Merge changes from topic "lts-v2.10.12" into lts-v2.10
* changes:
feat(mbedtls): mbedtls config update for v3.6.2
docs(prerequisites): update mbedtls to version 3.6.2
refactor(mbedtls): rename default mbedtls confs
fix(arm): add extra hash config to validate ROTPK
diff --git a/docs/getting_started/prerequisites.rst b/docs/getting_started/prerequisites.rst
index ab28ede..51723ea 100644
--- a/docs/getting_started/prerequisites.rst
+++ b/docs/getting_started/prerequisites.rst
@@ -77,7 +77,7 @@
The following libraries are required for Trusted Board Boot and Measured Boot
support:
-- mbed TLS == 3.6.1 (tag: ``mbedtls-3.6.1``)
+- mbed TLS == 3.6.2 (tag: ``mbedtls-3.6.2``)
These tools are optional:
@@ -184,7 +184,7 @@
--------------
-*Copyright (c) 2021-2023, Arm Limited. All rights reserved.*
+*Copyright (c) 2021-2025, Arm Limited. All rights reserved.*
.. _Arm Developer website: https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/downloads
.. _Gerrit Code Review: https://www.gerritcodereview.com/
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 33732db..c16abd7 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -25,9 +25,9 @@
# Specify mbed TLS configuration file
ifeq (${PSA_CRYPTO},1)
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/psa_mbedtls_config.h>"
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/default_psa_mbedtls_config.h>"
else
- MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/mbedtls_config-3.h>"
+ MBEDTLS_CONFIG_FILE ?= "<drivers/auth/mbedtls/default_mbedtls_config.h>"
endif
$(eval $(call add_define,MBEDTLS_CONFIG_FILE))
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/default_mbedtls_config.h
similarity index 96%
rename from include/drivers/auth/mbedtls/mbedtls_config-3.h
rename to include/drivers/auth/mbedtls/default_mbedtls_config.h
index 37a9288..f071f65 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config-3.h
+++ b/include/drivers/auth/mbedtls/default_mbedtls_config.h
@@ -11,6 +11,11 @@
*/
/*
+ * This file is compatible with versions >= 3.6.2
+ */
+#define MBEDTLS_CONFIG_VERSION 0x03060200
+
+/*
* Key algorithms currently supported on mbed TLS libraries
*/
#define TF_MBEDTLS_RSA 1
diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/include/drivers/auth/mbedtls/default_psa_mbedtls_config.h
similarity index 95%
rename from include/drivers/auth/mbedtls/psa_mbedtls_config.h
rename to include/drivers/auth/mbedtls/default_psa_mbedtls_config.h
index 1001d89..8926051 100644
--- a/include/drivers/auth/mbedtls/psa_mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/default_psa_mbedtls_config.h
@@ -7,7 +7,7 @@
#ifndef PSA_MBEDTLS_CONFIG_H
#define PSA_MBEDTLS_CONFIG_H
-#include "mbedtls_config-3.h"
+#include "default_mbedtls_config.h"
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
diff --git a/plat/arm/board/fvp_r/platform.mk b/plat/arm/board/fvp_r/platform.mk
index f14ea54..71cb9e2 100644
--- a/plat/arm/board/fvp_r/platform.mk
+++ b/plat/arm/board/fvp_r/platform.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -25,7 +25,7 @@
include plat/arm/board/common/board_common.mk
include plat/arm/common/arm_common.mk
-PLAT_INCLUDES := -Iplat/arm/board/fvp_r/include
+PLAT_INCLUDES += -Iplat/arm/board/fvp_r/include
FVP_R_BL_COMMON_SOURCES := plat/arm/board/fvp_r/fvp_r_common.c \
plat/arm/board/fvp_r/fvp_r_context_mgmt.c \
diff --git a/plat/arm/board/tc/plat_tc_mbedtls_config.h b/plat/arm/board/tc/plat_tc_mbedtls_config.h
index f0aa60b..73c9d3a 100644
--- a/plat/arm/board/tc/plat_tc_mbedtls_config.h
+++ b/plat/arm/board/tc/plat_tc_mbedtls_config.h
@@ -8,7 +8,7 @@
#define PLAT_TC_MBEDTLS_CONFIG_H
#include <export/lib/utils_def_exp.h>
-#include <mbedtls_config-3.h>
+#include <default_mbedtls_config.h>
#ifndef TF_MBEDTLS_HEAP_SIZE
#error TF_MBEDTLS_HEAP_SIZE is not defined
@@ -21,6 +21,20 @@
#endif
#endif
+/**
+ * On Arm TC platforms, the ROTPK is always hashed using the SHA-256
+ * algorithm.
+ * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid
+ * the need for explicitly enabling the SHA-256 configuration in mbedTLS.
+ */
+#define MBEDTLS_SHA256_C
+
+/*
+ * Use an implementation of SHA-256 with a smaller memory footprint
+ * but reduced speed.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_ENTROPY_C
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index ae0d85d..58cd4d9 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -120,10 +120,6 @@
endif
endif
-# Use an implementation of SHA-256 with a smaller memory footprint but reduced
-# speed.
-$(eval $(call add_define,MBEDTLS_SHA256_SMALLER))
-
# Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images
# in the FIP if the platform requires.
ifneq ($(BL32_EXTRA1),)
@@ -361,6 +357,17 @@
BL31_SOURCES += plat/arm/common/arm_err.c
endif
+ifneq ($(filter 1,${MEASURED_BOOT} ${TRUSTED_BOARD_BOOT} ${DRTM_SUPPORT}),)
+ PLAT_INCLUDES += -Iplat/arm/common \
+ -Iinclude/drivers/auth/mbedtls
+ # Specify mbed TLS configuration file
+ ifeq (${PSA_CRYPTO},1)
+ MBEDTLS_CONFIG_FILE ?= "<plat_arm_psa_mbedtls_config.h>"
+ else
+ MBEDTLS_CONFIG_FILE ?= "<plat_arm_mbedtls_config.h>"
+ endif
+endif
+
ifneq (${TRUSTED_BOARD_BOOT},0)
# Include common TBB sources
diff --git a/plat/arm/common/plat_arm_mbedtls_config.h b/plat/arm/common/plat_arm_mbedtls_config.h
new file mode 100644
index 0000000..c2db595
--- /dev/null
+++ b/plat/arm/common/plat_arm_mbedtls_config.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2024, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PLAT_ARM_MBEDTLS_CONFIG_H
+#define PLAT_ARM_MBEDTLS_CONFIG_H
+
+#include <default_mbedtls_config.h>
+
+/**
+ * On Arm platforms, the ROTPK is always hashed using the SHA-256
+ * algorithm.
+ * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid
+ * the need for explicitly enabling the SHA-256 configuration in mbedTLS.
+ */
+#define MBEDTLS_SHA256_C
+
+/*
+ * Use an implementation of SHA-256 with a smaller memory footprint
+ * but reduced speed.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
+#endif /* PLAT_ARM_MBEDTLS_CONFIG_H */
diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/plat/arm/common/plat_arm_psa_mbedtls_config.h
similarity index 77%
copy from include/drivers/auth/mbedtls/psa_mbedtls_config.h
copy to plat/arm/common/plat_arm_psa_mbedtls_config.h
index 1001d89..fd434c9 100644
--- a/include/drivers/auth/mbedtls/psa_mbedtls_config.h
+++ b/plat/arm/common/plat_arm_psa_mbedtls_config.h
@@ -1,13 +1,13 @@
/*
- * Copyright (c) 2023-2024, Arm Ltd. All rights reserved.
+ * Copyright (c) 2024, Arm Ltd. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
-#ifndef PSA_MBEDTLS_CONFIG_H
-#define PSA_MBEDTLS_CONFIG_H
+#ifndef PLAT_ARM_PSA_MBEDTLS_CONFIG_H
+#define PLAT_ARM_PSA_MBEDTLS_CONFIG_H
-#include "mbedtls_config-3.h"
+#include "plat_arm_mbedtls_config.h"
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
@@ -26,4 +26,4 @@
*/
#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
-#endif /* PSA_MBEDTLS_CONFIG_H */
+#endif /* PLAT_ARM_PSA_MBEDTLS_CONFIG_H */