author | laurenw-arm <lauren.wehrmeister@arm.com> | 2022-05-31 16:39:09 -0500 |
committer | laurenw-arm <lauren.wehrmeister@arm.com> | 2022-06-16 13:42:19 -0500 |
commit | 78da42a5f1f33ca55019dddf0890c0db1c2fa05f (patch) | |
tree | 337bf94c98a1444e93aadab9a493dd7ad3c41e38 | |
parent | 100da90ca84a3265d6312f24df16f920929234a6 (diff) | |
download | trusted-firmware-a-78da42a5f1f33ca55019dddf0890c0db1c2fa05f.tar.gz |
refactor(measured-boot): mb algorithm selection
With RSS now introduced, we have 2 Measured Boot backends. Both backends
can be used in the same firmware build with potentially different hash
algorithms, so now there can be more than one hash algorithm in a build.
Therefore the logic for selecting the measured boot hash algorithm needs
to be updated and the coordination of algorithm selection added. This is
done by:
- Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm
to replace TPM_HASH_ALG, removing reference to TPM.
- Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to
replace TPM_HASH_ALG.
- Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the
Measured Boot configuration macros through defining
TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either
backend requires a stronger algorithm than SHA-256.
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
-rw-r--r-- | drivers/auth/mbedtls/mbedtls_common.mk | 16 | ||||
-rw-r--r-- | drivers/measured_boot/event_log/event_log.mk | 15 | ||||
-rw-r--r-- | drivers/measured_boot/rss/rss_measured_boot.mk | 11 | ||||
-rw-r--r-- | include/drivers/auth/mbedtls/mbedtls_config.h | 5 | ||||
-rw-r--r-- | plat/arm/board/fvp/platform.mk | 4 | ||||
-rw-r--r-- | plat/arm/common/arm_common.mk | 4 |
6 files changed, 24 insertions, 31 deletions
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 3eb41617fa..16ce65ffe6 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -97,18 +97,6 @@ else
 TF_MBEDTLS_USE_AES_GCM := 0
 endif
 
-ifeq ($(MEASURED_BOOT),1)
- ifeq (${TPM_HASH_ALG}, sha256)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
- else ifeq (${TPM_HASH_ALG}, sha384)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
- else ifeq (${TPM_HASH_ALG}, sha512)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
- else
- $(error "TPM_HASH_ALG not defined.")
- endif
-endif
-
 # Needs to be set to drive mbed TLS configuration correctly
 $(eval $(call add_defines,\
 $(sort \
@@ -118,10 +106,6 @@ $(eval $(call add_defines,\
 TF_MBEDTLS_USE_AES_GCM \
 )))
 
-ifeq ($(MEASURED_BOOT),1)
- $(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
-endif
-
 $(eval $(call MAKE_LIB,mbedtls))

 endif
diff --git a/drivers/measured_boot/event_log/event_log.mk b/drivers/measured_boot/event_log/event_log.mk
index 1ff4aa81c2..5ea4c554a0 100644
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@@ -7,20 +7,25 @@
 # Default log level to dump the event log (LOG_LEVEL_INFO)
 EVENT_LOG_LEVEL ?= 40
 
-# TPM hash algorithm.
+# Measured Boot hash algorithm.
 # SHA-256 (or stronger) is required for all devices that are TPM 2.0 compliant.
-TPM_HASH_ALG := sha256
+ifdef TPM_HASH_ALG
+ $(warning "TPM_HASH_ALG is deprecated. Please use MBOOT_EL_HASH_ALG instead.")
+ MBOOT_EL_HASH_ALG := ${TPM_HASH_ALG}
+else
+ MBOOT_EL_HASH_ALG := sha256
+endif
 
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_EL_HASH_ALG}, sha512)
 TPM_ALG_ID := TPM_ALG_SHA512
 TCG_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_EL_HASH_ALG}, sha384)
 TPM_ALG_ID := TPM_ALG_SHA384
 TCG_DIGEST_SIZE := 48U
 else
 TPM_ALG_ID := TPM_ALG_SHA256
 TCG_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_EL_HASH_ALG

 # Set definitions for Measured Boot driver.
 $(eval $(call add_defines,\
diff --git a/drivers/measured_boot/rss/rss_measured_boot.mk b/drivers/measured_boot/rss/rss_measured_boot.mk
index 01545afeb3..18ee836184 100644
--- a/drivers/measured_boot/rss/rss_measured_boot.mk
+++ b/drivers/measured_boot/rss/rss_measured_boot.mk
@@ -6,21 +6,18 @@

 # Hash algorithm for measured boot
 # SHA-256 (or stronger) is required.
-# TODO: The measurement algorithm incorrectly suggests that the TPM backend
-# is used which may not be the case. It is currently being worked on and
-# soon TPM_HASH_ALG will be replaced by a more generic name.
-TPM_HASH_ALG := sha256
+MBOOT_RSS_HASH_ALG := sha256
 
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_RSS_HASH_ALG}, sha512)
 MBOOT_ALG_ID := MBOOT_ALG_SHA512
 MBOOT_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_RSS_HASH_ALG}, sha384)
 MBOOT_ALG_ID := MBOOT_ALG_SHA384
 MBOOT_DIGEST_SIZE := 48U
 else
 MBOOT_ALG_ID := MBOOT_ALG_SHA256
 MBOOT_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_RSS_HASH_ALG

 # Set definitions for Measured Boot driver.
 $(eval $(call add_defines,\
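Review bot: The trailing `else` branch of the new `ifeq (${MBOOT_EL_HASH_ALG}, sha512)` chain in event_log.mk silently maps any unrecognised value (a typo such as `sha-384`, reaching it directly or via the deprecated TPM_HASH_ALG shim) to TPM_ALG_SHA256 / 32U, whereas the `$(error "TPM_HASH_ALG not defined.")` this commit removes from mbedtls_common.mk used to reject exactly that; the rss_measured_boot.mk hunk on this line has the same shape with MBOOT_RSS_HASH_ALG. A misspelt stronger algorithm therefore downgrades the measurement digest to SHA-256 with no build diagnostic, while the `ifneq (..., sha256)` checks added in the platform makefiles would still define TF_MBEDTLS_MBOOT_USE_SHA512 for the same value, so the two pieces of configuration disagree. Suggest making the default explicit and failing on anything else: replace the bare `else` with `else ifeq (${MBOOT_EL_HASH_ALG}, sha256)` and add `else` / `$(error "Unsupported MBOOT_EL_HASH_ALG: ${MBOOT_EL_HASH_ALG}")` before the `endif` (likewise for MBOOT_RSS_HASH_ALG). The `$(eval $(call add_defines,\` that closes both hunks continues outside the hunk.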
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index 8ad6d7a424..92188a2e1f 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@@ -80,8 +80,7 @@
 #define MBEDTLS_SHA512_C
 #else
 /* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
- (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
 #define MBEDTLS_SHA512_C
 #endif
 #endif
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 54c5e75450..f9053a8704 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@@ -375,6 +375,10 @@ ifeq (${MEASURED_BOOT},1)
 $(info Including ${RSS_MEASURED_BOOT_MK})
 include ${RSS_MEASURED_BOOT_MK}
 
+ ifneq (${MBOOT_RSS_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
 BL1_SOURCES += ${MEASURED_BOOT_SOURCES}
 BL2_SOURCES += ${MEASURED_BOOT_SOURCES}
 endif
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 6d7aa2df55..ad4829793f 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -401,6 +401,10 @@ ifeq (${MEASURED_BOOT},1)
 $(info Including ${MEASURED_BOOT_MK})
 include ${MEASURED_BOOT_MK}
 
+ ifneq (${MBOOT_EL_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
 BL1_SOURCES += ${EVENT_LOG_SOURCES}
 BL2_SOURCES += ${EVENT_LOG_SOURCES}
 endif
|
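Review bot: The coupling between MBOOT_*_HASH_ALG and TF_MBEDTLS_MBOOT_USE_SHA512 is implemented as two copies of the same three-line `ifneq (..., sha256)` block in plat/arm/board/fvp/platform.mk and plat/arm/common/arm_common.mk, away from the algorithm selection in event_log.mk and rss_measured_boot.mk; any other platform that includes those driver makefiles with sha384 or sha512 would (if such platforms exist — not visible here) get the larger TCG_DIGEST_SIZE/MBOOT_DIGEST_SIZE without MBEDTLS_SHA512_C ever being enabled in mbedtls_config.h, and nothing at build time catches that. Placing the `ifneq (${MBOOT_EL_HASH_ALG}, sha256)` / `$(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))` / `endif` block right after `endif #MBOOT_EL_HASH_ALG` in event_log.mk (and the RSS counterpart in rss_measured_boot.mk) would keep the two halves together; a build with both backends would then emit the define twice, which is harmless only if add_define merely appends a -D flag — its definition is not in this hunk. Whichever location is kept, the new `#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)` in mbedtls_config.h deserves a comment explaining the macro's contract, e.g. `/* Set by the platform when a Measured Boot backend uses SHA-384 or SHA-512; both need MBEDTLS_SHA512_C */`, and the `/* TBB uses SHA-256, what about measured boot? */` question it sits under can now be replaced by that answer. The enclosing `ifeq (${MEASURED_BOOT},1)` blocks of the two platform hunks start before the hunks.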