diff --git a/plat/arm/board/fvp_r/platform.mk b/plat/arm/board/fvp_r/platform.mk index f14ea544b..71cb9e2d3 100644 --- a/plat/arm/board/fvp_r/platform.mk +++ b/plat/arm/board/fvp_r/platform.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2021, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -25,7 +25,7 @@ FVP_R_INTERCONNECT_SOURCES := drivers/arm/cci/cci.c include plat/arm/board/common/board_common.mk include plat/arm/common/arm_common.mk -PLAT_INCLUDES := -Iplat/arm/board/fvp_r/include +PLAT_INCLUDES += -Iplat/arm/board/fvp_r/include FVP_R_BL_COMMON_SOURCES := plat/arm/board/fvp_r/fvp_r_common.c \ plat/arm/board/fvp_r/fvp_r_context_mgmt.c \ diff --git a/plat/arm/board/tc/plat_tc_mbedtls_config.h b/plat/arm/board/tc/plat_tc_mbedtls_config.h index de7b1aab5..4fd8b6beb 100644 --- a/plat/arm/board/tc/plat_tc_mbedtls_config.h +++ b/plat/arm/board/tc/plat_tc_mbedtls_config.h @@ -21,6 +21,20 @@ #endif #endif /* TF_MBEDTLS_HEAP_SIZE */ +/** + * On Arm TC platforms, the ROTPK is always hashed using the SHA-256 + * algorithm. + * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid + * the need for explicitly enabling the SHA-256 configuration in mbedTLS. + */ +#define MBEDTLS_SHA256_C + +/* + * Use an implementation of SHA-256 with a smaller memory footprint + * but reduced speed. + */ +#define MBEDTLS_SHA256_SMALLER + #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG #define MBEDTLS_ECP_C diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk index 660a3a57f..859791dc1 100644 --- a/plat/arm/common/arm_common.mk +++ b/plat/arm/common/arm_common.mk @@ -119,10 +119,6 @@ ifeq (${ARM_LINUX_KERNEL_AS_BL33},1) endif endif -# Use an implementation of SHA-256 with a smaller memory footprint but reduced -# speed. -$(eval $(call add_define,MBEDTLS_SHA256_SMALLER)) - # Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images # in the FIP if the platform requires. ifneq ($(BL32_EXTRA1),) @@ -364,6 +360,17 @@ ifeq (${DRTM_SUPPORT},1) BL31_SOURCES += plat/arm/common/arm_err.c endif +ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),) + PLAT_INCLUDES += -Iplat/arm/common \ + -Iinclude/drivers/auth/mbedtls + # Specify mbed TLS configuration file + ifeq (${PSA_CRYPTO},1) + MBEDTLS_CONFIG_FILE ?= "" + else + MBEDTLS_CONFIG_FILE ?= "" + endif +endif + ifneq (${TRUSTED_BOARD_BOOT},0) # Include common TBB sources diff --git a/plat/arm/common/plat_arm_mbedtls_config.h b/plat/arm/common/plat_arm_mbedtls_config.h new file mode 100644 index 000000000..a5d0ec40d --- /dev/null +++ b/plat/arm/common/plat_arm_mbedtls_config.h @@ -0,0 +1,26 @@ +/* + * Copyright (c) 2024, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef PLAT_ARM_MBEDTLS_CONFIG_H +#define PLAT_ARM_MBEDTLS_CONFIG_H + +#include + +/** + * On Arm platforms, the ROTPK is always hashed using the SHA-256 + * algorithm. + * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid + * the need for explicitly enabling the SHA-256 configuration in mbedTLS. + */ +#define MBEDTLS_SHA256_C + +/* + * Use an implementation of SHA-256 with a smaller memory footprint + * but reduced speed. + */ +#define MBEDTLS_SHA256_SMALLER + +#endif /* PLAT_ARM_MBEDTLS_CONFIG_H */ diff --git a/plat/arm/common/plat_arm_psa_mbedtls_config.h b/plat/arm/common/plat_arm_psa_mbedtls_config.h new file mode 100644 index 000000000..fd434c982 --- /dev/null +++ b/plat/arm/common/plat_arm_psa_mbedtls_config.h @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2024, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef PLAT_ARM_PSA_MBEDTLS_CONFIG_H +#define PLAT_ARM_PSA_MBEDTLS_CONFIG_H + +#include "plat_arm_mbedtls_config.h" + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS + +/* + * Using PSA crypto API requires an RNG right now. If we don't define the macro + * below then we get build errors. + * + * This is a functionality gap in mbedTLS. The technical limitation is that + * psa_crypto_init() is all-or-nothing, and fixing that would require separate + * initialization of the keystore, the RNG, etc. + * + * By defining MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, we pretend using an external + * RNG. As a result, the PSA crypto init code does nothing when it comes to + * initializing the RNG, as we are supposed to take care of that ourselves. + */ +#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + +#endif /* PLAT_ARM_PSA_MBEDTLS_CONFIG_H */