Commit dcbf3932 authored by Qixiang Xu's avatar Qixiang Xu
Browse files

Dynamic selection of ECDSA or RSA



Add new option rsa+ecdsa for TF_MBEDTLS_KEY_ALG, which selects
rsa or ecdsa depending on the certificate used.

Change-Id: I08d9e99bdbba361ed2ec5624248dc382c750ad47
Signed-off-by: default avatarQixiang Xu <qixiang.xu@arm.com>
parent 9db9c65a
...@@ -921,9 +921,12 @@ three functions: ...@@ -921,9 +921,12 @@ three functions:
int verify_hash(void *data_ptr, unsigned int data_len, int verify_hash(void *data_ptr, unsigned int data_len,
void *digest_info_ptr, unsigned int digest_info_len); void *digest_info_ptr, unsigned int digest_info_len);
The key algorithm (rsa, ecdsa) must be specified in the build system using the The mbedTLS library algorithm support is configured by the
``TF_MBEDTLS_KEY_ALG`` variable, so the Makefile can include the corresponding ``TF_MBEDTLS_KEY_ALG`` variable which can take in 3 values: `rsa`, `ecdsa` or
sources in the build. `rsa+ecdsa`. This variable allows the Makefile to include the corresponding
sources in the build for the various algorthms. Setting the variable to
`rsa+ecdsa` enables support for both rsa and ecdsa algorithms in the mbedTLS
library.
Note: If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can Note: If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can
be defined in the platform Makefile. It will make mbed TLS use an implementation be defined in the platform Makefile. It will make mbed TLS use an implementation
...@@ -931,7 +934,7 @@ of SHA-256 with smaller memory footprint (~1.5 KB less) but slower (~30%). ...@@ -931,7 +934,7 @@ of SHA-256 with smaller memory footprint (~1.5 KB less) but slower (~30%).
-------------- --------------
*Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.* *Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.*
.. _Trusted Board Boot: ./trusted-board-boot.rst .. _Trusted Board Boot: ./trusted-board-boot.rst
.. _Platform Porting Guide: ./porting-guide.rst .. _Platform Porting Guide: ./porting-guide.rst
...@@ -14,7 +14,8 @@ ...@@ -14,7 +14,8 @@
/* /*
* mbed TLS heap * mbed TLS heap
*/ */
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) #if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \
|| (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define MBEDTLS_HEAP_SIZE (13*1024) #define MBEDTLS_HEAP_SIZE (13*1024)
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) #elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
#define MBEDTLS_HEAP_SIZE (7*1024) #define MBEDTLS_HEAP_SIZE (7*1024)
......
...@@ -41,18 +41,26 @@ MBEDTLS_CRYPTO_SOURCES := drivers/auth/mbedtls/mbedtls_crypto.c \ ...@@ -41,18 +41,26 @@ MBEDTLS_CRYPTO_SOURCES := drivers/auth/mbedtls/mbedtls_crypto.c \
) )
# Key algorithm specific files # Key algorithm specific files
MBEDTLS_ECDSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \
ecdsa.c \
ecp_curves.c \
ecp.c \
)
MBEDTLS_RSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \
rsa.c \
)
ifeq (${TF_MBEDTLS_KEY_ALG},ecdsa) ifeq (${TF_MBEDTLS_KEY_ALG},ecdsa)
MBEDTLS_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_ECDSA_CRYPTO_SOURCES)
ecdsa.c \
ecp_curves.c \
ecp.c \
)
TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_ECDSA TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_ECDSA
else ifeq (${TF_MBEDTLS_KEY_ALG},rsa) else ifeq (${TF_MBEDTLS_KEY_ALG},rsa)
MBEDTLS_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_RSA_CRYPTO_SOURCES)
rsa.c \
)
TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_RSA TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_RSA
else ifeq (${TF_MBEDTLS_KEY_ALG},rsa+ecdsa)
MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_ECDSA_CRYPTO_SOURCES)
MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_RSA_CRYPTO_SOURCES)
TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_RSA_AND_ECDSA
else else
$(error "TF_MBEDTLS_KEY_ALG=${TF_MBEDTLS_KEY_ALG} not supported on mbed TLS") $(error "TF_MBEDTLS_KEY_ALG=${TF_MBEDTLS_KEY_ALG} not supported on mbed TLS")
endif endif
......
...@@ -11,6 +11,7 @@ ...@@ -11,6 +11,7 @@
*/ */
#define TF_MBEDTLS_RSA 1 #define TF_MBEDTLS_RSA 1
#define TF_MBEDTLS_ECDSA 2 #define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3
/* /*
* Configuration file to build mbed TLS with the required features for * Configuration file to build mbed TLS with the required features for
...@@ -56,6 +57,12 @@ ...@@ -56,6 +57,12 @@
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) #elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
#define MBEDTLS_RSA_C #define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif #endif
#define MBEDTLS_SHA256_C #define MBEDTLS_SHA256_C
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment