From 9a3088a5f509084e60d9c55bf53985c5ec4ca821 Mon Sep 17 00:00:00 2001 From: Qixiang Xu Date: Thu, 9 Nov 2017 13:56:29 +0800 Subject: [PATCH] tbbr: Add build flag HASH_ALG to let the user to select the SHA The flag support the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu --- docs/user-guide.rst | 6 ++++- drivers/auth/mbedtls/mbedtls_crypto.c | 3 ++- drivers/auth/mbedtls/mbedtls_crypto.mk | 24 ++++++++++++++++++- drivers/auth/tbbr/tbbr_cot.c | 2 +- include/drivers/auth/mbedtls/mbedtls_config.h | 10 ++++++++ make_helpers/tbbr/tbbr_tools.mk | 1 + 6 files changed, 42 insertions(+), 4 deletions(-) diff --git a/docs/user-guide.rst b/docs/user-guide.rst index 172e7932c..0eecde90a 100644 --- a/docs/user-guide.rst +++ b/docs/user-guide.rst @@ -425,11 +425,15 @@ Common build options - ``KEY_ALG``: This build flag enables the user to select the algorithm to be used for generating the PKCS keys and subsequent signing of the certificate. - It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is + It accepts 3 values viz. ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is retained only for compatibility. The default value of this flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme. +- ``HASH_ALG``: This build flag enables the user to select the secure hash + algorithm. It accepts 3 values viz. ``sha256``, ``sha384``, ``sha512``. + The default value of this flag is ``sha256``. + - ``LDFLAGS``: Extra user options appended to the linkers' command line in addition to the one set by the build system. diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c index d8810d6db..bc9ed3a85 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.c +++ b/drivers/auth/mbedtls/mbedtls_crypto.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -7,6 +7,7 @@ #include #include #include +#include #include #include diff --git a/drivers/auth/mbedtls/mbedtls_crypto.mk b/drivers/auth/mbedtls/mbedtls_crypto.mk index d6fc7eb53..8eb4873d9 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.mk +++ b/drivers/auth/mbedtls/mbedtls_crypto.mk @@ -37,9 +37,30 @@ MBEDTLS_CRYPTO_SOURCES := drivers/auth/mbedtls/mbedtls_crypto.c \ pk_wrap.c \ pkparse.c \ pkwrite.c \ - sha256.c \ ) +ifeq (${HASH_ALG}, sha384) + MBEDTLS_CRYPTO_SOURCES += \ + $(addprefix ${MBEDTLS_DIR}/library/, \ + sha256.c \ + sha512.c \ + ) + TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384 +else ifeq (${HASH_ALG}, sha512) + MBEDTLS_CRYPTO_SOURCES += \ + $(addprefix ${MBEDTLS_DIR}/library/, \ + sha256.c \ + sha512.c \ + ) + TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA512 +else + MBEDTLS_CRYPTO_SOURCES += \ + $(addprefix ${MBEDTLS_DIR}/library/, \ + sha256.c \ + ) + TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA256 +endif + # Key algorithm specific files MBEDTLS_ECDSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ ecdsa.c \ @@ -67,6 +88,7 @@ endif # Needs to be set to drive mbed TLS configuration correctly $(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID)) +$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID)) BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES} BL2_SOURCES += ${MBEDTLS_CRYPTO_SOURCES} diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c index 4aaab390f..01d6fb5a3 100644 --- a/drivers/auth/tbbr/tbbr_cot.c +++ b/drivers/auth/tbbr/tbbr_cot.c @@ -19,7 +19,7 @@ * Maximum key and hash sizes (in DER format) */ #define PK_DER_LEN 294 -#define HASH_DER_LEN 51 +#define HASH_DER_LEN 83 /* * The platform must allocate buffers to store the authentication parameters 
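Review bot: The bare `else` branch of the new `HASH_ALG` conditional in mbedtls_crypto.mk treats every value other than `sha384` and `sha512` as SHA-256, so a misspelled value such as `SHA512` silently builds the firmware with `TF_MBEDTLS_SHA256` instead of failing. The tbbr_tools.mk hunk forwards the same raw `${HASH_ALG}` to the certificate tool as `--hash-alg`, and whether the tool rejects an unknown value is not visible here, so the image and the certificates may be configured from different readings of one flag. Rejecting unknown values ahead of the conditional closes this: `ifneq ($(filter-out sha256 sha384 sha512,${HASH_ALG}),)`, `$(error Unsupported HASH_ALG '${HASH_ALG}')`, `endif`; an empty value still falls through to the sha256 default. The `sha384` and `sha512` branches also add the same two sources and could share one branch that differs only in `TF_MBEDTLS_HASH_ALG_ID`.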
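Review bot: The new `HASH_DER_LEN 83` in tbbr_cot.c is an unexplained magic number, and it now has to stay in step with the largest digest that `HASH_ALG` can select. The value matches a DER DigestInfo carrying a SHA-512 digest (19 bytes of header plus 64 bytes of digest), as 51 did for SHA-256, so a comment would keep a later algorithm addition from leaving the hash buffers undersized: `#define HASH_DER_LEN 83 /* DER DigestInfo: 19-byte header + 64-byte SHA-512 digest */`. The constant is unconditional, so SHA-256 builds reserve the larger size as well; that looks intentional but is worth stating in the same comment. The buffers sized by this macro are declared outside the hunk.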
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h index 96587acae..f8f260808 100644 --- a/include/drivers/auth/mbedtls/mbedtls_config.h +++ b/include/drivers/auth/mbedtls/mbedtls_config.h @@ -13,6 +13,13 @@ #define TF_MBEDTLS_ECDSA 2 #define TF_MBEDTLS_RSA_AND_ECDSA 3 +/* + * Hash algorithms currently supported on mbed TLS libraries + */ +#define TF_MBEDTLS_SHA256 1 +#define TF_MBEDTLS_SHA384 2 +#define TF_MBEDTLS_SHA512 3 + /* * Configuration file to build mbed TLS with the required features for * Trusted Boot @@ -66,6 +73,9 @@ #endif #define MBEDTLS_SHA256_C +#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) +#define MBEDTLS_SHA512_C +#endif #define MBEDTLS_VERSION_C diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk index 712fa6f61..b13afe488 100644 --- a/make_helpers/tbbr/tbbr_tools.mk +++ b/make_helpers/tbbr/tbbr_tools.mk @@ -54,6 +54,7 @@ $(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert)) # packed in the FIP). Developers can use their own keys by specifying the proper # build option in the command line when building the Trusted Firmware $(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg))) +$(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg))) $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key))) $(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key))) $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))
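Review bot: The added `#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)` in mbedtls_config.h evaluates an undefined `TF_MBEDTLS_HASH_ALG_ID` as 0, so any build that includes this header without the define from mbedtls_crypto.mk enables `MBEDTLS_SHA512_C` with no diagnostic. A guard ahead of the test makes the misconfiguration visible: `#if !defined(TF_MBEDTLS_HASH_ALG_ID)`, `#error "TF_MBEDTLS_HASH_ALG_ID is not defined"`, `#endif`. `MBEDTLS_SHA256_C` also stays defined for every setting, so from these hunks it is not clear that choosing `sha384` or `sha512` makes the verifier refuse SHA-256 digests; that check, if it exists, is outside the visible code.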