aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlaurenw-arm <lauren.wehrmeister@arm.com>2022-05-31 16:39:09 -0500
committerlaurenw-arm <lauren.wehrmeister@arm.com>2022-06-16 13:42:19 -0500
commit78da42a5f1f33ca55019dddf0890c0db1c2fa05f (patch)
tree337bf94c98a1444e93aadab9a493dd7ad3c41e38
parent100da90ca84a3265d6312f24df16f920929234a6 (diff)
downloadtrusted-firmware-a-78da42a5f1f33ca55019dddf0890c0db1c2fa05f.tar.gz
refactor(measured-boot): mb algorithm selection
With RSS now introduced, we have 2 Measured Boot backends. Both backends can be used in the same firmware build with potentially different hash algorithms, so now there can be more than one hash algorithm in a build. Therefore the logic for selecting the measured boot hash algorithm needs to be updated and the coordination of algorithm selection added. This is done by: - Adding MBOOT_EL_HASH_ALG for Event Log to define the hash algorithm to replace TPM_HASH_ALG, removing reference to TPM. - Adding MBOOT_RSS_HASH_ALG for RSS to define the hash algorithm to replace TPM_HASH_ALG. - Coordinating MBOOT_EL_HASH_ALG and MBOOT_RSS_HASH_ALG to define the Measured Boot configuration macros through defining TF_MBEDTLS_MBOOT_USE_SHA512 to pull in SHA-512 support if either backend requires a stronger algorithm than SHA-256. Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com> Change-Id: I4ddf06ebdc3835beb4d1b6c7bab5a257ffc5c71a
-rw-r--r--drivers/auth/mbedtls/mbedtls_common.mk16
-rw-r--r--drivers/measured_boot/event_log/event_log.mk15
-rw-r--r--drivers/measured_boot/rss/rss_measured_boot.mk11
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_config.h5
-rw-r--r--plat/arm/board/fvp/platform.mk4
-rw-r--r--plat/arm/common/arm_common.mk4
6 files changed, 24 insertions, 31 deletions
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 3eb41617fa..16ce65ffe6 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -97,18 +97,6 @@ else
TF_MBEDTLS_USE_AES_GCM := 0
endif
-ifeq ($(MEASURED_BOOT),1)
- ifeq (${TPM_HASH_ALG}, sha256)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
- else ifeq (${TPM_HASH_ALG}, sha384)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
- else ifeq (${TPM_HASH_ALG}, sha512)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
- else
- $(error "TPM_HASH_ALG not defined.")
- endif
-endif
-
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_defines,\
$(sort \
@@ -118,10 +106,6 @@ $(eval $(call add_defines,\
TF_MBEDTLS_USE_AES_GCM \
)))
-ifeq ($(MEASURED_BOOT),1)
- $(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
-endif
-
$(eval $(call MAKE_LIB,mbedtls))
endif
diff --git a/drivers/measured_boot/event_log/event_log.mk b/drivers/measured_boot/event_log/event_log.mk
index 1ff4aa81c2..5ea4c554a0 100644
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@@ -7,20 +7,25 @@
# Default log level to dump the event log (LOG_LEVEL_INFO)
EVENT_LOG_LEVEL ?= 40
-# TPM hash algorithm.
+# Measured Boot hash algorithm.
# SHA-256 (or stronger) is required for all devices that are TPM 2.0 compliant.
-TPM_HASH_ALG := sha256
+ifdef TPM_HASH_ALG
+ $(warning "TPM_HASH_ALG is deprecated. Please use MBOOT_EL_HASH_ALG instead.")
+ MBOOT_EL_HASH_ALG := ${TPM_HASH_ALG}
+else
+ MBOOT_EL_HASH_ALG := sha256
+endif
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_EL_HASH_ALG}, sha512)
TPM_ALG_ID := TPM_ALG_SHA512
TCG_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_EL_HASH_ALG}, sha384)
TPM_ALG_ID := TPM_ALG_SHA384
TCG_DIGEST_SIZE := 48U
else
TPM_ALG_ID := TPM_ALG_SHA256
TCG_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_EL_HASH_ALG
# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
diff --git a/drivers/measured_boot/rss/rss_measured_boot.mk b/drivers/measured_boot/rss/rss_measured_boot.mk
index 01545afeb3..18ee836184 100644
--- a/drivers/measured_boot/rss/rss_measured_boot.mk
+++ b/drivers/measured_boot/rss/rss_measured_boot.mk
@@ -6,21 +6,18 @@
# Hash algorithm for measured boot
# SHA-256 (or stronger) is required.
-# TODO: The measurement algorithm incorrectly suggests that the TPM backend
-# is used which may not be the case. It is currently being worked on and
-# soon TPM_HASH_ALG will be replaced by a more generic name.
-TPM_HASH_ALG := sha256
+MBOOT_RSS_HASH_ALG := sha256
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_RSS_HASH_ALG}, sha512)
MBOOT_ALG_ID := MBOOT_ALG_SHA512
MBOOT_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_RSS_HASH_ALG}, sha384)
MBOOT_ALG_ID := MBOOT_ALG_SHA384
MBOOT_DIGEST_SIZE := 48U
else
MBOOT_ALG_ID := MBOOT_ALG_SHA256
MBOOT_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_RSS_HASH_ALG
# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index 8ad6d7a424..92188a2e1f 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -80,8 +80,7 @@
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
- (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA512_C
#endif
#endif
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 54c5e75450..f9053a8704 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@@ -375,6 +375,10 @@ ifeq (${MEASURED_BOOT},1)
$(info Including ${RSS_MEASURED_BOOT_MK})
include ${RSS_MEASURED_BOOT_MK}
+ ifneq (${MBOOT_RSS_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
BL1_SOURCES += ${MEASURED_BOOT_SOURCES}
BL2_SOURCES += ${MEASURED_BOOT_SOURCES}
endif
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 6d7aa2df55..ad4829793f 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -401,6 +401,10 @@ ifeq (${MEASURED_BOOT},1)
$(info Including ${MEASURED_BOOT_MK})
include ${MEASURED_BOOT_MK}
+ ifneq (${MBOOT_EL_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
BL1_SOURCES += ${EVENT_LOG_SOURCES}
BL2_SOURCES += ${EVENT_LOG_SOURCES}
endif