MbedTLS configuration rework

Instead of using config.py to modify the original MbedTLS configuration
file and then extending it with user settings, pass a custom file
which will be used instead of the default file being appended to it.
Also add a stub trng implementation that returns an error if called,
because in the internal crypto configuration of the smmgw SP, the trng
shall not be used for X509 related tasks.
libmbedx509.h has been renamed to crypto_provider_x509.h
x509_only.h has been renamed to internal_crypto_smmgw.h

Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I6831f221d63b64422a28ab75d0faf97771dd5773
diff --git a/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/component.cmake b/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/component.cmake
new file mode 100644
index 0000000..8a5d8c9
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+	message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+	"${CMAKE_CURRENT_LIST_DIR}/stub_trng_adapter.c"
+	)
diff --git a/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/stub_trng_adapter.c b/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/stub_trng_adapter.c
new file mode 100644
index 0000000..07d0702
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/trng_adapter/stub/stub_trng_adapter.c
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 2024, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#include <mbedtls/entropy.h>
+#include <service/crypto/backend/mbedcrypto/trng_adapter/trng_adapter.h>
+#include <psa/error.h>
+#include <stddef.h>
+
+int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen)
+{
+    (void)data;
+    (void)output;
+    (void)len;
+    (void)olen;
+
+    return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
+}
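Review bot: The stub leaves `*olen` untouched on its failure return; Mbed TLS's entropy gathering appears to zero the count before calling the source, but any other caller of `mbedtls_hardware_poll` would read an uninitialized output length, so replace `(void)olen;` with `if (olen) *olen = 0;`. The file also has no comment saying why a deliberately failing entropy source exists; a header comment such as `/* Intentionally non-functional entropy source: the internal_crypto_smmgw configuration must never seed a DRBG, so any RNG use fails loudly instead of yielding weak randomness. */` would stop a later maintainer from "fixing" it. `psa/error.h` appears unused in this file and could be dropped.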
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index 8d4aaef..c20e2fe 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -240,7 +240,7 @@
 protobuf_generate_all(TGT "component-test" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
 # MbedTLS
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_provider_x509.h"
 	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(component-test PRIVATE MbedTLS::mbedcrypto)
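Review bot: `set(MBEDTLS_CONFIG_FILE ... CACHE STRING ... FORCE)` on the renamed line overwrites any `-DMBEDTLS_CONFIG_FILE=` a user passes on the command line, so the cache entry is not really configurable; the same pattern is in the crypto.cmake, libts/linux-pc and smm-gateway hunks, while the platform-inspect hunk sets the same variable without `FORCE`, so the five deployments disagree on whether the value may be overridden. If the per-deployment value is fixed by design, a plain `set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_provider_x509.h")` before the `include()` says so directly, assuming MbedTLS.cmake reads the variable at configure time (its use of the variable is outside this diff); if it is meant to be overridable, drop `FORCE` everywhere.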
@@ -248,7 +248,7 @@
 
 # Pass the location of the mbedtls config file to C preprocessor.
 target_compile_definitions(component-test PRIVATE
-		MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+		MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"
 )
 
 # Qcbor
diff --git a/deployments/crypto/crypto.cmake b/deployments/crypto/crypto.cmake
index 963dde5..9dad507 100644
--- a/deployments/crypto/crypto.cmake
+++ b/deployments/crypto/crypto.cmake
@@ -47,7 +47,7 @@
 protobuf_generate_all(TGT "crypto" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
 # Mbed TLS provides libmbedcrypto
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_provider_x509.h"
 	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(crypto PRIVATE MbedTLS::mbedcrypto)
@@ -56,7 +56,7 @@
 # Provide the config path to mbedtls
 target_compile_definitions(crypto
 	PRIVATE
-		MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+		MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"
 )
 
 #################################################################
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index 80ef7e4..c9f84be 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -184,7 +184,7 @@
 protobuf_generate_all(TGT "ts" NAMESPACE "protobuf" BASE_DIR "${TS_ROOT}/protocols")
 
 # MbedTLS
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/libmbedx509.h"
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_provider_x509.h"
 	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(ts PRIVATE MbedTLS::mbedcrypto)
@@ -192,7 +192,7 @@
 
 # Pass the location of the mbedtls config file to C preprocessor.
 target_compile_definitions(ts PRIVATE
-		MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+		MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"
 )
 
 # Qcbor
diff --git a/deployments/platform-inspect/platform-inspect.cmake b/deployments/platform-inspect/platform-inspect.cmake
index d9f1ca7..f5589ff 100644
--- a/deployments/platform-inspect/platform-inspect.cmake
+++ b/deployments/platform-inspect/platform-inspect.cmake
@@ -43,7 +43,7 @@
 #-------------------------------------------------------------------------------
 
 # MbedTLS provides libmbedcrypto
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_posix.h"
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/crypto_posix.h"
 	CACHE STRING "Configuration file for mbedcrypto")
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(platform-inspect PRIVATE MbedTLS::mbedcrypto)
diff --git a/deployments/smm-gateway/smm-gateway.cmake b/deployments/smm-gateway/smm-gateway.cmake
index 562d9d1..bbeb034 100644
--- a/deployments/smm-gateway/smm-gateway.cmake
+++ b/deployments/smm-gateway/smm-gateway.cmake
@@ -11,7 +11,7 @@
 
 # If enabled an internal mbedtls instance will be used instead of the crypto SP
 if (UEFI_INTERNAL_CRYPTO)
-set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/x509_only.h"
+set(MBEDTLS_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/internal_crypto_smmgw.h"
 	CACHE STRING "Configuration file for Mbed TLS" FORCE)
 include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
 target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedcrypto)
@@ -20,7 +20,7 @@
 # Pass the mbedtls config file to C preprocessor so the uefi
 # direct backend will access the mbedtls headers
 target_compile_definitions(smm-gateway PRIVATE
-		MBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+	MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"
 )
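Review bot: The new `MBEDTLS_CONFIG_FILE="${MBEDTLS_CONFIG_FILE}"` line is indented with one tab, whereas the removed line and the equivalent lines in the component-test, crypto and libts hunks use two, so this one file now formats the same construct differently. Restoring the second tab keeps the five deployments grep- and diff-consistent.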
 
 target_compile_definitions(smm-gateway PRIVATE
@@ -32,6 +32,7 @@
 	COMPONENTS
 		"components/common/mbedtls"
 		"components/service/uefi/smm_variable/backend/direct"
+		"components/service/crypto/backend/mbedcrypto/trng_adapter/stub"
 )
 
 else()
diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake
index 06dfad2..a041a8f 100644
--- a/external/MbedTLS/MbedTLS.cmake
+++ b/external/MbedTLS/MbedTLS.cmake
@@ -32,7 +32,6 @@
 		COMMAND git branch -f bf-am
 		COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-Add-capability-to-selectively-build-libraries.patch
 		COMMAND git reset bf-am
-		COMMAND ${Python3_EXECUTABLE} scripts/config.py crypto
 )
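Review bot: With the `config.py crypto` step removed, the Mbed TLS build relies entirely on `MBEDTLS_CONFIG_FILE` being set before this file is included, and the template hunk in mbedtls-init-cache.cmake.in expands it unconditionally; a deployment that still sets only the old `MBEDTLS_USER_CONFIG_FILE` would build Mbed TLS with `-DMBEDTLS_CONFIG_FILE=""` and fail with a confusing include error inside the external project. A guard near the top of MbedTLS.cmake (outside this hunk), `if(NOT DEFINED MBEDTLS_CONFIG_FILE)` / `message(FATAL_ERROR "MBEDTLS_CONFIG_FILE must name a complete Mbed TLS configuration header")` / `endif()`, turns that into an immediate configure-time error. A one-line comment here noting that the selected file replaces mbedtls_config.h entirely rather than extending it would also help, since the commit message is the only place that currently says so. The ExternalProject/step definition this hunk belongs to starts outside the hunk.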
 
 # Only pass libc settings to Mbed TLS if needed. For environments where the standard
diff --git a/external/MbedTLS/config/crypto_posix.h b/external/MbedTLS/config/crypto_posix.h
index eaec37e..9c396bf 100644
--- a/external/MbedTLS/config/crypto_posix.h
+++ b/external/MbedTLS/config/crypto_posix.h
@@ -11,17 +11,30 @@
  * Mbed TLS configuration for using libmbedcrypto in
  * a Posix environment (normal world demo and test applications).
  */
+
+/*
+ * Enable using crypto_config.h, but do not define custom crypto header with
+ * MBEDTLS_PSA_CRYPTO_CONFIG_FILE to enable all the supported algorithms.
+ */
 #define MBEDTLS_PSA_CRYPTO_CONFIG
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ECP_NIST_OPTIM
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_LMS_C
+#define MBEDTLS_NIST_KW_C
 #define MBEDTLS_NO_UDBL_DIVISION
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_PADLOCK_C
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS12_C
+#define MBEDTLS_PKCS5_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_USE_C
 
 #endif /* CONFIG_CRYPTO_POSIX_H */
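Review bot: `MBEDTLS_ENTROPY_C` is now defined explicitly while `MBEDTLS_NO_PLATFORM_ENTROPY` is deliberately absent, which is the one setting that makes this configuration differ from the two other new headers in this change, and nothing in the file says that the difference is intentional. A comment on that line, `/* Platform entropy (default Mbed TLS poll) is used here; the SP configurations disable it and supply a hardware poll instead. */`, records the decision so it is not "harmonised" away later. Since this file now replaces mbedtls_config.h rather than layering on it, the header comment at the top of the hunk could also state that every enabled module must be listed here.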
diff --git a/external/MbedTLS/config/crypto_provider_x509.h b/external/MbedTLS/config/crypto_provider_x509.h
new file mode 100644
index 0000000..979afc7
--- /dev/null
+++ b/external/MbedTLS/config/crypto_provider_x509.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CONFIG_CRYPTO_PROVIDER_X509_H
+#define CONFIG_CRYPTO_PROVIDER_X509_H
+
+/*
+ * MbedTLS configuration for building libmbedcrypto and libx509 to act as a backend
+ * for the crypto service provider.
+ */
+
+/*
+ * Enable using crypto_config.h, but do not define custom crypto header with
+ * MBEDTLS_PSA_CRYPTO_CONFIG_FILE to enable all the supported algorithms.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ECP_NIST_OPTIM
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_GENPRIME
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_LMS_C
+#define MBEDTLS_NIST_KW_C
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_UDBL_DIVISION
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PEM_WRITE_C
+#define MBEDTLS_PKCS12_C
+#define MBEDTLS_PKCS5_C
+#define MBEDTLS_PKCS7_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_CRYPTO_STORAGE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_USE_C
+
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+#define BACKEND_CRYPTO_API_ADD_PREFIX(f) __mbedtls_backend_##f
+#include "../../../components/service/crypto/backend/prefixed_crypto_api.h"
+
+#endif /* CONFIG_CRYPTO_PROVIDER_X509_H */
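Review bot: `MBEDTLS_ENTROPY_HARDWARE_ALT` together with `MBEDTLS_NO_PLATFORM_ENTROPY` makes `mbedtls_hardware_poll` the only entropy source, and `MBEDTLS_PSA_CRYPTO_STORAGE_C` without an ITS file backend means the deployment must supply PSA ITS; neither requirement is written down in the header. A comment such as `/* Requires: a real trng_adapter providing mbedtls_hardware_poll (never the stub adapter), and a PSA ITS implementation from the deployment. */` above the entropy defines would make the coupling explicit and warn against linking the stub adapter added elsewhere in this change. Separately, `MBEDTLS_GENPRIME`, `MBEDTLS_PEM_WRITE_C` and `MBEDTLS_PKCS12_C` are new relative to the deleted libmbedx509.h, which only enabled parsing; if the provider does not need them, dropping them keeps the compiled surface as small as before.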
diff --git a/external/MbedTLS/config/internal_crypto_smmgw.h b/external/MbedTLS/config/internal_crypto_smmgw.h
new file mode 100644
index 0000000..5d85cf7
--- /dev/null
+++ b/external/MbedTLS/config/internal_crypto_smmgw.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#ifndef CONFIG_INTERNAL_CRYPTO_SMMGW_H
+#define CONFIG_INTERNAL_CRYPTO_SMMGW_H
+
+/*
+ * Enable using crypto_config.h, but do not define custom crypto header with
+ * MBEDTLS_PSA_CRYPTO_CONFIG_FILE to enable all the supported algorithms.
+ */
+#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_UDBL_DIVISION
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PEM_WRITE_C
+#define MBEDTLS_PKCS12_C
+#define MBEDTLS_PKCS5_C
+#define MBEDTLS_PKCS7_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_USE_C
+
+#endif /* CONFIG_INTERNAL_CRYPTO_SMMGW_H */
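Review bot: This configuration enables `MBEDTLS_PSA_CRYPTO_C` while routing all entropy to a hardware poll that, per the stub adapter added in this change, always fails; if anything in the smm-gateway path calls `psa_crypto_init()` the DRBG seeding fails and every RNG-dependent operation (signing, key generation) becomes unusable, which is presumably the intent but is stated nowhere in the file. A comment next to `MBEDTLS_ENTROPY_HARDWARE_ALT`, `/* Entropy is intentionally unavailable: this instance is for X.509 parsing and signature verification only; do not use it for any operation that needs randomness. */`, documents the security assumption. On the same reasoning, `MBEDTLS_PEM_WRITE_C`, `MBEDTLS_PK_WRITE_C` and `MBEDTLS_PKCS12_C` were not present in the deleted x509_only.h and look unnecessary for a verify-only instance; confirm they are needed before keeping them.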
diff --git a/external/MbedTLS/config/libmbedx509.h b/external/MbedTLS/config/libmbedx509.h
deleted file mode 100644
index 0039d3c..0000000
--- a/external/MbedTLS/config/libmbedx509.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (c) 2020-2023, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CONFIG_LIBMBEDX509_H
-#define CONFIG_LIBMBEDX509_H
-
-/*
- * MbedTLS configuration for building libmbedcrypto and libx509 to act as a backend
- * for the crypto service provider running in an isolated secure processing environment.
- */
-#define MBEDTLS_PSA_CRYPTO_CONFIG
-#define MBEDTLS_NO_UDBL_DIVISION
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#define MBEDTLS_ENTROPY_HARDWARE_ALT
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_AESCE_C
-#undef MBEDTLS_PADLOCK_C
-
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_PKCS7_C
-
-#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-#define BACKEND_CRYPTO_API_ADD_PREFIX(f) __mbedtls_backend_##f
-#include "../../../components/service/crypto/backend/prefixed_crypto_api.h"
-
-#endif /* CONFIG_LIBMBEDX509_H */
diff --git a/external/MbedTLS/config/x509_only.h b/external/MbedTLS/config/x509_only.h
deleted file mode 100644
index 5c615fa..0000000
--- a/external/MbedTLS/config/x509_only.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-#ifndef CONFIG_X509_ONLY_H
-#define CONFIG_X509_ONLY_H
-
-#undef MBEDTLS_LMS_C
-#undef MBEDTLS_HAVE_TIME
-#undef MBEDTLS_HAVE_TIME_DATE
-#undef MBEDTLS_FS_IO
-#undef MBEDTLS_SELF_TEST
-#undef MBEDTLS_AESNI_C
-#undef MBEDTLS_AESCE_C
-#undef MBEDTLS_PADLOCK_C
-#undef MBEDTLS_PLATFORM_C
-#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
-#undef MBEDTLS_PSA_ITS_FILE_C
-#undef MBEDTLS_TIMING_C
-
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_X509_USE_C
-#define MBEDTLS_X509_CRL_PARSE_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_OID_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_PKCS7_C
-
-#endif /* CONFIG_X509_ONLY_H */
diff --git a/external/MbedTLS/mbedtls-init-cache.cmake.in b/external/MbedTLS/mbedtls-init-cache.cmake.in
index bf93f1b..a633781 100644
--- a/external/MbedTLS/mbedtls-init-cache.cmake.in
+++ b/external/MbedTLS/mbedtls-init-cache.cmake.in
@@ -11,7 +11,7 @@
 set(ENABLE_PROGRAMS Off CACHE BOOL "")
 set(ENABLE_TESTING Off CACHE BOOL "")
 set(UNSAFE_BUILD On CACHE BOOL "")
-set(EXTERNAL_DEFINITIONS -DMBEDTLS_USER_CONFIG_FILE="@MBEDTLS_USER_CONFIG_FILE@" CACHE STRING "")
+set(EXTERNAL_DEFINITIONS -DMBEDTLS_CONFIG_FILE="@MBEDTLS_CONFIG_FILE@" CACHE STRING "")
 set(EXTERNAL_INCLUDE_PATHS @MBEDTLS_EXTRA_INCLUDES@ CACHE STRING "")
 set(BRANCH_PROTECTION @BRANCH_PROTECTION@ CACHE STRING "")