aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorManish V Badarkhe <manish.badarkhe@arm.com>2024-03-18 10:23:55 +0100
committerTrustedFirmware Code Review <review@review.trustedfirmware.org>2024-03-18 10:23:55 +0100
commit19e273e6700ba173a7ba8ade4c48872757175d87 (patch)
tree6ac5ceb0d1a46d0388f0d732540efbf18776aaa4
parente3ecd73116eb66c18f5d999d23b99995f9636502 (diff)
parentf7c5ec1eb94b24baadd2aa0708aadf3646cc0aaf (diff)
downloadtrusted-firmware-a-master.tar.gz
Merge "refactor(mbedtls): remove mbedtls 2.x support" into integrationHEADmasterintegration
-rw-r--r--docs/about/release-information.rst4
-rw-r--r--drivers/auth/mbedtls/mbedtls_common.mk46
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_config-2.h152
-rw-r--r--plat/st/common/common.mk8
-rw-r--r--plat/st/common/include/stm32mp_mbedtls_config-2.h119
5 files changed, 22 insertions, 307 deletions
diff --git a/docs/about/release-information.rst b/docs/about/release-information.rst
index 654d65fd16..d81410458c 100644
--- a/docs/about/release-information.rst
+++ b/docs/about/release-information.rst
@@ -81,8 +81,6 @@ after which it will be removed.
| | Date | after | |
| | | Release | |
+================================+=============+=========+=========================================================+
-| Mbedtls-2.x | 2.10 | 2.10 | Support for TF-A builds with Mbedtls-2.x will be removed|
-+--------------------------------+-------------+---------+---------------------------------------------------------+
| STM32MP15_OPTEE_RSV_SHM | 2.10 | 3.0 | OP-TEE manages its own memory on STM32MP15 |
+--------------------------------+-------------+---------+---------------------------------------------------------+
@@ -103,4 +101,4 @@ after which it will be removed.
--------------
-*Copyright (c) 2018-2023, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2018-2024, Arm Limited and Contributors. All rights reserved.*
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index a2c6430390..2bb23f961e 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2015-2023, Arm Limited. All rights reserved.
+# Copyright (c) 2015-2024, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -19,16 +19,15 @@ MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" ${MBEDTLS_DIR}/inc
MBEDTLS_MINOR=$(shell grep -hP "define MBEDTLS_VERSION_MINOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
$(info MBEDTLS_VERSION_MAJOR is [${MBEDTLS_MAJOR}] MBEDTLS_VERSION_MINOR is [${MBEDTLS_MINOR}])
+ifneq (${MBEDTLS_MAJOR}, 3)
+ $(error Error: TF-A only supports MbedTLS versions > 3.x)
+endif
+
# Specify mbed TLS configuration file
-ifeq (${MBEDTLS_MAJOR}, 2)
- $(info Deprecation Notice: Please migrate to Mbedtls version 3.x (refer to TF-A documentation for the exact version number))
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-2.h>"
-else ifeq (${MBEDTLS_MAJOR}, 3)
- ifeq (${PSA_CRYPTO},1)
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/psa_mbedtls_config.h>"
- else
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
- endif
+ifeq (${PSA_CRYPTO},1)
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/psa_mbedtls_config.h>"
+else
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
endif
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
@@ -42,11 +41,13 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
cipher.c \
cipher_wrap.c \
constant_time.c \
+ hash_info.c \
memory_buffer_alloc.c \
oid.c \
platform.c \
platform_util.c \
bignum.c \
+ bignum_core.c \
gcm.c \
md.c \
pk.c \
@@ -59,28 +60,17 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
ecp_curves.c \
ecp.c \
rsa.c \
+ rsa_alt_helpers.c \
x509.c \
x509_crt.c \
)
-ifeq (${MBEDTLS_MAJOR}, 2)
- LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
- rsa_internal.c \
- )
-else ifeq (${MBEDTLS_MAJOR}, 3)
- LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
- bignum_core.c \
- rsa_alt_helpers.c \
- hash_info.c \
- )
-
- # Currently on Mbedtls-3 there is outstanding bug due to usage
- # of redundant declaration[1], So disable redundant-decls
- # compilation flag to avoid compilation error when compiling with
- # Mbedtls-3.
- # [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910
- LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls
-endif
+# Currently on Mbedtls-3 there is outstanding bug due to usage
+# of redundant declaration[1], So disable redundant-decls
+# compilation flag to avoid compilation error when compiling with
+# Mbedtls-3.
+# [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910
+LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls
ifeq (${PSA_CRYPTO},1)
LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-2.h b/include/drivers/auth/mbedtls/mbedtls_config-2.h
deleted file mode 100644
index 01e261a96f..0000000000
--- a/include/drivers/auth/mbedtls/mbedtls_config-2.h
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
-
-/*
- * Key algorithms currently supported on mbed TLS libraries
- */
-#define TF_MBEDTLS_RSA 1
-#define TF_MBEDTLS_ECDSA 2
-#define TF_MBEDTLS_RSA_AND_ECDSA 3
-
-#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
- || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
-#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
- || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
-
-/*
- * Hash algorithms currently supported on mbed TLS libraries
- */
-#define TF_MBEDTLS_SHA256 1
-#define TF_MBEDTLS_SHA384 2
-#define TF_MBEDTLS_SHA512 3
-
-/*
- * Configuration file to build mbed TLS with the required features for
- * Trusted Boot
- */
-
-#define MBEDTLS_PLATFORM_MEMORY
-#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
-#define MBEDTLS_PLATFORM_SNPRINTF_ALT
-
-#define MBEDTLS_PKCS1_V21
-
-#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_MD_C
-
-#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
-#define MBEDTLS_OID_C
-
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-
-#define MBEDTLS_PLATFORM_C
-
-#if TF_MBEDTLS_USE_ECDSA
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_NO_INTERNAL_RNG
-#endif
-#if TF_MBEDTLS_USE_RSA
-#define MBEDTLS_RSA_C
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#endif
-
-#define MBEDTLS_SHA256_C
-
-/*
- * If either Trusted Boot or Measured Boot require a stronger algorithm than
- * SHA-256, pull in SHA-512 support.
- */
-#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
-#define MBEDTLS_SHA512_C
-#else
- /* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
-#define MBEDTLS_SHA512_C
-#endif
-#endif
-
-#define MBEDTLS_VERSION_C
-
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-
-#if TF_MBEDTLS_USE_AES_GCM
-#define MBEDTLS_AES_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_GCM_C
-#endif
-
-/* MPI / BIGNUM options */
-#define MBEDTLS_MPI_WINDOW_SIZE 2
-
-#if TF_MBEDTLS_USE_RSA
-#if TF_MBEDTLS_KEY_SIZE <= 2048
-#define MBEDTLS_MPI_MAX_SIZE 256
-#else
-#define MBEDTLS_MPI_MAX_SIZE 512
-#endif
-#else
-#define MBEDTLS_MPI_MAX_SIZE 256
-#endif
-
-/* Memory buffer allocator options */
-#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
-
-/*
- * Prevent the use of 128-bit division which
- * creates dependency on external libraries.
- */
-#define MBEDTLS_NO_UDBL_DIVISION
-
-#ifndef __ASSEMBLER__
-/* System headers required to build mbed TLS with the current configuration */
-#include <stdlib.h>
-#include <mbedtls/check_config.h>
-#endif
-
-/*
- * Determine Mbed TLS heap size
- * 13312 = 13*1024
- * 11264 = 11*1024
- * 7168 = 7*1024
- */
-#if TF_MBEDTLS_USE_ECDSA
-#define TF_MBEDTLS_HEAP_SIZE U(13312)
-#elif TF_MBEDTLS_USE_RSA
-#if TF_MBEDTLS_KEY_SIZE <= 2048
-#define TF_MBEDTLS_HEAP_SIZE U(7168)
-#else
-#define TF_MBEDTLS_HEAP_SIZE U(11264)
-#endif
-#endif
-
-/*
- * Warn if errors from certain functions are ignored.
- *
- * The warnings are always enabled (where supported) for critical functions
- * where ignoring the return value is almost always a bug. This macro extends
- * the warnings to more functions.
- */
-#define MBEDTLS_CHECK_RETURN_WARNING
-
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/plat/st/common/common.mk b/plat/st/common/common.mk
index f49112dcb3..b9b62c03f7 100644
--- a/plat/st/common/common.mk
+++ b/plat/st/common/common.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2023, STMicroelectronics - All Rights Reserved
+# Copyright (c) 2023-2024, STMicroelectronics - All Rights Reserved
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -183,12 +183,10 @@ ifneq (${MBEDTLS_DIR},)
MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" \
${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
-ifeq (${MBEDTLS_MAJOR}, 2)
-MBEDTLS_CONFIG_FILE ?= "<stm32mp_mbedtls_config-2.h>"
-endif
-
ifeq (${MBEDTLS_MAJOR}, 3)
MBEDTLS_CONFIG_FILE ?= "<stm32mp_mbedtls_config-3.h>"
+else
+$(error Error: TF-A only supports MbedTLS versions > 3.x)
endif
endif
diff --git a/plat/st/common/include/stm32mp_mbedtls_config-2.h b/plat/st/common/include/stm32mp_mbedtls_config-2.h
deleted file mode 100644
index 66ff3465a4..0000000000
--- a/plat/st/common/include/stm32mp_mbedtls_config-2.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
-
-/*
- * Key algorithms currently supported on mbed TLS libraries
- */
-#define TF_MBEDTLS_USE_RSA 0
-#define TF_MBEDTLS_USE_ECDSA 1
-
-/*
- * Hash algorithms currently supported on mbed TLS libraries
- */
-#define TF_MBEDTLS_SHA256 1
-#define TF_MBEDTLS_SHA384 2
-#define TF_MBEDTLS_SHA512 3
-
-/*
- * Configuration file to build mbed TLS with the required features for
- * Trusted Boot
- */
-
-#define MBEDTLS_PLATFORM_MEMORY
-#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
-#define MBEDTLS_PLATFORM_SNPRINTF_ALT
-
-#define MBEDTLS_PKCS1_V21
-
-#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_BIGNUM_C
-
-#define MBEDTLS_ERROR_C
-#define MBEDTLS_MD_C
-
-#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
-#define MBEDTLS_OID_C
-
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_PK_WRITE_C
-
-#define MBEDTLS_PLATFORM_C
-
-#if TF_MBEDTLS_USE_ECDSA
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_NO_INTERNAL_RNG
-#endif
-#if TF_MBEDTLS_USE_RSA
-#define MBEDTLS_RSA_C
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#endif
-
-#define MBEDTLS_SHA256_C
-#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
-#define MBEDTLS_SHA512_C
-#endif
-
-#define MBEDTLS_VERSION_C
-
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-
-#if TF_MBEDTLS_USE_AES_GCM
-#define MBEDTLS_AES_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_GCM_C
-#endif
-
-/* MPI / BIGNUM options */
-#define MBEDTLS_MPI_WINDOW_SIZE 2
-
-#if TF_MBEDTLS_USE_RSA
-#if TF_MBEDTLS_KEY_SIZE <= 2048
-#define MBEDTLS_MPI_MAX_SIZE 256
-#else
-#define MBEDTLS_MPI_MAX_SIZE 512
-#endif
-#else
-#define MBEDTLS_MPI_MAX_SIZE 256
-#endif
-
-/* Memory buffer allocator options */
-#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
-
-/*
- * Prevent the use of 128-bit division which
- * creates dependency on external libraries.
- */
-#define MBEDTLS_NO_UDBL_DIVISION
-
-#ifndef __ASSEMBLER__
-/* System headers required to build mbed TLS with the current configuration */
-#include <stdlib.h>
-#include <mbedtls/check_config.h>
-#endif
-
-/*
- * Mbed TLS heap size is smal as we only use the asn1
- * parsing functions
- * digest, signature and crypto algorithm are done by
- * other library.
- */
-
-#define TF_MBEDTLS_HEAP_SIZE U(5120)
-#endif /* MBEDTLS_CONFIG_H */