Merge changes from topic "for_lts_v2.8.20" into lts-v2.8
* changes:
docs(prerequisites): update mbedtls version used
feat(mbedtls): update config for 3.6.0
refactor(mbedtls): remove mbedtls 2.x support
build(mbedtls): add deprecation notice
feat(mbedtls): update to 3.4.1
docs(prerequisites): update software and libraries prerequisites
feat(stm32mp1): add mbedtls-3.3 support config
refactor(fvp): minor cleanup with TRUSTED_BOARD_BOOT
feat(fvp): increase BL1_RW and BL2 size
feat(mbedtls): add support for mbedtls-3.3
refactor(mbedtls): avoid including MBEDTLS_CONFIG_FILE
feat(build): allow additional CFLAGS for library build
chore: add encrypt_fw to gitignore
diff --git a/.gitignore b/.gitignore
index cdb6441..ac9a11d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,6 +32,8 @@
tools/stm32image/stm32image
tools/stm32image/stm32image.exe
tools/sptool/__pycache__/
+tools/encrypt_fw/encrypt_fw
+tools/encrypt_fw/encrypt_fw.exe
# GNU GLOBAL files
GPATH
diff --git a/docs/about/release-information.rst b/docs/about/release-information.rst
index a9b5be0..0fb42b5 100644
--- a/docs/about/release-information.rst
+++ b/docs/about/release-information.rst
@@ -90,4 +90,4 @@
--------------
-*Copyright (c) 2018-2022, Arm Limited and Contributors. All rights reserved.*
+*Copyright (c) 2018-2024, Arm Limited and Contributors. All rights reserved.*
diff --git a/docs/getting_started/prerequisites.rst b/docs/getting_started/prerequisites.rst
index 8a6c58c..9180fb5 100644
--- a/docs/getting_started/prerequisites.rst
+++ b/docs/getting_started/prerequisites.rst
@@ -14,7 +14,7 @@
|TF-A| can be built using either a Linux or a Windows machine as the build host.
A relatively recent Linux distribution is recommended for building |TF-A|. We
-have performed tests using Ubuntu 20.04 LTS (64-bit) but other distributions
+have performed tests using Ubuntu 22.04 LTS (64-bit) but other distributions
should also work fine as a base, provided that the necessary tools and libraries
can be installed.
@@ -71,11 +71,11 @@
The following libraries are required for Trusted Board Boot and Measured Boot
support:
-- mbed TLS == 2.28.8 (tag: ``mbedtls-2.28.8``)
+- mbed TLS == 3.6.0 (tag: ``mbedtls-3.6.0``)
These tools are optional:
-- Device Tree Compiler (DTC) >= 1.4.6
+- Device Tree Compiler (DTC) >= 1.4.7
Needed if you want to rebuild the provided Flattened Device Tree (FDT)
source files (``.dts`` files). DTC is available for Linux through the package
diff --git a/drivers/auth/cca/cot.c b/drivers/auth/cca/cot.c
index d3f3087..e8f4d9c 100644
--- a/drivers/auth/cca/cot.c
+++ b/drivers/auth/cca/cot.c
@@ -1,13 +1,15 @@
/*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
+#include <mbedtls/version.h>
+
+#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
-#include MBEDTLS_CONFIG_FILE
#include <tools_share/cca_oid.h>
#include <platform_def.h>
diff --git a/drivers/auth/dualroot/cot.c b/drivers/auth/dualroot/cot.c
index 8368503..c89930c 100644
--- a/drivers/auth/dualroot/cot.c
+++ b/drivers/auth/dualroot/cot.c
@@ -1,17 +1,20 @@
/*
- * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
-#include <platform_def.h>
+#include <mbedtls/version.h>
-#include MBEDTLS_CONFIG_FILE
+#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
+
#include <tools_share/dualroot_oid.h>
+#include <platform_def.h>
+
/*
* Allocate static buffers to store the authentication parameters extracted from
* the certificates.
diff --git a/drivers/auth/mbedtls/mbedtls_common.c b/drivers/auth/mbedtls/mbedtls_common.c
index a12e49c..4f30d82 100644
--- a/drivers/auth/mbedtls/mbedtls_common.c
+++ b/drivers/auth/mbedtls/mbedtls_common.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -10,10 +10,11 @@
/* mbed TLS headers */
#include <mbedtls/memory_buffer_alloc.h>
#include <mbedtls/platform.h>
+#include <mbedtls/version.h>
#include <common/debug.h>
#include <drivers/auth/mbedtls/mbedtls_common.h>
-#include MBEDTLS_CONFIG_FILE
+
#include <plat/common/platform.h>
static void cleanup(void)
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 16ce65f..656acab 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2015-2022, Arm Limited. All rights reserved.
+# Copyright (c) 2015-2024, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -15,40 +15,50 @@
MBEDTLS_INC = -I${MBEDTLS_DIR}/include
+MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
+MBEDTLS_MINOR=$(shell grep -hP "define MBEDTLS_VERSION_MINOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
+$(info MBEDTLS_VERSION_MAJOR is [${MBEDTLS_MAJOR}] MBEDTLS_VERSION_MINOR is [${MBEDTLS_MINOR}])
+
+ifneq (${MBEDTLS_MAJOR}, 3)
+ $(error Error: TF-A only supports MbedTLS versions > 3.x)
+endif
+
# Specify mbed TLS configuration file
-MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config.h>"
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
+
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
MBEDTLS_SOURCES += drivers/auth/mbedtls/mbedtls_common.c
-
-LIBMBEDTLS_SRCS := $(addprefix ${MBEDTLS_DIR}/library/, \
- aes.c \
- asn1parse.c \
- asn1write.c \
- cipher.c \
- cipher_wrap.c \
- memory_buffer_alloc.c \
- oid.c \
- platform.c \
- platform_util.c \
- bignum.c \
- gcm.c \
- md.c \
- pk.c \
- pk_wrap.c \
- pkparse.c \
- pkwrite.c \
- sha256.c \
- sha512.c \
- ecdsa.c \
- ecp_curves.c \
- ecp.c \
- rsa.c \
- rsa_internal.c \
- x509.c \
- x509_crt.c \
- constant_time.c \
+LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \
+ aes.c \
+ asn1parse.c \
+ asn1write.c \
+ cipher.c \
+ cipher_wrap.c \
+ constant_time.c \
+ memory_buffer_alloc.c \
+ oid.c \
+ platform.c \
+ platform_util.c \
+ bignum.c \
+ bignum_core.c \
+ gcm.c \
+ md.c \
+ pk.c \
+ pk_ecc.c \
+ pk_wrap.c \
+ pkparse.c \
+ pkwrite.c \
+ sha256.c \
+ sha512.c \
+ ecdsa.c \
+ ecp_curves.c \
+ ecp.c \
+ rsa.c \
+ rsa_alt_helpers.c \
+ x509.c \
+ x509_crt.c \
)
# The platform may define the variable 'TF_MBEDTLS_KEY_ALG' to select the key
diff --git a/drivers/auth/mbedtls/mbedtls_crypto.c b/drivers/auth/mbedtls/mbedtls_crypto.c
index d231179..ac67a82 100644
--- a/drivers/auth/mbedtls/mbedtls_crypto.c
+++ b/drivers/auth/mbedtls/mbedtls_crypto.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2024, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -14,12 +14,13 @@
#include <mbedtls/memory_buffer_alloc.h>
#include <mbedtls/oid.h>
#include <mbedtls/platform.h>
+#include <mbedtls/version.h>
#include <mbedtls/x509.h>
#include <common/debug.h>
#include <drivers/auth/crypto_mod.h>
#include <drivers/auth/mbedtls/mbedtls_common.h>
-#include <drivers/auth/mbedtls/mbedtls_config.h>
+
#include <plat/common/platform.h>
#define LIB_NAME "mbed TLS"
@@ -64,6 +65,18 @@
#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \
CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC
+
+
+/*
+ * NOTE: This has been made internal in mbedtls 3.6.0 and the mbedtls team has
+ * advised that it's better to copy out the declaration than it would be to
+ * update to 3.5.2, where this function is exposed.
+ */
+int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid,
+ const mbedtls_x509_buf *sig_params,
+ mbedtls_md_type_t *md_alg,
+ mbedtls_pk_type_t *pk_alg,
+ void **sig_opts);
/*
* Verify a signature.
*
@@ -291,6 +304,7 @@
unsigned char *pt = data_ptr;
size_t dec_len;
int diff, i, rc;
+ size_t output_length __unused;
mbedtls_gcm_init(&ctx);
@@ -300,7 +314,11 @@
goto exit_gcm;
}
+#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len, NULL, 0);
+#else
+ rc = mbedtls_gcm_starts(&ctx, MBEDTLS_GCM_DECRYPT, iv, iv_len);
+#endif
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;
@@ -309,7 +327,12 @@
while (len > 0) {
dec_len = MIN(sizeof(buf), len);
+#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_update(&ctx, dec_len, pt, buf);
+#else
+ rc = mbedtls_gcm_update(&ctx, pt, dec_len, buf, sizeof(buf), &output_length);
+#endif
+
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;
@@ -320,7 +343,12 @@
len -= dec_len;
}
+#if (MBEDTLS_VERSION_MAJOR < 3)
rc = mbedtls_gcm_finish(&ctx, tag_buf, sizeof(tag_buf));
+#else
+ rc = mbedtls_gcm_finish(&ctx, NULL, 0, &output_length, tag_buf, sizeof(tag_buf));
+#endif
+
if (rc != 0) {
rc = CRYPTO_ERR_DECRYPTION;
goto exit_gcm;
diff --git a/drivers/auth/tbbr/tbbr_cot_bl1.c b/drivers/auth/tbbr/tbbr_cot_bl1.c
index 44f8638..21942b4 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl1.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl1.c
@@ -1,22 +1,24 @@
/*
- * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
-#include <platform_def.h>
-#include MBEDTLS_CONFIG_FILE
+#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
+
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
+#include <platform_def.h>
+
static auth_param_type_desc_t scp_bl2u_hash = AUTH_PARAM_TYPE_DESC(
AUTH_PARAM_HASH, SCP_FWU_CFG_HASH_OID);
static auth_param_type_desc_t bl2u_hash = AUTH_PARAM_TYPE_DESC(
diff --git a/drivers/auth/tbbr/tbbr_cot_bl1_r64.c b/drivers/auth/tbbr/tbbr_cot_bl1_r64.c
index 78e38f6..236823a 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl1_r64.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl1_r64.c
@@ -1,13 +1,14 @@
/*
- * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
+#include <mbedtls/version.h>
+
#include <drivers/auth/auth_mod.h>
-#include MBEDTLS_CONFIG_FILE
#include <drivers/auth/tbbr_cot_common.h>
#if USE_TBBR_DEFS
@@ -15,8 +16,8 @@
#else
#include <platform_oid.h>
#endif
-#include <platform_def.h>
+#include <platform_def.h>
static unsigned char trusted_world_pk_buf[PK_DER_LEN];
static unsigned char non_trusted_world_pk_buf[PK_DER_LEN];
diff --git a/drivers/auth/tbbr/tbbr_cot_bl2.c b/drivers/auth/tbbr/tbbr_cot_bl2.c
index 11e2f46..ce2aa7e 100644
--- a/drivers/auth/tbbr/tbbr_cot_bl2.c
+++ b/drivers/auth/tbbr/tbbr_cot_bl2.c
@@ -1,22 +1,24 @@
/*
- * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
-#include <platform_def.h>
-#include MBEDTLS_CONFIG_FILE
+#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
+
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
+#include <platform_def.h>
+
static unsigned char soc_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_hash_buf[HASH_DER_LEN];
static unsigned char tos_fw_extra1_hash_buf[HASH_DER_LEN];
diff --git a/drivers/auth/tbbr/tbbr_cot_common.c b/drivers/auth/tbbr/tbbr_cot_common.c
index 0983d42..8c37248 100644
--- a/drivers/auth/tbbr/tbbr_cot_common.c
+++ b/drivers/auth/tbbr/tbbr_cot_common.c
@@ -1,22 +1,23 @@
/*
- * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#include <stddef.h>
-#include <platform_def.h>
-#include MBEDTLS_CONFIG_FILE
+#include <mbedtls/version.h>
#include <drivers/auth/auth_mod.h>
#include <drivers/auth/tbbr_cot_common.h>
+
#if USE_TBBR_DEFS
#include <tools_share/tbbr_oid.h>
#else
#include <platform_oid.h>
#endif
+#include <platform_def.h>
/*
* The platform must allocate buffers to store the authentication parameters
* extracted from the certificates. In this case, because of the way the CoT is
diff --git a/include/common/tbbr/cot_def.h b/include/common/tbbr/cot_def.h
index 60dfb8a..7823ff3 100644
--- a/include/common/tbbr/cot_def.h
+++ b/include/common/tbbr/cot_def.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,9 +7,7 @@
#ifndef COT_DEF_H
#define COT_DEF_H
-#ifdef MBEDTLS_CONFIG_FILE
-#include MBEDTLS_CONFIG_FILE
-#endif
+#include <mbedtls/version.h>
/* TBBR CoT definitions */
#if defined(SPD_spmd)
diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h
index 94537f6..28aa407 100644
--- a/include/drivers/auth/auth_mod.h
+++ b/include/drivers/auth/auth_mod.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,7 +7,6 @@
#ifndef AUTH_MOD_H
#define AUTH_MOD_H
-#include <common/tbbr/cot_def.h>
#include <common/tbbr/tbbr_img_def.h>
#include <drivers/auth/auth_common.h>
#include <drivers/auth/img_parser_mod.h>
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config-3.h
similarity index 86%
rename from include/drivers/auth/mbedtls/mbedtls_config.h
rename to include/drivers/auth/mbedtls/mbedtls_config-3.h
index 01e261a..0be4b5d 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config-3.h
@@ -1,10 +1,14 @@
/*
- * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
+
+/**
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
/*
* Key algorithms currently supported on mbed TLS libraries
@@ -37,10 +41,6 @@
#define MBEDTLS_PKCS1_V21
-#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
@@ -63,24 +63,27 @@
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_NO_INTERNAL_RNG
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
+/* The library does not currently support enabling SHA-256 without SHA-224. */
+#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
-
/*
* If either Trusted Boot or Measured Boot require a stronger algorithm than
- * SHA-256, pull in SHA-512 support.
+ * SHA-256, pull in SHA-512 support. Library currently needs to have SHA_384
+ * support when enabling SHA-512.
*/
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
+#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256, what about measured boot? */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
+#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
#endif
@@ -121,7 +124,6 @@
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
-#include <mbedtls/check_config.h>
#endif
/*
@@ -148,5 +150,3 @@
* the warnings to more functions.
*/
#define MBEDTLS_CHECK_RETURN_WARNING
-
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h
index a51faee..b4f2d22 100644
--- a/include/drivers/auth/tbbr_cot_common.h
+++ b/include/drivers/auth/tbbr_cot_common.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020,2023, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,6 +7,7 @@
#ifndef TBBR_COT_COMMON_H
#define TBBR_COT_COMMON_H
+#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
diff --git a/lib/fconf/fconf_cot_getter.c b/lib/fconf/fconf_cot_getter.c
index ae59d8c..1033018 100644
--- a/lib/fconf/fconf_cot_getter.c
+++ b/lib/fconf/fconf_cot_getter.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020-2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -7,8 +7,10 @@
#include <assert.h>
#include <stddef.h>
+#include <mbedtls/version.h>
+
#include <common/fdt_wrappers.h>
-#include MBEDTLS_CONFIG_FILE
+#include <common/tbbr/cot_def.h>
#include <drivers/auth/auth_mod.h>
#include <lib/fconf/fconf.h>
#include <lib/object_pool.h>
diff --git a/make_helpers/build_macros.mk b/make_helpers/build_macros.mk
index 840714d..4a62504 100644
--- a/make_helpers/build_macros.mk
+++ b/make_helpers/build_macros.mk
@@ -302,10 +302,11 @@
define MAKE_C_LIB
$(eval OBJ := $(1)/$(patsubst %.c,%.o,$(notdir $(2))))
$(eval DEP := $(patsubst %.o,%.d,$(OBJ)))
+$(eval LIB := $(call uppercase, $(notdir $(1))))
$(OBJ): $(2) $(filter-out %.d,$(MAKEFILE_LIST)) | lib$(3)_dirs
$$(ECHO) " CC $$<"
- $$(Q)$$(CC) $$(TF_CFLAGS) $$(CFLAGS) $(MAKE_DEP) -c $$< -o $$@
+ $$(Q)$$(CC) $$($(LIB)_CFLAGS) $$(TF_CFLAGS) $$(CFLAGS) $(MAKE_DEP) -c $$< -o $$@
-include $(DEP)
diff --git a/plat/arm/board/fvp/include/platform_def.h b/plat/arm/board/fvp/include/platform_def.h
index 7559fd2..4875c00 100644
--- a/plat/arm/board/fvp/include/platform_def.h
+++ b/plat/arm/board/fvp/include/platform_def.h
@@ -16,6 +16,10 @@
#include "../fvp_def.h"
+#if TRUSTED_BOARD_BOOT
+#include MBEDTLS_CONFIG_FILE
+#endif
+
/* Required platform porting definitions */
#define PLATFORM_CORE_COUNT (U(FVP_CLUSTER_COUNT) * \
U(FVP_MAX_CPUS_PER_CLUSTER) * \
@@ -171,7 +175,11 @@
* PLAT_ARM_MAX_BL1_RW_SIZE is calculated using the current BL1 RW debug size
* plus a little space for growth.
*/
+#if TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA
+#define PLAT_ARM_MAX_BL1_RW_SIZE UL(0xC000)
+#else
#define PLAT_ARM_MAX_BL1_RW_SIZE UL(0xB000)
+#endif
/*
* PLAT_ARM_MAX_ROMLIB_RW_SIZE is define to use a full page
@@ -194,7 +202,11 @@
#if (TRUSTED_BOARD_BOOT && COT_DESC_IN_DTB) || (CRYPTO_SUPPORT && USE_ROMLIB)
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1E000) - FVP_BL2_ROMLIB_OPTIMIZATION)
#elif CRYPTO_SUPPORT
+#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) || COT_DESC_IN_DTB
+# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1E000) - FVP_BL2_ROMLIB_OPTIMIZATION)
+#else
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1D000) - FVP_BL2_ROMLIB_OPTIMIZATION)
+#endif
#elif ARM_BL31_IN_DRAM
/* When ARM_BL31_IN_DRAM is set, BL2 can use almost all of Trusted SRAM. */
# define PLAT_ARM_MAX_BL2_SIZE (UL(0x1F000) - FVP_BL2_ROMLIB_OPTIMIZATION)
diff --git a/plat/arm/common/arm_dyn_cfg.c b/plat/arm/common/arm_dyn_cfg.c
index c88621e..067109b 100644
--- a/plat/arm/common/arm_dyn_cfg.c
+++ b/plat/arm/common/arm_dyn_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2022, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2018-2023, Arm Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -8,20 +8,20 @@
#include <string.h>
#include <libfdt.h>
-#include <platform_def.h>
+#if CRYPTO_SUPPORT
+#include <mbedtls/version.h>
+#endif /* CRYPTO_SUPPORT */
#include <common/debug.h>
#include <common/desc_image_load.h>
#include <common/tbbr/tbbr_img_def.h>
-#if CRYPTO_SUPPORT
-#include MBEDTLS_CONFIG_FILE
-#endif /* CRYPTO_SUPPORT */
#include <lib/fconf/fconf.h>
#include <lib/fconf/fconf_dyn_cfg_getter.h>
#include <lib/fconf/fconf_tbbr_getter.h>
#include <plat/arm/common/arm_dyn_cfg_helpers.h>
#include <plat/arm/common/plat_arm.h>
+#include <platform_def.h>
#if CRYPTO_SUPPORT
diff --git a/plat/st/stm32mp1/include/stm32mp1_mbedtls_config.h b/plat/st/stm32mp1/include/stm32mp1_mbedtls_config-3.h
similarity index 86%
rename from plat/st/stm32mp1/include/stm32mp1_mbedtls_config.h
rename to plat/st/stm32mp1/include/stm32mp1_mbedtls_config-3.h
index 2f07621..2dbf068 100644
--- a/plat/st/stm32mp1/include/stm32mp1_mbedtls_config.h
+++ b/plat/st/stm32mp1/include/stm32mp1_mbedtls_config-3.h
@@ -1,10 +1,8 @@
/*
- * Copyright (c) 2022, STMicroelectronics - All Rights Reserved
+ * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*/
-#ifndef MBEDTLS_CONFIG_H
-#define MBEDTLS_CONFIG_H
/*
* Key algorithms currently supported on mbed TLS libraries
@@ -31,10 +29,6 @@
#define MBEDTLS_PKCS1_V21
-#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C
@@ -57,15 +51,18 @@
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#define MBEDTLS_ECP_NO_INTERNAL_RNG
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
+/* The library does not currently support enabling SHA-256 without SHA-224. */
+#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
+
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
@@ -105,7 +102,6 @@
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
-#include <mbedtls/check_config.h>
#endif
/*
@@ -116,4 +112,3 @@
*/
#define TF_MBEDTLS_HEAP_SIZE U(5120)
-#endif /* MBEDTLS_CONFIG_H */
diff --git a/plat/st/stm32mp1/platform.mk b/plat/st/stm32mp1/platform.mk
index 7eecf30..e68096c 100644
--- a/plat/st/stm32mp1/platform.mk
+++ b/plat/st/stm32mp1/platform.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2015-2022, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2024, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -381,7 +381,17 @@
endif
TF_MBEDTLS_KEY_ALG := ecdsa
-MBEDTLS_CONFIG_FILE ?= "<stm32mp1_mbedtls_config.h>"
+
+ifneq (${MBEDTLS_DIR},)
+MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" \
+${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)')
+
+ifeq (${MBEDTLS_MAJOR}, 3)
+MBEDTLS_CONFIG_FILE ?= "<stm32mp1_mbedtls_config-3.h>"
+else
+$(error Error: TF-A only supports MbedTLS versions > 3.x)
+endif
+endif
include drivers/auth/mbedtls/mbedtls_x509.mk
diff --git a/tools/marvell/doimage/doimage.c b/tools/marvell/doimage/doimage.c
index e08b820..513f33f 100644
--- a/tools/marvell/doimage/doimage.c
+++ b/tools/marvell/doimage/doimage.c
@@ -17,12 +17,6 @@
#ifdef CONFIG_MVEBU_SECURE_BOOT
#include <libconfig.h> /* for parsing config file */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
/* mbedTLS stuff */
#if defined(MBEDTLS_BIGNUM_C) && defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_SHA256_C) && \
@@ -34,6 +28,7 @@
#include <mbedtls/md.h>
#include <mbedtls/pk.h>
#include <mbedtls/sha256.h>
+#include <mbedtls/version.h>
#include <mbedtls/x509.h>
#else
#error "Bad mbedTLS configuration!"