Merge "refactor(measured-boot): add generic macros for using Crypto library" into integration
commit
97af8baf0a
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -114,8 +114,9 @@ int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
|
|||
* data_ptr, data_len: data to be hashed
|
||||
* output: resulting hash
|
||||
*/
|
||||
int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output)
|
||||
int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE])
|
||||
{
|
||||
assert(data_ptr != NULL);
|
||||
assert(data_len != 0);
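Review bot: The `unsigned char output[CRYPTO_MD_MAX_SIZE]` parameter in the new `crypto_mod_calc_hash` signature is adjusted to a plain pointer by the compiler, so the bound is documentation only and a caller passing a smaller buffer still compiles. The comment above the function should state the requirement, e.g. `* output: resulting hash; caller-provided buffer of at least CRYPTO_MD_MAX_SIZE bytes`. An `assert(output != NULL);` next to the two visible asserts would match them; the body continues outside the hunk, so it may already be there. The same array-style parameter appears in the mbed TLS `calc_hash` implementation and in both declarations in the crypto module header.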
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (c) 2015-2020, Arm Limited. All rights reserved.
|
||||
# Copyright (c) 2015-2021, Arm Limited. All rights reserved.
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-3-Clause
|
||||
#
|
||||
|
@ -96,6 +96,18 @@ else
|
|||
TF_MBEDTLS_USE_AES_GCM := 0
|
||||
endif
|
||||
|
||||
ifeq ($(MEASURED_BOOT),1)
|
||||
ifeq (${TPM_HASH_ALG}, sha256)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
|
||||
else ifeq (${TPM_HASH_ALG}, sha384)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
|
||||
else ifeq (${TPM_HASH_ALG}, sha512)
|
||||
TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
|
||||
else
|
||||
$(error "TPM_HASH_ALG not defined.")
|
||||
endif
|
||||
endif
|
||||
|
||||
# Needs to be set to drive mbed TLS configuration correctly
|
||||
$(eval $(call add_defines,\
|
||||
$(sort \
|
||||
|
@ -105,6 +117,10 @@ $(eval $(call add_defines,\
|
|||
TF_MBEDTLS_USE_AES_GCM \
|
||||
)))
|
||||
|
||||
ifeq ($(MEASURED_BOOT),1)
|
||||
$(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
|
||||
endif
|
||||
|
||||
$(eval $(call MAKE_LIB,mbedtls))
|
||||
|
||||
endif
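Review bot: The `$(error "TPM_HASH_ALG not defined.")` branch is also reached when TPM_HASH_ALG is set to something other than sha256, sha384 or sha512, so the message reports a typo as a missing definition. Echoing the value makes the failure self-explanatory: `$(error "TPM_HASH_ALG '${TPM_HASH_ALG}' is unset or unsupported (expected sha256, sha384 or sha512)")`. Stopping the build here instead of falling back to a default is the right behaviour for a measurement algorithm and should stay.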
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -24,6 +24,16 @@
|
|||
|
||||
#define LIB_NAME "mbed TLS"
|
||||
|
||||
#if MEASURED_BOOT
|
||||
/*
|
||||
* CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
|
||||
* so make sure that mbed TLS MD maximum size must be lesser than this.
|
||||
*/
|
||||
CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
|
||||
assert_mbedtls_md_size_overflow);
|
||||
|
||||
#endif /* MEASURED_BOOT */
|
||||
|
||||
/*
|
||||
* AlgorithmIdentifier ::= SEQUENCE {
|
||||
* algorithm OBJECT IDENTIFIER,
|
||||
|
@ -210,22 +220,46 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
|
|||
}
|
||||
|
||||
#if MEASURED_BOOT
|
||||
/*
|
||||
* Map a generic crypto message digest algorithm to the corresponding macro used
|
||||
* by Mbed TLS.
|
||||
*/
|
||||
static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo)
|
||||
{
|
||||
switch (algo) {
|
||||
case CRYPTO_MD_SHA512:
|
||||
return MBEDTLS_MD_SHA512;
|
||||
case CRYPTO_MD_SHA384:
|
||||
return MBEDTLS_MD_SHA384;
|
||||
case CRYPTO_MD_SHA256:
|
||||
return MBEDTLS_MD_SHA256;
|
||||
default:
|
||||
/* Invalid hash algorithm. */
|
||||
return MBEDTLS_MD_NONE;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Calculate a hash
|
||||
*
|
||||
* output points to the computed hash
|
||||
*/
|
||||
int calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output)
|
||||
static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE])
|
||||
{
|
||||
const mbedtls_md_info_t *md_info;
|
||||
|
||||
md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)alg);
|
||||
md_info = mbedtls_md_info_from_type(md_type(md_algo));
|
||||
if (md_info == NULL) {
|
||||
return CRYPTO_ERR_HASH;
|
||||
}
|
||||
|
||||
/* Calculate the hash of the data */
|
||||
/*
|
||||
* Calculate the hash of the data, it is safe to pass the
|
||||
* 'output' hash buffer pointer considering its size is always
|
||||
* bigger than or equal to MBEDTLS_MD_MAX_SIZE.
|
||||
*/
|
||||
return mbedtls_md(md_info, data_ptr, data_len, output);
|
||||
}
|
||||
#endif /* MEASURED_BOOT */
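Review bot: `calc_hash` returns `CRYPTO_ERR_HASH` when the algorithm lookup fails but hands back the raw `mbedtls_md()` result on its last line, so an mbed TLS-specific error code escapes through an interface this change otherwise makes library-agnostic. That return line is unchanged context, but it fits this refactor: `if (mbedtls_md(md_info, data_ptr, data_len, output) != 0) { return CRYPTO_ERR_HASH; }` followed by `return 0;` (or the module's success constant). Separately, the comment above the `CASSERT` reads as the opposite of the check; `CRYPTO_MD_MAX_SIZE must not be smaller than MBEDTLS_MD_MAX_SIZE` matches the `>=` in the assertion.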
|
||||
|
|
|
@ -13,10 +13,19 @@
|
|||
#include <common/debug.h>
|
||||
#include <drivers/auth/crypto_mod.h>
|
||||
#include <drivers/measured_boot/event_log/event_log.h>
|
||||
#include <mbedtls/md.h>
|
||||
|
||||
#include <plat/common/platform.h>
|
||||
|
||||
#if TPM_ALG_ID == TPM_ALG_SHA512
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA512
|
||||
#elif TPM_ALG_ID == TPM_ALG_SHA384
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA384
|
||||
#elif TPM_ALG_ID == TPM_ALG_SHA256
|
||||
#define CRYPTO_MD_ID CRYPTO_MD_SHA256
|
||||
#else
|
||||
# error Invalid TPM algorithm.
|
||||
#endif /* TPM_ALG_ID */
|
||||
|
||||
/* Running Event Log Pointer */
|
||||
static uint8_t *log_ptr;
|
||||
|
||||
|
@ -245,7 +254,7 @@ void event_log_write_header(void)
|
|||
int event_log_measure_and_record(uintptr_t data_base, uint32_t data_size,
|
||||
uint32_t data_id)
|
||||
{
|
||||
unsigned char hash_data[MBEDTLS_MD_MAX_SIZE];
|
||||
unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
|
||||
int rc;
|
||||
const event_log_metadata_t *metadata_ptr = plat_metadata_ptr;
|
||||
|
||||
|
@ -257,8 +266,8 @@ int event_log_measure_and_record(uintptr_t data_base, uint32_t data_size,
|
|||
assert(metadata_ptr->id != EVLOG_INVALID_ID);
|
||||
|
||||
/* Calculate hash */
|
||||
rc = crypto_mod_calc_hash((unsigned int)MBEDTLS_MD_ID,
|
||||
(void *)data_base, data_size, hash_data);
|
||||
rc = crypto_mod_calc_hash(CRYPTO_MD_ID,
|
||||
(void *)data_base, data_size, hash_data);
|
||||
if (rc != 0) {
|
||||
return rc;
|
||||
}
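Review bot: `hash_data` is now sized by `CRYPTO_MD_MAX_SIZE`, while the digest length used for the log entry is presumably still `TCG_DIGEST_SIZE`, and the two constants come from different files with no compile-time link between them. A check next to the new `CRYPTO_MD_ID` block, such as `CASSERT(TCG_DIGEST_SIZE <= CRYPTO_MD_MAX_SIZE, assert_tcg_digest_size_overflow);`, would stop a future larger digest from being read past the end of the buffer; this assumes the CASSERT header is reachable from this file, which the hunk does not show. The rest of `event_log_measure_and_record` lies outside the hunk, so how `hash_data` is consumed could not be checked here.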
|
||||
|
|
|
@ -12,35 +12,24 @@ EVENT_LOG_LEVEL ?= 40
|
|||
TPM_HASH_ALG := sha256
|
||||
|
||||
ifeq (${TPM_HASH_ALG}, sha512)
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA512
|
||||
TPM_ALG_ID := TPM_ALG_SHA512
|
||||
TCG_DIGEST_SIZE := 64U
|
||||
else ifeq (${TPM_HASH_ALG}, sha384)
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA384
|
||||
TPM_ALG_ID := TPM_ALG_SHA384
|
||||
TCG_DIGEST_SIZE := 48U
|
||||
else
|
||||
MBEDTLS_MD_ID := MBEDTLS_MD_SHA256
|
||||
TPM_ALG_ID := TPM_ALG_SHA256
|
||||
TCG_DIGEST_SIZE := 32U
|
||||
endif
|
||||
endif #TPM_HASH_ALG
|
||||
|
||||
|
||||
# Set definitions for mbed TLS library and Measured Boot driver
|
||||
# Set definitions for Measured Boot driver.
|
||||
$(eval $(call add_defines,\
|
||||
$(sort \
|
||||
MBEDTLS_MD_ID \
|
||||
TPM_ALG_ID \
|
||||
TCG_DIGEST_SIZE \
|
||||
EVENT_LOG_LEVEL \
|
||||
)))
|
||||
|
||||
ifeq (${HASH_ALG}, sha256)
|
||||
ifneq (${TPM_HASH_ALG}, sha256)
|
||||
$(eval $(call add_define,MBEDTLS_SHA512_C))
|
||||
endif
|
||||
endif
|
||||
|
||||
MEASURED_BOOT_SRC_DIR := drivers/measured_boot/event_log/
|
||||
|
||||
MEASURED_BOOT_SOURCES := ${MEASURED_BOOT_SRC_DIR}event_log.c \
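Review bot: The final `else` of the TPM_HASH_ALG chain still maps every unrecognised value to `TPM_ALG_SHA256`, so a misspelt algorithm name gets no diagnostic from this makefile. Now that the mbed TLS makefile rejects unknown values, this one should agree: make the last branch `else ifeq (${TPM_HASH_ALG}, sha256)` and add `else` plus `$(error "Unsupported TPM_HASH_ALG: ${TPM_HASH_ALG}")` before the closing `endif`. Otherwise whether the mistake is caught depends on which crypto library makefile is included afterwards.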
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -25,6 +25,16 @@ enum crypto_dec_algo {
|
|||
CRYPTO_GCM_DECRYPT = 0
|
||||
};
|
||||
|
||||
/* Message digest algorithm */
|
||||
enum crypto_md_algo {
|
||||
CRYPTO_MD_SHA256,
|
||||
CRYPTO_MD_SHA384,
|
||||
CRYPTO_MD_SHA512,
|
||||
};
|
||||
|
||||
/* Maximum size as per the known stronger hash algorithm i.e.SHA512 */
|
||||
#define CRYPTO_MD_MAX_SIZE 64U
|
||||
|
||||
/*
|
||||
* Cryptographic library descriptor
|
||||
*/
|
||||
|
@ -49,8 +59,9 @@ typedef struct crypto_lib_desc_s {
|
|||
|
||||
#if MEASURED_BOOT
|
||||
/* Calculate a hash. Return hash value */
|
||||
int (*calc_hash)(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output);
|
||||
int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE]);
|
||||
#endif /* MEASURED_BOOT */
|
||||
|
||||
/*
|
||||
|
@ -79,8 +90,9 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
|
|||
unsigned int tag_len);
|
||||
|
||||
#if MEASURED_BOOT
|
||||
int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
|
||||
unsigned int data_len, unsigned char *output);
|
||||
int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
|
||||
unsigned int data_len,
|
||||
unsigned char output[CRYPTO_MD_MAX_SIZE]);
|
||||
|
||||
/* Macro to register a cryptographic library */
|
||||
#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
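Review bot: The comment on the `calc_hash` member, `/* Calculate a hash. Return hash value */`, does not describe the contract: the function returns an int status and writes the digest into `output`. I would reword it to `/* Calculate a hash; the digest is written to output (CRYPTO_MD_MAX_SIZE bytes), the return value is a status code */`. The comment above `CRYPTO_MD_MAX_SIZE` would also read better as "size of the largest supported digest (SHA-512)", with the missing space after "i.e." fixed.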
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2020, Arm Limited. All rights reserved.
|
||||
* Copyright (c) 2015-2021, Arm Limited. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -71,9 +71,20 @@
|
|||
#endif
|
||||
|
||||
#define MBEDTLS_SHA256_C
|
||||
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
|
||||
|
||||
/*
|
||||
* If either Trusted Boot or Measured Boot require a stronger algorithm than
|
||||
* SHA-256, pull in SHA-512 support.
|
||||
*/
|
||||
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
|
||||
#define MBEDTLS_SHA512_C
|
||||
#else
|
||||
/* TBB uses SHA-256, what about measured boot? */
|
||||
#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
|
||||
(TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
|
||||
#define MBEDTLS_SHA512_C
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_VERSION_C
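Review bot: The nested `#if`/`#else` that decides `MBEDTLS_SHA512_C` defines the macro in two places and needs an inline comment to follow; a single condition expresses the same thing: `#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) || (defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256))`. The `defined()` guard also means that a Measured Boot build which does not pass TF_MBEDTLS_TPM_HASH_ALG_ID silently gets SHA-256 support only. The makefile check covers that case today, and the block comment should say that the header relies on it.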
|
||||
|
||||
|
|
|
@ -389,6 +389,15 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
|
|||
|
||||
$(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_))
|
||||
|
||||
# Include Measured Boot makefile before any Crypto library makefile.
|
||||
# Crypto library makefile may need default definitions of Measured Boot build
|
||||
# flags present in Measured Boot makefile.
|
||||
ifeq (${MEASURED_BOOT},1)
|
||||
MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
|
||||
$(info Including ${MEASURED_BOOT_MK})
|
||||
include ${MEASURED_BOOT_MK}
|
||||
endif
|
||||
|
||||
# We expect to locate the *.mk files under the directories specified below
|
||||
ifeq (${ARM_CRYPTOCELL_INTEG},0)
|
||||
CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
|
||||
|
@ -411,8 +420,3 @@ ifeq (${RECLAIM_INIT_CODE}, 1)
|
|||
endif
|
||||
endif
|
||||
|
||||
ifeq (${MEASURED_BOOT},1)
|
||||
MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
|
||||
$(info Including ${MEASURED_BOOT_MK})
|
||||
include ${MEASURED_BOOT_MK}
|
||||
endif
|
||||
|
|