PICO_PLATFORM=host does not allow pico_mbedtls #2427

Open
oyama opened this issue Apr 17, 2025 · 4 comments

@oyama

oyama commented Apr 17, 2025

I'd like to use pico_mbedtls_crypto on a development host.
Running tests on the host is often more convenient than on the device, especially when verifying complex behavior. However, it seems that rp2_common/pico_mbedtls is not available when building for the host, as it's not included in pico-sdk/src/host.cmake.

As a workaround, I’m currently using the following in my CMakeLists.txt to manually bring in mbedtls:

include(FetchContent)
# Import mbedtls from pico-sdk into the project directory.
FetchContent_Declare(mbedtls SOURCE_DIR ${PICO_SDK_PATH}/lib/mbedtls)
FetchContent_GetProperties(mbedtls)
if(NOT mbedtls_POPULATED)
  FetchContent_Populate(mbedtls)
  add_subdirectory(${mbedtls_SOURCE_DIR} ${mbedtls_BINARY_DIR} EXCLUDE_FROM_ALL)
endif()

target_link_libraries(unittest PRIVATE mbedcrypto)

This works, but it would be simpler if pico_mbedtls were included in host.cmake.
The following patch would make it available:

diff --git a/src/host.cmake b/src/host.cmake
index 3399866..c7366da 100644
--- a/src/host.cmake
+++ b/src/host.cmake
@@ -1,5 +1,6 @@
 set(CMAKE_DIR cmake)
 set(COMMON_DIR common)
+set(RP2_COMMON_DIR rp2_common)
 set(HOST_DIR host)
 
 include (${CMAKE_DIR}/no_hardware.cmake)
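Review bot: the added set(RP2_COMMON_DIR rp2_common) line carries no comment on why the host platform file now reaches into rp2_common, when the other directory variables in this block are cmake, common and host. A one-line comment stating that it is meant only for libraries that build without RP2 hardware would keep later additions from pulling hardware-dependent rp2_common code into host builds.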
@@ -19,6 +20,9 @@ include (${CMAKE_DIR}/no_hardware.cmake)
  pico_add_subdirectory(${COMMON_DIR}/pico_util)
  pico_add_subdirectory(${COMMON_DIR}/pico_stdlib_headers)
 
+# rp2_common
+ pico_add_subdirectory(${RP2_COMMON_DIR}/pico_mbedtls)
+
 # host-specific
  pico_add_subdirectory(${HOST_DIR}/hardware_divider)
  pico_add_subdirectory(${HOST_DIR}/hardware_gpio)
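Review bot: the added pico_add_subdirectory(${RP2_COMMON_DIR}/pico_mbedtls) line is unconditional and brings in nothing else, yet the thread notes that a host build also needs a mock of pico_rand, so this hunk is not sufficient by itself as posted. Add the host pico_rand implementation in the same change, next to the host-specific entries, and document that mock as test-only so that randomness-dependent Mbed TLS code exercised on the host is not mistaken for device behaviour.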

Would it be possible to support this, or is there a recommended alternative approach?
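
An added example, not part of the original post or of pico-sdk: one way a project's CMakeLists.txt can keep a single link line for device and host builds, using the SDK's pico_mbedtls target when it exists and otherwise falling back to the workaround described above. The `unittest` target is from the post; the `app_crypto` name is hypothetical, and `ENABLE_TESTING` / `ENABLE_PROGRAMS` are Mbed TLS's own CMake options.

```cmake
# Added example. Assumptions: pico_sdk_init() has already run and the
# `unittest` executable exists; `app_crypto` is a hypothetical target name.
add_library(app_crypto INTERFACE)

if(TARGET pico_mbedtls)
  # The platform file provides the SDK wrapper, so use it unchanged.
  target_link_libraries(app_crypto INTERFACE pico_mbedtls)
else()
  # Per the issue, PICO_PLATFORM=host does not define pico_mbedtls.
  # Build the Mbed TLS sources bundled with the SDK directly instead,
  # without Mbed TLS's own test suites and sample programs.
  set(ENABLE_TESTING OFF CACHE BOOL "" FORCE)
  set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE)
  add_subdirectory(${PICO_SDK_PATH}/lib/mbedtls
                   ${CMAKE_BINARY_DIR}/mbedtls EXCLUDE_FROM_ALL)
  target_link_libraries(app_crypto INTERFACE mbedcrypto)
  message(STATUS
    "pico_mbedtls not defined for PICO_PLATFORM=${PICO_PLATFORM}; "
    "linking mbedcrypto from lib/mbedtls")
endif()

# One link line for the tests, whichever branch was taken.
target_link_libraries(unittest PRIVATE app_crypto)
```

In the fallback branch Mbed TLS is built with its default configuration header unless `MBEDTLS_CONFIG_FILE` is defined for it, so host tests can pass using algorithms that the project's own mbedtls_config.h does not enable on the device.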

@peterharperuk

Do you have a host example that could be used to test this?

@oyama

oyama commented Apr 17, 2025

This is the project I am using and the unit testing is done on the host side:
https://github.com/oyama/pico-kvstore

Here is the code that uses pico_mbedtls_crypto:
https://github.com/oyama/pico-kvstore/blob/main/src/kvstore_securekvs.c

Unit tests are run in GitHub Actions. An example of execution is here:
https://github.com/oyama/pico-kvstore/actions/runs/14510110067/job/40706734040

Need a smaller, more focused test code?

@peterharperuk

> Need a smaller, more focused test code?

Probably. I could write a sha256 test fairly quickly. The request seems reasonable if @kilograham agrees.

@oyama

oyama commented Apr 17, 2025

This is sample code to test a single SHA256 test vector.
To build it on the host side, you also need a mock of pico_rand, as follows:
https://github.com/raspberrypi/pico-sdk/compare/develop...oyama:pico-sdk:fix/enable-pico_mbedtls-in-host-build?expand=1

main.c

#include <stdio.h>
#include <string.h>
#include "pico/stdlib.h"
#include "pico/stdio.h"

#include "mbedtls/sha256.h"

// Passed as the is224 argument of mbedtls_sha256_starts(): 0 selects SHA-256, 1 selects SHA-224.
#define IS_SHA256   0


static void test_sha256(void) {
    mbedtls_sha256_context ctx;
    // https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/secure-hashing#Testing
    const unsigned char test_vector_msg[4] = {0x74, 0xba, 0x25, 0x21};
    const unsigned char test_vector_md[32] = {0xb1, 0x6a, 0xa5, 0x6b, 0xe3, 0x88, 0x0d, 0x18, 0xcd, 0x41, 0xe6, 0x83, 0x84, 0xcf, 0x1e, 0xc8, 0xc1, 0x76, 0x80, 0xc4, 0x5a, 0x02, 0xb1, 0x57, 0x5d, 0xc1, 0x51, 0x89, 0x23, 0xae, 0x8b, 0x0e};
    unsigned char hash[32];

    mbedtls_sha256_init(&ctx);
    mbedtls_sha256_starts(&ctx, IS_SHA256);
    mbedtls_sha256_update(&ctx, test_vector_msg, sizeof(test_vector_msg));
    mbedtls_sha256_finish(&ctx, hash);
    if (memcmp(test_vector_md, hash, sizeof(hash)) == 0)
        printf("SHA256 ok\n");
    else
        printf("SHA256 ng\n");
}


int main (void) {
    stdio_init_all();

    test_sha256();

    return 0;
}

CMakeLists.txt

cmake_minimum_required(VERSION 3.13...3.27)

include(pico_sdk_import.cmake)
set(CMAKE_C_STANDARD 11)
set(CMAKE_CXX_STANDARD 17)

project(crypto-demo C CXX ASM)
pico_sdk_init()

add_executable(crypto-demo main.c)
target_include_directories(crypto-demo PRIVATE  ${CMAKE_CURRENT_LIST_DIR})
target_link_libraries(crypto-demo
    pico_stdlib
    pico_mbedtls
    )
pico_add_extra_outputs(crypto-demo)

mbedtls_config.h:

#pragma once

#define MBEDTLS_SHA256_C
