, FreeBSD, and perhaps Windows 10 WSL2.
+PSASIM holds necessary C source and header files which allows to test Mbed TLS in a "pure crypto client" scenario, i.e `MBEDTLS_PSA_CRYPTO_CLIENT && !MBEDTLS_PSA_CRYPTO_C`.
+In practical terms it means that this allow to build PSASIM with Mbed TLS sources and get 2 Linux applications, a client and a server, which are connected through Linux's shared memeory, and in which the client relies on the server to perform all PSA Crypto operations.
 
-Please note that the code in this directory is maintained by the Mbed TLS / PSA Crypto project solely for the purpose of testing the use of Mbed TLS with client/service separation. We do not recommend using this code for any other purpose. In particular:
+The goal of PSASIM is _not_ to provide a ready-to-use solution for anyone looking to implement the pure crypto client structure (see [Limitations](#limitations) for details), but to provide an example of TF-PSA-Crypto RPC (Remote Procedure Call) implementation using Mbed TLS.
+## Limitations
 
-* This simulator is not intended to pass or demonstrate compliance.
-* This code is only intended for simulation and does not have any security goals. It does not isolate services from clients.
+In the current implementation:
 
-## Building
+- Only Linux PC is supported.
+- There can be only 1 client connected to 1 server.
+- Shared memory is the only communication medium allowed. Others can be implemented (ex: net sockets), but in terms of simulation speed shared memory proved to be the fastest.
+- Server is not secure at all: keys and operation structs are stored on the RAM, so they can easily be dumped.
 
-To build and run the test program make sure you have `make`, `python` and a
-C compiler installed and then enter the following commands:
+## Testing
 
-```sh
-make install
-make run
-```
+Please refer to `tests/scripts/components-psasim.sh` for guidance on how to build & test PSASIM:
 
-On Linux you may need to run `ldconfig` to ensure the library is properly installed.
+- `component_test_psasim()`: builds the server and a couple of test clients which are used to evaluate some basic PSA Crypto API commands.
+- `component_test_suite_with_psasim()`: builds the server and _all_ the usual test suites (those found under the `<mbedtls-root>/tests/suites/*` folder) which are used by the CI and runs them. A small subset of test suites (`test_suite_constant_time_hmac`,`test_suite_lmots`,`test_suite_lms`) are being skipped, for CI turnover time optimization. They can be run locally if required.
 
-An example pair of programs is included in the `test` directory.
+## How to update automatically generated files
 
-## Features
+A significant portion of the intermediate code of PSASIM is auto-generated using Perl. In particular:
 
-The implemented API is intended to be compliant with PSA-FF 1.0.0 with the exception of a couple of things that are a work in progress:
+- `psa_sim_serialise.[c|h]`:
+    - Generated by `psa_sim_serialise.pl`.
+    - These files provide the serialisation/deserialisation support that is required to pass functions' parameters between client and server.
+- `psa_sim_crypto_[client|server].c` and `psa_functions_codes.h`:
+    - Generated by `psa_sim_generate.pl`.
+    - `psa_sim_crypto_[client|server].c` provide interfaces for PSA Crypto APIs on client and server sides, while `psa_functions_codes.h` simply enumerates all PSA Crypto APIs.
 
-* `psa_notify` support
-* "strict" policy in manifest
+These files need to be regenerated whenever some PSA Crypto API is added/deleted/modified. The procedure is as follows:
 
-The only supported "interrupts" are POSIX signals, which act
-as a "virtual interrupt".
-
-The standard PSA RoT APIs are not included (e.g. cryptography, attestation, lifecycle etc).
-
-## Design
-
-The code is designed to be readable rather than fast or secure.
-In this implementation only one message is delivered to a
-RoT service at a time.
-The code is not thread-safe.
-
-To debug the simulator enable the debug flag:
-
-```sh
-make DEBUG=1 install
-```
-
-## Unsupported features
-
-Because this is a simulator there are a few things that
-can't be reasonably emulated:
-
-* Manifest MMIO regions are unsupported
-* Manifest priority field is ignored
-* Partition IDs are in fact POSIX `pid_t`, which are only assigned at runtime,
-  making it infeasible to populate pid.h with correct values.
+- `psa_sim_serialise.[c|h]`:
+    - go to `<mbedtls-root>/tests/psa-client-server/psasim/src/`
+    - run `./psa_sim_serialise.pl h > psa_sim_serialise.h`
+    - run `./psa_sim_serialise.pl c > psa_sim_serialise.c`
+- `psa_sim_crypto_[client|server].c` and `psa_functions_codes.h`:
+    - go to Mbed TLS' root folder
+    - run `./tests/psa-client-server/psasim/src/psa_sim_generate.pl`
diff --git a/psasim/include/psa/client.h → psasim/include/client.h b/psasim/include/psa/client.h → psasim/include/client.h
@@ -14,7 +14,10 @@ extern "C" {
 
 #include <stdint.h>
 #include <stddef.h>
-#include <psa/error.h>
+
+#include "psa/crypto.h"
+
+#include "error_ext.h"
 /*********************** PSA Client Macros and Types *************************/
 
 #define PSA_FRAMEWORK_VERSION  (0x0100)
@@ -32,12 +35,6 @@ extern "C" {
 #define PSA_HANDLE_IS_VALID(handle) ((psa_handle_t) (handle) > 0)
 #define PSA_HANDLE_TO_ERROR(handle) ((psa_status_t) (handle))
 
-#define PSA_MAX_IOVEC (4u)
-
-#define PSA_IPC_CALL (0)
-
-typedef int32_t psa_handle_t;
-
 /**
  * A read-only input memory region provided to an RoT Service.
  */

diff --git a/psasim/include/common.h b/psasim/include/common.h
@@ -0,0 +1,52 @@
+/* Common definitions used for clients and services */
+
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef _COMMON_H_
+#define _COMMON_H_
+
+#include <stdint.h>
+#include <stddef.h>
+
+/* Increasing this might break on some platforms */
+#define MAX_FRAGMENT_SIZE 200
+
+#define CONNECT_REQUEST 1
+#define CALL_REQUEST 2
+#define CLOSE_REQUEST 3
+#define VERSION_REQUEST 4
+#define READ_REQUEST    5
+#define READ_RESPONSE   6
+#define WRITE_REQUEST   7
+#define WRITE_RESPONSE  8
+#define SKIP_REQUEST    9
+#define PSA_REPLY       10
+
+#define NON_SECURE (1 << 30)
+
+typedef int32_t psa_handle_t;
+
+#define PSA_MAX_IOVEC (4u)
+
+#define PSA_IPC_CALL (0)
+
+struct message_text {
+    int qid;
+    int32_t psa_type;
+    char buf[MAX_FRAGMENT_SIZE];
+};
+
+struct message {
+    long message_type;
+    struct message_text message_text;
+};
+
+typedef struct vector_sizes {
+    size_t invec_sizes[PSA_MAX_IOVEC];
+    size_t outvec_sizes[PSA_MAX_IOVEC];
+} vector_sizes_t;
+
+#endif /* _COMMON_H_ */
diff --git a/psasim/include/error_ext.h b/psasim/include/error_ext.h
@@ -0,0 +1,19 @@
+/* PSA status codes used by psasim. */
+
+/*
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ */
+
+#ifndef PSA_ERROR_H
+#define PSA_ERROR_H
+
+#include <stdint.h>
+
+#include "common.h"
+
+#define PSA_ERROR_PROGRAMMER_ERROR      ((psa_status_t) -129)
+#define PSA_ERROR_CONNECTION_REFUSED    ((psa_status_t) -130)
+#define PSA_ERROR_CONNECTION_BUSY       ((psa_status_t) -131)
+
+#endif
diff --git a/psasim/include/psasim/init.h → psasim/include/init.h b/psasim/include/psasim/init.h → psasim/include/init.h
@@ -6,7 +6,7 @@
  */
 
 #include <stdint.h>
-#include <psa/service.h>
+#include <service.h>
 void raise_signal(psa_signal_t signal);
 void __init_psasim(const char **array,
                    int size,

diff --git a/psasim/include/psa/lifecycle.h → psasim/include/lifecycle.h b/psasim/include/psa/lifecycle.h → psasim/include/lifecycle.h
diff --git a/psasim/include/psa/error.h b/psasim/include/psa/error.h
diff --git a/psasim/include/psa/service.h → psasim/include/service.h b/psasim/include/psa/service.h → psasim/include/service.h
@@ -14,7 +14,11 @@ extern "C" {
 #include <stdlib.h>
 #include <stdint.h>
 #include <stddef.h>
-#include <psa/client.h>
+
+#include "common.h"
+
+#include "psa/crypto.h"
+
 /********************** PSA Secure Partition Macros and Types ****************/
 
 /* PSA wait timeouts */