diff --git a/docs/auth-framework.rst b/docs/auth-framework.rst index 765d9f8..3a054c7 100644 --- a/docs/auth-framework.rst +++ b/docs/auth-framework.rst @@ -921,9 +921,12 @@ int verify_hash(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); -The key algorithm (rsa, ecdsa) must be specified in the build system using the -``TF_MBEDTLS_KEY_ALG`` variable, so the Makefile can include the corresponding -sources in the build. +The mbedTLS library algorithm support is configured by the +``TF_MBEDTLS_KEY_ALG`` variable which can take in 3 values: `rsa`, `ecdsa` or +`rsa+ecdsa`. This variable allows the Makefile to include the corresponding +sources in the build for the various algorthms. Setting the variable to +`rsa+ecdsa` enables support for both rsa and ecdsa algorithms in the mbedTLS +library. Note: If code size is a concern, the build option ``MBEDTLS_SHA256_SMALLER`` can be defined in the platform Makefile. It will make mbed TLS use an implementation @@ -931,7 +934,7 @@ -------------- -*Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.* +*Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.* .. _Trusted Board Boot: ./trusted-board-boot.rst .. _Platform Porting Guide: ./porting-guide.rst diff --git a/drivers/auth/mbedtls/mbedtls_common.c b/drivers/auth/mbedtls/mbedtls_common.c index cc57af3..205c243 100644 --- a/drivers/auth/mbedtls/mbedtls_common.c +++ b/drivers/auth/mbedtls/mbedtls_common.c @@ -14,7 +14,8 @@ /* * mbed TLS heap */ -#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) +#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \ + || (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) #define MBEDTLS_HEAP_SIZE (13*1024) #elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) #define MBEDTLS_HEAP_SIZE (7*1024) diff --git a/drivers/auth/mbedtls/mbedtls_crypto.mk b/drivers/auth/mbedtls/mbedtls_crypto.mk index 21b857b..d6fc7eb 100644 --- a/drivers/auth/mbedtls/mbedtls_crypto.mk +++ b/drivers/auth/mbedtls/mbedtls_crypto.mk @@ -41,18 +41,26 @@ ) # Key algorithm specific files +MBEDTLS_ECDSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ + ecdsa.c \ + ecp_curves.c \ + ecp.c \ + ) + +MBEDTLS_RSA_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ + rsa.c \ + ) + ifeq (${TF_MBEDTLS_KEY_ALG},ecdsa) - MBEDTLS_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ - ecdsa.c \ - ecp_curves.c \ - ecp.c \ - ) + MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_ECDSA_CRYPTO_SOURCES) TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_ECDSA else ifeq (${TF_MBEDTLS_KEY_ALG},rsa) - MBEDTLS_CRYPTO_SOURCES += $(addprefix ${MBEDTLS_DIR}/library/, \ - rsa.c \ - ) + MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_RSA_CRYPTO_SOURCES) TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_RSA +else ifeq (${TF_MBEDTLS_KEY_ALG},rsa+ecdsa) + MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_ECDSA_CRYPTO_SOURCES) + MBEDTLS_CRYPTO_SOURCES += $(MBEDTLS_RSA_CRYPTO_SOURCES) + TF_MBEDTLS_KEY_ALG_ID := TF_MBEDTLS_RSA_AND_ECDSA else $(error "TF_MBEDTLS_KEY_ALG=${TF_MBEDTLS_KEY_ALG} not supported on mbed TLS") endif diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h index 7aa4dee..ca2d9fa 100644 --- a/include/drivers/auth/mbedtls/mbedtls_config.h +++ b/include/drivers/auth/mbedtls/mbedtls_config.h @@ -11,6 +11,7 @@ */ #define TF_MBEDTLS_RSA 1 #define TF_MBEDTLS_ECDSA 2 +#define TF_MBEDTLS_RSA_AND_ECDSA 3 /* * Configuration file to build mbed TLS with the required features for @@ -56,6 +57,12 @@ #elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) #define MBEDTLS_RSA_C #define MBEDTLS_X509_RSASSA_PSS_SUPPORT +#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#define MBEDTLS_RSA_C +#define MBEDTLS_X509_RSASSA_PSS_SUPPORT +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED #endif #define MBEDTLS_SHA256_C