From 2091755c5e3b8d94333b9aad742e61db9d754cc5 Mon Sep 17 00:00:00 2001
From: Soby Mathew <soby.mathew@arm.com>
Date: Thu, 31 Aug 2017 11:49:32 +0100
Subject: [PATCH] Export KEY_ALG as a user build option

The `KEY_ALG` variable is used to select the algorithm for key
generation by `cert_create` tool for signing the certificates. This
variable was previously undocumented and did not have a global default
value. This patch corrects this and also adds changes to derive the
value of `TF_MBEDTLS_KEY_ALG` based on `KEY_ALG` if it not set by the
platform. The corresponding assignment of these variables are also now
removed from the `arm_common.mk` makefile.

Signed-off-by: Soby Mathew <soby.mathew@arm.com>
Change-Id: I78e2d6f4fc04ed5ad35ce2266118afb63127a5a4
---
 docs/user-guide.rst                    |  5 +++++
 drivers/auth/mbedtls/mbedtls_crypto.mk | 10 ++++++++--
 make_helpers/defaults.mk               |  3 +++
 plat/arm/common/arm_common.mk          |  5 -----
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/docs/user-guide.rst b/docs/user-guide.rst
index 043af63ed..1502c8c10 100644
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -405,6 +405,11 @@ Common build options
    AArch64 and facilitates the loading of ``SP_MIN`` and BL33 as AArch32 executable
    images.
 
+-  ``KEY_ALG``: This build flag enables the user to select the algorithm to be
+   used for generating the PKCS keys and subsequent signing of the certificate.
+   It accepts 2 values viz ``rsa``, ``ecdsa``. The default value of this flag
+   is ``rsa``.
+
 -  ``LDFLAGS``: Extra user options appended to the linkers' command line in
    addition to the one set by the build system.
 
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.mk b/drivers/auth/mbedtls/mbedtls_crypto.mk
index cb81d4d67..38197164c 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.mk
+++ b/drivers/auth/mbedtls/mbedtls_crypto.mk
@@ -7,9 +7,15 @@
 include drivers/auth/mbedtls/mbedtls_common.mk
 
 # The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
-# algorithm to use. Default algorithm is RSA.
+# algorithm to use. If the variable is not defined, select it based on algorithm
+# used for key generation `KEY_ALG`. If `KEY_ALG` is not defined or is
+# defined to `rsa`, then set the variable to `rsa`.
 ifeq (${TF_MBEDTLS_KEY_ALG},)
-    TF_MBEDTLS_KEY_ALG		:=	rsa
+    ifeq (${KEY_ALG}, ecdsa)
+        TF_MBEDTLS_KEY_ALG		:=	ecdsa
+    else
+        TF_MBEDTLS_KEY_ALG		:=	rsa
+    endif
 endif
 
 # If MBEDTLS_KEY_ALG build flag is defined use it to set TF_MBEDTLS_KEY_ALG for
diff --git a/make_helpers/defaults.mk b/make_helpers/defaults.mk
index 302d937f3..860104605 100644
--- a/make_helpers/defaults.mk
+++ b/make_helpers/defaults.mk
@@ -81,6 +81,9 @@ GENERATE_COT			:= 0
 # operations.
 HW_ASSISTED_COHERENCY		:= 0
 
+# Set the default algorithm for the generation of Trusted Board Boot keys
+KEY_ALG				:= rsa
+
 # Flag to enable new version of image loading
 LOAD_IMAGE_V2			:= 0
 
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 20372c203..af94ac2ac 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -174,9 +174,6 @@ endif
 
 ifneq (${TRUSTED_BOARD_BOOT},0)
 
-    # By default, ARM platforms use RSA keys
-    KEY_ALG		:=	rsa
-
     # Include common TBB sources
     AUTH_SOURCES	:=	drivers/auth/auth_mod.c				\
 				drivers/auth/crypto_mod.c			\
@@ -195,8 +192,6 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
 
     $(eval $(call FWU_FIP_ADD_IMG,NS_BL2U,--fwu))
 
-    TF_MBEDTLS_KEY_ALG	:=	${KEY_ALG}
-
     # We expect to locate the *.mk files under the directories specified below
 ifeq (${ARM_CRYPTOCELL_INTEG},0)
     CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
-- 
GitLab