Merge changes from topic "decouple-tb-mb" into integration

* changes:
  refactor(renesas): disable CRYPTO_SUPPORT option
  refactor(fvp): avoid Measured-Boot dependency on Trusted-Boot
  refactor(measured-boot): avoid Measured-Boot dependency on Trusted-Boot
  build: introduce CRYPTO_SUPPORT build option

Makefile

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -736,6 +736,12 @@ ifeq ($(DYN_DISABLE_AUTH), 1)
     endif
 endif
 
+ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT}),)
+    CRYPTO_SUPPORT := 1
+else
+    CRYPTO_SUPPORT := 0
+endif
+
 # SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled.
 ifeq ($(SDEI_SUPPORT)-$(SDEI_IN_FCONF),0-1)
 $(error "SDEI_IN_FCONF is only supported when SDEI_SUPPORT is enabled")
@@ -762,15 +768,6 @@ ifeq ($(CTX_INCLUDE_MTE_REGS),1)
     endif
 endif
 
-# Trusted Boot is a prerequisite for Measured Boot. It provides trust that the
-# code taking the measurements and recording them has not been tampered
-# with. This is referred to as the Root of Trust for Measurement.
-ifeq ($(MEASURED_BOOT),1)
-    ifneq (${TRUSTED_BOARD_BOOT},1)
-        $(error MEASURED_BOOT requires TRUSTED_BOARD_BOOT=1)
-    endif
-endif
-
 ifeq ($(PSA_FWU_SUPPORT),1)
     $(info PSA_FWU_SUPPORT is an experimental feature)
 endif
@@ -1022,6 +1019,7 @@ $(eval $(call assert_booleans,\
         SPM_MM \
         SPMD_SPM_AT_SEL2 \
         TRUSTED_BOARD_BOOT \
+        CRYPTO_SUPPORT \
         USE_COHERENT_MEM \
         USE_DEBUGFS \
         ARM_IO_IN_DTB \
@@ -1136,6 +1134,7 @@ $(eval $(call add_defines,\
         SPM_MM \
         SPMD_SPM_AT_SEL2 \
         TRUSTED_BOARD_BOOT \
+        CRYPTO_SUPPORT \
         TRNG_SUPPORT \
         USE_COHERENT_MEM \
         USE_DEBUGFS \

bl1/bl1_main.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -15,6 +15,7 @@
 #include <common/bl_common.h>
 #include <common/debug.h>
 #include <drivers/auth/auth_mod.h>
+#include <drivers/auth/crypto_mod.h>
 #include <drivers/console.h>
 #include <lib/cpus/errata_report.h>
 #include <lib/utils.h>
@@ -121,10 +122,10 @@ void bl1_main(void)
 	/* Perform remaining generic architectural setup from EL3 */
 	bl1_arch_setup();
 
-#if TRUSTED_BOARD_BOOT
+	crypto_mod_init();
+
 	/* Initialize authentication module */
 	auth_mod_init();
-#endif /* TRUSTED_BOARD_BOOT */
 
 	/* Initialize the measured boot */
 	bl1_plat_mboot_init();

bl2/bl2_main.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -13,6 +13,7 @@
 #include <common/bl_common.h>
 #include <common/debug.h>
 #include <drivers/auth/auth_mod.h>
+#include <drivers/auth/crypto_mod.h>
 #include <drivers/console.h>
 #include <drivers/fwu/fwu.h>
 #include <lib/extensions/pauth.h>
@@ -89,10 +90,10 @@ void bl2_main(void)
 	fwu_init();
 #endif /* PSA_FWU_SUPPORT */
 
-#if TRUSTED_BOARD_BOOT
+	crypto_mod_init();
+
 	/* Initialize authentication module */
 	auth_mod_init();
-#endif /* TRUSTED_BOARD_BOOT */
 
 	/* Initialize the Measured Boot backend */
 	bl2_plat_mboot_init();

common/bl_common.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -143,25 +143,6 @@ exit:
 	return io_result;
 }
 
-/*
- * Load an image and flush it out to main memory so that it can be executed
- * later by any CPU, regardless of cache and MMU state.
- */
-static int load_image_flush(unsigned int image_id,
-			    image_info_t *image_data)
-{
-	int rc;
-
-	rc = load_image(image_id, image_data);
-	if (rc == 0) {
-		flush_dcache_range(image_data->image_base,
-				   image_data->image_size);
-	}
-
-	return rc;
-}
-
-
 #if TRUSTED_BOARD_BOOT
 /*
  * This function uses recursion to authenticate the parent images up to the root
@@ -202,30 +183,6 @@ static int load_auth_image_recursive(unsigned int image_id,
 		return -EAUTH;
 	}
 
-	if (is_parent_image == 0) {
-		/*
-		 * Measure the image.
-		 * We do not measure its parents because these only play a role
-		 * in authentication, which is orthogonal to measured boot.
-		 *
-		 * TODO: Change this code if we change our minds about measuring
-		 * certificates.
-		 */
-		rc = plat_mboot_measure_image(image_id, image_data);
-		if (rc != 0) {
-			return rc;
-		}
-
-		/*
-		 * Flush the image to main memory so that it can be executed
-		 * later by any CPU, regardless of cache and MMU state. This
-		 * is only needed for child images, not for the parents
-		 * (certificates).
-		 */
-		flush_dcache_range(image_data->image_base,
-				   image_data->image_size);
-	}
-
 	return 0;
 }
 #endif /* TRUSTED_BOARD_BOOT */
@@ -239,7 +196,7 @@ static int load_auth_image_internal(unsigned int image_id,
 	}
 #endif
 
-	return load_image_flush(image_id, image_data);
+	return load_image(image_id, image_data);
 }
 
 /*******************************************************************************
@@ -266,6 +223,25 @@ int load_auth_image(unsigned int image_id, image_info_t *image_data)
 	} while ((err != 0) && (plat_try_next_boot_source() != 0));
 #endif /* PSA_FWU_SUPPORT */
 
+	if (err == 0) {
+		/*
+		 * If loading of the image gets passed (along with its
+		 * authentication in case of Trusted-Boot flow) then measure
+		 * it (if MEASURED_BOOT flag is enabled).
+		 */
+		err = plat_mboot_measure_image(image_id, image_data);
+		if (err != 0) {
+			return err;
+		}
+
+		/*
+		 * Flush the image to main memory so that it can be executed
+		 * later by any CPU, regardless of cache and MMU state.
+		 */
+		flush_dcache_range(image_data->image_base,
+				   image_data->image_size);
+	}
+
 	return err;
 }
 

docs/getting_started/build-options.rst

@@ -529,9 +529,9 @@ Common build options
    the build. The default value is 40 in debug builds and 20 in release builds.
 
 -  ``MEASURED_BOOT``: Boolean flag to include support for the Measured Boot
-   feature. If this flag is enabled ``TRUSTED_BOARD_BOOT`` must be set as well
-   in order to provide trust that the code taking the measurements and recording
-   them has not been tampered with.
+   feature. This flag can be enabled with ``TRUSTED_BOARD_BOOT`` in order to
+   provide trust that the code taking the measurements and recording them has
+   not been tampered with.
 
    This option defaults to 0.
 

drivers/auth/auth_mod.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -339,9 +339,6 @@ void auth_mod_init(void)
 	/* Check we have a valid CoT registered */
 	assert(cot_desc_ptr != NULL);
 
-	/* Crypto module */
-	crypto_mod_init();
-
 	/* Image parser module */
 	img_parser_init();
 }

drivers/auth/crypto_mod.c

@@ -46,8 +46,13 @@ void crypto_mod_init(void)
 {
 	assert(crypto_lib_desc.name != NULL);
 	assert(crypto_lib_desc.init != NULL);
+#if TRUSTED_BOARD_BOOT
 	assert(crypto_lib_desc.verify_signature != NULL);
 	assert(crypto_lib_desc.verify_hash != NULL);
+#endif /* TRUSTED_BOARD_BOOT */
+#if MEASURED_BOOT
+	assert(crypto_lib_desc.calc_hash != NULL);
+#endif /* MEASURED_BOOT */
 
 	/* Initialize the cryptographic library */
 	crypto_lib_desc.init();

drivers/auth/mbedtls/mbedtls_crypto.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -60,6 +60,7 @@ static void init(void)
 	mbedtls_init();
 }
 
+#if TRUSTED_BOARD_BOOT
 /*
  * Verify a signature.
  *
@@ -218,6 +219,7 @@ static int verify_hash(void *data_ptr, unsigned int data_len,
 
 	return CRYPTO_SUCCESS;
 }
+#endif /* TRUSTED_BOARD_BOOT */
 
 #if MEASURED_BOOT
 /*
@@ -366,7 +368,7 @@ static int auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
 /*
  * Register crypto library descriptor
  */
-#if MEASURED_BOOT
+#if MEASURED_BOOT && TRUSTED_BOARD_BOOT
 #if TF_MBEDTLS_USE_AES_GCM
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 		    auth_decrypt);
@@ -374,11 +376,13 @@ REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, calc_hash,
 		    NULL);
 #endif
-#else /* MEASURED_BOOT */
+#elif TRUSTED_BOARD_BOOT
 #if TF_MBEDTLS_USE_AES_GCM
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash,
 		    auth_decrypt);
 #else
 REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL);
 #endif
-#endif /* MEASURED_BOOT */
+#elif MEASURED_BOOT
+REGISTER_CRYPTO_LIB(LIB_NAME, init, calc_hash);
+#endif /* MEASURED_BOOT && TRUSTED_BOARD_BOOT */

include/drivers/auth/auth_mod.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -7,8 +7,6 @@
 #ifndef AUTH_MOD_H
 #define AUTH_MOD_H
 
-#if TRUSTED_BOARD_BOOT
-
 #include <common/tbbr/cot_def.h>
 #include <common/tbbr/tbbr_img_def.h>
 #include <drivers/auth/auth_common.h>
@@ -46,7 +44,13 @@ typedef struct auth_img_desc_s {
 #endif /* COT_DESC_IN_DTB && !IMAGE_BL1 */
 
 /* Public functions */
+#if TRUSTED_BOARD_BOOT
 void auth_mod_init(void);
+#else
+static inline void auth_mod_init(void)
+{
+}
+#endif /* TRUSTED_BOARD_BOOT */
 int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id);
 int auth_mod_verify_img(unsigned int img_id,
 			void *img_ptr,
@@ -85,6 +89,4 @@ extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
 
 #endif
 
-#endif /* TRUSTED_BOARD_BOOT */
-
 #endif /* AUTH_MOD_H */

include/drivers/auth/crypto_mod.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -76,7 +76,14 @@ typedef struct crypto_lib_desc_s {
 } crypto_lib_desc_t;
 
 /* Public functions */
+#if CRYPTO_SUPPORT
 void crypto_mod_init(void);
+#else
+static inline void crypto_mod_init(void)
+{
+}
+#endif /* CRYPTO_SUPPORT */
+
 int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len,
 				void *sig_ptr, unsigned int sig_len,
 				void *sig_alg_ptr, unsigned int sig_alg_len,
@@ -93,7 +100,9 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
 int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 			 unsigned int data_len,
 			 unsigned char output[CRYPTO_MD_MAX_SIZE]);
+#endif /* MEASURED_BOOT */
 
+#if MEASURED_BOOT && TRUSTED_BOARD_BOOT
 /* Macro to register a cryptographic library */
 #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
 			    _calc_hash, _auth_decrypt) \
@@ -105,7 +114,7 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 		.calc_hash = _calc_hash, \
 		.auth_decrypt = _auth_decrypt \
 	}
-#else
+#elif TRUSTED_BOARD_BOOT
 #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
 			    _auth_decrypt) \
 	const crypto_lib_desc_t crypto_lib_desc = { \
@@ -115,7 +124,14 @@ int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
 		.verify_hash = _verify_hash, \
 		.auth_decrypt = _auth_decrypt \
 	}
-#endif	/* MEASURED_BOOT */
+#elif MEASURED_BOOT
+#define REGISTER_CRYPTO_LIB(_name, _init, _calc_hash) \
+	const crypto_lib_desc_t crypto_lib_desc = { \
+		.name = _name, \
+		.init = _init, \
+		.calc_hash = _calc_hash, \
+	}
+#endif	/* MEASURED_BOOT && TRUSTED_BOARD_BOOT */
 
 extern const crypto_lib_desc_t crypto_lib_desc;
 

plat/arm/board/fvp/fvp_bl2_measured_boot.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -87,6 +87,7 @@ int plat_mboot_measure_critical_data(unsigned int critical_data_id,
 	return 0;
 }
 
+#if TRUSTED_BOARD_BOOT
 static int fvp_populate_critical_data(struct fvp_critical_data *critical_data)
 {
 	char *nv_ctr_oids[MAX_NV_CTR_IDS] = {
@@ -104,17 +105,26 @@ static int fvp_populate_critical_data(struct fvp_critical_data *critical_data)
 
 	return 0;
 }
+#endif /* TRUSTED_BOARD_BOOT */
 
 static int fvp_populate_and_measure_critical_data(void)
 {
+	int rc = 0;
+
+/*
+ * FVP platform only measures 'platform NV-counter' and hence its
+ * measurement makes sense during Trusted-Boot flow only.
+ */
+#if TRUSTED_BOARD_BOOT
 	struct fvp_critical_data populate_critical_data;
 
-	int rc = fvp_populate_critical_data(&populate_critical_data);
+	rc = fvp_populate_critical_data(&populate_critical_data);
 	if (rc == 0) {
 		rc = plat_mboot_measure_critical_data(CRITICAL_DATA_ID,
 						&populate_critical_data,
 						sizeof(populate_critical_data));
 	}
+#endif /* TRUSTED_BOARD_BOOT */
 
 	return rc;
 }

plat/arm/board/fvp/fvp_common.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -117,10 +117,15 @@ const mmap_region_t plat_arm_mmap[] = {
 #if TRUSTED_BOARD_BOOT
 	/* To access the Root of Trust Public Key registers. */
 	MAP_DEVICE2,
-#if !BL2_AT_EL3
-	ARM_MAP_BL1_RW,
-#endif
 #endif /* TRUSTED_BOARD_BOOT */
+
+#if CRYPTO_SUPPORT && !BL2_AT_EL3
+	/*
+	 * To access shared the Mbed TLS heap while booting the
+	 * system with Crypto support
+	 */
+	ARM_MAP_BL1_RW,
+#endif /* CRYPTO_SUPPORT && !BL2_AT_EL3 */
 #if SPM_MM
 	ARM_SP_IMAGE_MMAP,
 #endif
@@ -444,7 +449,7 @@ void fvp_interconnect_disable(void)
 #endif
 }
 
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT
 int plat_get_mbedtls_heap(void **heap_addr, size_t *heap_size)
 {
 	assert(heap_addr != NULL);
@@ -452,7 +457,7 @@ int plat_get_mbedtls_heap(void **heap_addr, size_t *heap_size)
 
 	return arm_get_mbedtls_heap(heap_addr, heap_size);
 }
-#endif
+#endif /* CRYPTO_SUPPORT */
 
 void fvp_timer_init(void)
 {

plat/arm/board/fvp/include/platform_def.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2014-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -144,12 +144,10 @@
  * PLAT_ARM_MAX_BL2_SIZE is calculated using the current BL2 debug size plus a
  * little space for growth.
  */
-#if TRUSTED_BOARD_BOOT
-#if COT_DESC_IN_DTB
+#if TRUSTED_BOARD_BOOT && COT_DESC_IN_DTB
 # define PLAT_ARM_MAX_BL2_SIZE	(UL(0x1E000) - FVP_BL2_ROMLIB_OPTIMIZATION)
-#else
+#elif CRYPTO_SUPPORT
 # define PLAT_ARM_MAX_BL2_SIZE	(UL(0x1D000) - FVP_BL2_ROMLIB_OPTIMIZATION)
-#endif
 #else
 # define PLAT_ARM_MAX_BL2_SIZE	(UL(0x13000) - FVP_BL2_ROMLIB_OPTIMIZATION)
 #endif
@@ -187,17 +185,17 @@
  * Size of cacheable stacks
  */
 #if defined(IMAGE_BL1)
-# if TRUSTED_BOARD_BOOT
+# if CRYPTO_SUPPORT
 #  define PLATFORM_STACK_SIZE		UL(0x1000)
 # else
 #  define PLATFORM_STACK_SIZE		UL(0x500)
-# endif
+# endif /* CRYPTO_SUPPORT */
 #elif defined(IMAGE_BL2)
-# if TRUSTED_BOARD_BOOT
+# if CRYPTO_SUPPORT
 #  define PLATFORM_STACK_SIZE		UL(0x1000)
 # else
 #  define PLATFORM_STACK_SIZE		UL(0x600)
-# endif
+# endif /* CRYPTO_SUPPORT */
 #elif defined(IMAGE_BL2U)
 # define PLATFORM_STACK_SIZE		UL(0x400)
 #elif defined(IMAGE_BL31)

plat/arm/board/fvp/platform.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2013-2022, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -376,10 +376,6 @@ endif
 include plat/arm/board/common/board_common.mk
 include plat/arm/common/arm_common.mk
 
-ifeq (${TRUSTED_BOARD_BOOT}, 1)
-BL1_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c
-BL2_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c
-
 ifeq (${MEASURED_BOOT},1)
 BL1_SOURCES		+=	plat/arm/board/fvp/fvp_common_measured_boot.c	\
 				plat/arm/board/fvp/fvp_bl1_measured_boot.c
@@ -387,6 +383,10 @@ BL2_SOURCES		+=	plat/arm/board/fvp/fvp_common_measured_boot.c	\
 				plat/arm/board/fvp/fvp_bl2_measured_boot.c
 endif
 
+ifeq (${TRUSTED_BOARD_BOOT}, 1)
+BL1_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c
+BL2_SOURCES		+=	plat/arm/board/fvp/fvp_trusted_boot.c
+
 # FVP being a development platform, enable capability to disable Authentication
 # dynamically if TRUSTED_BOARD_BOOT is set.
 DYN_DISABLE_AUTH	:=	1

plat/arm/common/arm_bl1_setup.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -202,10 +202,10 @@ void arm_bl1_platform_setup(void)
 	assert(desc != NULL);
 	desc->ep_info.args.arg0 = fw_config_info->config_addr;
 
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT
 	/* Share the Mbed TLS heap info with other images */
 	arm_bl1_set_mbedtls_heap();
-#endif /* TRUSTED_BOARD_BOOT */
+#endif /* CRYPTO_SUPPORT */
 
 	/*
 	 * Allow access to the System counter timer module and program

plat/arm/common/arm_common.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2015-2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -358,10 +358,8 @@ endif
 ifneq (${TRUSTED_BOARD_BOOT},0)
 
     # Include common TBB sources
-    AUTH_SOURCES	:=	drivers/auth/auth_mod.c				\
-				drivers/auth/crypto_mod.c			\
-				drivers/auth/img_parser_mod.c			\
-				lib/fconf/fconf_tbbr_getter.c
+    AUTH_SOURCES 	:= 	drivers/auth/auth_mod.c	\
+				drivers/auth/img_parser_mod.c
 
     # Include the selected chain of trust sources.
     ifeq (${COT},tbbr)
@@ -389,6 +387,12 @@ ifneq (${TRUSTED_BOARD_BOOT},0)
 
     $(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_))
 
+    IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk
+
+    $(info Including ${IMG_PARSER_LIB_MK})
+    include ${IMG_PARSER_LIB_MK}
+endif
+
 # Include Measured Boot makefile before any Crypto library makefile.
 # Crypto library makefile may need default definitions of Measured Boot build
 # flags present in Measured Boot makefile.
@@ -398,20 +402,21 @@ ifeq (${MEASURED_BOOT},1)
     include ${MEASURED_BOOT_MK}
 endif
 
+ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT}),)
+    CRYPTO_SOURCES	:=	drivers/auth/crypto_mod.c 	\
+				lib/fconf/fconf_tbbr_getter.c
+    BL1_SOURCES		+=	${CRYPTO_SOURCES}
+    BL2_SOURCES		+=	${CRYPTO_SOURCES}
+
     # We expect to locate the *.mk files under the directories specified below
-ifeq (${ARM_CRYPTOCELL_INTEG},0)
-    CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
-else
-    CRYPTO_LIB_MK := drivers/auth/cryptocell/cryptocell_crypto.mk
-endif
-    IMG_PARSER_LIB_MK := drivers/auth/mbedtls/mbedtls_x509.mk
+    ifeq (${ARM_CRYPTOCELL_INTEG},0)
+        CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
+    else
+        CRYPTO_LIB_MK := drivers/auth/cryptocell/cryptocell_crypto.mk
+    endif
 
     $(info Including ${CRYPTO_LIB_MK})
     include ${CRYPTO_LIB_MK}
-
-    $(info Including ${IMG_PARSER_LIB_MK})
-    include ${IMG_PARSER_LIB_MK}
-
 endif
 
 ifeq (${RECLAIM_INIT_CODE}, 1)
@@ -419,4 +424,3 @@ ifeq (${RECLAIM_INIT_CODE}, 1)
         $(error "To reclaim init code xlat tables v2 must be used")
     endif
 endif
-

plat/arm/common/arm_dyn_cfg.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -13,9 +13,9 @@
 #include <common/debug.h>
 #include <common/desc_image_load.h>
 #include <common/tbbr/tbbr_img_def.h>
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT
 #include <drivers/auth/mbedtls/mbedtls_config.h>
-#endif
+#endif /* CRYPTO_SUPPORT */
 #include <lib/fconf/fconf.h>
 #include <lib/fconf/fconf_dyn_cfg_getter.h>
 #include <lib/fconf/fconf_tbbr_getter.h>
@@ -23,7 +23,7 @@
 #include <plat/arm/common/arm_dyn_cfg_helpers.h>
 #include <plat/arm/common/plat_arm.h>
 
-#if TRUSTED_BOARD_BOOT
+#if CRYPTO_SUPPORT
 
 static void *mbedtls_heap_addr;
 static size_t mbedtls_heap_size;
@@ -118,7 +118,7 @@ void arm_bl1_set_mbedtls_heap(void)
 #endif /* !MEASURED_BOOT */
 	}
 }
-#endif /* TRUSTED_BOARD_BOOT */
+#endif /* CRYPTO_SUPPORT */
 
 /*
  * BL2 utility function to initialize dynamic configuration specified by

plat/renesas/common/common.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2018-2021, Renesas Electronics Corporation. All rights reserved.
+# Copyright (c) 2018-2022, Renesas Electronics Corporation. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -17,6 +17,11 @@ MULTI_CONSOLE_API		:= 1
 CRASH_REPORTING			:= 1
 HANDLE_EA_EL3_FIRST		:= 1
 
+# This option gets enabled automatically if the TRUSTED_BOARD_BOOT
+# is set via root Makefile, but Renesas support Trusted-Boot without
+# Crypto module.
+override CRYPTO_SUPPORT		:= 0
+
 $(eval $(call add_define,PLAT_EXTRA_LD_SCRIPT))
 
 ifeq (${SPD},none)