diff options
| author | Justin Chadwell <justin.chadwell@arm.com> | 2019-07-29 17:13:10 +0100 |
|---|---|---|
| committer | Justin Chadwell <justin.chadwell@arm.com> | 2019-09-12 15:27:39 +0100 |
| commit | aacff7498c7241696f55a9b80473e59b72d4d095 (patch) | |
| tree | 01615f4f69293ad2d89108796fc9c8d3f4b2e302 /include | |
| parent | 2fc6ffc451c9af16e03eff51e779c33828e9ab07 (diff) | |
Support larger RSA key sizes when using MBEDTLS
Previously, TF-A could not support large RSA key sizes as the
configuration options passed to MBEDTLS prevented storing and performing
calculations with the larger, higher-precision numbers required. With
these changes to the arguments passed to MBEDTLS, TF-A now supports
using 3072 (3K) and 4096 (4K) keys in certificates.
Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/drivers/auth/mbedtls/mbedtls_config.h | 45 |
1 files changed, 29 insertions, 16 deletions
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h index f7248f98..6e179bbd 100644 --- a/include/drivers/auth/mbedtls/mbedtls_config.h +++ b/include/drivers/auth/mbedtls/mbedtls_config.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -13,6 +13,11 @@ #define TF_MBEDTLS_ECDSA 2 #define TF_MBEDTLS_RSA_AND_ECDSA 3 +#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \ + || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \ + || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) + /* * Hash algorithms currently supported on mbed TLS libraries */ @@ -54,19 +59,14 @@ #define MBEDTLS_PLATFORM_C -#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) +#if TF_MBEDTLS_USE_ECDSA #define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C #define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) -#define MBEDTLS_RSA_C -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#endif +#if TF_MBEDTLS_USE_RSA #define MBEDTLS_RSA_C #define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED #endif #define MBEDTLS_SHA256_C @@ -80,11 +80,20 @@ #define MBEDTLS_X509_CRT_PARSE_C /* MPI / BIGNUM options */ -#define MBEDTLS_MPI_WINDOW_SIZE 2 -#define MBEDTLS_MPI_MAX_SIZE 256 +#define MBEDTLS_MPI_WINDOW_SIZE 2 + +#if TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE <= 2048 +#define MBEDTLS_MPI_MAX_SIZE 256 +#else +#define MBEDTLS_MPI_MAX_SIZE 512 +#endif +#else +#define MBEDTLS_MPI_MAX_SIZE 256 +#endif /* Memory buffer allocator options */ -#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 +#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 #ifndef __ASSEMBLER__ /* System headers required to build mbed TLS with the current configuration */ @@ -95,13 +104,17 @@ /* * Determine Mbed TLS heap size * 13312 = 13*1024 - * 7168 = 7*1024 + * 11264 = 11*1024 + * 7168 = 7*1024 */ -#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \ - || (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#if TF_MBEDTLS_USE_ECDSA #define TF_MBEDTLS_HEAP_SIZE U(13312) -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) +#elif TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE <= 2048 #define TF_MBEDTLS_HEAP_SIZE U(7168) +#else +#define TF_MBEDTLS_HEAP_SIZE U(11264) +#endif #endif #endif /* MBEDTLS_CONFIG_H */ |