refactor(measured-boot): mb algorithm selection

With RSS now introduced, we have 2 Measured Boot backends. Both backends can be used in the same firmware build with potentially different hash algorithms, so now there can be more than one hash algorithm in a build. Therefore the logic for selecting the measured boot hash algorithm needs to be updated and the coordination of algorithm selection added. This is done by: - Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm to replace TPM_HASH_ALG, removing reference to TPM. - Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to replace TPM_HASH_ALG. - Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the Measured Boot configuration macros through defining TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either backend requires a stronger algorithm than SHA-256. Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com> Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
2025-05-02 08:49:28 +00:00 · 2022-05-31 16:39:09 -05:00 · 2022-05-31 16:39:09 -05:00 · 78da42a5f1
commit 78da42a5f1
parent 100da90ca8
6 changed files with 24 additions and 31 deletions
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@ -97,18 +97,6 @@ else
    TF_MBEDTLS_USE_AES_GCM	:=	0
 endif
 ifeq ($(MEASURED_BOOT),1)
    ifeq (${TPM_HASH_ALG}, sha256)
        TF_MBEDTLS_TPM_HASH_ALG_ID	:=	TF_MBEDTLS_SHA256
    else ifeq (${TPM_HASH_ALG}, sha384)
        TF_MBEDTLS_TPM_HASH_ALG_ID	:=	TF_MBEDTLS_SHA384
    else ifeq (${TPM_HASH_ALG}, sha512)
        TF_MBEDTLS_TPM_HASH_ALG_ID	:=	TF_MBEDTLS_SHA512
    else
        $(error "TPM_HASH_ALG not defined.")
    endif
 endif
 # Needs to be set to drive mbed TLS configuration correctly
 $(eval $(call add_defines,\
    $(sort \
@ -118,10 +106,6 @@ $(eval $(call add_defines,\
        TF_MBEDTLS_USE_AES_GCM \
 )))
 ifeq ($(MEASURED_BOOT),1)
  $(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
 endif
 $(eval $(call MAKE_LIB,mbedtls))
 endif
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@ -7,20 +7,25 @@
 # Default log level to dump the event log (LOG_LEVEL_INFO)
 EVENT_LOG_LEVEL         ?= 40
-# TPM hash algorithm.
+# Measured Boot hash algorithm.
 # SHA-256 (or stronger) is required for all devices that are TPM 2.0 compliant.
-TPM_HASH_ALG			:=	sha256
+ifdef TPM_HASH_ALG
    $(warning "TPM_HASH_ALG is deprecated. Please use MBOOT_EL_HASH_ALG instead.")
    MBOOT_EL_HASH_ALG		:=	${TPM_HASH_ALG}
 else
    MBOOT_EL_HASH_ALG		:=	sha256
 endif
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_EL_HASH_ALG}, sha512)
    TPM_ALG_ID			:=	TPM_ALG_SHA512
    TCG_DIGEST_SIZE		:=	64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_EL_HASH_ALG}, sha384)
    TPM_ALG_ID			:=	TPM_ALG_SHA384
    TCG_DIGEST_SIZE		:=	48U
 else
    TPM_ALG_ID			:=	TPM_ALG_SHA256
    TCG_DIGEST_SIZE		:=	32U
-endif #TPM_HASH_ALG
+endif #MBOOT_EL_HASH_ALG
 # Set definitions for Measured Boot driver.
 $(eval $(call add_defines,\
--- a/drivers/measured_boot/rss/rss_measured_boot.mk
+++ b/drivers/measured_boot/rss/rss_measured_boot.mk
@ -6,21 +6,18 @@
 # Hash algorithm for measured boot
 # SHA-256 (or stronger) is required.
-# TODO: The measurement algorithm incorrectly suggests that the TPM backend
+MBOOT_RSS_HASH_ALG		:=	sha256
 #       is used which may not be the case. It is currently being worked on and
 #       soon TPM_HASH_ALG will be replaced by a more generic name.
 TPM_HASH_ALG			:=	sha256
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_RSS_HASH_ALG}, sha512)
    MBOOT_ALG_ID		:=	MBOOT_ALG_SHA512
    MBOOT_DIGEST_SIZE		:=	64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_RSS_HASH_ALG}, sha384)
    MBOOT_ALG_ID		:=	MBOOT_ALG_SHA384
    MBOOT_DIGEST_SIZE		:=	48U
 else
    MBOOT_ALG_ID		:=	MBOOT_ALG_SHA256
    MBOOT_DIGEST_SIZE		:=	32U
-endif #TPM_HASH_ALG
+endif #MBOOT_RSS_HASH_ALG
 # Set definitions for Measured Boot driver.
 $(eval $(call add_defines,\
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -80,8 +80,7 @@
 #define	MBEDTLS_SHA512_C
 #else
   /* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
 	(TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
 #define MBEDTLS_SHA512_C
 #endif
 #endif
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@ -375,6 +375,10 @@ ifeq (${MEASURED_BOOT},1)
    $(info Including ${RSS_MEASURED_BOOT_MK})
    include ${RSS_MEASURED_BOOT_MK}
    ifneq (${MBOOT_RSS_HASH_ALG}, sha256)
        $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
    endif
    BL1_SOURCES		+=	${MEASURED_BOOT_SOURCES}
    BL2_SOURCES		+=	${MEASURED_BOOT_SOURCES}
 endif
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@ -401,6 +401,10 @@ ifeq (${MEASURED_BOOT},1)
    $(info Including ${MEASURED_BOOT_MK})
    include ${MEASURED_BOOT_MK}
    ifneq (${MBOOT_EL_HASH_ALG}, sha256)
        $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
    endif
    BL1_SOURCES		+= 	${EVENT_LOG_SOURCES}
    BL2_SOURCES		+= 	${EVENT_LOG_SOURCES}
 endif