authorQixiang Xu <qixiang.xu@arm.com>2017-11-09 13:56:29 +0800
committerQixiang Xu <qixiang.xu@arm.com>2017-11-21 14:16:18 +0800
commit9a3088a5f509084e60d9c55bf53985c5ec4ca821 (patch)
treeb3e7af650e56d8ab6df9a04c0253000dc20b7160
parent2972247cb4ae84ed660532cac426259a4f17c816 (diff)
tbbr: Add build flag HASH_ALG to let the user to select the SHA
The flag supports the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
-rw-r--r--docs/user-guide.rst6
-rw-r--r--drivers/auth/mbedtls/mbedtls_crypto.c3
-rw-r--r--drivers/auth/mbedtls/mbedtls_crypto.mk24
-rw-r--r--drivers/auth/tbbr/tbbr_cot.c2
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_config.h10
-rw-r--r--make_helpers/tbbr/tbbr_tools.mk1
6 files changed, 42 insertions, 4 deletions
diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index 172e7932..0eecde90 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -425,11 +425,15 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate.
- It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
+ It accepts 3 values viz. ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
retained only for compatibility. The default value of this flag is ``rsa``
which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+- ``HASH_ALG``: This build flag enables the user to select the secure hash
+ algorithm. It accepts 3 values viz. ``sha256``, ``sha384``, ``sha512``.
+ The default value of this flag is ``sha256``.
+
- ``LDFLAGS``: Extra user options appended to the linkers' command line in
addition to the one set by the build system.
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index d8810d6d..bc9ed3a8 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,6 +7,7 @@
#include <crypto_mod.h>
#include <debug.h>
#include <mbedtls_common.h>
+#include <mbedtls_config.h>
#include <stddef.h>
#include <string.h>
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.mk b/drivers/auth/mbedtls/mbedtls_crypto.mk
index d6fc7eb5..8eb4873d 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.mk
+++ b/drivers/auth/mbedtls/mbedtls_crypto.mk
@@ -37,9 +37,30 @@ MBEDTLS_CRYPTO_SOURCES := drivers/auth/mbedtls/mbedtls_crypto.c \
pk_wrap.c \
pkparse.c \
pkwrite.c \
- sha256.c \
)
+ifeq (${HASH_ALG}, sha384)
+ MBEDTLS_CRYPTO_SOURCES += \
+ $(addprefix ${MBEDTLS_DIR}/library/, \
+ sha256.c \
+ sha512.c \
+ )
+ TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384
+else ifeq (${HASH_ALG}, sha512)
+ MBEDTLS_CRYPTO_SOURCES += \
+ $(addprefix ${MBEDTLS_DIR}/library/, \
+ sha256.c \
+ sha512.c \
+ )
+ TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA512
+else
+ MBEDTLS_CRYPTO_SOURCES += \
+ $(addprefix ${MBEDTLS_DIR}/library/, \
+ sha256.c \
+ )
+ TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA256
+endif
+
# Key algorithm specific files
MBEDTLS_ECDSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \
ecdsa.c \
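Review bot: The final `else` branch of the new `HASH_ALG` conditional treats every value other than `sha384` and `sha512` as SHA-256, so a misspelt or differently-cased value (for example `SHA512`) builds a SHA-256-only image with no diagnostic. make_helpers/tbbr/tbbr_tools.mk forwards the same `${HASH_ALG}` to the certificate tool as `--hash-alg`, so the firmware build and the tool may then disagree, or the image may end up with a weaker hash than the user intended. I would reject unknown values ahead of the chain: `ifneq ($(filter-out sha256 sha384 sha512,${HASH_ALG}),)`, `$(error HASH_ALG=${HASH_ALG} is not supported)`, `endif`; an empty value still falls through to the sha256 default. The sha384 and sha512 branches also add identical source lists and could share one branch that differs only in `TF_MBEDTLS_HASH_ALG_ID`.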
@@ -67,6 +88,7 @@ endif
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))
+$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID))
BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
BL2_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c
index 4aaab390..01d6fb5a 100644
--- a/drivers/auth/tbbr/tbbr_cot.c
+++ b/drivers/auth/tbbr/tbbr_cot.c
@@ -19,7 +19,7 @@
* Maximum key and hash sizes (in DER format)
*/
#define PK_DER_LEN 294
-#define HASH_DER_LEN 51
+#define HASH_DER_LEN 83
/*
* The platform must allocate buffers to store the authentication parameters
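Review bot: `HASH_DER_LEN` goes from one unexplained number to another and needs a comment stating how the value is derived, since the buffers mentioned just below are presumably sized from it and an undersized value would not hold the larger digests. 83 appears to be the 19-byte DER DigestInfo header plus a 64-byte SHA-512 digest (the old 51 being 19 + 32 for SHA-256), so the buffer is now sized for the largest supported hash regardless of `HASH_ALG`. Suggested comment above the define: `/* DigestInfo header (19 bytes) + largest supported digest, SHA-512 (64 bytes) */`. The comment block documenting these maxima opens above the hunk.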
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index 96587aca..f8f26080 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -14,6 +14,13 @@
#define TF_MBEDTLS_RSA_AND_ECDSA 3
/*
+ * Hash algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_SHA256 1
+#define TF_MBEDTLS_SHA384 2
+#define TF_MBEDTLS_SHA512 3
+
+/*
* Configuration file to build mbed TLS with the required features for
* Trusted Boot
*/
@@ -66,6 +73,9 @@
#endif
#define MBEDTLS_SHA256_C
+#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#define MBEDTLS_SHA512_C
+#endif
#define MBEDTLS_VERSION_C
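Review bot: The new `#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)` is also true when `TF_MBEDTLS_HASH_ALG_ID` is not defined at all, because the preprocessor evaluates an undefined identifier as 0, so a build that includes this header without the define from mbedtls_crypto.mk silently enables `MBEDTLS_SHA512_C`. Any out-of-range value is accepted the same way. A guard ahead of this test would make the misconfiguration visible: `#if !defined(TF_MBEDTLS_HASH_ALG_ID)`, `#error "TF_MBEDTLS_HASH_ALG_ID is not defined"`, `#endif`. Whether other build paths include this header cannot be seen from the hunk.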
diff --git a/make_helpers/tbbr/tbbr_tools.mk b/make_helpers/tbbr/tbbr_tools.mk
index 712fa6f6..b13afe48 100644
--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -54,6 +54,7 @@ $(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert))
# packed in the FIP). Developers can use their own keys by specifying the proper
# build option in the command line when building the Trusted Firmware
$(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
+$(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))