aboutsummaryrefslogtreecommitdiff
path: root/platform/ext
diff options
context:
space:
mode:
authorSummer Qin <summer.qin@arm.com>2021-07-12 18:57:57 +0800
committerKen Liu <ken.liu@arm.com>2021-07-21 09:26:05 +0200
commit9347dc7fa2b46d55061778362173f4687c2238f9 (patch)
tree5942ead2d91b1dc6c3c998b41fd9d9c13099bbf3 /platform/ext
parent8c9efa78922916d90ecdacc7370e2369e84a93b4 (diff)
downloadtrusted-firmware-m-9347dc7fa2b46d55061778362173f4687c2238f9.tar.gz
Crypto: Use NV SEED as default entropy source
MBEDTLS_TEST_NULL_ENTROPY is removed from mbedtls 3.0.0. Change to use 'MBEDTLS_ENTROPY_NV_SEED' as the default entropy source if a platform doesn't generate entropy from hardware. Change-Id: If03c9dec3c6fb0d7bb98721963ac2142d43ed00d Signed-off-by: Summer Qin <summer.qin@arm.com>
Diffstat (limited to 'platform/ext')
-rw-r--r--platform/ext/accelerator/cc312/mbedtls_accelerator_config.h4
-rw-r--r--platform/ext/common/template/crypto_dummy_nv_seed.c9
-rw-r--r--platform/ext/common/template/crypto_nv_seed.c42
-rw-r--r--platform/ext/target/arm/mps2/an521/CMakeLists.txt18
-rw-r--r--platform/ext/target/arm/mps2/an521/config.cmake6
-rw-r--r--platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h32
-rw-r--r--platform/ext/target/arm/musca_b1/secure_enclave/config.cmake1
-rw-r--r--platform/ext/target/arm/musca_b1/sse_200/config.cmake1
-rw-r--r--platform/ext/target/arm/musca_s1/config.cmake1
-rw-r--r--platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h2
-rw-r--r--platform/ext/target/stm/nucleo_l552ze_q/config.cmake3
-rw-r--r--platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h2
-rw-r--r--platform/ext/target/stm/stm32l562e_dk/config.cmake5
13 files changed, 67 insertions, 59 deletions
diff --git a/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h b/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
index fc7f00d215..beffcab029 100644
--- a/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
+++ b/platform/ext/accelerator/cc312/mbedtls_accelerator_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -13,7 +13,7 @@ extern "C" {
#endif /* __cplusplus */
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_PLATFORM_ENTROPY
diff --git a/platform/ext/common/template/crypto_dummy_nv_seed.c b/platform/ext/common/template/crypto_dummy_nv_seed.c
index cb21fc79bb..fd6c2c768b 100644
--- a/platform/ext/common/template/crypto_dummy_nv_seed.c
+++ b/platform/ext/common/template/crypto_dummy_nv_seed.c
@@ -11,6 +11,7 @@
/* NOTE: The seed value here is only an example, please do not use it in
* production. Platform vendor should implement their own seed value.
*/
+#if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR)
const unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE] = {
0x12, 0x13, 0x23, 0x34, 0x0a, 0x05, 0x89, 0x78,
0xa3, 0x66, 0x8c, 0x0d, 0x97, 0x55, 0x53, 0xca,
@@ -21,6 +22,14 @@ const unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE] = {
0x58, 0xb4, 0x16, 0xc8, 0x0f, 0x38, 0x91, 0xbb,
0x28, 0x17, 0xcd, 0x8a, 0xc9, 0x53, 0x72, 0x66,
};
+#else
+const unsigned char seed_value[MBEDTLS_ENTROPY_BLOCK_SIZE] = {
+ 0x12, 0x13, 0x23, 0x34, 0x0a, 0x05, 0x89, 0x78,
+ 0xa3, 0x66, 0x8c, 0x0d, 0x97, 0x55, 0x53, 0xca,
+ 0xb5, 0x76, 0x18, 0x62, 0x29, 0xc6, 0xb6, 0x79,
+ 0x75, 0xc8, 0x5a, 0x8d, 0x9e, 0x11, 0x8f, 0x85,
+};
+#endif
int tfm_plat_crypto_create_entropy_seed(void)
{
diff --git a/platform/ext/common/template/crypto_nv_seed.c b/platform/ext/common/template/crypto_nv_seed.c
index c868d953b3..90e3d0a84f 100644
--- a/platform/ext/common/template/crypto_nv_seed.c
+++ b/platform/ext/common/template/crypto_nv_seed.c
@@ -9,8 +9,33 @@
#include "tfm_plat_crypto_nv_seed.h"
#include "psa/internal_trusted_storage.h"
+#ifndef TFM_PSA_API
+#include "mbedtls/entropy.h"
+
+static unsigned char seed_buf[MBEDTLS_ENTROPY_BLOCK_SIZE];
+
+/*
+ \brief Copy the seed to the destination buffer
+
+ \param[out] p_dst Pointer to buffer where to store the seed
+ \param[in] p_src Pointer to the seed
+ \param[in] size Length of the seed
+*/
+static inline void copy_seed(uint8_t *p_dst, const uint8_t *p_src, size_t size)
+{
+ uint32_t i;
+
+ for (i = size; i > 0; i--) {
+ *p_dst = *p_src;
+ p_src++;
+ p_dst++;
+ }
+}
+#endif
+
int tfm_plat_crypto_nv_seed_read(unsigned char *buf, size_t buf_len)
{
+#ifdef TFM_PSA_API
psa_storage_uid_t uid = NV_SEED_FILE_ID;
psa_status_t status;
size_t data_length = 0;
@@ -22,10 +47,19 @@ int tfm_plat_crypto_nv_seed_read(unsigned char *buf, size_t buf_len)
} else {
return TFM_CRYPTO_NV_SEED_FAILED;
}
+#else
+ if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return TFM_CRYPTO_NV_SEED_FAILED;
+ } else {
+ copy_seed(buf, seed_buf, buf_len);
+ return TFM_CRYPTO_NV_SEED_SUCCESS;
+ }
+#endif
}
int tfm_plat_crypto_nv_seed_write(const unsigned char *buf, size_t buf_len)
{
+#ifdef TFM_PSA_API
psa_storage_uid_t uid = NV_SEED_FILE_ID;
psa_status_t status;
@@ -36,4 +70,12 @@ int tfm_plat_crypto_nv_seed_write(const unsigned char *buf, size_t buf_len)
} else {
return TFM_CRYPTO_NV_SEED_FAILED;
}
+#else
+ if (buf_len != MBEDTLS_ENTROPY_BLOCK_SIZE) {
+ return TFM_CRYPTO_NV_SEED_FAILED;
+ } else {
+ copy_seed(seed_buf, buf, buf_len);
+ return TFM_CRYPTO_NV_SEED_SUCCESS;
+ }
+#endif
}
diff --git a/platform/ext/target/arm/mps2/an521/CMakeLists.txt b/platform/ext/target/arm/mps2/an521/CMakeLists.txt
index cdd0e51c8e..c6e0e6f3db 100644
--- a/platform/ext/target/arm/mps2/an521/CMakeLists.txt
+++ b/platform/ext/target/arm/mps2/an521/CMakeLists.txt
@@ -174,21 +174,3 @@ if(BL2)
native_drivers
)
endif()
-
-#========================= Crypto =============================================#
-
-target_sources(tfm_psa_rot_partition_crypto
- PRIVATE
- $<$<BOOL:${TFM_PSA_API}>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_nv_seed.c>
- $<$<AND:$<BOOL:${TFM_PSA_API}>,$<BOOL:${PLATFORM_DUMMY_NV_SEED}>>:${CMAKE_SOURCE_DIR}/platform/ext/common/template/crypto_dummy_nv_seed.c>
-)
-
-target_compile_definitions(tfm_psa_rot_partition_crypto
- PRIVATE
- $<$<AND:$<BOOL:${TFM_PSA_API}>,$<BOOL:${PLATFORM_DUMMY_NV_SEED}>>:PLATFORM_DUMMY_NV_SEED>
-)
-
-target_include_directories(crypto_service_mbedcrypto
- PUBLIC
- ${CMAKE_SOURCE_DIR}/platform/include
-)
diff --git a/platform/ext/target/arm/mps2/an521/config.cmake b/platform/ext/target/arm/mps2/an521/config.cmake
index b0dbc04c51..4e15cf4f2d 100644
--- a/platform/ext/target/arm/mps2/an521/config.cmake
+++ b/platform/ext/target/arm/mps2/an521/config.cmake
@@ -8,6 +8,8 @@
set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/arm/mps2/an521/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)
if(TFM_PSA_API)
- set(TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH ${CMAKE_CURRENT_LIST_DIR}/mbedtls_an521_conf.h CACHE FILEPATH "Config to append to standard Mbed Crypto config, used by platforms to configure feature support")
- set(PLATFORM_DUMMY_NV_SEED TRUE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
+ if (NOT TFM_ENABLE_SLIH_TEST)
+ # FLIH and SLIH testing can not be enabled at the same time
+ set(TFM_ENABLE_FLIH_TEST ON CACHE BOOL "Enable FLIH testing")
+ endif()
endif()
diff --git a/platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h b/platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h
deleted file mode 100644
index ba37aff9eb..0000000000
--- a/platform/ext/target/arm/mps2/an521/mbedtls_an521_conf.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-#ifndef __MBEDTLS_AN521_CONF_H__
-#define __MBEDTLS_AN521_CONF_H__
-
-#include "tfm_plat_crypto_nv_seed.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif /* __cplusplus */
-
-#undef MBEDTLS_TEST_NULL_ENTROPY
-#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
-#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
-
-#define MBEDTLS_ENTROPY_NV_SEED
-#ifndef MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
-#define MBEDTLS_PLATFORM_NV_SEED_READ_MACRO tfm_plat_crypto_nv_seed_read
-#endif
-#ifndef MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO
-#define MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO tfm_plat_crypto_nv_seed_write
-#endif
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif /* __MBEDTLS_AN521_CONF_H__ */
diff --git a/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake b/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
index 34c3058bb7..040daa49ec 100644
--- a/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
+++ b/platform/ext/target/arm/musca_b1/secure_enclave/config.cmake
@@ -23,5 +23,6 @@ set(TFM_ISOLATION_LEVEL 1 CACHE STRING "Isolation
# Crypto hardware accelerator is turned on by default
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(PSA_API_TEST_TARGET "musca_b1" CACHE STRING "Target to use when building the PSA API tests")
diff --git a/platform/ext/target/arm/musca_b1/sse_200/config.cmake b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
index 15dc3005d8..86c5c5cad8 100644
--- a/platform/ext/target/arm/musca_b1/sse_200/config.cmake
+++ b/platform/ext/target/arm/musca_b1/sse_200/config.cmake
@@ -11,6 +11,7 @@ set(TFM_CRYPTO_TEST_ALG_CFB OFF CACHE BOOL "Test CFB cr
if (NOT FORWARD_PROT_MSG)
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+ set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
if(CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "ENABLED")
set(PLATFORM_DUMMY_CRYPTO_KEYS FALSE CACHE BOOL "Use dummy crypto keys. Should not be used in production.")
# Musca-B1 with OTP enabled is provisioned with a random Initial
diff --git a/platform/ext/target/arm/musca_s1/config.cmake b/platform/ext/target/arm/musca_s1/config.cmake
index 443f9ce78b..523264b96d 100644
--- a/platform/ext/target/arm/musca_s1/config.cmake
+++ b/platform/ext/target/arm/musca_s1/config.cmake
@@ -6,6 +6,7 @@
#-------------------------------------------------------------------------------
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(TFM_CRYPTO_TEST_ALG_CFB OFF CACHE BOOL "Test CFB cryptography mode")
if(CRYPTO_HW_ACCELERATOR_OTP_STATE STREQUAL "ENABLED")
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h b/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
index fe13fc6b55..97c8e2b316 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
+++ b/platform/ext/target/stm/nucleo_l552ze_q/accelerator/mbedtls_accelerator_config.h
@@ -15,7 +15,7 @@ extern "C" {
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#define MBEDTLS_PLATFORM_ENTROPY
#define MBEDTLS_ENTROPY_C
diff --git a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
index 74c5a801e1..a1158cedfa 100644
--- a/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
+++ b/platform/ext/target/stm/nucleo_l552ze_q/config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
# Copyright (c) 2021 STMicroelectronics. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
@@ -12,4 +12,5 @@ set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Whether to
################################## Dependencies ################################
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(MBEDCRYPTO_BUILD_TYPE minsizerel CACHE STRING "Build type of Mbed Crypto library")
diff --git a/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h b/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
index c93f90a446..58d5c8acde 100644
--- a/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
+++ b/platform/ext/target/stm/stm32l562e_dk/accelerator/mbedtls_accelerator_config.h
@@ -15,7 +15,7 @@ extern "C" {
/* RNG Config */
-#undef MBEDTLS_TEST_NULL_ENTROPY
+#undef MBEDTLS_ENTROPY_NV_SEED
#undef MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
#undef MBEDTLS_ECP_NIST_OPTIM
#define MBEDTLS_PLATFORM_ENTROPY
diff --git a/platform/ext/target/stm/stm32l562e_dk/config.cmake b/platform/ext/target/stm/stm32l562e_dk/config.cmake
index 1f43c2100b..5e98476d64 100644
--- a/platform/ext/target/stm/stm32l562e_dk/config.cmake
+++ b/platform/ext/target/stm/stm32l562e_dk/config.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
# Copyright (c) 2021 STMicroelectronics. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
@@ -12,5 +12,6 @@ set(MCUBOOT_IMAGE_NUMBER 2 CACHE STRING "Whether to
################################## Dependencies ################################
set(CRYPTO_HW_ACCELERATOR ON CACHE BOOL "Whether to enable the crypto hardware accelerator on supported platforms")
+set(PLATFORM_DUMMY_NV_SEED FALSE CACHE BOOL "Use dummy NV seed implementation. Should not be used in production.")
set(MBEDCRYPTO_BUILD_TYPE minsizerel CACHE STRING "Build type of Mbed Crypto library")
-set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/stm/common/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE) \ No newline at end of file
+set(TFM_EXTRA_GENERATED_FILE_LIST_PATH ${CMAKE_CURRENT_SOURCE_DIR}/platform/ext/target/stm/common/generated_file_list.yaml CACHE PATH "Path to extra generated file list. Appended to stardard TFM generated file list." FORCE)