Update mbedtls to version 3.6.2
This new update to the LTS branch of MbedTLS provides
the fix for a buffer underrun vulnerability. TF-A does
not use the previously vulnerable functions
`mbedtls_pk_write_key_der` or `mbedtls_pk_write_key_pem`.
Full patch notes to this MbedTLS update can be found at
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.2.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Change-Id: I3496fbe54c3d85f7a5330b49cd77ccd16f7cb7fa
(cherry picked from commit f3eb26844acefd8e78e1b69e99eeecca9b21ac08)
diff --git a/script/tf-coverity/common-def.sh b/script/tf-coverity/common-def.sh
index b1b71e5..a165980 100644
--- a/script/tf-coverity/common-def.sh
+++ b/script/tf-coverity/common-def.sh
@@ -79,7 +79,7 @@
# mbed TLS source tag to checkout when building Trusted Firmware with
# cryptography support (e.g. for Trusted Board Boot feature).
-MBED_TLS_SOURCES_TAG="mbedtls-3.6.1"
+MBED_TLS_SOURCES_TAG="mbedtls-3.6.2"
ARMCLANG_PATH="$(set_armclang_toolchain)"
diff --git a/tf_config/fvp-tbb-mbedtls b/tf_config/fvp-tbb-mbedtls
index 129bc9a..82098c3 100644
--- a/tf_config/fvp-tbb-mbedtls
+++ b/tf_config/fvp-tbb-mbedtls
@@ -1,7 +1,7 @@
ARM_ROTPK_LOCATION=devel_rsa
CROSS_COMPILE=aarch64-none-elf-
GENERATE_COT=1
-MBEDTLS_CONFIG_FILE=\"${tf_root}/include/drivers/auth/mbedtls/mbedtls_config-3.h\"
+MBEDTLS_CONFIG_FILE=\"${tf_root}/include/drivers/auth/mbedtls/default_mbedtls_config.h\"
PLAT=fvp
ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem
TRUSTED_BOARD_BOOT=1
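Review bot: The change of `MBEDTLS_CONFIG_FILE` from `mbedtls_config-3.h` to `default_mbedtls_config.h` is not covered by the commit message, which describes only the move to 3.6.2. This header decides which Mbed TLS algorithms and key sizes are compiled into the Trusted Board Boot image under test, so a silent swap can change what the `fvp-tbb-mbedtls` configuration actually verifies. If this only follows a header rename in TF-A (not visible in this diff), say so in the description, for example `Also point fvp-tbb-mbedtls at default_mbedtls_config.h, which replaces mbedtls_config-3.h in TF-A.` Please also confirm that the enabled option set is unchanged. Because the path is resolved against `${tf_root}`, this CI change is presumably only valid with a TF-A tree that already ships the new header; if so, that ordering dependency is worth noting too.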
diff --git a/utils.sh b/utils.sh
index 464fc1e..0cf0915 100644
--- a/utils.sh
+++ b/utils.sh
@@ -630,7 +630,7 @@
linaro_2001_release="${linaro_2001_release:-$tfa_downloads/linaro/20.01}"
linaro_release="${linaro_release:-$linaro_2001_release}"
-mbedtls_version="${mbedtls_version:-3.6.1}"
+mbedtls_version="${mbedtls_version:-3.6.2}"
# mbedTLS archive public hosting available at github.com
mbedtls_archive="${mbedtls_archive:-https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/v${mbedtls_version}.tar.gz}"