tbbr: Add build flag HASH_ALG to let the user to select the SHA

The flag support the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>

tbbr: Add build flag HASH_ALG to let the user to select the SHA
The flag support the following values: - sha256 (default) - sha384 - sha512 Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066 Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
9a3088a5 · Qixiang Xu · 2972247c · 9a3088a5 · 9a3088a5 · 9a3088a5
Commit 9a3088a5 authored Nov 09, 2017 by Qixiang Xu
--- a/docs/user-guide.rst
+++ b/docs/user-guide.rst
@@ -425,11 +425,15 @@ Common build options
 -  ``KEY_ALG``: This build flag enables the user to select the algorithm to be
   used for generating the PKCS keys and subsequent signing of the certificate.
-   It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
+   It accepts 3 values viz. ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
   the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
   retained only for compatibility. The default value of this flag is ``rsa``
   which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
+-  ``HASH_ALG``: This build flag enables the user to select the secure hash
+   algorithm. It accepts 3 values viz. ``sha256``, ``sha384``, ``sha512``.
+   The default value of this flag is ``sha256``.
 -  ``LDFLAGS``: Extra user options appended to the linkers' command line in
   addition to the one set by the build system.

--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
 /*
- * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@@ -7,6 +7,7 @@
 #include <crypto_mod.h>
 #include <debug.h>
 #include <mbedtls_common.h>
+#include <mbedtls_config.h>
 #include <stddef.h>
 #include <string.h>

--- a/drivers/auth/mbedtls/mbedtls_crypto.mk
+++ b/drivers/auth/mbedtls/mbedtls_crypto.mk
@@ -37,8 +37,29 @@ MBEDTLS_CRYPTO_SOURCES		:=	drivers/auth/mbedtls/mbedtls_crypto.c	\
 					pk_wrap.c 				\
 					pkparse.c 				\
 					pkwrite.c 				\
+					)
+ifeq (${HASH_ALG}, sha384)
+    MBEDTLS_CRYPTO_SOURCES  += \
+					$(addprefix ${MBEDTLS_DIR}/library/,	\
+						sha256.c            \
+						sha512.c            \
+					)
+    TF_MBEDTLS_HASH_ALG_ID	:=	TF_MBEDTLS_SHA384
+else ifeq (${HASH_ALG}, sha512)
+    MBEDTLS_CRYPTO_SOURCES  += \
+					$(addprefix ${MBEDTLS_DIR}/library/,	\
 						sha256.c            \
+						sha512.c            \
 					)
+    TF_MBEDTLS_HASH_ALG_ID	:=	TF_MBEDTLS_SHA512
+else
+    MBEDTLS_CRYPTO_SOURCES  += \
+					$(addprefix ${MBEDTLS_DIR}/library/,	\
+						sha256.c            \
+					)
+    TF_MBEDTLS_HASH_ALG_ID	:=	TF_MBEDTLS_SHA256
+endif
 # Key algorithm specific files
 MBEDTLS_ECDSA_CRYPTO_SOURCES	+=	$(addprefix ${MBEDTLS_DIR}/library/,	\
@@ -67,6 +88,7 @@ endif
 # Needs to be set to drive mbed TLS configuration correctly
 $(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))
+$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID))
 BL1_SOURCES			+=	${MBEDTLS_CRYPTO_SOURCES}
 BL2_SOURCES			+=	${MBEDTLS_CRYPTO_SOURCES}
--- a/drivers/auth/tbbr/tbbr_cot.c
+++ b/drivers/auth/tbbr/tbbr_cot.c
@@ -19,7 +19,7 @@
 * Maximum key and hash sizes (in DER format)
 */
 #define PK_DER_LEN			294
-#define HASH_DER_LEN			51
+#define HASH_DER_LEN			83
 /*
 * The platform must allocate buffers to store the authentication parameters

--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -13,6 +13,13 @@
 #define TF_MBEDTLS_ECDSA		2
 #define TF_MBEDTLS_RSA_AND_ECDSA	3
+/*
+ * Hash algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_SHA256		1
+#define TF_MBEDTLS_SHA384		2
+#define TF_MBEDTLS_SHA512		3
 /*
 * Configuration file to build mbed TLS with the required features for
 * Trusted Boot
@@ -66,6 +73,9 @@
 #endif
 #define MBEDTLS_SHA256_C
+#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#define MBEDTLS_SHA512_C
+#endif
 #define MBEDTLS_VERSION_C

--- a/make_helpers/tbbr/tbbr_tools.mk
+++ b/make_helpers/tbbr/tbbr_tools.mk
@@ -54,6 +54,7 @@ $(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert))
 # packed in the FIP). Developers can use their own keys by specifying the proper
 # build option in the command line when building the Trusted Firmware
 $(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
+$(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg)))
 $(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
 $(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
 $(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))