The Mbed TLS drivers, in order to work, need a heap for internal usage.
This heap, instead of being directly referenced by the drivers, now it
is being accessed indirectly through a pointer. Also, the heap, instead
of being part of the drivers, now it is being received through the
plat_get_mbedtls_heap() function. This function requests a heap from the
current BL image which utilises the Mbed TLS drivers.
Those changes create the opportunity for the Mbed TLS heap to be shared
among different images, thus saving memory. A default heap
implementation is provided but it can be overridden by a platform
specific, optimised implemenetation.
Change-Id: I286a1f10097a9cdcbcd312201eea576c18d157fa
Signed-off-by: John Tsichritzis <john.tsichritzis@arm.com>
The flag support the following values:
- sha256 (default)
- sha384
- sha512
Change-Id: I7a49d858c361e993949cf6ada0a86575c3291066
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
For Trusted Board Boot, BL2 needs more space to support the ECDSA
and ECDSA+RSA algorithms.
Change-Id: Ie7eda9a1315ce836dbc6d18d6588f8d17891a92d
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
Add new option rsa+ecdsa for TF_MBEDTLS_KEY_ALG, which selects
rsa or ecdsa depending on the certificate used.
Change-Id: I08d9e99bdbba361ed2ec5624248dc382c750ad47
Signed-off-by: Qixiang Xu <qixiang.xu@arm.com>
This fix modifies the order of system includes to meet the ARM TF coding
standard. There are some exceptions in order to retain header groupings,
minimise changes to imported headers, and where there are headers within
the #if and #ifndef statements.
Change-Id: I65085a142ba6a83792b26efb47df1329153f1624
Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
This patch adds support for RSASSA-PSS Signature Algorithm for
X509 certificates in mbedtls crypto driver. Now the driver supports
RSA PKCS2_1 standard as mandated by TBBR.
NOTE: With this patch, the PKCS1_5 standard compliant RSA signature
is deprecated.
Change-Id: I9cf6d073370b710cc36a7b374a55ec96c0496461
Signed-off-by: Soby Mathew <soby.mathew@arm.com>
The Trusted Firmware uses a subset of the APIs provided by mbed TLS.
This subset internally uses `snprintf`, but the only format specifier
used is '%d', which is supported by `tf_snprintf`.
This patch makes mbed TLS use `tf_snprintf` instead of `snprintf`,
saving 3 KB in both debug and release builds when TBBR is enabled.
Change-Id: I7f992a21015930d7c0f4660e7a28ceefd60b9597
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
An earlier patch (arm-trusted-firmware#874) migrated MBEDTLS_ suffixed
macros to have a TBBR_ suffix to avoid any potential clash with future
mbedtls macros.
But on reflection the TBBR_ suffix could be confusing as the macros
are used to drive TF-specific configuration of mbedtls. As such
this patch migrates these macros from TBBR_suffix to TF_MBEDTLS_
suffix which more accurately conveys their use.
Change-Id: Ic87642b653ceeaa03d62f724976abd5e12e867d4
Signed-off-by: David Cunado <david.cunado@arm.com>
To make software license auditing simpler, use SPDX[0] license
identifiers instead of duplicating the license text in every file.
NOTE: Files that have been imported by FreeBSD have not been modified.
[0]: https://spdx.org/
Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
These macros are not part of mbed TLS so they should not be prefixed
with `MBEDTLS_` to avoid potential collision in the future. Use the
`TBBR_` suffix to highlight that they only used in TF.
`MBEDTLS_KEY_ALG` was not modified because that is documented and used
by platforms to select the key algorithm.
Change-Id: Ief224681715c481691c80810501830ce16e210b0
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
The mbed TLS library has introduced some changes in the API from
the 1.3.x to the 2.x releases. Using the 2.x releases requires
some changes to the crypto and transport modules.
This patch updates both modules to the mbed TLS 2.x API.
All references to the mbed TLS library in the code or documentation
have been updated to 'mbed TLS'. Old references to PolarSSL have
been updated to 'mbed TLS'.
User guide updated to use mbed TLS 2.2.0.
NOTE: moving up to mbed TLS 2.x from 1.3.x is not backward compatible.
Applying this patch will require an mbed TLS 2.x release to be used.
Also note that the mbed TLS license changed to Apache version 2.0.
Change-Id: Iba4584408653cf153091f2ca2ee23bc9add7fda4
This patch adds the following mbedTLS based libraries:
* Cryptographic library
It is used by the crypto module to verify a digital signature
and a hash. This library relies on mbedTLS to perform the
cryptographic operations. mbedTLS sources must be obtained
separately.
Two key algorithms are currently supported:
* RSA-2048
* ECDSA-SECP256R1
The platform is responsible for picking up the required
algorithm by defining the 'MBEDTLS_KEY_ALG' variable in the
platform makefile. Available options are:
* 'rsa' (for RSA-2048) (default option)
* 'ecdsa' (for ECDSA-SECP256R1)
Hash algorithm currently supported is SHA-256.
* Image parser library
Used by the image parser module to extract the authentication
parameters stored in X509v3 certificates.
Change-Id: I597c4be3d29287f2f18b82846973afc142ee0bf0