Support larger RSA key sizes when using MBEDTLS
Previously, TF-A could not support large RSA key sizes as the configuration options passed to MBEDTLS prevented storing and performing calculations with the larger, higher-precision numbers required. With these changes to the arguments passed to MBEDTLS, TF-A now supports using 3072 (3K) and 4096 (4K) keys in certificates. Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
This commit is contained in:
parent
2fc6ffc451
commit
aacff7498c
4
Makefile
4
Makefile
|
@ -694,6 +694,10 @@ $(eval $(call assert_numeric,ARM_ARCH_MAJOR))
|
|||
$(eval $(call assert_numeric,ARM_ARCH_MINOR))
|
||||
$(eval $(call assert_numeric,BRANCH_PROTECTION))
|
||||
|
||||
ifdef KEY_SIZE
|
||||
$(eval $(call assert_numeric,KEY_SIZE))
|
||||
endif
|
||||
|
||||
ifeq ($(filter $(SANITIZE_UB), on off trap),)
|
||||
$(error "Invalid value for SANITIZE_UB: can be one of on, off, trap")
|
||||
endif
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#
|
||||
# Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
|
||||
# Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
|
||||
#
|
||||
# SPDX-License-Identifier: BSD-3-Clause
|
||||
#
|
||||
|
@ -59,6 +59,16 @@ ifeq (${TF_MBEDTLS_KEY_ALG},)
|
|||
endif
|
||||
endif
|
||||
|
||||
ifeq (${TF_MBEDTLS_KEY_SIZE},)
|
||||
ifneq ($(findstring rsa,${TF_MBEDTLS_KEY_ALG}),)
|
||||
ifeq (${KEY_SIZE},)
|
||||
TF_MBEDTLS_KEY_SIZE := 2048
|
||||
else
|
||||
TF_MBEDTLS_KEY_SIZE := ${KEY_SIZE}
|
||||
endif
|
||||
endif
|
||||
endif
|
||||
|
||||
ifeq (${HASH_ALG}, sha384)
|
||||
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384
|
||||
else ifeq (${HASH_ALG}, sha512)
|
||||
|
@ -79,6 +89,7 @@ endif
|
|||
|
||||
# Needs to be set to drive mbed TLS configuration correctly
|
||||
$(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))
|
||||
$(eval $(call add_define,TF_MBEDTLS_KEY_SIZE))
|
||||
$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID))
|
||||
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@
|
|||
#include <stddef.h>
|
||||
|
||||
#include <platform_def.h>
|
||||
#include <drivers/auth/mbedtls/mbedtls_config.h>
|
||||
|
||||
#include <drivers/auth/auth_mod.h>
|
||||
#if USE_TBBR_DEFS
|
||||
|
@ -19,7 +20,22 @@
|
|||
/*
|
||||
* Maximum key and hash sizes (in DER format)
|
||||
*/
|
||||
#if TF_MBEDTLS_USE_RSA
|
||||
#if TF_MBEDTLS_KEY_SIZE == 1024
|
||||
#define PK_DER_LEN 162
|
||||
#elif TF_MBEDTLS_KEY_SIZE == 2048
|
||||
#define PK_DER_LEN 294
|
||||
#elif TF_MBEDTLS_KEY_SIZE == 3072
|
||||
#define PK_DER_LEN 422
|
||||
#elif TF_MBEDTLS_KEY_SIZE == 4096
|
||||
#define PK_DER_LEN 550
|
||||
#else
|
||||
#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
|
||||
#endif
|
||||
#else
|
||||
#define PK_DER_LEN 294
|
||||
#endif
|
||||
|
||||
#define HASH_DER_LEN 83
|
||||
|
||||
/*
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
|
||||
* Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
|
||||
*
|
||||
* SPDX-License-Identifier: BSD-3-Clause
|
||||
*/
|
||||
|
@ -13,6 +13,11 @@
|
|||
#define TF_MBEDTLS_ECDSA 2
|
||||
#define TF_MBEDTLS_RSA_AND_ECDSA 3
|
||||
|
||||
#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
|
||||
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
|
||||
#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
|
||||
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
|
||||
|
||||
/*
|
||||
* Hash algorithms currently supported on mbed TLS libraries
|
||||
*/
|
||||
|
@ -54,19 +59,14 @@
|
|||
|
||||
#define MBEDTLS_PLATFORM_C
|
||||
|
||||
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
|
||||
#if TF_MBEDTLS_USE_ECDSA
|
||||
#define MBEDTLS_ECDSA_C
|
||||
#define MBEDTLS_ECP_C
|
||||
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
|
||||
#endif
|
||||
#if TF_MBEDTLS_USE_RSA
|
||||
#define MBEDTLS_RSA_C
|
||||
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
|
||||
#define MBEDTLS_RSA_C
|
||||
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
|
||||
#define MBEDTLS_ECDSA_C
|
||||
#define MBEDTLS_ECP_C
|
||||
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_SHA256_C
|
||||
|
@ -80,11 +80,20 @@
|
|||
#define MBEDTLS_X509_CRT_PARSE_C
|
||||
|
||||
/* MPI / BIGNUM options */
|
||||
#define MBEDTLS_MPI_WINDOW_SIZE 2
|
||||
#define MBEDTLS_MPI_MAX_SIZE 256
|
||||
#define MBEDTLS_MPI_WINDOW_SIZE 2
|
||||
|
||||
#if TF_MBEDTLS_USE_RSA
|
||||
#if TF_MBEDTLS_KEY_SIZE <= 2048
|
||||
#define MBEDTLS_MPI_MAX_SIZE 256
|
||||
#else
|
||||
#define MBEDTLS_MPI_MAX_SIZE 512
|
||||
#endif
|
||||
#else
|
||||
#define MBEDTLS_MPI_MAX_SIZE 256
|
||||
#endif
|
||||
|
||||
/* Memory buffer allocator options */
|
||||
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
|
||||
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
|
||||
|
||||
#ifndef __ASSEMBLER__
|
||||
/* System headers required to build mbed TLS with the current configuration */
|
||||
|
@ -95,13 +104,17 @@
|
|||
/*
|
||||
* Determine Mbed TLS heap size
|
||||
* 13312 = 13*1024
|
||||
* 7168 = 7*1024
|
||||
* 11264 = 11*1024
|
||||
* 7168 = 7*1024
|
||||
*/
|
||||
#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \
|
||||
|| (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
|
||||
#if TF_MBEDTLS_USE_ECDSA
|
||||
#define TF_MBEDTLS_HEAP_SIZE U(13312)
|
||||
#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
|
||||
#elif TF_MBEDTLS_USE_RSA
|
||||
#if TF_MBEDTLS_KEY_SIZE <= 2048
|
||||
#define TF_MBEDTLS_HEAP_SIZE U(7168)
|
||||
#else
|
||||
#define TF_MBEDTLS_HEAP_SIZE U(11264)
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#endif /* MBEDTLS_CONFIG_H */
|
||||
|
|
Loading…
Reference in New Issue