diff --git a/Makefile b/Makefile
index bede21a10..1edf3b80a 100644
--- a/Makefile
+++ b/Makefile
@@ -730,7 +730,17 @@ ifeq ($(DYN_DISABLE_AUTH), 1)
endif
endif
-ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),)
+ifeq ($(MEASURED_BOOT)-$(TRUSTED_BOARD_BOOT),1-1)
+# Support authentication verification and hash calculation
+ CRYPTO_SUPPORT := 3
+else ifeq ($(DRTM_SUPPORT)-$(TRUSTED_BOARD_BOOT),1-1)
+# Support authentication verification and hash calculation
+ CRYPTO_SUPPORT := 3
+else ifneq ($(filter 1,${MEASURED_BOOT} ${DRTM_SUPPORT}),)
+# Support hash calculation only
+ CRYPTO_SUPPORT := 2
+else ifeq (${TRUSTED_BOARD_BOOT},1)
+# Support authentication verification only
CRYPTO_SUPPORT := 1
else
CRYPTO_SUPPORT := 0
@@ -1035,7 +1045,6 @@ $(eval $(call assert_booleans,\
SPMC_AT_EL3 \
SPMD_SPM_AT_SEL2 \
TRUSTED_BOARD_BOOT \
- CRYPTO_SUPPORT \
USE_COHERENT_MEM \
USE_DEBUGFS \
ARM_IO_IN_DTB \
@@ -1070,6 +1079,7 @@ $(eval $(call assert_numerics,\
CTX_INCLUDE_PAUTH_REGS \
CTX_INCLUDE_MTE_REGS \
CTX_INCLUDE_NEVE_REGS \
+ CRYPTO_SUPPORT \
ENABLE_BRBE_FOR_NS \
ENABLE_TRBE_FOR_NS \
ENABLE_BTI \
diff --git a/drivers/auth/crypto_mod.c b/drivers/auth/crypto_mod.c
index 2028d53d8..fa1adb4f7 100644
--- a/drivers/auth/crypto_mod.c
+++ b/drivers/auth/crypto_mod.c
@@ -46,19 +46,26 @@ void crypto_mod_init(void)
{
assert(crypto_lib_desc.name != NULL);
assert(crypto_lib_desc.init != NULL);
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
assert(crypto_lib_desc.verify_signature != NULL);
assert(crypto_lib_desc.verify_hash != NULL);
-#endif /* TRUSTED_BOARD_BOOT */
-#if MEASURED_BOOT || DRTM_SUPPORT
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
+
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
assert(crypto_lib_desc.calc_hash != NULL);
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
/* Initialize the cryptographic library */
crypto_lib_desc.init();
INFO("Using crypto library '%s'\n", crypto_lib_desc.name);
}
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/*
* Function to verify a digital signature
*
@@ -108,8 +115,11 @@ int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
return crypto_lib_desc.verify_hash(data_ptr, data_len,
digest_info_ptr, digest_info_len);
}
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
-#if MEASURED_BOOT || DRTM_SUPPORT
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/*
* Calculate a hash
*
@@ -129,7 +139,8 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
return crypto_lib_desc.calc_hash(alg, data_ptr, data_len, output);
}
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
/*
* Authenticated decryption of data
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index e83225c32..d231179f5 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@@ -24,7 +24,8 @@
#define LIB_NAME "mbed TLS"
-#if MEASURED_BOOT || DRTM_SUPPORT
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/*
* CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
* so make sure that mbed TLS MD maximum size must be lesser than this.
@@ -32,7 +33,8 @@
CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
assert_mbedtls_md_size_overflow);
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
/*
* AlgorithmIdentifier ::= SEQUENCE {
@@ -60,7 +62,8 @@ static void init(void)
mbedtls_init();
}
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/*
* Verify a signature.
*
@@ -219,9 +222,11 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
return CRYPTO_SUCCESS;
}
-#endif /* TRUSTED_BOARD_BOOT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
-#if MEASURED_BOOT || DRTM_SUPPORT
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/*
* Map a generic crypto message digest algorithm to the corresponding macro used
* by Mbed TLS.
@@ -264,7 +269,8 @@ static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
*/
return mbedtls_md(md_info, data_ptr, data_len, output);
}
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
#if TF_MBEDTLS_USE_AES_GCM
/*
@@ -368,7 +374,7 @@ static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
/*
* Register crypto library descriptor
*/
-#if (MEASURED_BOOT || DRTM_SUPPORT) && TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
#if TF_MBEDTLS_USE_AES_GCM
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
auth_decrypt);
@@ -376,13 +382,13 @@ REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
NULL);
#endif
-#elif TRUSTED_BOARD_BOOT
+#elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY
#if TF_MBEDTLS_USE_AES_GCM
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash,
auth_decrypt);
#else
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL);
#endif
-#elif MEASURED_BOOT || DRTM_SUPPORT
+#elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY
REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash);
-#endif /* (MEASURED_BOOT || DRTM_SUPPORT) && TRUSTED_BOARD_BOOT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h
index 103f08500..3a23df4b7 100644
--- a/include/drivers/auth/crypto_mod.h
+++ b/include/drivers/auth/crypto_mod.h
@@ -7,6 +7,10 @@
#ifndef CRYPTO_MOD_H
#define CRYPTO_MOD_H
+#define CRYPTO_AUTH_VERIFY_ONLY 1
+#define CRYPTO_HASH_CALC_ONLY 2
+#define CRYPTO_AUTH_VERIFY_AND_HASH_CALC 3
+
/* Return values */
enum crypto_ret_value {
CRYPTO_SUCCESS = 0,
@@ -48,6 +52,8 @@ typedef struct crypto_lib_desc_s {
/* Verify a digital signature. Return one of the
* 'enum crypto_ret_value' options */
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
int (*verify_signature)(void *data_ptr, unsigned int data_len,
void *sig_ptr, unsigned int sig_len,
void *sig_alg, unsigned int sig_alg_len,
@@ -56,13 +62,17 @@ typedef struct crypto_lib_desc_s {
/* Verify a hash. Return one of the 'enum crypto_ret_value' options */
int (*verify_hash)(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len);
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
-#if MEASURED_BOOT || DRTM_SUPPORT
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/* Calculate a hash. Return hash value */
int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr,
unsigned int data_len,
unsigned char output[CRYPTO_MD_MAX_SIZE]);
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
/*
* Authenticated decryption. Return one of the
@@ -84,25 +94,32 @@ static inline void crypto_mod_init(void)
}
#endif /* CRYPTO_SUPPORT */
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len,
void *sig_ptr, unsigned int sig_len,
void *sig_alg_ptr, unsigned int sig_alg_len,
void *pk_ptr, unsigned int pk_len);
int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len);
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
+
int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
size_t len, const void *key, unsigned int key_len,
unsigned int key_flags, const void *iv,
unsigned int iv_len, const void *tag,
unsigned int tag_len);
-#if MEASURED_BOOT || DRTM_SUPPORT
+#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
unsigned int data_len,
unsigned char output[CRYPTO_MD_MAX_SIZE]);
-#endif /* MEASURED_BOOT || DRTM_SUPPORT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \
+ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
-#if (MEASURED_BOOT || DRTM_SUPPORT) && TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
/* Macro to register a cryptographic library */
#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
_calc_hash, _auth_decrypt) \
@@ -114,7 +131,7 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
.calc_hash = _calc_hash, \
.auth_decrypt = _auth_decrypt \
}
-#elif TRUSTED_BOARD_BOOT
+#elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY
#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
_auth_decrypt) \
const crypto_lib_desc_t crypto_lib_desc = { \
@@ -124,14 +141,14 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
.verify_hash = _verify_hash, \
.auth_decrypt = _auth_decrypt \
}
-#elif MEASURED_BOOT || DRTM_SUPPORT
+#elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY
#define REGISTER_CRYPTO_LIB(_name, _init, _calc_hash) \
const crypto_lib_desc_t crypto_lib_desc = { \
.name = _name, \
.init = _init, \
.calc_hash = _calc_hash, \
}
-#endif /* (MEASURED_BOOT || DRTM_SUPPORT) && TRUSTED_BOARD_BOOT */
+#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */
extern const crypto_lib_desc_t crypto_lib_desc;