From 588e1c0061a02e3b47bb64d90b0dc1c0d5de55f2 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 28 May 2026 15:07:09 +0200 Subject: [PATCH 1/2] Use regex to classify functions that do not need buffer copying No behavior change. Signed-off-by: Gilles Peskine --- .../code_wrapper/psa_wrapper.py | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py b/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py index 53ab2f5af..4e3476f67 100644 --- a/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py +++ b/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py @@ -6,6 +6,7 @@ import itertools import os +import re from typing import Iterable, Iterator, List, Optional, Tuple from .. import build_tree @@ -145,18 +146,19 @@ def _detect_buffer_parameters(arguments: List[c_parsing_helper.ArgumentInfo], yield BufferParameter(i, not t01[0].startswith('const '), argument_names[i], argument_names[i+1]) - @staticmethod - def _parameter_should_be_copied(function_name: str, + # These operations are low-risk and do not need buffer copying. + FUNCTIONS_NOT_REQUIRING_BUFFER_COPYING_RE = \ + re.compile('|'.join([ + 'mbedtls_psa_inject_entropy', # privileged + 'psa_crypto_driver_pake_get_.*', # no risk from simple getters + ])) + def _parameter_should_be_copied(self, function_name: str, _buffer_name: Optional[str]) -> bool: """Whether the specified buffer argument to a PSA function should be copied. """ - # False-positives that do not need buffer copying - if function_name in ('mbedtls_psa_inject_entropy', - 'psa_crypto_driver_pake_get_password', - 'psa_crypto_driver_pake_get_user', - 'psa_crypto_driver_pake_get_peer'): + if re.fullmatch(self.FUNCTIONS_NOT_REQUIRING_BUFFER_COPYING_RE, + function_name): return False - return True @staticmethod From c07786043f8251eaa77a03ee6d77b2c1933b77d9 Mon Sep 17 00:00:00 2001 
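Review bot: The wildcard in `'psa_crypto_driver_pake_get_.*'` exempts more than the three names the removed tuple listed (`..._get_password`, `..._get_user`, `..._get_peer`). The commit message's "No behavior change" therefore holds only if no other function with that prefix has a buffer parameter today, and any getter added later is exempted by default. Since this list switches off the buffer-copy hardening, an exact alternation keeps unknown names on the copying path: `'psa_crypto_driver_pake_get_(password|user|peer)',`. On style, `self.FUNCTIONS_NOT_REQUIRING_BUFFER_COPYING_RE.fullmatch(function_name)` is the more direct call on an already compiled pattern. The enclosing class starts outside the hunk, so it cannot be checked from here whether a caller or subclass still treats `_parameter_should_be_copied` as a static method.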
From: Gilles Peskine Date: Thu, 28 May 2026 15:07:50 +0200 Subject: [PATCH 2/2] Declare more functions that do not need buffer copying `psa_random_reseed()` is privileged. Hash, MAC and XOF are low-risk per https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/795 . Signed-off-by: Gilles Peskine --- scripts/mbedtls_framework/code_wrapper/psa_wrapper.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py b/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py index 4e3476f67..2164f6259 100644 --- a/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py +++ b/scripts/mbedtls_framework/code_wrapper/psa_wrapper.py @@ -150,7 +150,9 @@ def _detect_buffer_parameters(arguments: List[c_parsing_helper.ArgumentInfo], FUNCTIONS_NOT_REQUIRING_BUFFER_COPYING_RE = \ re.compile('|'.join([ 'mbedtls_psa_inject_entropy', # privileged + 'psa_(hash|mac|xof)_.*', # https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/795 'psa_crypto_driver_pake_get_.*', # no risk from simple getters + 'psa_random_reseed', # privileged ])) def _parameter_should_be_copied(self, function_name: str, _buffer_name: Optional[str]) -> bool:
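Review bot: `'psa_(hash|mac|xof)_.*'` switches buffer copying off for every present and future function in three whole API families, and the only justification on the line is an issue URL. The prefix also covers calls that read a caller-supplied value for comparison, such as `psa_mac_verify` and `psa_hash_compare`. If the reasoning in the linked issue is about computing digests over input data, confirm that it extends to those calls or leave them out of the pattern. I would state the reason in the comment itself, e.g. `# low-risk: <one-line rationale from issue 795>`, so the exemption can be audited without leaving the file. A small test asserting which function names make `_parameter_should_be_copied` return False would catch accidental widening of the list; the method body itself continues outside the hunk.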