Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-17 01:54:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge changes from topic "mbedtls3_support" into integration

Browse source 
* changes:
  feat(stm32mp1): add mbedtls-3.3 support config
  refactor(fvp): minor cleanup with TRUSTED_BOARD_BOOT
  style(crypto): add braces for if statement
  feat(fvp): increase BL1_RW and BL2 size
  feat(mbedtls): add support for mbedtls-3.3
  refactor(crypto): avoid using struct mbedtls_pk_rsassa_pss_options
  refactor(mbedtls): avoid including MBEDTLS_CONFIG_FILE
This commit is contained in:
Manish V Badarkhe 2023-02-27 16:32:21 +01:00 committed by TrustedFirmware Code Review
commit 766d78b1cf
23 changed files with 544 additions and 148 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
drivers/auth/cca/cot.c
View file

@ -1,13 +1,15 @@
/*
* Copyright (c) 2022, Arm Limited. All rights reserved.
* Copyright (c) 2022-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <mbedtls/version.h>
#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include MBEDTLS_CONFIG_FILE
#include <tools_share/cca_oid.h>
#include <platform_def.h>

100
drivers/auth/cryptocell/712/cryptocell_crypto.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2017-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -7,7 +7,8 @@
#include <stddef.h>
#include <string.h>
#include <platform_def.h>
#include <mbedtls/oid.h>
#include <mbedtls/x509.h>
#include <arch_helpers.h>
#include <common/debug.h>
@ -21,8 +22,7 @@
#include <drivers/auth/mbedtls/mbedtls_common.h>
#include <lib/utils.h>
#include <mbedtls/oid.h>
#include <mbedtls/x509.h>
#include <platform_def.h>
#define LIB_NAME "CryptoCell 712 SBROM"
#define RSA_SALT_LEN 32
@ -95,11 +95,10 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
CCError_t error;
CCSbNParams_t pk;
CCSbSignature_t signature;
int rc, exp;
int rc, exp, expected_salt_len;
mbedtls_asn1_buf sig_oid, alg_oid, params;
mbedtls_md_type_t md_alg;
mbedtls_md_type_t md_alg, mgf1_hash_id;
mbedtls_pk_type_t pk_alg;
mbedtls_pk_rsassa_pss_options pss_opts;
size_t len;
uint8_t *p, *end;
/* Temp buf to store the public key modulo (N) in LE format */
@ -110,70 +109,85 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
p = sig_alg;
end = p + sig_alg_len;
rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &params);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* Get the actual signature algorithm (MD + PK) */
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* The CryptoCell only supports RSASSA-PSS signature */
if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE)
if ((pk_alg != MBEDTLS_PK_RSASSA_PSS) || (md_alg != MBEDTLS_MD_NONE)) {
return CRYPTO_ERR_SIGNATURE;
}
/* Verify the RSASSA-PSS params */
/* The trailer field is verified to be 0xBC internally by this API */
rc = mbedtls_x509_get_rsassa_pss_params(&params, &md_alg,
&pss_opts.mgf1_hash_id,
&pss_opts.expected_salt_len);
if (rc != 0)
&mgf1_hash_id,
&expected_salt_len);
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* The CryptoCell only supports SHA256 as hash algorithm */
if (md_alg != MBEDTLS_MD_SHA256 || pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256)
if ((md_alg != MBEDTLS_MD_SHA256) || (mgf1_hash_id != MBEDTLS_MD_SHA256)) {
return CRYPTO_ERR_SIGNATURE;
}
if (pss_opts.expected_salt_len != RSA_SALT_LEN)
if (expected_salt_len != RSA_SALT_LEN) {
return CRYPTO_ERR_SIGNATURE;
}
/* Parse the public key */
p = pk_ptr;
end = p + pk_len;
rc = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
end = p + len;
rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0)
if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (pk_alg != MBEDTLS_PK_RSA)
if (pk_alg != MBEDTLS_PK_RSA) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (*p == 0) {
p++; len--;
}
if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end))
if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) {
return CRYPTO_ERR_SIGNATURE;
}
/*
* The CCSbVerifySignature() API expects N and Np in BE format and
@ -184,11 +198,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
/* Verify the RSA exponent */
p += len;
rc = mbedtls_asn1_get_int(&p, end, &exp);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (exp != RSA_EXPONENT)
if (exp != RSA_EXPONENT) {
return CRYPTO_ERR_SIGNATURE;
}
/*
* Calculate the Np (Barrett n' value). The RSA_CalcNp() API expects
@ -205,11 +221,13 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
p = sig_ptr;
end = p + sig_len;
rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end))
if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) {
return CRYPTO_ERR_SIGNATURE;
}
/*
* The signature is BE format. Convert it to LE before calling
@ -227,8 +245,9 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE,
(uint32_t *)data_ptr, &pk, &signature,
data_len, RSA_PSS);
if (error != CC_OK)
if (error != CC_OK) {
return CRYPTO_ERR_SIGNATURE;
}
/* Signature verification success */
return CRYPTO_SUCCESS;
@ -256,29 +275,36 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
end = p + digest_info_len;
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Get the hash algorithm */
rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Verify that hash algorithm is SHA256 */
if (md_alg != MBEDTLS_MD_SHA256)
if (md_alg != MBEDTLS_MD_SHA256) {
return CRYPTO_ERR_HASH;
}
/* Hash should be octet string type */
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Length of hash must match the algorithm's size */
if (len != HASH_RESULT_SIZE_IN_BYTES)
if (len != HASH_RESULT_SIZE_IN_BYTES) {
return CRYPTO_ERR_HASH;
}
/*
* CryptoCell utilises DMA internally to transfer data. Flush the data
@ -289,12 +315,14 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
hash = p;
error = SBROM_CryptoHash((uintptr_t)PLAT_CRYPTOCELL_BASE,
(uintptr_t)data_ptr, data_len, pubKeyHash);
if (error != CC_OK)
if (error != CC_OK) {
return CRYPTO_ERR_HASH;
}
rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
return CRYPTO_SUCCESS;
}

103
drivers/auth/cryptocell/713/cryptocell_crypto.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2017-2023 ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -8,14 +8,14 @@
#include <stddef.h>
#include <string.h>
#include <platform_def.h>
#include <mbedtls/oid.h>
#include <mbedtls/x509.h>
#include <drivers/arm/cryptocell/713/bsv_api.h>
#include <drivers/arm/cryptocell/713/bsv_crypto_asym_api.h>
#include <drivers/auth/crypto_mod.h>
#include <mbedtls/oid.h>
#include <mbedtls/x509.h>
#include <platform_def.h>
#define LIB_NAME "CryptoCell 713 SBROM"
#define RSA_SALT_LEN 32
@ -82,11 +82,11 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
CCError_t error;
CCBsvNBuff_t NBuff;
CCBsvSignature_t signature;
int rc, exp;
int rc, exp, expected_salt_len;
mbedtls_asn1_buf sig_oid, alg_oid, params;
mbedtls_md_type_t md_alg;
mbedtls_md_type_t md_alg, mgf1_hash_id;
mbedtls_pk_type_t pk_alg;
mbedtls_pk_rsassa_pss_options pss_opts;
size_t len;
uint8_t *p, *end;
CCHashResult_t digest;
@ -99,72 +99,86 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
p = sig_alg;
end = p + sig_alg_len;
rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &params);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* Get the actual signature algorithm (MD + PK) */
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* The CryptoCell only supports RSASSA-PSS signature */
if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE)
if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) {
return CRYPTO_ERR_SIGNATURE;
}
/* Verify the RSASSA-PSS params */
/* The trailer field is verified to be 0xBC internally by this API */
rc = mbedtls_x509_get_rsassa_pss_params(&params, &md_alg,
&pss_opts.mgf1_hash_id,
&pss_opts.expected_salt_len);
if (rc != 0)
&mgf1_hash_id,
&expected_salt_len);
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
/* The CryptoCell only supports SHA256 as hash algorithm */
if (md_alg != MBEDTLS_MD_SHA256 ||
pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256)
mgf1_hash_id != MBEDTLS_MD_SHA256) {
return CRYPTO_ERR_SIGNATURE;
}
if (pss_opts.expected_salt_len != RSA_SALT_LEN)
if (expected_salt_len != RSA_SALT_LEN) {
return CRYPTO_ERR_SIGNATURE;
}
/* Parse the public key */
p = pk_ptr;
end = p + pk_len;
rc = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
end = p + len;
rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0)
if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (pk_alg != MBEDTLS_PK_RSA)
if (pk_alg != MBEDTLS_PK_RSA) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_tag(&p, end, &len,
MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (*p == 0) {
p++; len--;
}
if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end))
if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) {
return CRYPTO_ERR_SIGNATURE;
}
/*
* Copy N from certificate.
@ -174,21 +188,25 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
/* Verify the RSA exponent */
p += len;
rc = mbedtls_asn1_get_int(&p, end, &exp);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (exp != RSA_EXPONENT)
if (exp != RSA_EXPONENT) {
return CRYPTO_ERR_SIGNATURE;
}
/* Get the signature (bitstring) */
p = sig_ptr;
end = p + sig_len;
rc = mbedtls_asn1_get_bitstring_null(&p, end, &len);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_SIGNATURE;
}
if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end))
if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) {
return CRYPTO_ERR_SIGNATURE;
}
/*
* Copy the signature (in BE format)
@ -197,15 +215,17 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE,
data_ptr, data_len, digest);
if (error != CC_OK)
if (error != CC_OK) {
return CRYPTO_ERR_SIGNATURE;
}
/* Verify the signature */
error = CC_BsvRsaPssVerify((uintptr_t)PLAT_CRYPTOCELL_BASE, NBuff,
NULL, signature, digest, workspace,
BSV_RSA_WORKSPACE_MIN_SIZE, &is_verified);
if ((error != CC_OK) || (is_verified != CC_TRUE))
if ((error != CC_OK) || (is_verified != CC_TRUE)) {
return CRYPTO_ERR_SIGNATURE;
}
/* Signature verification success */
return CRYPTO_SUCCESS;
@ -233,39 +253,48 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
end = p + digest_info_len;
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Get the hash algorithm */
rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Verify that hash algorithm is SHA256 */
if (md_alg != MBEDTLS_MD_SHA256)
if (md_alg != MBEDTLS_MD_SHA256) {
return CRYPTO_ERR_HASH;
}
/* Hash should be octet string type */
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
/* Length of hash must match the algorithm's size */
if (len != HASH_RESULT_SIZE_IN_BYTES)
if (len != HASH_RESULT_SIZE_IN_BYTES) {
return CRYPTO_ERR_HASH;
}
hash = p;
error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE, data_ptr,
data_len, pubKeyHash);
if (error != CC_OK)
if (error != CC_OK) {
return CRYPTO_ERR_HASH;
}
rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES);
if (rc != 0)
if (rc != 0) {
return CRYPTO_ERR_HASH;
}
return CRYPTO_SUCCESS;
}

9
drivers/auth/dualroot/cot.c
View file

@ -1,17 +1,20 @@
/*
* Copyright (c) 2020-2022, Arm Limited. All rights reserved.
* Copyright (c) 2020-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include <mbedtls/version.h>
#include MBEDTLS_CONFIG_FILE
#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include <tools_share/dualroot_oid.h>
#include <platform_def.h>
/*
* Allocate static buffers to store the authentication parameters extracted from
* the certificates.

5
drivers/auth/mbedtls/mbedtls_common.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -10,10 +10,11 @@
/* mbed TLS headers */
#include <mbedtls/memory_buffer_alloc.h>
#include <mbedtls/platform.h>
#include <mbedtls/version.h>
#include <common/debug.h>
#include <drivers/auth/mbedtls/mbedtls_common.h>
#include MBEDTLS_CONFIG_FILE
#include <plat/common/platform.h>
static void cleanup(void)

86
drivers/auth/mbedtls/mbedtls_common.mk
View file

@ -1,5 +1,5 @@
#
# Copyright (c) 2015-2022, Arm Limited. All rights reserved.
# Copyright (c) 2015-2023, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@ -15,42 +15,68 @@ endif
MBEDTLS_INC = -I${MBEDTLS_DIR}/include
MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
MBEDTLS_MINOR=$(shell grep -hP "define MBEDTLS_VERSION_MINOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
$(info MBEDTLS_VERSION_MAJOR is [${MBEDTLS_MAJOR}] MBEDTLS_VERSION_MINOR is [${MBEDTLS_MINOR}])
# Specify mbed TLS configuration file
MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config.h>"
ifeq (${MBEDTLS_MAJOR}, 2)
MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-2.h>"
else ifeq (${MBEDTLS_MAJOR}, 3)
MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
endif
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
MBEDTLS_SOURCES += drivers/auth/mbedtls/mbedtls_common.c
LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
aes.c \
asn1parse.c \
asn1write.c \
cipher.c \
cipher_wrap.c \
memory_buffer_alloc.c \
oid.c \
platform.c \
platform_util.c \
bignum.c \
gcm.c \
md.c \
pk.c \
pk_wrap.c \
pkparse.c \
pkwrite.c \
sha256.c \
sha512.c \
ecdsa.c \
ecp_curves.c \
ecp.c \
rsa.c \
rsa_internal.c \
x509.c \
x509_crt.c \
constant_time.c \
LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
aes.c \
asn1parse.c \
asn1write.c \
cipher.c \
cipher_wrap.c \
constant_time.c \
memory_buffer_alloc.c \
oid.c \
platform.c \
platform_util.c \
bignum.c \
gcm.c \
md.c \
pk.c \
pk_wrap.c \
pkparse.c \
pkwrite.c \
sha256.c \
sha512.c \
ecdsa.c \
ecp_curves.c \
ecp.c \
rsa.c \
x509.c \
x509_crt.c \
)
ifeq (${MBEDTLS_MAJOR}, 2)
LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
rsa_internal.c \
)
else ifeq (${MBEDTLS_MAJOR}, 3)
LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
bignum_core.c \
rsa_alt_helpers.c \
hash_info.c \
)
# Currently on Mbedtls-3 there is outstanding bug due to usage
# of redundant declaration[1], So disable redundant-decls
# compilation flag to avoid compilation error when compiling with
# Mbedtls-3.
# [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910
LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls
endif
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
# algorithm to use. If the variable is not defined, select it based on
# algorithm used for key generation `KEY_ALG`. If `KEY_ALG` is not defined,

20
drivers/auth/mbedtls/mbedtls_crypto.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -14,12 +14,13 @@
#include <mbedtls/memory_buffer_alloc.h>
#include <mbedtls/oid.h>
#include <mbedtls/platform.h>
#include <mbedtls/version.h>
#include <mbedtls/x509.h>
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/auth/mbedtls/mbedtls_common.h>
#include <drivers/auth/mbedtls/mbedtls_config.h>
#include <plat/common/platform.h>
#define LIB_NAME "mbed TLS"
@ -294,6 +295,7 @@ static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
unsigned char *pt = data_ptr;
size_t dec_len;
int diff, i, rc;
size_t output_length __unused;
mbedtls_gcm_init(&ctx);
@ -303,7 +305,11 @@ static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
goto exit_gcm;
}
#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len, NULL, 0);
#else
rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len);
#endif
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;
@ -312,7 +318,12 @@ static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
while (len > 0) {
dec_len = MIN(sizeof(buf), len);
#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_update(&ctx, dec_len, pt, buf);
#else
rc = mbedtls_gcm_update(&ctx, pt, dec_len, buf, sizeof(buf), &output_length);
#endif
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;
@ -323,7 +334,12 @@ static int aes_gcm_decrypt(void *data_ptr, size_t len, const void *key,
len -= dec_len;
}
#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_finish(&ctx, tag_buf, sizeof(tag_buf));
#else
rc = mbedtls_gcm_finish(&ctx, NULL, 0, &output_length, tag_buf, sizeof(tag_buf));
#endif
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;

8
drivers/auth/tbbr/tbbr_cot_bl1.c
View file

@ -1,22 +1,24 @@
/*
* Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include MBEDTLS_CONFIG_FILE
#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
#include <platform_def.h>
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(

7
drivers/auth/tbbr/tbbr_cot_bl1_r64.c
View file

@ -1,13 +1,14 @@
/*
* Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include MBEDTLS_CONFIG_FILE
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
@ -15,8 +16,8 @@
#else
#include <platform_oid.h>
#endif
#include <platform_def.h>
#include <platform_def.h>
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];

8
drivers/auth/tbbr/tbbr_cot_bl2.c
View file

@ -1,22 +1,24 @@
/*
* Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include MBEDTLS_CONFIG_FILE
#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
#include <platform_def.h>
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];

7
drivers/auth/tbbr/tbbr_cot_common.c
View file

@ -1,22 +1,23 @@
/*
* Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
#include <platform_def.h>
#include MBEDTLS_CONFIG_FILE
#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
#include <platform_def.h>
/*
* The platform must allocate buffers to store the authentication parameters
* extracted from the certificates. In this case, because of the way the CoT is

6
include/common/tbbr/cot_def.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -7,9 +7,7 @@
#ifndef COT_DEF_H
#define COT_DEF_H
#ifdef MBEDTLS_CONFIG_FILE
#include MBEDTLS_CONFIG_FILE
#endif
#include <mbedtls/version.h>
/* TBBR CoT definitions */
#if defined(SPD_spmd)

3
include/drivers/auth/auth_mod.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -7,7 +7,6 @@
#ifndef AUTH_MOD_H
#define AUTH_MOD_H
#include <common/tbbr/cot_def.h>
#include <common/tbbr/tbbr_img_def.h>
#include <drivers/auth/auth_common.h>
#include <drivers/auth/img_parser_mod.h>

0
include/drivers/auth/mbedtls/mbedtls_config.h → include/drivers/auth/mbedtls/mbedtls_config-2.h
View file

153
include/drivers/auth/mbedtls/mbedtls_config-3.h Normal file
View file

@ -0,0 +1,153 @@
/*
* Copyright (c) 2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/**
* This set of compile-time options may be used to enable
* or disable features selectively, and reduce the global
* memory footprint.
*/
/*
* Key algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_RSA 1
#define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3
#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
/*
* Hash algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_SHA256 1
#define TF_MBEDTLS_SHA384 2
#define TF_MBEDTLS_SHA512 3
/*
* Configuration file to build mbed TLS with the required features for
* Trusted Boot
*/
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PLATFORM_C
#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
/* The library does not currently support enabling SHA-256 without SHA-224. */
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
/*
* If either Trusted Boot or Measured Boot require a stronger algorithm than
* SHA-256, pull in SHA-512 support. Library currently needs to have SHA_384
* support when enabling SHA-512.
*/
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256, what about measured boot? */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
#endif
#define MBEDTLS_VERSION_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif
/* MPI / BIGNUM options */
#define MBEDTLS_MPI_WINDOW_SIZE 2
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE 256
#else
#define MBEDTLS_MPI_MAX_SIZE 512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE 256
#endif
/* Memory buffer allocator options */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
/*
* Prevent the use of 128-bit division which
* creates dependency on external libraries.
*/
#define MBEDTLS_NO_UDBL_DIVISION
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
#include <mbedtls/check_config.h>
#endif
/*
* Determine Mbed TLS heap size
* 13312 = 13*1024
* 11264 = 11*1024
* 7168 = 7*1024
*/
#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE U(13312)
#elif TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE U(7168)
#else
#define TF_MBEDTLS_HEAP_SIZE U(11264)
#endif
#endif
/*
* Warn if errors from certain functions are ignored.
*
* The warnings are always enabled (where supported) for critical functions
* where ignoring the return value is almost always a bug. This macro extends
* the warnings to more functions.
*/
#define MBEDTLS_CHECK_RETURN_WARNING

3
include/drivers/auth/tbbr_cot_common.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2020,2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -7,6 +7,7 @@
#ifndef TBBR_COT_COMMON_H
#define TBBR_COT_COMMON_H
#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];

6
lib/fconf/fconf_cot_getter.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2020-2022, Arm Limited. All rights reserved.
* Copyright (c) 2020-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -7,8 +7,10 @@
#include <assert.h>
#include <stddef.h>
#include <mbedtls/version.h>
#include <common/fdt_wrappers.h>
#include MBEDTLS_CONFIG_FILE
#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include <lib/fconf/fconf.h>
#include <lib/object_pool.h>

14
plat/arm/board/fvp/include/platform_def.h
View file

@ -16,6 +16,10 @@
#include "../fvp_def.h"
#if TRUSTED_BOARD_BOOT
#include MBEDTLS_CONFIG_FILE
#endif
/* Required platform porting definitions */
#define PLATFORM_CORE_COUNT (U(FVP_CLUSTER_COUNT) * \
U(FVP_MAX_CPUS_PER_CLUSTER) * \
@ -171,7 +175,11 @@
* PLAT_ARM_MAX_BL1_RW_SIZE is calculated using the current BL1 RW debug size
* plus a little space for growth.
*/
#if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
#define PLAT_ARM_MAX_BL1_RW_SIZE UL(0xC000)
#else
#define PLAT_ARM_MAX_BL1_RW_SIZE UL(0xB000)
#endif
/*
* PLAT_ARM_MAX_ROMLIB_RW_SIZE is define to use a full page
@ -191,10 +199,12 @@
* PLAT_ARM_MAX_BL2_SIZE is calculated using the current BL2 debug size plus a
* little space for growth.
*/
#if TRUSTED_BOARD_BOOT && COT_DESC_IN_DTB
#if CRYPTO_SUPPORT
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) || COT_DESC_IN_DTB
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1E000) - FVP_BL2_ROMLIB_OPTIMIZATION)
#elif CRYPTO_SUPPORT
#else
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1D000) - FVP_BL2_ROMLIB_OPTIMIZATION)
#endif
#elif ARM_BL31_IN_DRAM
/* When ARM_BL31_IN_DRAM is set, BL2 can use almost all of Trusted SRAM. */
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1F000) - FVP_BL2_ROMLIB_OPTIMIZATION)

10
plat/arm/common/arm_dyn_cfg.c
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2022, Arm Limited and Contributors. All rights reserved.
* Copyright (c) 2018-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@ -8,20 +8,20 @@
#include <string.h>
#include <libfdt.h>
#include <platform_def.h>
#if CRYPTO_SUPPORT
#include <mbedtls/version.h>
#endif /* CRYPTO_SUPPORT */
#include <common/debug.h>
#include <common/desc_image_load.h>
#include <common/tbbr/tbbr_img_def.h>
#if CRYPTO_SUPPORT
#include MBEDTLS_CONFIG_FILE
#endif /* CRYPTO_SUPPORT */
#include <lib/fconf/fconf.h>
#include <lib/fconf/fconf_dyn_cfg_getter.h>
#include <lib/fconf/fconf_tbbr_getter.h>
#include <plat/arm/common/arm_dyn_cfg_helpers.h>
#include <plat/arm/common/plat_arm.h>
#include <platform_def.h>
#if CRYPTO_SUPPORT

0
plat/st/stm32mp1/include/stm32mp1_mbedtls_config.h → plat/st/stm32mp1/include/stm32mp1_mbedtls_config-2.h
View file

115
plat/st/stm32mp1/include/stm32mp1_mbedtls_config-3.h Normal file
View file

@ -0,0 +1,115 @@
/*
* Copyright (c) 2022, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*/
/*
* Key algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_USE_RSA 0
#define TF_MBEDTLS_USE_ECDSA 1
/*
* Hash algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_SHA256 1
#define TF_MBEDTLS_SHA384 2
#define TF_MBEDTLS_SHA512 3
/*
* Configuration file to build mbed TLS with the required features for
* Trusted Boot
*/
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
#define MBEDTLS_PKCS1_V21
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C
#define MBEDTLS_PLATFORM_C
#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
/* The library does not currently support enabling SHA-256 without SHA-224. */
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
#define MBEDTLS_VERSION_C
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif
/* MPI / BIGNUM options */
#define MBEDTLS_MPI_WINDOW_SIZE 2
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE 256
#else
#define MBEDTLS_MPI_MAX_SIZE 512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE 256
#endif
/* Memory buffer allocator options */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
/*
* Prevent the use of 128-bit division which
* creates dependency on external libraries.
*/
#define MBEDTLS_NO_UDBL_DIVISION
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
#include <mbedtls/check_config.h>
#endif
/*
* Mbed TLS heap size is smal as we only use the asn1
* parsing functions
* digest, signature and crypto algorithm are done by
* other library.
*/
#define TF_MBEDTLS_HEAP_SIZE U(5120)

16
plat/st/stm32mp1/platform.mk
View file

@ -1,5 +1,5 @@
#
# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
# Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@ -381,7 +381,19 @@ endif
endif
TF_MBEDTLS_KEY_ALG := ecdsa
MBEDTLS_CONFIG_FILE ?= "<stm32mp1_mbedtls_config.h>"
ifneq (${MBEDTLS_DIR},)
MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" \
${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
ifeq (${MBEDTLS_MAJOR}, 2)
MBEDTLS_CONFIG_FILE ?= "<stm32mp1_mbedtls_config-2.h>"
endif
ifeq (${MBEDTLS_MAJOR}, 3)
MBEDTLS_CONFIG_FILE ?= "<stm32mp1_mbedtls_config-3.h>"
endif
endif
include drivers/auth/mbedtls/mbedtls_x509.mk

7
tools/marvell/doimage/doimage.c
View file

@ -17,12 +17,6 @@
#ifdef CONFIG_MVEBU_SECURE_BOOT
#include <libconfig.h> /* for parsing config file */
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
/* mbedTLS stuff */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_SHA256_C) && \
@ -34,6 +28,7 @@
#include <mbedtls/md.h>
#include <mbedtls/pk.h>
#include <mbedtls/sha256.h>
#include <mbedtls/version.h>
#include <mbedtls/x509.h>
#else
#error "Bad mbedTLS configuration!"