Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-18 02:24:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge "refactor(security): add OpenSSL 1.x compatibility" into integration

Browse source
This commit is contained in:
Manish V Badarkhe 2022-11-11 19:59:58 +01:00 committed by TrustedFirmware Code Review
commit 797d7446a0
15 changed files with 264 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Makefile
View file

@ -1470,7 +1470,7 @@ checkpatch: locate-checkpatch
certtool: ${CRTTOOL} certtool: ${CRTTOOL}
${CRTTOOL}: FORCE ${CRTTOOL}: FORCE
${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} OPENSSL_DIR=${OPENSSL_DIR} CRTTOOL=${CRTTOOL} --no-print-directory -C ${CRTTOOLPATH} ${Q}${MAKE} PLAT=${PLAT} USE_TBBR_DEFS=${USE_TBBR_DEFS} COT=${COT} OPENSSL_DIR=${OPENSSL_DIR} CRTTOOL=${CRTTOOL} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${CRTTOOLPATH}
@${ECHO_BLANK_LINE} @${ECHO_BLANK_LINE}
@echo "Built $@ successfully" @echo "Built $@ successfully"
@${ECHO_BLANK_LINE} @${ECHO_BLANK_LINE}
@ -1515,7 +1515,7 @@ fwu_fip: ${BUILD_PLAT}/${FWU_FIP_NAME}
${FIPTOOL}: FORCE ${FIPTOOL}: FORCE
ifdef UNIX_MK ifdef UNIX_MK
${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} --no-print-directory -C ${FIPTOOLPATH} ${Q}${MAKE} CPPFLAGS="-DVERSION='\"${VERSION_STRING}\"'" FIPTOOL=${FIPTOOL} OPENSSL_DIR=${OPENSSL_DIR} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${FIPTOOLPATH}
else else
# Clear the MAKEFLAGS as we do not want # Clear the MAKEFLAGS as we do not want
# to pass the gnumake flags to nmake. # to pass the gnumake flags to nmake.
@ -1536,7 +1536,7 @@ doc:
enctool: ${ENCTOOL} enctool: ${ENCTOOL}
${ENCTOOL}: FORCE ${ENCTOOL}: FORCE
${Q}${MAKE} PLAT=${PLAT} BUILD_INFO=0 OPENSSL_DIR=${OPENSSL_DIR} ENCTOOL=${ENCTOOL} --no-print-directory -C ${ENCTOOLPATH} ${Q}${MAKE} PLAT=${PLAT} BUILD_INFO=0 OPENSSL_DIR=${OPENSSL_DIR} ENCTOOL=${ENCTOOL} DEBUG=${DEBUG} V=${V} --no-print-directory -C ${ENCTOOLPATH}
@${ECHO_BLANK_LINE} @${ECHO_BLANK_LINE}
@echo "Built $@ successfully" @echo "Built $@ successfully"
@${ECHO_BLANK_LINE} @${ECHO_BLANK_LINE}

10
docs/getting_started/prerequisites.rst
View file

@ -54,15 +54,15 @@ The following tools are required to obtain and build |TF-A|:
The following libraries must be available to build one or more components or The following libraries must be available to build one or more components or
supporting tools: supporting tools:
- OpenSSL >= 3.0 - OpenSSL >= 1.1.1 (v3.0.0 to v3.0.6 highly discouraged due to security issues)
Required to build the cert_create tool. Required to build the cert_create, encrypt_fw, and fiptool tools.
.. note:: .. note::
OpenSSL 3.0 has to be built from source code, as it's not available in If using OpenSSL 3, older Linux versions may require it to be built from
the default package repositories in recent Ubuntu versions. Please refer source code, as it may not be available in the default package repositories.
to the OpenSSL project documentation for more information. Please refer to the OpenSSL project documentation for more information.
The following libraries are required for Trusted Board Boot and Measured Boot The following libraries are required for Trusted Board Boot and Measured Boot
support: support:

16
make_helpers/build_macros.mk
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. # Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
# #
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
# #
@ -238,6 +238,20 @@ check_$(1):
$(check_$(1)_cmd) $(check_$(1)_cmd)
endef endef
# SELECT_OPENSSL_API_VERSION selects the OpenSSL API version to be used to
# build the host tools by checking the version of OpenSSL located under
# the path defined by the OPENSSL_DIR variable. It receives no parameters.
define SELECT_OPENSSL_API_VERSION
# Set default value for USING_OPENSSL3 macro to 0
$(eval USING_OPENSSL3 = 0)
# Obtain the OpenSSL version for the build located under OPENSSL_DIR
$(eval OPENSSL_INFO := $(shell LD_LIBRARY_PATH=${OPENSSL_DIR}:${OPENSSL_DIR}/lib ${OPENSSL_BIN_PATH}/openssl version))
$(eval OPENSSL_CURRENT_VER = $(word 2, ${OPENSSL_INFO}))
$(eval OPENSSL_CURRENT_VER_MAJOR = $(firstword $(subst ., ,$(OPENSSL_CURRENT_VER))))
# If OpenSSL version is 3.x, then set USING_OPENSSL3 flag to 1
$(if $(filter 3,$(OPENSSL_CURRENT_VER_MAJOR)), $(eval USING_OPENSSL3 = 1))
endef
################################################################################ ################################################################################
# Generic image processing filters # Generic image processing filters
################################################################################ ################################################################################

2
make_helpers/defaults.mk
View file

@ -419,7 +419,7 @@ RAS_TRAP_NS_ERR_REC_ACCESS := 0
# Build option to create cot descriptors using fconf # Build option to create cot descriptors using fconf
COT_DESC_IN_DTB := 0 COT_DESC_IN_DTB := 0
# Build option to provide openssl directory path # Build option to provide OpenSSL directory path
OPENSSL_DIR := /usr OPENSSL_DIR := /usr
# Select the openssl binary provided in OPENSSL_DIR variable # Select the openssl binary provided in OPENSSL_DIR variable

20
tools/cert_create/Makefile
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. # Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
# #
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
# #
@ -9,12 +9,12 @@ V ?= 0
DEBUG := 0 DEBUG := 0
CRTTOOL ?= cert_create${BIN_EXT} CRTTOOL ?= cert_create${BIN_EXT}
BINARY := $(notdir ${CRTTOOL}) BINARY := $(notdir ${CRTTOOL})
OPENSSL_DIR := /usr
COT := tbbr COT := tbbr
MAKE_HELPERS_DIRECTORY := ../../make_helpers/ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk include ${MAKE_HELPERS_DIRECTORY}build_env.mk
include ${MAKE_HELPERS_DIRECTORY}defaults.mk
ifneq (${PLAT},none) ifneq (${PLAT},none)
TF_PLATFORM_ROOT := ../../plat/ TF_PLATFORM_ROOT := ../../plat/
@ -45,6 +45,10 @@ ifneq (,$(wildcard ${PLAT_CERT_CREATE_HELPER_MK}))
include ${PLAT_CERT_CREATE_HELPER_MK} include ${PLAT_CERT_CREATE_HELPER_MK}
endif endif
# Select OpenSSL version flag according to the OpenSSL build selected
# from setting the OPENSSL_DIR path.
$(eval $(call SELECT_OPENSSL_API_VERSION))
HOSTCCFLAGS := -Wall -std=c99 HOSTCCFLAGS := -Wall -std=c99
ifeq (${DEBUG},1) ifeq (${DEBUG},1)
@ -60,6 +64,9 @@ else
endif endif
HOSTCCFLAGS += ${DEFINES} HOSTCCFLAGS += ${DEFINES}
# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
# computed value.
HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
# Make soft links and include from local directory otherwise wrong headers # Make soft links and include from local directory otherwise wrong headers
# could get pulled in from firmware tree. # could get pulled in from firmware tree.
@ -76,11 +83,11 @@ LIB := -lssl -lcrypto
HOSTCC ?= gcc HOSTCC ?= gcc
.PHONY: all clean realclean .PHONY: all clean realclean --openssl
all: ${BINARY} all: ${BINARY}
${BINARY}: ${OBJECTS} Makefile ${BINARY}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@" @echo " HOSTLD $@"
@echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__; \ @echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__; \
const char platform_msg[] = "${PLAT_MSG}";' | \ const char platform_msg[] = "${PLAT_MSG}";' | \
@ -91,6 +98,11 @@ ${BINARY}: ${OBJECTS} Makefile
@echo " HOSTCC $<" @echo " HOSTCC $<"
${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@ ${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
--openssl:
ifeq ($(DEBUG),1)
@echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
endif
clean: clean:
$(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS}) $(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})

3
tools/cert_create/include/cert.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -54,6 +54,7 @@ int cert_new(
int days, int days,
int ca, int ca,
STACK_OF(X509_EXTENSION) * sk); STACK_OF(X509_EXTENSION) * sk);
void cert_cleanup(void);
/* Macro to register the certificates used in the CoT */ /* Macro to register the certificates used in the CoT */
#define REGISTER_COT(_certs) \ #define REGISTER_COT(_certs) \

3
tools/cert_create/include/ext.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -72,6 +72,7 @@ X509_EXTENSION *ext_new_hash(int nid, int crit, const EVP_MD *md,
unsigned char *buf, size_t len); unsigned char *buf, size_t len);
X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value); X509_EXTENSION *ext_new_nvcounter(int nid, int crit, int value);
X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k); X509_EXTENSION *ext_new_key(int nid, int crit, EVP_PKEY *k);
void ext_cleanup(void);
/* Macro to register the extensions used in the CoT */ /* Macro to register the extensions used in the CoT */
#define REGISTER_EXTENSIONS(_ext) \ #define REGISTER_EXTENSIONS(_ext) \

5
tools/cert_create/include/key.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -66,10 +66,13 @@ typedef struct key_s {
/* Exported API */ /* Exported API */
int key_init(void); int key_init(void);
key_t *key_get_by_opt(const char *opt); key_t *key_get_by_opt(const char *opt);
#if !USING_OPENSSL3
int key_new(key_t *key); int key_new(key_t *key);
#endif
int key_create(key_t *key, int type, int key_bits); int key_create(key_t *key, int type, int key_bits);
int key_load(key_t *key, unsigned int *err_code); int key_load(key_t *key, unsigned int *err_code);
int key_store(key_t *key); int key_store(key_t *key);
void key_cleanup(void);
/* Macro to register the keys used in the CoT */ /* Macro to register the keys used in the CoT */
#define REGISTER_KEYS(_keys) \ #define REGISTER_KEYS(_keys) \

22
tools/cert_create/src/cert.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -39,7 +39,11 @@ int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
if (!btmp) if (!btmp)
return 0; return 0;
#if USING_OPENSSL3
if (!BN_rand(btmp, SERIAL_RAND_BITS, 0, 0)) if (!BN_rand(btmp, SERIAL_RAND_BITS, 0, 0))
#else
if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
#endif
goto error; goto error;
if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
goto error; goto error;
@ -272,3 +276,19 @@ cert_t *cert_get_by_opt(const char *opt)
return NULL; return NULL;
} }
void cert_cleanup(void)
{
unsigned int i;
for (i = 0; i < num_certs; i++) {
if (certs[i].fn != NULL) {
void *ptr = (void *)certs[i].fn;
certs[i].fn = NULL;
free(ptr);
}
}
free(certs);
}

19
tools/cert_create/src/ext.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -315,3 +315,20 @@ ext_t *ext_get_by_opt(const char *opt)
return NULL; return NULL;
} }
void ext_cleanup(void)
{
unsigned int i;
for (i = 0; i < num_extensions; i++) {
if (extensions[i].arg != NULL) {
void *ptr = (void *)extensions[i].arg;
extensions[i].arg = NULL;
free(ptr);
}
}
free(extensions);
X509V3_EXT_cleanup();
}

88
tools/cert_create/src/key.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -24,6 +24,7 @@
key_t *keys; key_t *keys;
unsigned int num_keys; unsigned int num_keys;
#if !USING_OPENSSL3
/* /*
* Create a new key container * Create a new key container
*/ */
@ -37,9 +38,11 @@ int key_new(key_t *key)
return 1; return 1;
} }
#endif
static int key_create_rsa(key_t *key, int key_bits) static int key_create_rsa(key_t *key, int key_bits)
{ {
#if USING_OPENSSL3
EVP_PKEY *rsa = EVP_RSA_gen(key_bits); EVP_PKEY *rsa = EVP_RSA_gen(key_bits);
if (rsa == NULL) { if (rsa == NULL) {
printf("Cannot generate RSA key\n"); printf("Cannot generate RSA key\n");
@ -47,11 +50,52 @@ static int key_create_rsa(key_t *key, int key_bits)
} }
key->key = rsa; key->key = rsa;
return 1; return 1;
#else
BIGNUM *e;
RSA *rsa = NULL;
e = BN_new();
if (e == NULL) {
printf("Cannot create RSA exponent\n");
return 0;
}
if (!BN_set_word(e, RSA_F4)) {
printf("Cannot assign RSA exponent\n");
goto err2;
}
rsa = RSA_new();
if (rsa == NULL) {
printf("Cannot create RSA key\n");
goto err2;
}
if (!RSA_generate_key_ex(rsa, key_bits, e, NULL)) {
printf("Cannot generate RSA key\n");
goto err;
}
if (!EVP_PKEY_assign_RSA(key->key, rsa)) {
printf("Cannot assign RSA key\n");
goto err;
}
BN_free(e);
return 1;
err:
RSA_free(rsa);
err2:
BN_free(e);
return 0;
#endif
} }
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
static int key_create_ecdsa(key_t *key, int key_bits) static int key_create_ecdsa(key_t *key, int key_bits)
{ {
#if USING_OPENSSL3
EVP_PKEY *ec = EVP_EC_gen("prime256v1"); EVP_PKEY *ec = EVP_EC_gen("prime256v1");
if (ec == NULL) { if (ec == NULL) {
printf("Cannot generate EC key\n"); printf("Cannot generate EC key\n");
@ -59,6 +103,31 @@ static int key_create_ecdsa(key_t *key, int key_bits)
} }
key->key = ec; key->key = ec;
return 1; return 1;
#else
EC_KEY *ec;
ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ec == NULL) {
printf("Cannot create EC key\n");
return 0;
}
if (!EC_KEY_generate_key(ec)) {
printf("Cannot generate EC key\n");
goto err;
}
EC_KEY_set_flags(ec, EC_PKEY_NO_PARAMETERS);
EC_KEY_set_asn1_flag(ec, OPENSSL_EC_NAMED_CURVE);
if (!EVP_PKEY_assign_EC_KEY(key->key, ec)) {
printf("Cannot assign EC key\n");
goto err;
}
return 1;
err:
EC_KEY_free(ec);
return 0;
#endif
} }
#endif /* OPENSSL_NO_EC */ #endif /* OPENSSL_NO_EC */
@ -194,3 +263,20 @@ key_t *key_get_by_opt(const char *opt)
return NULL; return NULL;
} }
void key_cleanup(void)
{
unsigned int i;
for (i = 0; i < num_keys; i++) {
EVP_PKEY_free(keys[i].key);
if (keys[i].fn != NULL) {
void *ptr = keys[i].fn;
free(ptr);
keys[i].fn = NULL;
}
}
free(keys);
}

32
tools/cert_create/src/main.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -430,10 +430,12 @@ int main(int argc, char *argv[])
/* Load private keys from files (or generate new ones) */ /* Load private keys from files (or generate new ones) */
for (i = 0 ; i < num_keys ; i++) { for (i = 0 ; i < num_keys ; i++) {
#if !USING_OPENSSL3
if (!key_new(&keys[i])) { if (!key_new(&keys[i])) {
ERROR("Failed to allocate key container\n"); ERROR("Failed to allocate key container\n");
exit(1); exit(1);
} }
#endif
/* First try to load the key from disk */ /* First try to load the key from disk */
if (key_load(&keys[i], &err_code)) { if (key_load(&keys[i], &err_code)) {
@ -594,9 +596,7 @@ int main(int argc, char *argv[])
/* If we got here, then we must have filled the key array completely. /* If we got here, then we must have filled the key array completely.
* We can then safely call free on all of the keys in the array * We can then safely call free on all of the keys in the array
*/ */
for (i = 0; i < num_keys; i++) { key_cleanup();
EVP_PKEY_free(keys[i].key);
}
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup(); ENGINE_cleanup();
@ -605,30 +605,10 @@ int main(int argc, char *argv[])
/* We allocated strings through strdup, so now we have to free them */ /* We allocated strings through strdup, so now we have to free them */
for (i = 0; i < num_keys; i++) {
if (keys[i].fn != NULL) {
void *ptr = keys[i].fn;
keys[i].fn = NULL; ext_cleanup();
free(ptr);
}
}
for (i = 0; i < num_extensions; i++) {
if (extensions[i].arg != NULL) {
void *ptr = (void *)extensions[i].arg;
extensions[i].arg = NULL; cert_cleanup();
free(ptr);
}
}
for (i = 0; i < num_certs; i++) {
if (certs[i].fn != NULL) {
void *ptr = (void *)certs[i].fn;
certs[i].fn = NULL;
free(ptr);
}
}
return 0; return 0;
} }

46
tools/cert_create/src/sha.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved. * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
* *
* SPDX-License-Identifier: BSD-3-Clause * SPDX-License-Identifier: BSD-3-Clause
*/ */
@ -7,11 +7,16 @@
#include <stdio.h> #include <stdio.h>
#include "debug.h" #include "debug.h"
#include "key.h" #include "key.h"
#if USING_OPENSSL3
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/obj_mac.h> #include <openssl/obj_mac.h>
#else
#include <openssl/sha.h>
#endif
#define BUFFER_SIZE 256 #define BUFFER_SIZE 256
#if USING_OPENSSL3
static int get_algorithm_nid(int hash_alg) static int get_algorithm_nid(int hash_alg)
{ {
int nids[] = {NID_sha256, NID_sha384, NID_sha512}; int nids[] = {NID_sha256, NID_sha384, NID_sha512};
@ -20,16 +25,22 @@ static int get_algorithm_nid(int hash_alg)
} }
return nids[hash_alg]; return nids[hash_alg];
} }
#endif
int sha_file(int md_alg, const char *filename, unsigned char *md) int sha_file(int md_alg, const char *filename, unsigned char *md)
{ {
FILE *inFile; FILE *inFile;
int bytes;
unsigned char data[BUFFER_SIZE];
#if USING_OPENSSL3
EVP_MD_CTX *mdctx; EVP_MD_CTX *mdctx;
const EVP_MD *md_type; const EVP_MD *md_type;
int bytes;
int alg_nid; int alg_nid;
unsigned int total_bytes; unsigned int total_bytes;
unsigned char data[BUFFER_SIZE]; #else
SHA256_CTX shaContext;
SHA512_CTX sha512Context;
#endif
if ((filename == NULL) || (md == NULL)) { if ((filename == NULL) || (md == NULL)) {
ERROR("%s(): NULL argument\n", __func__); ERROR("%s(): NULL argument\n", __func__);
@ -42,6 +53,8 @@ int sha_file(int md_alg, const char *filename, unsigned char *md)
return 0; return 0;
} }
#if USING_OPENSSL3
mdctx = EVP_MD_CTX_new(); mdctx = EVP_MD_CTX_new();
if (mdctx == NULL) { if (mdctx == NULL) {
fclose(inFile); fclose(inFile);
@ -74,5 +87,32 @@ err:
fclose(inFile); fclose(inFile);
EVP_MD_CTX_free(mdctx); EVP_MD_CTX_free(mdctx);
return 0; return 0;
#else
if (md_alg == HASH_ALG_SHA384) {
SHA384_Init(&sha512Context);
while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
SHA384_Update(&sha512Context, data, bytes);
}
SHA384_Final(md, &sha512Context);
} else if (md_alg == HASH_ALG_SHA512) {
SHA512_Init(&sha512Context);
while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
SHA512_Update(&sha512Context, data, bytes);
}
SHA512_Final(md, &sha512Context);
} else {
SHA256_Init(&shaContext);
while ((bytes = fread(data, 1, BUFFER_SIZE, inFile)) != 0) {
SHA256_Update(&shaContext, data, bytes);
}
SHA256_Final(md, &shaContext);
}
fclose(inFile);
return 1;
#endif
} }

27
tools/encrypt_fw/Makefile
View file

@ -11,15 +11,21 @@ ENCTOOL ?= encrypt_fw${BIN_EXT}
BINARY := $(notdir ${ENCTOOL}) BINARY := $(notdir ${ENCTOOL})
OPENSSL_DIR := /usr OPENSSL_DIR := /usr
MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk
include ${MAKE_HELPERS_DIRECTORY}defaults.mk
OBJECTS := src/encrypt.o \ OBJECTS := src/encrypt.o \
src/cmd_opt.o \ src/cmd_opt.o \
src/main.o src/main.o
HOSTCCFLAGS := -Wall -std=c99 HOSTCCFLAGS := -Wall -std=c99
MAKE_HELPERS_DIRECTORY := ../../make_helpers/ # Select OpenSSL version flag according to the OpenSSL build selected
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk # from setting the OPENSSL_DIR path.
include ${MAKE_HELPERS_DIRECTORY}build_env.mk $(eval $(call SELECT_OPENSSL_API_VERSION))
ifeq (${DEBUG},1) ifeq (${DEBUG},1)
HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40 HOSTCCFLAGS += -g -O0 -DDEBUG -DLOG_LEVEL=40
@ -36,6 +42,12 @@ else
Q := Q :=
endif endif
HOSTCCFLAGS += ${DEFINES}
# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
# computed value.
HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
# Make soft links and include from local directory otherwise wrong headers # Make soft links and include from local directory otherwise wrong headers
# could get pulled in from firmware tree. # could get pulled in from firmware tree.
INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include INC_DIR := -I ./include -I ../../include/tools_share -I ${OPENSSL_DIR}/include
@ -51,11 +63,11 @@ LIB := -lssl -lcrypto
HOSTCC ?= gcc HOSTCC ?= gcc
.PHONY: all clean realclean .PHONY: all clean realclean --openssl
all: ${BINARY} all: ${BINARY}
${BINARY}: ${OBJECTS} Makefile ${BINARY}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@" @echo " HOSTLD $@"
@echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__;' | \ @echo 'const char build_msg[] = "Built : "__TIME__", "__DATE__;' | \
${HOSTCC} -c ${HOSTCCFLAGS} -xc - -o src/build_msg.o ${HOSTCC} -c ${HOSTCCFLAGS} -xc - -o src/build_msg.o
@ -65,6 +77,11 @@ ${BINARY}: ${OBJECTS} Makefile
@echo " HOSTCC $<" @echo " HOSTCC $<"
${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@ ${Q}${HOSTCC} -c ${HOSTCCFLAGS} ${INC_DIR} $< -o $@
--openssl:
ifeq ($(DEBUG),1)
@echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
endif
clean: clean:
$(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS}) $(call SHELL_DELETE_ALL, src/build_msg.o ${OBJECTS})

22
tools/fiptool/Makefile
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2014-2022, ARM Limited and Contributors. All rights reserved. # Copyright (c) 2014-2022, Arm Limited and Contributors. All rights reserved.
# #
# SPDX-License-Identifier: BSD-3-Clause # SPDX-License-Identifier: BSD-3-Clause
# #
@ -7,6 +7,7 @@
MAKE_HELPERS_DIRECTORY := ../../make_helpers/ MAKE_HELPERS_DIRECTORY := ../../make_helpers/
include ${MAKE_HELPERS_DIRECTORY}build_macros.mk include ${MAKE_HELPERS_DIRECTORY}build_macros.mk
include ${MAKE_HELPERS_DIRECTORY}build_env.mk include ${MAKE_HELPERS_DIRECTORY}build_env.mk
include ${MAKE_HELPERS_DIRECTORY}defaults.mk
FIPTOOL ?= fiptool${BIN_EXT} FIPTOOL ?= fiptool${BIN_EXT}
PROJECT := $(notdir ${FIPTOOL}) PROJECT := $(notdir ${FIPTOOL})
@ -23,6 +24,15 @@ else
HOSTCCFLAGS += -O2 HOSTCCFLAGS += -O2
endif endif
# Select OpenSSL version flag according to the OpenSSL build selected
# from setting the OPENSSL_DIR path.
$(eval $(call SELECT_OPENSSL_API_VERSION))
HOSTCCFLAGS += ${DEFINES}
# USING_OPENSSL3 flag will be added to the HOSTCCFLAGS variable with the proper
# computed value.
HOSTCCFLAGS += -DUSING_OPENSSL3=$(USING_OPENSSL3)
# Include library directories where OpenSSL library files are located. # Include library directories where OpenSSL library files are located.
# For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or # For a normal installation (i.e.: when ${OPENSSL_DIR} = /usr or
# /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/ # /usr/local), binaries are located under the ${OPENSSL_DIR}/lib/
@ -51,11 +61,11 @@ ifneq (,$(wildcard ${PLAT_FIPTOOL_HELPER_MK}))
include ${PLAT_FIPTOOL_HELPER_MK} include ${PLAT_FIPTOOL_HELPER_MK}
endif endif
.PHONY: all clean distclean .PHONY: all clean distclean --openssl
all: ${PROJECT} all: ${PROJECT}
${PROJECT}: ${OBJECTS} Makefile ${PROJECT}: --openssl ${OBJECTS} Makefile
@echo " HOSTLD $@" @echo " HOSTLD $@"
${Q}${HOSTCC} ${OBJECTS} -o $@ ${LDLIBS} ${Q}${HOSTCC} ${OBJECTS} -o $@ ${LDLIBS}
@${ECHO_BLANK_LINE} @${ECHO_BLANK_LINE}
@ -66,5 +76,11 @@ ${PROJECT}: ${OBJECTS} Makefile
@echo " HOSTCC $<" @echo " HOSTCC $<"
${Q}${HOSTCC} -c ${CPPFLAGS} ${HOSTCCFLAGS} ${INCLUDE_PATHS} $< -o $@ ${Q}${HOSTCC} -c ${CPPFLAGS} ${HOSTCCFLAGS} ${INCLUDE_PATHS} $< -o $@
--openssl:
ifeq ($(DEBUG),1)
@echo "Selected OpenSSL version: ${OPENSSL_CURRENT_VER}"
endif
clean: clean:
$(call SHELL_DELETE_ALL, ${PROJECT} ${OBJECTS}) $(call SHELL_DELETE_ALL, ${PROJECT} ${OBJECTS})