diff --git a/Makefile b/Makefile index 8e8fba901..1e6dd9071 100644 --- a/Makefile +++ b/Makefile @@ -1036,6 +1036,10 @@ ENABLE_FEAT_RNG = $(if $(findstring rng,${arch-features}),1,0) # Determine if FEAT_SB is supported ENABLE_FEAT_SB = $(if $(findstring sb,${arch-features}),1,0) +ifeq ($(PSA_CRYPTO),1) + $(info PSA_CRYPTO is an experimental feature) +endif + ################################################################################ # Process platform overrideable behaviour ################################################################################ @@ -1217,6 +1221,7 @@ $(eval $(call assert_booleans,\ ERRATA_NON_ARM_INTERCONNECT \ CONDITIONAL_CMO \ RAS_FFH_SUPPORT \ + PSA_CRYPTO \ ))) # Numeric_Flags @@ -1407,6 +1412,7 @@ $(eval $(call add_defines,\ IMPDEF_SYSREG_TRAP \ SVE_VECTOR_LEN \ ENABLE_SPMD_LP \ + PSA_CRYPTO \ ))) ifeq (${SANITIZE_UB},trap) diff --git a/docs/getting_started/build-options.rst b/docs/getting_started/build-options.rst index 7c84ef163..34d83f255 100644 --- a/docs/getting_started/build-options.rst +++ b/docs/getting_started/build-options.rst @@ -1185,6 +1185,12 @@ Common build options errata mitigation for platforms with a non-arm interconnect using the errata ABI. By default its disabled (``0``). +- ``PSA_CRYPTO``: Boolean option for enabling MbedTLS PSA crypto APIs support. + The platform will use PSA compliant Crypto APIs during authentication and + image measurement process by enabling this option. It uses APIs defined as + per the `PSA Crypto API specification`_. This feature is only supported if + using MbedTLS 3.x version. By default it is disabled (``0``). + GICv3 driver options -------------------- @@ -1306,3 +1312,4 @@ Firmware update options .. _GCC: https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html .. _Clang: https://clang.llvm.org/docs/DiagnosticsReference.html .. _Firmware Handoff specification: https://github.com/FirmwareHandoff/firmware_handoff/releases/tag/v0.9 +.. _PSA Crypto API specification: https://armmbed.github.io/mbed-crypto/html/ diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index 79c45126a..376b6b7ca 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -23,7 +23,11 @@ $(info MBEDTLS_VERSION_MAJOR is [${MBEDTLS_MAJOR}] MBEDTLS_VERSION_MINOR is [${M ifeq (${MBEDTLS_MAJOR}, 2) MBEDTLS_CONFIG_FILE ?= "" else ifeq (${MBEDTLS_MAJOR}, 3) - MBEDTLS_CONFIG_FILE ?= "" + ifeq (${PSA_CRYPTO},1) + MBEDTLS_CONFIG_FILE ?= "" + else + MBEDTLS_CONFIG_FILE ?= "" + endif endif $(eval $(call add_define,MBEDTLS_CONFIG_FILE)) @@ -77,6 +81,18 @@ else ifeq (${MBEDTLS_MAJOR}, 3) LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls endif +ifeq (${PSA_CRYPTO},1) +LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ + psa_crypto.c \ + psa_crypto_client.c \ + psa_crypto_driver_wrappers.c \ + psa_crypto_hash.c \ + psa_crypto_rsa.c \ + psa_crypto_ecp.c \ + psa_crypto_slot_management.c \ + ) +endif + # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key # algorithm to use. If the variable is not defined, select it based on # algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined, diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/include/drivers/auth/mbedtls/psa_mbedtls_config.h new file mode 100644 index 000000000..65df2d4da --- /dev/null +++ b/include/drivers/auth/mbedtls/psa_mbedtls_config.h @@ -0,0 +1,14 @@ +/* + * Copyright (c) 2023, Arm Ltd. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef PSA_MBEDTLS_CONFIG_H +#define PSA_MBEDTLS_CONFIG_H + +#include "mbedtls_config-3.h" + +#define MBEDTLS_PSA_CRYPTO_C + +#endif /* PSA_MBEDTLS_CONFIG_H */ diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk index b7e6f9917..321ae9fd1 100644 --- a/make_helpers/defaults.mk +++ b/make_helpers/defaults.mk @@ -359,3 +359,6 @@ CONDITIONAL_CMO := 0 # By default, disable SPMD Logical partitions ENABLE_SPMD_LP := 0 + +# By default, disable PSA crypto (use MbedTLS legacy crypto API). +PSA_CRYPTO := 0