1. 05 Jun, 2017 2 commits
  2. 31 May, 2017 1 commit
    • Antonio Nino Diaz's avatar
      mbedtls: Define optimized mbed TLS heap size · 05fd893e
      Antonio Nino Diaz authored
      
      
      mbed TLS provides the debug API `mbedtls_memory_buffer_alloc_status()`
      to analyse the RAM usage of the library.
      
      When RSA is selected as algorithm, the maximum heap usage in FVP and
      Juno has been determined empirically to be approximately 5.5 KiB.
      However, The default heap size used when RSA is selected is 8 KiB.
      
      This patch reduces the buffer from 8 KiB to 6 KiB so that the BSS
      sections of both BL1 and BL2 are 2 KiB smaller when the firmware is
      compiled with TBB support.
      
      Change-Id: I43878a4e7af50c97be9c8d027c728c8483f24fbf
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      05fd893e
  3. 24 May, 2017 1 commit
    • Antonio Nino Diaz's avatar
      mbedtls: Use `tf_snprintf` instead of `snprintf` · ab1794f5
      Antonio Nino Diaz authored
      
      
      The Trusted Firmware uses a subset of the APIs provided by mbed TLS.
      This subset internally uses `snprintf`, but the only format specifier
      used is '%d', which is supported by `tf_snprintf`.
      
      This patch makes mbed TLS use `tf_snprintf` instead of `snprintf`,
      saving 3 KB in both debug and release builds when TBBR is enabled.
      
      Change-Id: I7f992a21015930d7c0f4660e7a28ceefd60b9597
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      ab1794f5
  4. 12 May, 2017 2 commits
    • David Cunado's avatar
      mbedtls: Complete namespace for TF specific macros · 0aff7ad2
      David Cunado authored
      
      
      This patch renames MBEDTLS_KEY_ALG to TF_MBEDTLS_KEY_ALG. This
      completes the migration of TF specific macros so that they do not
      have the MBEDTLS_ suffix (see arm-trusted-firmware#874).
      
      Change-Id: Iad7632477e220b0af987c4db3cf52229fb127d00
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      0aff7ad2
    • David Cunado's avatar
      mbedtls: Namespace for TF specific macros · b1883510
      David Cunado authored
      
      
      An earlier patch (arm-trusted-firmware#874) migrated MBEDTLS_ suffixed
      macros to have a TBBR_ suffix to avoid any potential clash with future
      mbedtls macros.
      
      But on reflection the TBBR_ suffix could be confusing as the macros
      are used to drive TF-specific configuration of mbedtls. As such
      this patch migrates these macros from TBBR_suffix to TF_MBEDTLS_
      suffix which more accurately conveys their use.
      
      Change-Id: Ic87642b653ceeaa03d62f724976abd5e12e867d4
      Signed-off-by: default avatarDavid Cunado <david.cunado@arm.com>
      b1883510
  5. 03 May, 2017 1 commit
  6. 22 Mar, 2017 1 commit
    • dp-arm's avatar
      mbedtls: Namespace TF specific macros · 66b4c166
      dp-arm authored
      
      
      These macros are not part of mbed TLS so they should not be prefixed
      with `MBEDTLS_` to avoid potential collision in the future. Use the
      `TBBR_` suffix to highlight that they only used in TF.
      
      `MBEDTLS_KEY_ALG` was not modified because that is documented and used
      by platforms to select the key algorithm.
      
      Change-Id: Ief224681715c481691c80810501830ce16e210b0
      Signed-off-by: default avatardp-arm <dimitris.papastamos@arm.com>
      66b4c166
  7. 16 Feb, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Revert "tbbr: Use constant-time bcmp() to compare hashes" · fabd21ad
      Antonio Nino Diaz authored
      This reverts commit b621fb50
      
      .
      
      Because of the Trusted Firmware design, timing-safe functions are not
      needed. Using them may be misleading as it could be interpreted as being
      a protection against private data leakage, which isn't the case here.
      
      For each image, the SHA-256 hash is calculated. Some padding is appended
      and the result is encrypted with a private key using RSA-2048. This is
      the signature of the image. The public key is stored along with BL1 in
      read-only memory and the encrypted hash is stored in the FIP.
      
      When authenticating an image, the TF decrypts the hash stored in the FIP
      and recalculates the hash of the image. If they don't match, the boot
      sequence won't continue.
      
      A constant-time comparison does not provide additional security as all
      the data involved in this process is already known to any attacker.
      There is no private data that can leaked through a timing attack when
      authenticating an image.
      
      `timingsafe_bcmp()` is kept in the codebase because it could be useful
      in the future.
      
      Change-Id: I44bdcd58faa586a050cc89447e38c142508c9888
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      fabd21ad
  8. 06 Feb, 2017 1 commit
    • Douglas Raillard's avatar
      Replace some memset call by zeromem · 32f0d3c6
      Douglas Raillard authored
      
      
      Replace all use of memset by zeromem when zeroing moderately-sized
      structure by applying the following transformation:
      memset(x, 0, sizeof(x)) => zeromem(x, sizeof(x))
      
      As the Trusted Firmware is compiled with -ffreestanding, it forbids the
      compiler from using __builtin_memset and forces it to generate calls to
      the slow memset implementation. Zeromem is a near drop in replacement
      for this use case, with a more efficient implementation on both AArch32
      and AArch64.
      
      Change-Id: Ia7f3a90e888b96d056881be09f0b4d65b41aa79e
      Signed-off-by: default avatarDouglas Raillard <douglas.raillard@arm.com>
      32f0d3c6
  9. 24 Jan, 2017 1 commit
    • Antonio Nino Diaz's avatar
      tbbr: Use constant-time bcmp() to compare hashes · b621fb50
      Antonio Nino Diaz authored
      
      
      To avoid timing side-channel attacks, it is needed to use a constant
      time memory comparison function when comparing hashes. The affected
      code only cheks for equality so it isn't needed to use any variant of
      memcmp(), bcmp() is enough.
      
      Also, timingsafe_bcmp() is as fast as memcmp() when the two compared
      regions are equal, so this change incurrs no performance hit in said
      case. In case they are unequal, the boot sequence wouldn't continue as
      normal, so performance is not an issue.
      
      Change-Id: I1c7c70ddfa4438e6031c8814411fef79fd3bb4df
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      b621fb50
  10. 19 Jan, 2017 1 commit
    • Antonio Nino Diaz's avatar
      Clear static variables in X509 parser on error · 51c5e1a2
      Antonio Nino Diaz authored
      
      
      In mbedtls_x509_parser.c there are some static arrays that are filled
      during the integrity check and then read whenever an authentication
      parameter is requested. However, they aren't cleared in case of an
      integrity check failure, which can be problematic from a security
      point of view. This patch clears these arrays in the case of failure.
      
      Change-Id: I9d48f5bc71fa13e5a75d6c45b5e34796ef13aaa2
      Signed-off-by: default avatarAntonio Nino Diaz <antonio.ninodiaz@arm.com>
      51c5e1a2
  11. 06 Jan, 2017 1 commit
    • Masahiro Yamada's avatar
      TBB: fix comment about MBEDTLS_KEY_ALG default · a56f87c8
      Masahiro Yamada authored
      This comment block says the default algorithm is ESDSA, while the
      code obviously sets the default to RSA:
      
        ifeq (${MBEDTLS_KEY_ALG},)
            MBEDTLS_KEY_ALG            :=      rsa
        endif
      
      The git log of commit 7d37aa17
      
       ("TBB: add mbedTLS authentication
      related libraries") states available options are:
      
        * 'rsa' (for RSA-2048) (default option)
        * 'ecdsa' (for ECDSA-SECP256R1)
      
      So, my best guess is the comment block is wrong.
      
      The mismatch between the code and the comment is confusing. Fix it.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      a56f87c8
  12. 31 Mar, 2016 1 commit
    • Juan Castillo's avatar
      TBB: add non-volatile counter support · 48279d52
      Juan Castillo authored
      This patch adds support for non-volatile counter authentication to
      the Authentication Module. This method consists of matching the
      counter values provided in the certificates with the ones stored
      in the platform. If the value from the certificate is lower than
      the platform, the boot process is aborted. This mechanism protects
      the system against rollback.
      
      The TBBR CoT has been updated to include this method as part of the
      authentication process. Two counters are used: one for the trusted
      world images and another for the non trusted world images.
      
      ** NEW PLATFORM APIs (mandatory when TBB is enabled) **
      
      int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr);
      
          This API returns the non-volatile counter value stored
          in the platform. The cookie in the first argument may be
          used to select the counter in case the platform provides
          more than one (i.e. TBSA compliant platforms must provide
          trusted and non-trusted counters). This cookie is specified
          in the CoT.
      
      int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr);
      
          This API sets a new counter value. The cookie may be
          used to select the counter to be updated.
      
      An implementation of these new APIs for ARM platforms is also
      provided. The values are obtained from the Trusted Non-Volatile
      Counters peripheral. The cookie is used to pass the extension OID.
      This OID may be interpreted by the platform to know which counter
      must return. On Juno, The trusted and non-trusted counter values
      have been tied to 31 and 223, respectively, and cannot be modified.
      
      ** IMPORTANT **
      
      THIS PATCH BREAKS THE BUILD WHEN TRUSTED_BOARD_BOOT IS ENABLED. THE
      NEW PLATFORM APIs INTRODUCED IN THIS PATCH MUST BE IMPLEMENTED IN
      ORDER TO SUCCESSFULLY BUILD TF.
      
      Change-Id: Ic943b76b25f2a37f490eaaab6d87b4a8b3cbc89a
      48279d52
  13. 05 Jan, 2016 1 commit
    • Sandrine Bailleux's avatar
      Always build with '-pedantic' · aa856917
      Sandrine Bailleux authored
      By default ARM TF is built with the '-pedantic' compiler flag, which
      helps detecting violations of the C standard. However, the mbed TLS
      library and its associated authentication module in TF used to fail
      building with this compiler flag. As a workaround, the mbed TLS
      authentication module makefile used to set the 'DISABLE_PEDANTIC'
      TF build flag.
      
      The compiler errors flagged by '-pedantic' in the mbed TLS library
      have been fixed between versions 1.3.9 and 2.2.0 and the library now
      properly builds with this compiler flag.
      
      This patch fixes the remaining compiler errors in the mbed TLS
      authentication module in TF and unsets the 'DISABLE_PEDANTIC' TF
      build flag. This means that TF is now always built with '-pedantic'.
      
      In particular, this patch:
      
       * Removes the final semi-colon in REGISTER_COT() macro.
      
         This semi-colon was causing the following error message:
      
         drivers/auth/tbbr/tbbr_cot.c:544:23: error: ISO C does not allow
         extra ';' outside of a function [-Werror=pedantic]
      
         This has been fixed both in the mbed TLS authentication module
         as well as in the certificate generation tool. Note that the latter
         code didn't need fixing since it is not built with '-pedantic' but
         the change has been propagated for consistency.
      
         Also fixed the REGISTER_KEYS() and REGISTER_EXTENSIONS() macros,
         which were suffering from the same issue.
      
       * Fixes a pointer type.
      
         It was causing the following error message:
      
         drivers/auth/mbedtls/mbedtls_crypto.c: In function 'verify_hash':
         drivers/auth/mbedtls/mbedtls_crypto.c:177:42: error: pointer of
         type 'void *' used in arithmetic [-Werror=pointer-arith]
      
      Change-Id: I7b7a04ef711efd65e17b5be26990d1a0d940257d
      aa856917
  14. 10 Dec, 2015 1 commit
    • Juan Castillo's avatar
      Move up to mbed TLS 2.x · 649dbf6f
      Juan Castillo authored
      The mbed TLS library has introduced some changes in the API from
      the 1.3.x to the 2.x releases. Using the 2.x releases requires
      some changes to the crypto and transport modules.
      
      This patch updates both modules to the mbed TLS 2.x API.
      
      All references to the mbed TLS library in the code or documentation
      have been updated to 'mbed TLS'. Old references to PolarSSL have
      been updated to 'mbed TLS'.
      
      User guide updated to use mbed TLS 2.2.0.
      
      NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
      Applying this patch will require an mbed TLS 2.x release to be used.
      Also note that the mbed TLS license changed to Apache version 2.0.
      
      Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
      649dbf6f
  15. 25 Jun, 2015 1 commit
    • Juan Castillo's avatar
      TBB: add mbedTLS authentication related libraries · 7d37aa17
      Juan Castillo authored
      This patch adds the following mbedTLS based libraries:
      
      * Cryptographic library
      
      It is used by the crypto module to verify a digital signature
      and a hash. This library relies on mbedTLS to perform the
      cryptographic operations. mbedTLS sources must be obtained
      separately.
      
      Two key algorithms are currently supported:
      
          * RSA-2048
          * ECDSA-SECP256R1
      
      The platform is responsible for picking up the required
      algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the
      platform makefile. Available options are:
      
          * 'rsa' (for RSA-2048) (default option)
          * 'ecdsa' (for ECDSA-SECP256R1)
      
      Hash algorithm currently supported is SHA-256.
      
      * Image parser library
      
      Used by the image parser module to extract the authentication
      parameters stored in X509v3 certificates.
      
      Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0
      7d37aa17