commit aacff7498c7241696f55a9b80473e59b72d4d095
author Justin Chadwell <justin.chadwell@arm.com> Mon Jul 29 17:13:10 2019 +0100
committer Justin Chadwell <justin.chadwell@arm.com> Thu Sep 12 15:27:39 2019 +0100
tree 01615f4f69293ad2d89108796fc9c8d3f4b2e302
parent 2fc6ffc451c9af16e03eff51e779c33828e9ab07

Support larger RSA key sizes when using MBEDTLS

Previously, TF-A could not support large RSA key sizes as the
configuration options passed to MBEDTLS prevented storing and performing
calculations with the larger, higher-precision numbers required. With
these changes to the arguments passed to MBEDTLS, TF-A now supports
using 3072 (3K) and 4096 (4K) keys in certificates.

Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>

include/drivers/auth/mbedtls/mbedtls_config.h

diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index f7248f9..6e179bb 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -13,6 +13,11 @@
 #define TF_MBEDTLS_ECDSA		2
 #define TF_MBEDTLS_RSA_AND_ECDSA	3
 
+#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
+		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
+		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+
 /*
  * Hash algorithms currently supported on mbed TLS libraries
  */
@@ -54,19 +59,14 @@
 
 #define MBEDTLS_PLATFORM_C
 
-#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
+#if TF_MBEDTLS_USE_ECDSA
 #define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
+#endif
+#if TF_MBEDTLS_USE_RSA
 #define MBEDTLS_RSA_C
 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
-#define MBEDTLS_RSA_C
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #endif
 
 #define MBEDTLS_SHA256_C
@@ -80,11 +80,20 @@
 #define MBEDTLS_X509_CRT_PARSE_C
 
 /* MPI / BIGNUM options */
-#define MBEDTLS_MPI_WINDOW_SIZE              2
-#define MBEDTLS_MPI_MAX_SIZE               256
+#define MBEDTLS_MPI_WINDOW_SIZE			2
+
+#if TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define MBEDTLS_MPI_MAX_SIZE			256
+#else
+#define MBEDTLS_MPI_MAX_SIZE			512
+#endif
+#else
+#define MBEDTLS_MPI_MAX_SIZE			256
+#endif
 
 /* Memory buffer allocator options */
-#define MBEDTLS_MEMORY_ALIGN_MULTIPLE        8
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE		8
 
 #ifndef __ASSEMBLER__
 /* System headers required to build mbed TLS with the current configuration */
@@ -95,13 +104,17 @@
 /*
  * Determine Mbed TLS heap size
  * 13312 = 13*1024
- * 7168 = 7*1024
+ * 11264 = 11*1024
+ * 7168  = 7*1024
  */
-#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \
-	|| (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#if TF_MBEDTLS_USE_ECDSA
 #define TF_MBEDTLS_HEAP_SIZE		U(13312)
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
+#elif TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
 #define TF_MBEDTLS_HEAP_SIZE		U(7168)
+#else
+#define TF_MBEDTLS_HEAP_SIZE		U(11264)
+#endif
 #endif
 
 #endif /* MBEDTLS_CONFIG_H */