refactor(measured-boot): add generic macros for using Crypto library
It doesn't look correct to use mbed TLS defines directly in the Event Log driver as this driver may use another Crypto library in future. Hence mbed TLS Crypto dependency on Event Log driver is removed by introducing generic Crypto defines and uses those in the Event Log driver to call Crypto functions. Also, updated mbed TLS glue layer to map these generic Crypto defines to mbed TLS library defines. Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com> Change-Id: Ibc9c751f60cbce4d3f3cf049b7c53b3d05cc6735
This commit is contained in:
parent
0628fe3fff
commit
14db963fd3
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -114,8 +114,9 @@ int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
|
|||
* data_ptr, data_len: data to be hashed
|
||||
* output: resulting hash
|
||||
*/
|
||||
int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output)
|
||||
int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE])
|
||||
{
|
||||
assert(data_ptr != NULL);
|
||||
assert(data_len != 0);
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (c) 2015-2020, Arm Limited. All rights reserved.
|
||||
# Copyright (c) 2015-2021, Arm Limited. All rights reserved.
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-3-Clause
|
||||
#
|
||||
|
@ -96,6 +96,18 @@ else
|
|||
TF_MBEDTLS_USE_AES_GCM := 0
|
||||
endif
|
||||
|
||||
ifeq ($(MEASURED_BOOT),1)
|
||||
ifeq (${TPM_HASH_ALG}, sha256)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
|
||||
else ifeq (${TPM_HASH_ALG}, sha384)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
|
||||
else ifeq (${TPM_HASH_ALG}, sha512)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
|
||||
else
|
||||
$(error "TPM_HASH_ALG not defined.")
|
||||
endif
|
||||
endif
|
||||
|
||||
# Needs to be set to drive mbed TLS configuration correctly
|
||||
$(eval $(call add_defines,\
|
||||
$(sort \
|
||||
|
@ -105,6 +117,10 @@ $(eval $(call add_defines,\
|
|||
TF_MBEDTLS_USE_AES_GCM \
|
||||
)))
|
||||
|
||||
ifeq ($(MEASURED_BOOT),1)
|
||||
$(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
|
||||
endif
|
||||
|
||||
$(eval $(call MAKE_LIB,mbedtls))
|
||||
|
||||
endif
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -24,6 +24,16 @@
|
|||
|
||||
#define LIB_NAME "mbed TLS"
|
||||
|
||||
#if MEASURED_BOOT
|
||||
/*
|
||||
* CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
|
||||
* so make sure that mbed TLS MD maximum size must be lesser than this.
|
||||
*/
|
||||
CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
|
||||
assert_mbedtls_md_size_overflow);
|
||||
|
||||
#endif /* MEASURED_BOOT */
|
||||
|
||||
/*
|
||||
* AlgorithmIdentifier ::= SEQUENCE {
|
||||
* algorithm OBJECT IDENTIFIER,
|
||||
|
@ -210,22 +220,46 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
|
|||
}
|
||||
|
||||
#if MEASURED_BOOT
|
||||
/*
|
||||
* Map a generic crypto message digest algorithm to the corresponding macro used
|
||||
* by Mbed TLS.
|
||||
*/
|
||||
static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo)
|
||||
{
|
||||
switch (algo) {
|
||||
case CRYPTO_MD_SHA512:
|
||||
return MBEDTLS_MD_SHA512;
|
||||
case CRYPTO_MD_SHA384:
|
||||
return MBEDTLS_MD_SHA384;
|
||||
case CRYPTO_MD_SHA256:
|
||||
return MBEDTLS_MD_SHA256;
|
||||
default:
|
||||
/* Invalid hash algorithm. */
|
||||
return MBEDTLS_MD_NONE;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Calculate a hash
|
||||
*
|
||||
* output points to the computed hash
|
||||
*/
|
||||
int calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output)
|
||||
static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE])
|
||||
{
|
||||
const mbedtls_md_info_t *md_info;
|
||||
|
||||
md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)alg);
|
||||
md_info = mbedtls_md_info_from_type(md_type(md_algo));
|
||||
if (md_info == NULL) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Calculate the hash of the data */
|
||||
/*
|
||||
* Calculate the hash of the data, it is safe to pass the
|
||||
* 'output' hash buffer pointer considering its size is always
|
||||
* bigger than or equal to MBEDTLS_MD_MAX_SIZE.
|
||||
*/
|
||||
return mbedtls_md(md_info, data_ptr, data_len, output);
|
||||
}
|
||||
#endif /* MEASURED_BOOT */
|
||||
|
|
|
@ -13,10 +13,19 @@
|
|||
#include <common/debug.h>
|
||||
#include <drivers/auth/crypto_mod.h>
|
||||
#include <drivers/measured_boot/event_log/event_log.h>
|
||||
#include <mbedtls/md.h>
|
||||
|
||||
#include <plat/common/platform.h>
|
||||
|
||||
#if TPM_ALG_ID == TPM_ALG_SHA512
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA512
|
||||
#elif TPM_ALG_ID == TPM_ALG_SHA384
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA384
|
||||
#elif TPM_ALG_ID == TPM_ALG_SHA256
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA256
|
||||
#else
|
||||
# error Invalid TPM algorithm.
|
||||
#endif /* TPM_ALG_ID */
|
||||
|
||||
/* Running Event Log Pointer */
|
||||
static uint8_t *log_ptr;
|
||||
|
||||
|
@ -245,7 +254,7 @@ void event_log_write_header(void)
|
|||
int event_log_measure_and_record(uintptr_t data_base, uint32_t data_size,
|
||||
uint32_t data_id)
|
||||
{
|
||||
unsigned char hash_data[MBEDTLS_MD_MAX_SIZE];
|
||||
unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
|
||||
int rc;
|
||||
const event_log_metadata_t *metadata_ptr = plat_metadata_ptr;
|
||||
|
||||
|
@ -257,8 +266,8 @@ int event_log_measure_and_record(uintptr_t data_base, uint32_t data_size,
|
|||
assert(metadata_ptr->id != EVLOG_INVALID_ID);
|
||||
|
||||
/* Calculate hash */
|
||||
rc = crypto_mod_calc_hash((unsigned int)MBEDTLS_MD_ID,
|
||||
(void *)data_base, data_size, hash_data);
|
||||
rc = crypto_mod_calc_hash(CRYPTO_MD_ID,
|
||||
(void *)data_base, data_size, hash_data);
|
||||
if (rc != 0) {
|
||||
return rc;
|
||||
}
|
||||
|
|
|
@ -12,35 +12,24 @@ EVENT_LOG_LEVEL ?= 40
|
|||
TPM_HASH_ALG := sha256
|
||||
|
||||
ifeq (${TPM_HASH_ALG}, sha512)
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA512
|
||||
TPM_ALG_ID := TPM_ALG_SHA512
|
||||
TCG_DIGEST_SIZE := 64U
|
||||
else ifeq (${TPM_HASH_ALG}, sha384)
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA384
|
||||
TPM_ALG_ID := TPM_ALG_SHA384
|
||||
TCG_DIGEST_SIZE := 48U
|
||||
else
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA256
|
||||
TPM_ALG_ID := TPM_ALG_SHA256
|
||||
TCG_DIGEST_SIZE := 32U
|
||||
endif
|
||||
endif #TPM_HASH_ALG
|
||||
|
||||
|
||||
# Set definitions for mbed TLS library and Measured Boot driver
|
||||
# Set definitions for Measured Boot driver.
|
||||
$(eval $(call add_defines,\
|
||||
$(sort \
|
||||
MBEDTLS_MD_ID \
|
||||
TPM_ALG_ID \
|
||||
TCG_DIGEST_SIZE \
|
||||
EVENT_LOG_LEVEL \
|
||||
)))
|
||||
|
||||
ifeq (${HASH_ALG}, sha256)
|
||||
ifneq (${TPM_HASH_ALG}, sha256)
|
||||
$(eval $(call add_define,MBEDTLS_SHA512_C))
|
||||
endif
|
||||
endif
|
||||
|
||||
MEASURED_BOOT_SRC_DIR := drivers/measured_boot/event_log/
|
||||
|
||||
MEASURED_BOOT_SOURCES := ${MEASURED_BOOT_SRC_DIR}event_log.c \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -25,6 +25,16 @@ enum crypto_dec_algo {
|
|||
CRYPTO_GCM_DECRYPT = 0
|
||||
};
|
||||
|
||||
/* Message digest algorithm */
|
||||
enum crypto_md_algo {
|
||||
CRYPTO_MD_SHA256,
|
||||
CRYPTO_MD_SHA384,
|
||||
CRYPTO_MD_SHA512,
|
||||
};
|
||||
|
||||
/* Maximum size as per the known stronger hash algorithm i.e.SHA512 */
|
||||
#define CRYPTO_MD_MAX_SIZE 64U
|
||||
|
||||
/*
|
||||
* Cryptographic library descriptor
|
||||
*/
|
||||
|
@ -49,8 +59,9 @@ typedef struct crypto_lib_desc_s {
|
|||
|
||||
#if MEASURED_BOOT
|
||||
/* Calculate a hash. Return hash value */
|
||||
int (*calc_hash)(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output);
|
||||
int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE]);
|
||||
#endif /* MEASURED_BOOT */
|
||||
|
||||
/*
|
||||
|
@ -79,8 +90,9 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
|
|||
unsigned int tag_len);
|
||||
|
||||
#if MEASURED_BOOT
|
||||
int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output);
|
||||
int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE]);
|
||||
|
||||
/* Macro to register a cryptographic library */
|
||||
#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, Arm Limited. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -71,9 +71,20 @@
|
|||
#endif
|
||||
|
||||
#define MBEDTLS_SHA256_C
|
||||
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
|
||||
|
||||
/*
|
||||
* If either Trusted Boot or Measured Boot require a stronger algorithm than
|
||||
* SHA-256, pull in SHA-512 support.
|
||||
*/
|
||||
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
|
||||
#define MBEDTLS_SHA512_C
|
||||
#else
|
||||
/* TBB uses SHA-256, what about measured boot? */
|
||||
#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
|
||||
(TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
|
||||
#define MBEDTLS_SHA512_C
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_VERSION_C
|
||||
|
||||
|
|
|
@ -389,6 +389,15 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
|
|||
|
||||
$(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_))
|
||||
|
||||
# Include Measured Boot makefile before any Crypto library makefile.
|
||||
# Crypto library makefile may need default definitions of Measured Boot build
|
||||
# flags present in Measured Boot makefile.
|
||||
ifeq (${MEASURED_BOOT},1)
|
||||
MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
|
||||
$(info Including ${MEASURED_BOOT_MK})
|
||||
include ${MEASURED_BOOT_MK}
|
||||
endif
|
||||
|
||||
# We expect to locate the *.mk files under the directories specified below
|
||||
ifeq (${ARM_CRYPTOCELL_INTEG},0)
|
||||
CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
|
||||
|
@ -411,8 +420,3 @@ ifeq (${RECLAIM_INIT_CODE}, 1)
|
|||
endif
|
||||
endif
|
||||
|
||||
ifeq (${MEASURED_BOOT},1)
|
||||
MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
|
||||
$(info Including ${MEASURED_BOOT_MK})
|
||||
include ${MEASURED_BOOT_MK}
|
||||
endif
|
||||
|
|
Loading…
Reference in New Issue