Commit 9a3088a5 authored by Qixiang Xu's avatar Qixiang Xu
Browse files

tbbr: Add build flag HASH_ALG to let the user to select the SHA



The flag support the following values:
    - sha256 (default)
    - sha384
    - sha512

Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066
Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
parent 2972247c
......@@ -425,11 +425,15 @@ Common build options
- ``KEY_ALG``: This build flag enables the user to select the algorithm to be
used for generating the PKCS keys and subsequent signing of the certificate.
It accepts 3 values viz ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
It accepts 3 values viz. ``rsa``, ``rsa_1_5``, ``ecdsa``. The ``rsa_1_5`` is
the legacy PKCS#1 RSA 1.5 algorithm which is not TBBR compliant and is
retained only for compatibility. The default value of this flag is ``rsa``
which is the TBBR compliant PKCS#1 RSA 2.1 scheme.
- ``HASH_ALG``: This build flag enables the user to select the secure hash
algorithm. It accepts 3 values viz. ``sha256``, ``sha384``, ``sha512``.
The default value of this flag is ``sha256``.
- ``LDFLAGS``: Extra user options appended to the linkers' command line in
addition to the one set by the build system.
......
/*
* Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
* Copyright (c) 2015-2017, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
......@@ -7,6 +7,7 @@
#include <crypto_mod.h>
#include <debug.h>
#include <mbedtls_common.h>
#include <mbedtls_config.h>
#include <stddef.h>
#include <string.h>
......
......@@ -37,8 +37,29 @@ MBEDTLS_CRYPTO_SOURCES := drivers/auth/mbedtls/mbedtls_crypto.c \
pk_wrap.c \
pkparse.c \
pkwrite.c \
)
ifeq (${HASH_ALG}, sha384)
MBEDTLS_CRYPTO_SOURCES += \
$(addprefix ${MBEDTLS_DIR}/library/, \
sha256.c \
sha512.c \
)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384
else ifeq (${HASH_ALG}, sha512)
MBEDTLS_CRYPTO_SOURCES += \
$(addprefix ${MBEDTLS_DIR}/library/, \
sha256.c \
sha512.c \
)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA512
else
MBEDTLS_CRYPTO_SOURCES += \
$(addprefix ${MBEDTLS_DIR}/library/, \
sha256.c \
)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA256
endif
# Key algorithm specific files
MBEDTLS_ECDSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \
......@@ -67,6 +88,7 @@ endif
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))
$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID))
BL1_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
BL2_SOURCES += ${MBEDTLS_CRYPTO_SOURCES}
......@@ -19,7 +19,7 @@
* Maximum key and hash sizes (in DER format)
*/
#define PK_DER_LEN 294
#define HASH_DER_LEN 51
#define HASH_DER_LEN 83
/*
* The platform must allocate buffers to store the authentication parameters
......
......@@ -13,6 +13,13 @@
#define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3
/*
* Hash algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_SHA256 1
#define TF_MBEDTLS_SHA384 2
#define TF_MBEDTLS_SHA512 3
/*
* Configuration file to build mbed TLS with the required features for
* Trusted Boot
......@@ -66,6 +73,9 @@
#endif
#define MBEDTLS_SHA256_C
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
#define MBEDTLS_SHA512_C
#endif
#define MBEDTLS_VERSION_C
......
......@@ -54,6 +54,7 @@ $(eval $(call FWU_CERT_ADD_CMD_OPT,${FWU_CERT},--fwu-cert))
# packed in the FIP). Developers can use their own keys by specifying the proper
# build option in the command line when building the Trusted Firmware
$(if ${KEY_ALG},$(eval $(call CERT_ADD_CMD_OPT,${KEY_ALG},--key-alg)))
$(if ${HASH_ALG},$(eval $(call CERT_ADD_CMD_OPT,${HASH_ALG},--hash-alg)))
$(if ${ROT_KEY},$(eval $(call CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${ROT_KEY},$(eval $(call FWU_CERT_ADD_CMD_OPT,${ROT_KEY},--rot-key)))
$(if ${TRUSTED_WORLD_KEY},$(eval $(call CERT_ADD_CMD_OPT,${TRUSTED_WORLD_KEY},--trusted-world-key)))
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment