BL2: Add support for MCUBOOT_USE_PSA_CRYPTO option
Add support in BL2 code to enable the cryptographic backend
to use PSA Crypto APIs through the option MCUBOOT_USE_PSA_CRYPTO
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I3cb48e42d1666d46ed90a47e1f857a8679dea7d9
diff --git a/bl2/ext/mcuboot/bl2_main.c b/bl2/ext/mcuboot/bl2_main.c
index 901a94e..a3fd5b7 100644
--- a/bl2/ext/mcuboot/bl2_main.c
+++ b/bl2/ext/mcuboot/bl2_main.c
@@ -35,6 +35,10 @@
#include "mcuboot_suites.h"
#endif /* TEST_BL2 */
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#endif
+
/* Avoids the semihosting issue */
#if defined (__ARMCC_VERSION) && (__ARMCC_VERSION >= 6010050)
__asm(" .global __ARM_use_no_argv\n");
@@ -112,8 +116,8 @@
plat_err = tfm_plat_otp_init();
if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- BOOT_LOG_ERR("OTP system initialization failed");
- FIH_PANIC;
+ BOOT_LOG_ERR("OTP system initialization failed");
+ FIH_PANIC;
}
if (tfm_plat_provisioning_is_required()) {
@@ -138,6 +142,20 @@
FIH_PANIC;
}
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+ /* If the bootloader is configured to use PSA Crypto APIs in the
+ * abstraction layer, the component needs to be explicitly initialized
+ * before MCUboot APIs, as the crypto abstraction expects that the init
+ * has already happened
+ */
+ psa_status_t status = psa_crypto_init();
+ if (status != PSA_SUCCESS) {
+ BOOT_LOG_ERR("PSA Crypto init failed with error code %d", status);
+ FIH_PANIC;
+ }
+ BOOT_LOG_INF("PSA Crypto init completed");
+#endif /* MCUBOOT_USE_PSA_CRYPTO */
+
#ifdef TEST_BL2
(void)run_mcuboot_testsuite();
#endif /* TEST_BL2 */
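Review bot: The error log on the failure path formats `status` with `%d`, but `psa_status_t` is `int32_t`, so the conversion only matches on targets where `int` is 32 bits; on the Cortex-M builds BL2 targets that holds, but it is an implicit assumption. If the logging macro accepts standard conversion specifiers, `BOOT_LOG_ERR("PSA Crypto init failed with error code %" PRId32, status);` (with `<inttypes.h>`) pins the type exactly and keeps `-Wformat` quiet. Placing the init before the `TEST_BL2` suite is right, since the tests presumably exercise the crypto abstraction; the enclosing `main` begins and ends outside this hunk.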
@@ -176,3 +194,17 @@
BOOT_LOG_ERR("Never should get here");
FIH_PANIC;
}
+
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+/* When MCUBOOT_USE_PSA_CRYPTO is set, the PSA Crypto layer is configured
+ * to use an external RNG generator through MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
+ * But the cryptographic APIs required by BL2 don't require access to randomness
+ * hence we can just stub this API to always return an error code
+ */
+psa_status_t mbedtls_psa_external_get_random(
+ mbedtls_psa_external_random_context_t *context,
+ uint8_t *output, size_t output_size, size_t *output_length)
+{
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+#endif /* MCUBOOT_USE_PSA_CRYPTO */
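Review bot: The RNG stub returns `PSA_ERROR_NOT_SUPPORTED` without touching `*output_length`, so a caller that checks only the length (or ignores the status) would see an uninitialised count next to an untouched `output` buffer, and the unused parameters will trigger `-Wunused-parameter` in a warnings-as-errors build. Set the length explicitly and mark the parameters: `(void)context; (void)output; (void)output_size;` followed by `*output_length = 0;` before the return. The comment's claim that no BL2 crypto path needs randomness is worth stating as a configuration invariant rather than a fact: any feature that ends up calling `psa_generate_key`, `psa_generate_random`, or an mbed TLS private-key operation that takes an RNG callback for blinding would now fail at runtime with this error rather than at build time, so I would add a sentence like `Any BL2 feature that requires randomness (e.g. key generation) must provide a real implementation instead of this stub.`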
diff --git a/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h b/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h
index 5e3e3ee..5eb9d59 100644
--- a/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h
+++ b/bl2/ext/mcuboot/config/mcuboot-mbedtls-cfg.h
@@ -28,14 +28,30 @@
*/
/*
- * Minimal configuration for using TLS in the bootloader
+ * Minimal configuration for using mbed TLS in the bootloader
*
* - RSA signature verification
+ * - Optionally, enable support for PSA Crypto APIs
*/
#ifndef __MCUBOOT_MBEDTLS_CFG__
#define __MCUBOOT_MBEDTLS_CFG__
+#if defined(MCUBOOT_USE_PSA_CRYPTO)
+/* Enable PSA Crypto Core without support for the permanent storage
+ * Don't define MBEDTLS_PSA_CRYPTO_STORAGE_C to make sure that support
+ * for permanent keys is not enabled, as it is not available during boot
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+#endif /* MCUBOOT_USE_PSA_CRYPTO */
+
/* System support */
#define MBEDTLS_PLATFORM_C
#define MBEDTLS_PLATFORM_MEMORY
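Review bot: The comment says permanent-key support must stay off because storage is unavailable at boot, but nothing enforces it; a later include or build flag defining `MBEDTLS_PSA_CRYPTO_STORAGE_C` would silently re-enable persistent keys in the bootloader. Turn the invariant into a build-time check right after the new block: `#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)` / `#error "BL2 must not enable PSA Crypto persistent key storage"` / `#endif`. Separately, with `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` defined the PSA core routes randomness to `mbedtls_psa_external_get_random`, so `MBEDTLS_CTR_DRBG_C` and `MBEDTLS_ENTROPY_C` appear to add code size without being used, and `MBEDTLS_ENTROPY_C` may pull in a platform entropy source unless `MBEDTLS_NO_PLATFORM_ENTROPY` is set elsewhere; I cannot see the rest of this header, so please confirm whether those two are needed by another consumer before dropping them.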
@@ -73,7 +89,9 @@
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
#ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
+#ifndef MBEDTLS_CIPHER_C
#define MBEDTLS_CIPHER_C
+#endif
#define MBEDTLS_CCM_C
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C