TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / TF-M / trusted-firmware-m.git / 00cefb030aca3dfb5d629e87b37f449d8070383b / . / bl2 / ext / mcuboot / config / mcuboot-mbedtls-cfg.h
blob: 327ba5f33b4d7c302eaf2811969d9bc0dcfadf55 [file] [log] [blame]
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]1/*
2 * Minimal configuration for using TLS in the bootloader
3 *
Roland Mikhel00cefb02023-06-05 14:38:02 +0200[diff] [blame^]4 * Copyright (C) 2006-2023, Arm Limited. All rights reserved.
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]5 * Copyright (C) 2016, Linaro Ltd
Tamas Ban81daed02019-05-20 15:05:22 +0100[diff] [blame]6 *
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23
24/*
David Vinczecea8b592019-10-29 16:09:51 +0100[diff] [blame]25 * Original code taken from mcuboot project at:
Tamas Banc5b2f2b2020-11-12 09:47:05 +0000[diff] [blame]26 * https://github.com/mcu-tools/mcuboot
David Vincze2ddc1372019-10-25 11:10:08 +0200[diff] [blame]27 * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
David Vinczecea8b592019-10-29 16:09:51 +0100[diff] [blame]28 */
29
30/*
Antonio de Angelisa3843cd2022-10-06 15:50:59 +0100[diff] [blame]31 * Minimal configuration for using mbed TLS in the bootloader
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]32 *
Tamas Ban581034a2017-12-19 19:54:37 +0000[diff] [blame]33 * - RSA signature verification
Roland Mikhel00cefb02023-06-05 14:38:02 +0200[diff] [blame^]34 * - ECDSA signature verification
Antonio de Angelisa3843cd2022-10-06 15:50:59 +0100[diff] [blame]35 * - Optionally, enable support for PSA Crypto APIs
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]36 */
37
Balint Matyi69e2d2e2020-07-08 10:53:54 +0100[diff] [blame]38#ifndef __MCUBOOT_MBEDTLS_CFG__
39#define __MCUBOOT_MBEDTLS_CFG__
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]40
Antonio de Angelisa3843cd2022-10-06 15:50:59 +0100[diff] [blame]41#if defined(MCUBOOT_USE_PSA_CRYPTO)
42/* Enable PSA Crypto Core without support for the permanent storage
43 * Don't define MBEDTLS_PSA_CRYPTO_STORAGE_C to make sure that support
44 * for permanent keys is not enabled, as it is not available during boot
45 */
46#define MBEDTLS_PSA_CRYPTO_C
47#define MBEDTLS_PK_PARSE_C
48#define MBEDTLS_PK_WRITE_C
49#define MBEDTLS_PK_C
50#define MBEDTLS_CTR_DRBG_C
51#define MBEDTLS_CIPHER_C
52#define MBEDTLS_ENTROPY_C
53#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
54#endif /* MCUBOOT_USE_PSA_CRYPTO */
55
Roland Mikhel00cefb02023-06-05 14:38:02 +0200[diff] [blame^]56#if defined(MCUBOOT_SIGN_RSA)
57#define MBEDTLS_RSA_C
58#define MBEDTLS_PKCS1_V21
59/* Save RAM by adjusting to our exact needs */
60#if MCUBOOT_SIGN_RSA_LEN == 3072
61#define MBEDTLS_MPI_MAX_SIZE 384
62#else /* RSA2048 */
63#define MBEDTLS_MPI_MAX_SIZE 256
64#endif
65#endif /* MCUBOOT_SIGN_RSA */
66
67#if defined(MCUBOOT_SIGN_EC384)
68#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
69/* When the image is signed with EC-P384 the image hash
70 * is calculated using SHA-384
71 */
72#define MBEDTLS_SHA512_C
73#define MBEDTLS_SHA384_C
74#else
75/* All the other supported signing algorithms use SHA-256 to compute the image hash */
76#define MBEDTLS_SHA256_C
77#define MBEDTLS_SHA224_C
78#endif /* MCUBOOT_SIGN_EC384 */
79
80#ifdef MCUBOOT_SIGN_EC256
81#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
82#endif /* MCUBOOT_SIGN_EC256 */
83
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]84/* System support */
85#define MBEDTLS_PLATFORM_C
86#define MBEDTLS_PLATFORM_MEMORY
87#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]88#define MBEDTLS_NO_PLATFORM_ENTROPY
89#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
Tamas Ban81daed02019-05-20 15:05:22 +0100[diff] [blame]90
91#define MBEDTLS_PLATFORM_EXIT_ALT
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]92#define MBEDTLS_PLATFORM_PRINTF_ALT
93
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]94
95/* mbed TLS modules */
96#define MBEDTLS_ASN1_PARSE_C
97#define MBEDTLS_ASN1_WRITE_C
98#define MBEDTLS_BIGNUM_C
99#define MBEDTLS_MD_C
100#define MBEDTLS_OID_C
Balint Matyi5c476312020-03-31 13:15:39 +0100[diff] [blame]101#define MBEDTLS_AES_C
Raef Coles95e527c2020-10-28 08:20:29 +0000[diff] [blame]102#define MBEDTLS_CIPHER_MODE_CTR
Roland Mikhel00cefb02023-06-05 14:38:02 +0200[diff] [blame^]103#if defined(MCUBOOT_SIGN_EC256) || \
104 defined(MCUBOOT_SIGN_EC384)
105#define MBEDTLS_ECP_C
106#define MBEDTLS_ECP_NIST_OPTIM
107#define MBEDTLS_ECDSA_C
Tamas Banf70ef8c2017-12-19 15:35:09 +0000[diff] [blame]108#endif
109
110#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
111
112/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
113#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
114
Tamas Banf824e742019-10-25 21:22:26 +0100[diff] [blame]115#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
Antonio de Angelisa3843cd2022-10-06 15:50:59 +0100[diff] [blame]116#ifndef MBEDTLS_CIPHER_C
Tamas Banf824e742019-10-25 21:22:26 +0100[diff] [blame]117#define MBEDTLS_CIPHER_C
Antonio de Angelisa3843cd2022-10-06 15:50:59 +0100[diff] [blame]118#endif
Tamas Banf824e742019-10-25 21:22:26 +0100[diff] [blame]119#define MBEDTLS_CCM_C
Xu Yong9830d482019-11-01 14:28:34 +0800[diff] [blame]120#define MBEDTLS_ECDSA_C
121#define MBEDTLS_ECP_C
122#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
123#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
Tamas Banf824e742019-10-25 21:22:26 +0100[diff] [blame]124#endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */
125
Raef Coles0e82adc2019-10-17 15:06:26 +0100[diff] [blame]126#ifdef CRYPTO_HW_ACCELERATOR
Michel Jaouene991ffb2023-02-20 12:08:43 +0100[diff] [blame]127#ifndef LEGACY_DRIVER_API_ENABLED
Summer Qin36f79f72022-07-05 14:53:35 +0800[diff] [blame]128/*
129 * Forcing the legacy driver API enabled all the time regardless of
130 * cmake configuration in BL2.
131 */
Michel Jaouene991ffb2023-02-20 12:08:43 +0100[diff] [blame]132#define LEGACY_DRIVER_API_ENABLED
133#warning "Use legacy driver API for BL2"
Raef Coles0e82adc2019-10-17 15:06:26 +0100[diff] [blame]134#include "mbedtls_accelerator_config.h"
Michel Jaouene991ffb2023-02-20 12:08:43 +0100[diff] [blame]135#undef LEGACY_DRIVER_API_ENABLED
Summer Qin36f79f72022-07-05 14:53:35 +0800[diff] [blame]136#else
137#include "mbedtls_accelerator_config.h"
Michel Jaouene991ffb2023-02-20 12:08:43 +0100[diff] [blame]138#endif /* !LEGACY_DRIVER_API_ENABLED */
Raef Coles0e82adc2019-10-17 15:06:26 +0100[diff] [blame]139#endif
140
Balint Matyi69e2d2e2020-07-08 10:53:54 +0100[diff] [blame]141#endif /* __MCUBOOT_MBEDTLS_CFG__ */