Add option for internal mbedtls in smm-gateway
Update the component to support using an internal mbedtls instance for
signature verification instead of the crypto SP.
Change-Id: I24ae5e08930accbd61c2333caf31333db3560c98
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
diff --git a/deployments/smm-gateway/common/smm_gateway.c b/deployments/smm-gateway/common/smm_gateway.c
index db089a0..fdc1b8c 100644
--- a/deployments/smm-gateway/common/smm_gateway.c
+++ b/deployments/smm-gateway/common/smm_gateway.c
@@ -18,7 +18,7 @@
#define SMM_GATEWAY_NV_STORE_SN "sn:ffa:751bf801-3dde-4768-a514-0f10aeed1790:0"
#endif
-#if defined(UEFI_AUTH_VAR)
+#if defined(UEFI_AUTH_VAR) && !defined(UEFI_INTERNAL_CRYPTO)
/* Default to using the Crypto SP */
#ifndef SMM_GATEWAY_CRYPTO_SN
#define SMM_GATEWAY_CRYPTO_SN "sn:ffa:d9df52d5-16a2-4bb2-9aa4-d26d3b84e8c0:0"
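Review bot: The guard `defined(UEFI_AUTH_VAR) && !defined(UEFI_INTERNAL_CRYPTO)` is now spelled out three times, here and twice in the next hunk (the crypto_service_context/crypto_session members and create_crypto_binding), so a future site can easily get the condition subtly wrong. A single derived macro beside this first use, `#if defined(UEFI_AUTH_VAR) && !defined(UEFI_INTERNAL_CRYPTO)` / `#define SMM_GATEWAY_USE_CRYPTO_SP` / `#endif`, lets the other sites test one name and keeps backend selection from drifting. A one-line comment at that definition, `/* Signature verification is delegated to the Crypto SP unless an in-process Mbed TLS instance was configured (UEFI_INTERNAL_CRYPTO) */`, would also record the trust-boundary choice the build option makes. The body of create_crypto_binding continues outside the second hunk.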
@@ -38,14 +38,14 @@
struct mock_store volatile_store;
struct service_context *nv_storage_service_context;
struct rpc_caller_session *nv_storage_session;
-#if defined(UEFI_AUTH_VAR)
+#if defined(UEFI_AUTH_VAR) && !defined(UEFI_INTERNAL_CRYPTO)
struct service_context *crypto_service_context;
struct rpc_caller_session *crypto_session;
#endif
} smm_gateway_instance;
-#if defined(UEFI_AUTH_VAR)
+#if defined(UEFI_AUTH_VAR) && !defined(UEFI_INTERNAL_CRYPTO)
bool create_crypto_binding(void)
{
psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
diff --git a/deployments/smm-gateway/smm-gateway.cmake b/deployments/smm-gateway/smm-gateway.cmake
index 6c41abe..e5ee03b 100644
--- a/deployments/smm-gateway/smm-gateway.cmake
+++ b/deployments/smm-gateway/smm-gateway.cmake
@@ -5,6 +5,40 @@
#
#-------------------------------------------------------------------------------
+option(UEFI_INTERNAL_CRYPTO "Use internal mbedtls instance" OFF)
+
+if (UEFI_AUTH_VAR)
+
+# If enabled an internal mbedtls instance will be used instead of the crypto SP
+if (UEFI_INTERNAL_CRYPTO)
+set(MBEDTLS_USER_CONFIG_FILE "${TS_ROOT}/external/MbedTLS/config/x509_only.h"
+ CACHE STRING "Configuration file for Mbed TLS" FORCE)
+include(${TS_ROOT}/external/MbedTLS/MbedTLS.cmake)
+target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedcrypto)
+target_link_libraries(smm-gateway PRIVATE MbedTLS::mbedx509)
+
+target_compile_definitions(smm-gateway PRIVATE
+ -DUEFI_INTERNAL_CRYPTO
+)
+
+add_components(TARGET "smm-gateway"
+ BASE_DIR ${TS_ROOT}
+ COMPONENTS
+ "components/service/uefi/smm_variable/backend/direct"
+)
+
+else()
+add_components(TARGET "smm-gateway"
+ BASE_DIR ${TS_ROOT}
+ COMPONENTS
+ "components/common/tlv"
+ "components/service/crypto/include"
+ "components/service/crypto/client/psa"
+)
+endif()
+
+endif()
+
add_components(TARGET "smm-gateway"
BASE_DIR ${TS_ROOT}
COMPONENTS
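Review bot: UEFI_INTERNAL_CRYPTO is declared unconditionally but only takes effect inside the `if (UEFI_AUTH_VAR)` block, so a configuration with the option ON and UEFI_AUTH_VAR off is silently ignored; a guard such as `if (UEFI_INTERNAL_CRYPTO AND NOT UEFI_AUTH_VAR)` / `message(FATAL_ERROR "UEFI_INTERNAL_CRYPTO requires UEFI_AUTH_VAR")` / `endif()` makes the mismatch visible at configure time. Two smaller points: `target_compile_definitions` takes bare names, so `-DUEFI_INTERNAL_CRYPTO` should be `UEFI_INTERNAL_CRYPTO` (CMake strips the `-D`, but the prefix is non-idiomatic), and `CACHE STRING ... FORCE` on MBEDTLS_USER_CONFIG_FILE overwrites any value already in the cache, including one the user passed on the command line — if the x509-only configuration is mandatory for this deployment that may be intended, but a comment should say so. The option's help text could also state what it changes, e.g. `"Verify authenticated-variable signatures with an in-process Mbed TLS instance instead of the Crypto SP"`.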
@@ -21,16 +55,6 @@
"protocols/rpc/common/packed-c"
)
-if (UEFI_AUTH_VAR)
-add_components(TARGET "smm-gateway"
- BASE_DIR ${TS_ROOT}
- COMPONENTS
- "components/common/tlv"
- "components/service/crypto/include"
- "components/service/crypto/client/psa"
-)
-endif()
-
target_include_directories(smm-gateway PRIVATE
${TS_ROOT}
${TS_ROOT}/components
diff --git a/external/MbedTLS/config/x509_only.h b/external/MbedTLS/config/x509_only.h
new file mode 100644
index 0000000..5c615fa
--- /dev/null
+++ b/external/MbedTLS/config/x509_only.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CONFIG_X509_ONLY_H
+#define CONFIG_X509_ONLY_H
+
+#undef MBEDTLS_LMS_C
+#undef MBEDTLS_HAVE_TIME
+#undef MBEDTLS_HAVE_TIME_DATE
+#undef MBEDTLS_FS_IO
+#undef MBEDTLS_SELF_TEST
+#undef MBEDTLS_AESNI_C
+#undef MBEDTLS_AESCE_C
+#undef MBEDTLS_PADLOCK_C
+#undef MBEDTLS_PLATFORM_C
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
+#undef MBEDTLS_PSA_ITS_FILE_C
+#undef MBEDTLS_TIMING_C
+
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_PKCS7_C
+
+#endif /* CONFIG_X509_ONLY_H */
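Review bot: The file does not say what it is for or why each symbol is toggled, which matters for a configuration that defines the code path trusted to verify authenticated-variable signatures. A header comment after the licence block, stating that this is an Mbed TLS user configuration applied on top of the default config that trims the library down to X.509/PKCS#7 parsing and signature verification for the smm-gateway UEFI_INTERNAL_CRYPTO option, would let a maintainer judge later changes. The `#undef MBEDTLS_HAVE_TIME_DATE` line deserves its own comment: without that symbol Mbed TLS cannot check certificate validity periods, so expired or not-yet-valid signer certificates pass the time check — presumably accepted because the partition has no trusted time source, but that should be stated rather than left implicit, e.g. `/* No trusted clock in the SP: certificate validity periods are not checked */`.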