Merge changes from topic "lts-v2.8.28" into lts-v2.8
* changes:
feat(mbedtls): mbedtls config update for v3.6.2
docs(prerequisites): update mbedtls to version 3.6.2
refactor(mbedtls): rename default mbedtls confs
fix(arm): add extra hash config to validate ROTPK
diff --git a/docs/getting_started/prerequisites.rst b/docs/getting_started/prerequisites.rst
index ffdc3e2..ff39539 100644
--- a/docs/getting_started/prerequisites.rst
+++ b/docs/getting_started/prerequisites.rst
@@ -71,7 +71,7 @@
The following libraries are required for Trusted Board Boot and Measured Boot
support:
-- mbed TLS == 3.6.1 (tag: ``mbedtls-3.6.1``)
+- mbed TLS == 3.6.2 (tag: ``mbedtls-3.6.2``)
These tools are optional:
@@ -178,7 +178,7 @@
--------------
-*Copyright (c) 2021-2024, Arm Limited. All rights reserved.*
+*Copyright (c) 2021-2025, Arm Limited. All rights reserved.*
.. _Arm Developer website: https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/downloads
.. _Gerrit Code Review: https://www.gerritcodereview.com/
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 656acab..fc22211 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -24,7 +24,7 @@
endif
# Specify mbed TLS configuration file
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/default_mbedtls_config.h>"
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/default_mbedtls_config.h
similarity index 96%
rename from include/drivers/auth/mbedtls/mbedtls_config-3.h
rename to include/drivers/auth/mbedtls/default_mbedtls_config.h
index 0be4b5d..a309479 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config-3.h
+++ b/include/drivers/auth/mbedtls/default_mbedtls_config.h
@@ -11,6 +11,11 @@
*/
/*
+ * This file is compatible with versions >= 3.6.2
+ */
+#define MBEDTLS_CONFIG_VERSION 0x03060200
+
+/*
* Key algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_RSA 1
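Review bot: Nothing enforces the ">= 3.6.2" requirement stated in the new comment, so a build pointed at an older mbed TLS checkout would still pick up this configuration and silently run with the older library. If `MBEDTLS_VERSION_NUMBER` is already defined when the config file is included (build_info.h appears to define it first, but confirm), a guard right after the `MBEDTLS_CONFIG_VERSION` definition would make the comment a build-time check: `#if MBEDTLS_VERSION_NUMBER < 0x03060200` / `#error "mbed TLS >= 3.6.2 is required"` / `#endif`. The rest of the header lies outside the hunk.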
diff --git a/plat/arm/board/fvp_r/platform.mk b/plat/arm/board/fvp_r/platform.mk
index fb9676b..30fcb38 100644
--- a/plat/arm/board/fvp_r/platform.mk
+++ b/plat/arm/board/fvp_r/platform.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -25,7 +25,7 @@
include plat/arm/board/common/board_common.mk
include plat/arm/common/arm_common.mk
-PLAT_INCLUDES := -Iplat/arm/board/fvp_r/include
+PLAT_INCLUDES += -Iplat/arm/board/fvp_r/include
FVP_R_BL_COMMON_SOURCES := plat/arm/board/fvp_r/fvp_r_common.c \
plat/arm/board/fvp_r/fvp_r_context_mgmt.c \
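Review bot: The switch from `:=` to `+=` on `PLAT_INCLUDES` is only correct because of include order, and nothing next to the assignment says so. arm_common.mk, included just above, now appends `-Iplat/arm/common` and `-Iinclude/drivers/auth/mbedtls` when one of the boot options is enabled, and a `:=` here would discard those paths, so the platform mbed TLS config header would no longer resolve. I would add a comment above the assignment, e.g. `# Append: arm_common.mk has already added the mbed TLS config include paths to PLAT_INCLUDES.` The `FVP_R_BL_COMMON_SOURCES` list continues outside the hunk.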
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index e9b9ebe..f55f5d1 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -119,10 +119,6 @@
$(eval $(call assert_boolean,ARM_ETHOSN_NPU_DRIVER))
$(eval $(call add_define,ARM_ETHOSN_NPU_DRIVER))
-# Use an implementation of SHA-256 with a smaller memory footprint but reduced
-# speed.
-$(eval $(call add_define,MBEDTLS_SHA256_SMALLER))
-
# Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images
# in the FIP if the platform requires.
ifneq ($(BL32_EXTRA1),)
@@ -356,6 +352,17 @@
BL31_SOURCES += plat/arm/common/arm_err.c
endif
+ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),)
+ PLAT_INCLUDES += -Iplat/arm/common \
+ -Iinclude/drivers/auth/mbedtls
+ # Specify mbed TLS configuration file
+ ifeq (${PSA_CRYPTO},1)
+ MBEDTLS_CONFIG_FILE ?= "<plat_arm_psa_mbedtls_config.h>"
+ else
+ MBEDTLS_CONFIG_FILE ?= "<plat_arm_mbedtls_config.h>"
+ endif
+endif
+
ifneq (${TRUSTED_BOARD_BOOT},0)
# Include common TBB sources
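Review bot: Because the new block assigns `MBEDTLS_CONFIG_FILE` with `?=`, a platform or command line that already sets its own configuration file bypasses plat_arm_mbedtls_config.h entirely, and with it the `MBEDTLS_SHA256_C` that the header says is needed to hash the ROTPK. Before this change `MBEDTLS_SHA256_SMALLER` was injected with `add_define` regardless of which config file was chosen, so the override case now behaves differently. Whether an override combined with a non-SHA-256 hash selection can occur is not visible here, but the contract is worth stating next to the assignment, e.g. `# A custom MBEDTLS_CONFIG_FILE must include plat_arm_mbedtls_config.h (or enable MBEDTLS_SHA256_C itself).` The `ifneq (${TRUSTED_BOARD_BOOT},0)` block that follows continues outside the hunk.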
diff --git a/plat/arm/common/plat_arm_mbedtls_config.h b/plat/arm/common/plat_arm_mbedtls_config.h
new file mode 100644
index 0000000..c2db595
--- /dev/null
+++ b/plat/arm/common/plat_arm_mbedtls_config.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2024, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PLAT_ARM_MBEDTLS_CONFIG_H
+#define PLAT_ARM_MBEDTLS_CONFIG_H
+
+#include <default_mbedtls_config.h>
+
+/**
+ * On Arm platforms, the ROTPK is always hashed using the SHA-256
+ * algorithm.
+ * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid
+ * the need for explicitly enabling the SHA-256 configuration in mbedTLS.
+ */
+#define MBEDTLS_SHA256_C
+
+/*
+ * Use an implementation of SHA-256 with a smaller memory footprint
+ * but reduced speed.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+#endif /* PLAT_ARM_MBEDTLS_CONFIG_H */
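Review bot: The include of `<default_mbedtls_config.h>` uses a bare file name that only resolves because arm_common.mk adds `-Iinclude/drivers/auth/mbedtls`, while mbedtls_common.mk refers to the same header by its full path. A short name on the include path can be shadowed by a same-named header in any earlier `-I` directory, which would silently change the crypto configuration the boot code is built with. I would write `#include <drivers/auth/mbedtls/default_mbedtls_config.h>` here, which also makes the extra `-Iinclude/drivers/auth/mbedtls` unnecessary. Separately, this file uses angle brackets while plat_arm_psa_mbedtls_config.h includes its sibling with quotes; picking one form for both would be tidier.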
diff --git a/plat/arm/common/plat_arm_psa_mbedtls_config.h b/plat/arm/common/plat_arm_psa_mbedtls_config.h
new file mode 100644
index 0000000..fd434c9
--- /dev/null
+++ b/plat/arm/common/plat_arm_psa_mbedtls_config.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2024, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PLAT_ARM_PSA_MBEDTLS_CONFIG_H
+#define PLAT_ARM_PSA_MBEDTLS_CONFIG_H
+
+#include "plat_arm_mbedtls_config.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
+
+/*
+ * Using PSA crypto API requires an RNG right now. If we don't define the macro
+ * below then we get build errors.
+ *
+ * This is a functionality gap in mbedTLS. The technical limitation is that
+ * psa_crypto_init() is all-or-nothing, and fixing that would require separate
+ * initialization of the keystore, the RNG, etc.
+ *
+ * By defining MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, we pretend using an external
+ * RNG. As a result, the PSA crypto init code does nothing when it comes to
+ * initializing the RNG, as we are supposed to take care of that ourselves.
+ */
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+#endif /* PLAT_ARM_PSA_MBEDTLS_CONFIG_H */
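Review bot: The comment on `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` explains why the macro is needed for the build but not what keeps it safe. With this option mbed TLS expects the integrator to supply `mbedtls_psa_external_get_random()`, and any PSA operation that needs randomness draws from whatever that callback returns. I would extend the comment to state the assumption, e.g. `* Only hashing and signature verification are used, which need no randomness; a real entropy source must be provided before any key generation or signing is enabled.`, worded to match what the firmware actually does, which is not visible in this diff. `MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS` just above it has no comment at all; a line saying why buffers passed to PSA calls are never shared with a less trusted agent would document the precondition that option relies on.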