Merge "refactor(measured-boot): add generic macros for using Crypto library" into integration
diff --git a/drivers/auth/crypto_mod.c b/drivers/auth/crypto_mod.c
index c63ff08..127eb0d 100644
--- a/drivers/auth/crypto_mod.c
+++ b/drivers/auth/crypto_mod.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -114,8 +114,9 @@
* data_ptr, data_len: data to be hashed
* output: resulting hash
*/
-int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
- unsigned int data_len, unsigned char *output)
+int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE])
{
assert(data_ptr != NULL);
assert(data_len != 0);
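Review bot: The header comment above the signature still documents only data_ptr, data_len and output; the parameter that this change retypes to enum crypto_md_algo is undocumented, and the new `output[CRYPTO_MD_MAX_SIZE]` bound is not enforced by the compiler (an array parameter decays to a pointer), so the size contract should be stated in words. I would extend the comment with `* alg: message digest algorithm (enum crypto_md_algo)` and `* output: resulting hash; must be at least CRYPTO_MD_MAX_SIZE bytes (the array bound in the prototype is not checked by the compiler)`. The body of crypto_mod_calc_hash continues outside the hunk, so I cannot see whether output is asserted non-NULL alongside the two asserts shown here.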
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 53ebe30..54c819c 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2015-2020, Arm Limited. All rights reserved.
+# Copyright (c) 2015-2021, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -96,6 +96,18 @@
TF_MBEDTLS_USE_AES_GCM := 0
endif
+ifeq ($(MEASURED_BOOT),1)
+ ifeq (${TPM_HASH_ALG}, sha256)
+ TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
+ else ifeq (${TPM_HASH_ALG}, sha384)
+ TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
+ else ifeq (${TPM_HASH_ALG}, sha512)
+ TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
+ else
+ $(error "TPM_HASH_ALG not defined.")
+ endif
+endif
+
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_defines,\
$(sort \
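Review bot: The `$(error "TPM_HASH_ALG not defined.")` in the new else branch is reached for any value that is not sha256/sha384/sha512, so a typo or an unsupported algorithm such as sha1 is reported as "not defined", which will mislead whoever hits it. I would print the actual value: `$(error "Unsupported TPM_HASH_ALG value: ${TPM_HASH_ALG}")`. The surrounding `ifeq ($(MEASURED_BOOT),1)` presumably relies on event_log.mk having set the TPM_HASH_ALG default before this file is parsed, which is what the arm_common.mk reordering in this commit provides; platforms that include the crypto makefile from elsewhere would need the same ordering.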
@@ -105,6 +117,10 @@
TF_MBEDTLS_USE_AES_GCM \
)))
+ifeq ($(MEASURED_BOOT),1)
+ $(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
+endif
+
$(eval $(call MAKE_LIB,mbedtls))
endif
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index 6d6efb5..114e6ad 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -24,6 +24,16 @@
#define LIB_NAME "mbed TLS"
+#if MEASURED_BOOT
+/*
+ * CRYPTO_MD_MAX_SIZE value is as per current stronger algorithm available
+ * so make sure that mbed TLS MD maximum size must be lesser than this.
+ */
+CASSERT(CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE,
+ assert_mbedtls_md_size_overflow);
+
+#endif /* MEASURED_BOOT */
+
/*
* AlgorithmIdentifier ::= SEQUENCE {
* algorithm OBJECT IDENTIFIER,
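Review bot: The comment above the new CASSERT does not match the condition it describes: the assertion accepts `MBEDTLS_MD_MAX_SIZE == CRYPTO_MD_MAX_SIZE`, but the text says the Mbed TLS size "must be lesser than this", and "current stronger algorithm" reads as a comparison. I would reword it to `CRYPTO_MD_MAX_SIZE is sized for the strongest algorithm in enum crypto_md_algo; the Mbed TLS digest size must not exceed it, otherwise mbedtls_md() could write past a CRYPTO_MD_MAX_SIZE buffer.` That makes the overflow the assertion guards against explicit for the next reader.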
@@ -211,21 +221,45 @@
#if MEASURED_BOOT
/*
+ * Map a generic crypto message digest algorithm to the corresponding macro used
+ * by Mbed TLS.
+ */
+static inline mbedtls_md_type_t md_type(enum crypto_md_algo algo)
+{
+ switch (algo) {
+ case CRYPTO_MD_SHA512:
+ return MBEDTLS_MD_SHA512;
+ case CRYPTO_MD_SHA384:
+ return MBEDTLS_MD_SHA384;
+ case CRYPTO_MD_SHA256:
+ return MBEDTLS_MD_SHA256;
+ default:
+ /* Invalid hash algorithm. */
+ return MBEDTLS_MD_NONE;
+ }
+}
+
+/*
* Calculate a hash
*
* output points to the computed hash
*/
-int calc_hash(unsigned int alg, void *data_ptr,
- unsigned int data_len, unsigned char *output)
+static int calc_hash(enum crypto_md_algo md_algo, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE])
{
const mbedtls_md_info_t *md_info;
- md_info = mbedtls_md_info_from_type((mbedtls_md_type_t)alg);
+ md_info = mbedtls_md_info_from_type(md_type(md_algo));
if (md_info == NULL) {
return CRYPTO_ERR_HASH;
}
- /* Calculate the hash of the data */
+ /*
+ * Calculate the hash of the data, it is safe to pass the
+ * 'output' hash buffer pointer considering its size is always
+ * bigger than or equal to MBEDTLS_MD_MAX_SIZE.
+ */
return mbedtls_md(md_info, data_ptr, data_len, output);
}
#endif /* MEASURED_BOOT */
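Review bot: The new comment in calc_hash states that passing `output` to mbedtls_md() is safe because the buffer is always at least MBEDTLS_MD_MAX_SIZE, but nothing in this function establishes that; the guarantee comes from the CASSERT against CRYPTO_MD_MAX_SIZE earlier in this file together with the caller honouring the array bound in the signature, which C does not enforce. I would name the source of the guarantee in the comment, e.g. `Safe to pass 'output' directly: the CASSERT at the top of this file guarantees CRYPTO_MD_MAX_SIZE >= MBEDTLS_MD_MAX_SIZE, and callers must supply a CRYPTO_MD_MAX_SIZE buffer.` In md_type the default branch maps an unknown enumerator to MBEDTLS_MD_NONE, which mbedtls_md_info_from_type() turns into NULL and calc_hash into CRYPTO_ERR_HASH, so the failure is caught; a short comment saying that the NONE value is deliberately rejected by the md_info check below would save the reader tracing it.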
diff --git a/drivers/measured_boot/event_log/event_log.c b/drivers/measured_boot/event_log/event_log.c
index 52ed278..792f235 100644
--- a/drivers/measured_boot/event_log/event_log.c
+++ b/drivers/measured_boot/event_log/event_log.c
@@ -13,10 +13,19 @@
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/measured_boot/event_log/event_log.h>
-#include <mbedtls/md.h>
#include <plat/common/platform.h>
+#if TPM_ALG_ID == TPM_ALG_SHA512
+#define CRYPTO_MD_ID CRYPTO_MD_SHA512
+#elif TPM_ALG_ID == TPM_ALG_SHA384
+#define CRYPTO_MD_ID CRYPTO_MD_SHA384
+#elif TPM_ALG_ID == TPM_ALG_SHA256
+#define CRYPTO_MD_ID CRYPTO_MD_SHA256
+#else
+# error Invalid TPM algorithm.
+#endif /* TPM_ALG_ID */
+
/* Running Event Log Pointer */
static uint8_t *log_ptr;
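Review bot: The new `#if TPM_ALG_ID == TPM_ALG_SHA512` chain silently selects the wrong digest if the TPM_ALG_* constants are not visible at this point, because the preprocessor evaluates an undefined identifier as 0 and `0 == 0` takes the first branch. TPM_ALG_ID is injected from the makefile, but the TPM_ALG_SHA* values presumably come from a header reached through event_log.h, which is not shown here, so the dependency is implicit. I would add a guard before the chain: `#if !defined(TPM_ALG_ID) || !defined(TPM_ALG_SHA256)` / `#error TPM algorithm identifiers are not defined.` / `#endif`, or build the driver with -Wundef so the case cannot pass unnoticed.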
@@ -245,7 +254,7 @@
int event_log_measure_and_record(uintptr_t data_base, uint32_t data_size,
uint32_t data_id)
{
- unsigned char hash_data[MBEDTLS_MD_MAX_SIZE];
+ unsigned char hash_data[CRYPTO_MD_MAX_SIZE];
int rc;
const event_log_metadata_t *metadata_ptr = plat_metadata_ptr;
@@ -257,8 +266,8 @@
assert(metadata_ptr->id != EVLOG_INVALID_ID);
/* Calculate hash */
- rc = crypto_mod_calc_hash((unsigned int)MBEDTLS_MD_ID,
- (void *)data_base, data_size, hash_data);
+ rc = crypto_mod_calc_hash(CRYPTO_MD_ID,
+ (void *)data_base, data_size, hash_data);
if (rc != 0) {
return rc;
}
diff --git a/drivers/measured_boot/event_log/event_log.mk b/drivers/measured_boot/event_log/event_log.mk
index 37e5e29..d3fbbb5 100644
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@@ -12,35 +12,24 @@
TPM_HASH_ALG := sha256
ifeq (${TPM_HASH_ALG}, sha512)
- MBEDTLS_MD_ID := MBEDTLS_MD_SHA512
TPM_ALG_ID := TPM_ALG_SHA512
TCG_DIGEST_SIZE := 64U
else ifeq (${TPM_HASH_ALG}, sha384)
- MBEDTLS_MD_ID := MBEDTLS_MD_SHA384
TPM_ALG_ID := TPM_ALG_SHA384
TCG_DIGEST_SIZE := 48U
else
- MBEDTLS_MD_ID := MBEDTLS_MD_SHA256
TPM_ALG_ID := TPM_ALG_SHA256
TCG_DIGEST_SIZE := 32U
-endif
+endif #TPM_HASH_ALG
-
-# Set definitions for mbed TLS library and Measured Boot driver
+# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
$(sort \
- MBEDTLS_MD_ID \
TPM_ALG_ID \
TCG_DIGEST_SIZE \
EVENT_LOG_LEVEL \
)))
-ifeq (${HASH_ALG}, sha256)
- ifneq (${TPM_HASH_ALG}, sha256)
- $(eval $(call add_define,MBEDTLS_SHA512_C))
- endif
-endif
-
MEASURED_BOOT_SRC_DIR := drivers/measured_boot/event_log/
MEASURED_BOOT_SOURCES := ${MEASURED_BOOT_SRC_DIR}event_log.c \
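Review bot: The final `else` branch still maps any TPM_HASH_ALG value other than sha512 or sha384 to TPM_ALG_SHA256 and a 32-byte digest, so a misspelt or unsupported value is silently accepted here, while the mbedtls_common.mk change in this commit rejects such values with an error. Since this file is now included first, I would make it equally strict: change the `else` to `else ifeq (${TPM_HASH_ALG}, sha256)` and append `else` / `$(error "Unsupported TPM_HASH_ALG value: ${TPM_HASH_ALG}")` before the endif. Note also that the removed MBEDTLS_SHA512_C logic now lives in mbedtls_config.h, so a platform using a non-Mbed TLS crypto library must provide the equivalent on its own.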
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h
index 71cf673..cdcf504 100644
--- a/include/drivers/auth/crypto_mod.h
+++ b/include/drivers/auth/crypto_mod.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2021, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -25,6 +25,16 @@
CRYPTO_GCM_DECRYPT = 0
};
+/* Message digest algorithm */
+enum crypto_md_algo {
+ CRYPTO_MD_SHA256,
+ CRYPTO_MD_SHA384,
+ CRYPTO_MD_SHA512,
+};
+
+/* Maximum size as per the known stronger hash algorithm i.e.SHA512 */
+#define CRYPTO_MD_MAX_SIZE 64U
+
/*
* Cryptographic library descriptor
*/
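Review bot: The comment on `CRYPTO_MD_MAX_SIZE` should tie the constant to the enum it covers, since the value 64U has to be revisited whenever an algorithm is added to enum crypto_md_algo and nothing else in the header records that. I would write `/* Maximum digest size in bytes across enum crypto_md_algo (SHA-512); update if a larger algorithm is added. */`. The new enumerators carry no values, which is fine as long as no code converts them from integers; the default branch in the Mbed TLS md_type() mapping covers that case.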
@@ -49,8 +59,9 @@
#if MEASURED_BOOT
/* Calculate a hash. Return hash value */
- int (*calc_hash)(unsigned int alg, void *data_ptr,
- unsigned int data_len, unsigned char *output);
+ int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE]);
#endif /* MEASURED_BOOT */
/*
@@ -79,8 +90,9 @@
unsigned int tag_len);
#if MEASURED_BOOT
-int crypto_mod_calc_hash(unsigned int alg, void *data_ptr,
- unsigned int data_len, unsigned char *output);
+int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE]);
/* Macro to register a cryptographic library */
#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index ad39fa9..8ad6d7a 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2015-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -71,9 +71,20 @@
#endif
#define MBEDTLS_SHA256_C
-#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+
+/*
+ * If either Trusted Boot or Measured Boot require a stronger algorithm than
+ * SHA-256, pull in SHA-512 support.
+ */
+#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
+#define MBEDTLS_SHA512_C
+#else
+ /* TBB uses SHA-256, what about measured boot? */
+#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
+ (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
#define MBEDTLS_SHA512_C
#endif
+#endif
#define MBEDTLS_VERSION_C
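Review bot: The nested `#if`/`#else`/`#if` with a stray indented comment is harder to read than the single condition it expresses, and the two `#define MBEDTLS_SHA512_C` lines are a duplicate to keep in sync. I would flatten it to `#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) || \` / `    (defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256))` followed by one `#define MBEDTLS_SHA512_C` and `#endif`, keeping the explanatory comment above it. The `defined()` check on the TPM identifier is the right choice here, because that macro only exists when MEASURED_BOOT is enabled.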
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 78efb0f..3236596 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -389,6 +389,15 @@
$(eval $(call TOOL_ADD_IMG,ns_bl2u,--fwu,FWU_))
+# Include Measured Boot makefile before any Crypto library makefile.
+# Crypto library makefile may need default definitions of Measured Boot build
+# flags present in Measured Boot makefile.
+ifeq (${MEASURED_BOOT},1)
+ MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
+ $(info Including ${MEASURED_BOOT_MK})
+ include ${MEASURED_BOOT_MK}
+endif
+
# We expect to locate the *.mk files under the directories specified below
ifeq (${ARM_CRYPTOCELL_INTEG},0)
CRYPTO_LIB_MK := drivers/auth/mbedtls/mbedtls_crypto.mk
@@ -411,8 +420,3 @@
endif
endif
-ifeq (${MEASURED_BOOT},1)
- MEASURED_BOOT_MK := drivers/measured_boot/event_log/event_log.mk
- $(info Including ${MEASURED_BOOT_MK})
- include ${MEASURED_BOOT_MK}
-endif