aboutsummaryrefslogtreecommitdiff
path: root/drivers/auth/mbedtls/mbedtls_common.mk
AgeCommit message (Collapse)Author
2024-03-13refactor(mbedtls): remove mbedtls 2.x supportlaurenw-arm
Deprecation notice was sent to the community and no objection was raised, so removing mbedtls 2.x support. Change-Id: Id3eb98b55692df98aabe6a7c5a5ec910222c8abd Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2023-11-13build(mbedtls): add deprecation noticeGovindraj Raja
Add a deprecation notice for building TF-A with mbedtls-2.x This was notified earlier in TF-A mailing list: https://lists.trustedfirmware.org/archives/list/tf-a@lists.trustedfirmware.org/message/YDPOPASMGEQBCOI5TKUSD3V3J75NAT7A/ We will be removing support to build TF-A with mbedtls-2.x after TF-A 2.10 release. Change-Id: I669b423ee9af9f5c5255fce370413fffaf38e8eb Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
2023-10-13feat(auth): ecdsa p384 key supportlaurenw-arm
Use KEY_SIZE 384 to enable ECDSA P384 key support by setting MBEDTLS_ECP_DP_SECP384R1_ENABLED. Selected by setting KEY_ALG=ecdsa and KEY_SIZE=384. Change-Id: I382f34fc4da98f166a2aada5d16fdf44632b47f5 Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
2023-10-04feat(mbedtls-psa): introduce PSA_CRYPTO build optionManish V Badarkhe
This is a preparatory patch to provide MbedTLS PSA Crypto API support, with below changes - 1. Added a build macro PSA_CRYPTO to enable the MbedTLS PSA Crypto API support in the subsequent patches. 2. Compile necessary PSA crypto files from MbedTLS source code when PSA_CRYPTO=1. Also, marked PSA_CRYPTO as an experimental feature. Change-Id: I45188f56c5c98b169b2e21e365150b1825c6c450 Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
2023-02-21feat(mbedtls): add support for mbedtls-3.3Govindraj Raja
TF-A support for mbedtls3.x has been overdue by number of releases. As per mbedtls support it was advised to use latest and greatest mbedtls-3.3. But mbedtls-3.x breaks API compatibility with mbedtls-2.x To maintain comptability for mbedtls-2.x and enable mbedtls-3.x support add a functionality into makefile to determine the major version of mbedtls and use that to selective include or compile files that are present. With mbedtls-3.x numerous other config changes have been done. Some of the config options deprecated or enabled by default. Thus we decided to introduce a new 3.x config file part of this change for building TF-A with mbedtls-3.3. For futher information on migrating to mbedtls 3.x refer to: https://github.com/Mbed-TLS/mbedtls/blob/development/docs/3.0-migration-guide.md Change-Id: Ia8106d6f526809df927d608db27fe149623258ed Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
2022-11-25build: enable adding MbedTLS files for platformMate Toth-Pal
The platform.mk can add extra MbedTLS source files to LIBMBEDTLS_SRC. Change-Id: Ida9abfd59d8b02eae23ec0a7f326db060b42bf49 Signed-off-by: Mate Toth-Pal <mate.toth-pal@arm.com>
2022-06-16refactor(measured-boot): mb algorithm selectionlaurenw-arm
With RSS now introduced, we have 2 Measured Boot backends. Both backends can be used in the same firmware build with potentially different hash algorithms, so now there can be more than one hash algorithm in a build. Therefore the logic for selecting the measured boot hash algorithm needs to be updated and the coordination of algorithm selection added. This is done by: - Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm to replace TPM_HASH_ALG, removing reference to TPM. - Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to replace TPM_HASH_ALG. - Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the Measured Boot configuration macros through defining TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either backend requires a stronger algorithm than SHA-256. Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com> Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
2022-04-25build(deps): upgrade to mbed TLS 2.28.0Sandrine Bailleux
Upgrade to the latest and greatest 2.x release of Mbed TLS library (i.e. v2.28.0) to take advantage of their bug fixes. Note that the Mbed TLS project published version 3.x some time ago. However, as this is a major release with API breakages, upgrading to 3.x might require some more involved changes in TF-A, which we are not ready to do. We shall upgrade to mbed TLS 3.x after the v2.7 release of TF-A. Actually, the upgrade this time simply boils down to including the new source code module 'constant_time.c' into the firmware. To quote mbed TLS v2.28.0 release notes [1]: The mbedcrypto library includes a new source code module constant_time.c, containing various functions meant to resist timing side channel attacks. This module does not have a separate configuration option, and functions from this module will be included in the build as required. As a matter of fact, if one is attempting to link TF-A against mbed TLS v2.28.0 without the present patch, one gets some linker errors due to missing symbols from this new module. Apart from this, none of the items listed in mbed TLS release notes [1] directly affect TF-A. Special note on the following one: Fix a bug in mbedtls_gcm_starts() when the bit length of the iv exceeds 2^32. In TF-A, we do use mbedtls_gcm_starts() when the firmware decryption feature is enabled with AES-GCM as the authenticated decryption algorithm (DECRYPTION_SUPPORT=aes_gcm). However, the iv_len variable which gets passed to mbedtls_gcm_starts() is an unsigned int, i.e. a 32-bit value which by definition is always less than 2**32. Therefore, we are immune to this bug. With this upgrade, the size of BL1 and BL2 binaries does not appear to change on a standard sample test build (with trusted boot and measured boot enabled). [1] https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.0 Change-Id: Icd5dbf527395e9e22c8fd6b77427188bd7237fd6 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
2022-03-01refactor(mbedtls): allow platform to specify their config fileManish V Badarkhe
Common mbedTLS implementation include the fixed configuration file of mbedTLS and that does not gives flexilibility to the platform to include their own mbedTLS configuration. Hence changes are done so that platform can include their own mbedTLS configuration file. Signed-off-by: Lucian Paul-Trifu <lucian.paul-trifu@arm.com> Signed-off-by: Manish V Badarkhe <manish.badarkhe@arm.com> Change-Id: I04546589f67299e26b0a6a6e151cdf1fdb302607
2021-12-08refactor(measured-boot): add generic macros for using Crypto libraryManish V Badarkhe
It doesn't look correct to use mbed TLS defines directly in the Event Log driver as this driver may use another Crypto library in future. Hence mbed TLS Crypto dependency on Event Log driver is removed by introducing generic Crypto defines and uses those in the Event Log driver to call Crypto functions. Also, updated mbed TLS glue layer to map these generic Crypto defines to mbed TLS library defines. Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ibc9c751f60cbce4d3f3cf049b7c53b3d05cc6735
2020-10-01Crypto library: Migrate support to MbedTLS v2.24.0Alexei Fedorov
This patch migrates the mbedcrypto dependency for TF-A to mbedTLS repo v2.24.0 which is the latest release tag. The relevant documentation is updated to reflect the use of new version. Change-Id: I116f44242e8c98e856416ea871d11abd3234dac1 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2020-09-14build_macros.mk: include assert and define loop macrosLeonardo Sandoval
Loop macros make it easier for developers to include new variables to assert or define and also help code code readability on makefiles. Change-Id: I0d21d6e67b3eca8976c4d856ac8ccc02c8bb5ffa Signed-off-by: Leonardo Sandoval <leonardo.sandoval@linaro.org>
2020-07-21TF-A: Add Event Log for Measured BootAlexei Fedorov
This patch adds support for Event Log generation required for Measured Boot functionality. Change-Id: I34f05a33565e6659e78499d62cc6fb00b7d6c2dc Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2020-03-25FVP: Add BL2 hash calculation in BL1Alexei Fedorov
This patch provides support for measured boot by adding calculation of BL2 image hash in BL1 and writing these data in TB_FW_CONFIG DTB. Change-Id: Ic074a7ed19b14956719c271c805b35d147b7cec1 Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
2020-03-06drivers: crypto: Add authenticated decryption frameworkSumit Garg
Add framework for autheticated decryption of data. Currently this patch optionally imports mbedtls library as a backend if build option "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption using AES-GCM algorithm. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
2019-09-12Remove RSA PKCS#1 v1.5 support from cert_toolJustin Chadwell
Support for PKCS#1 v1.5 was deprecated in SHA 1001202 and fully removed in SHA fe199e3, however, cert_tool is still able to generate certificates in that form. This patch fully removes the ability for cert_tool to generate these certificates. Additionally, this patch also fixes a bug where the issuing certificate was a RSA and the issued certificate was EcDSA. In this case, the issued certificate would be signed using PKCS#1 v1.5 instead of RSAPSS per PKCS#1 v2.1, preventing TF-A from verifying the image signatures. Now that PKCS#1 v1.5 support is removed, all certificates that are signed with RSA now use the more modern padding scheme. Change-Id: Id87d7d915be594a1876a73080528d968e65c4e9a Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
2019-09-12Support larger RSA key sizes when using MBEDTLSJustin Chadwell
Previously, TF-A could not support large RSA key sizes as the configuration options passed to MBEDTLS prevented storing and performing calculations with the larger, higher-precision numbers required. With these changes to the arguments passed to MBEDTLS, TF-A now supports using 3072 (3K) and 4096 (4K) keys in certificates. Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
2019-01-04Sanitise includes across codebaseAntonio Nino Diaz
Enforce full include path for includes. Deprecate old paths. The following folders inside include/lib have been left unchanged: - include/lib/cpus/${ARCH} - include/lib/el3_runtime/${ARCH} The reason for this change is that having a global namespace for includes isn't a good idea. It defeats one of the advantages of having folders and it introduces problems that are sometimes subtle (because you may not know the header you are actually including if there are two of them). For example, this patch had to be created because two headers were called the same way: e0ea0928d5b7 ("Fix gpio includes of mt8173 platform to avoid collision."). More recently, this patch has had similar problems: 46f9b2c3a282 ("drivers: add tzc380 support"). This problem was introduced in commit 4ecca33988b9 ("Move include and source files to logical locations"). At that time, there weren't too many headers so it wasn't a real issue. However, time has shown that this creates problems. Platforms that want to preserve the way they include headers may add the removed paths to PLAT_INCLUDES, but this is discouraged. Change-Id: I39dc53ed98f9e297a5966e723d1936d6ccf2fc8f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-09-28Remove all other deprecated interfaces and filesAntonio Nino Diaz
Change-Id: Icd1cdd42afdc78895a9be6c46b414b0a155cfa63 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
2018-08-03Don't include mbebtls include paths in INCLUDESRoberto Vargas
Mbebtls include paths are controlled by the user using the variable MBEDTLS_DIR and they are out of the TF source tree. Since these includes have a different origin it is better to move them to a different variable. This change makes easier for the romlib Makefile to parse the include paths. Change-Id: I3e4c99300f1012bc7f88c6b9f5bc0ec1f7b5aa8d Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-08-03Create a library file for libmbedtlsRoberto Vargas
TF Makefile was linking all the objects files generated for the Mbed TLS library instead of creating a static library that could be used in the linking stage. Change-Id: I8e4cd843ef56033c9d3faeee71601d110b7e4c12 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2018-06-18Move to mbedtls-2.10.0 tagJeenu Viswambharan
To build with the new release, we pick couple of more files from mbedTLS library. Change-Id: I77dfe5723284cb26d4e5c717fb0e6f6dd803cb6b Signed-off-by: Jeenu Viswambharan <jeenu.viswambharan@arm.com>
2018-01-18bl2-el3: Don't compile BL1 when BL2_AT_EL3 is defined in FVPRoberto Vargas
This patch modifies the makefiles to avoid the definition of BL1_SOURCES and BL2_SOURCES in the tbbr makefiles, and it lets to the platform makefiles to define them if they actually need these images. In the case of BL2_AT_EL3 BL1 will not be needed usually because the Boot ROM will jump directly to BL2. Change-Id: Ib6845a260633a22a646088629bcd7387fe35dcf9 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
2017-05-03Use SPDX license identifiersdp-arm
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
2016-01-05Always build with '-pedantic'Sandrine Bailleux
By default ARM TF is built with the '-pedantic' compiler flag, which helps detecting violations of the C standard. However, the mbed TLS library and its associated authentication module in TF used to fail building with this compiler flag. As a workaround, the mbed TLS authentication module makefile used to set the 'DISABLE_PEDANTIC' TF build flag. The compiler errors flagged by '-pedantic' in the mbed TLS library have been fixed between versions 1.3.9 and 2.2.0 and the library now properly builds with this compiler flag. This patch fixes the remaining compiler errors in the mbed TLS authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF build flag. This means that TF is now always built with '-pedantic'. In particular, this patch: * Removes the final semi-colon in REGISTER_COT() macro. This semi-colon was causing the following error message: drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow extra ';' outside of a function [-Werror=pedantic] This has been fixed both in the mbed TLS authentication module as well as in the certificate generation tool. Note that the latter code didn't need fixing since it is not built with '-pedantic' but the change has been propagated for consistency. Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros, which were suffering from the same issue. * Fixes a pointer type. It was causing the following error message: drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash': drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of type 'void *' used in arithmetic [-Werror=pointer-arith] Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
2015-12-10Move up to mbed TLS 2.xJuan Castillo
The mbed TLS library has introduced some changes in the API from the 1.3.x to the 2.x releases. Using the 2.x releases requires some changes to the crypto and transport modules. This patch updates both modules to the mbed TLS 2.x API. All references to the mbed TLS library in the code or documentation have been updated to 'mbed TLS'. Old references to PolarSSL have been updated to 'mbed TLS'. User guide updated to use mbed TLS 2.2.0. NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible. Applying this patch will require an mbed TLS 2.x release to be used. Also note that the mbed TLS license changed to Apache version 2.0. Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
2015-06-25TBB: add mbedTLS authentication related librariesJuan Castillo
This patch adds the following mbedTLS based libraries: * Cryptographic library It is used by the crypto module to verify a digital signature and a hash. This library relies on mbedTLS to perform the cryptographic operations. mbedTLS sources must be obtained separately. Two key algorithms are currently supported: * RSA-2048 * ECDSA-SECP256R1 The platform is responsible for picking up the required algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the platform makefile. Available options are: * 'rsa' (for RSA-2048) (default option) * 'ecdsa' (for ECDSA-SECP256R1) Hash algorithm currently supported is SHA-256. * Image parser library Used by the image parser module to extract the authentication parameters stored in X509v3 certificates. Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0