diff --git a/docs/about/release-information.rst b/docs/about/release-information.rst index 654d65fd1..d81410458 100644 --- a/docs/about/release-information.rst +++ b/docs/about/release-information.rst @@ -81,8 +81,6 @@ after which it will be removed. | | Date | after | | | | | Release | | +================================+=============+=========+=========================================================+ -| Mbedtls-2.x | 2.10 | 2.10 | Support for TF-A builds with Mbedtls-2.x will be removed| -+--------------------------------+-------------+---------+---------------------------------------------------------+ | STM32MP15_OPTEE_RSV_SHM | 2.10 | 3.0 | OP-TEE manages its own memory on STM32MP15 | +--------------------------------+-------------+---------+---------------------------------------------------------+ @@ -103,4 +101,4 @@ after which it will be removed. -------------- -*Copyright (c) 2018-2023, Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2018-2024, Arm Limited and Contributors. All rights reserved.* diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index a2c643039..2bb23f961 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2015-2023, Arm Limited. All rights reserved. +# Copyright (c) 2015-2024, Arm Limited. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -19,16 +19,15 @@ MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" ${MBEDTLS_DIR}/inc MBEDTLS_MINOR=$(shell grep -hP "define MBEDTLS_VERSION_MINOR" ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)') $(info MBEDTLS_VERSION_MAJOR is [${MBEDTLS_MAJOR}] MBEDTLS_VERSION_MINOR is [${MBEDTLS_MINOR}]) +ifneq (${MBEDTLS_MAJOR}, 3) + $(error Error: TF-A only supports MbedTLS versions > 3.x) +endif + # Specify mbed TLS configuration file -ifeq (${MBEDTLS_MAJOR}, 2) - $(info Deprecation Notice: Please migrate to Mbedtls version 3.x (refer to TF-A documentation for the exact version number)) - MBEDTLS_CONFIG_FILE ?= "" -else ifeq (${MBEDTLS_MAJOR}, 3) - ifeq (${PSA_CRYPTO},1) - MBEDTLS_CONFIG_FILE ?= "" - else - MBEDTLS_CONFIG_FILE ?= "" - endif +ifeq (${PSA_CRYPTO},1) + MBEDTLS_CONFIG_FILE ?= "" +else + MBEDTLS_CONFIG_FILE ?= "" endif $(eval $(call add_define,MBEDTLS_CONFIG_FILE)) @@ -42,11 +41,13 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ cipher.c \ cipher_wrap.c \ constant_time.c \ + hash_info.c \ memory_buffer_alloc.c \ oid.c \ platform.c \ platform_util.c \ bignum.c \ + bignum_core.c \ gcm.c \ md.c \ pk.c \ @@ -59,28 +60,17 @@ LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ ecp_curves.c \ ecp.c \ rsa.c \ + rsa_alt_helpers.c \ x509.c \ x509_crt.c \ ) -ifeq (${MBEDTLS_MAJOR}, 2) - LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ - rsa_internal.c \ - ) -else ifeq (${MBEDTLS_MAJOR}, 3) - LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ - bignum_core.c \ - rsa_alt_helpers.c \ - hash_info.c \ - ) - - # Currently on Mbedtls-3 there is outstanding bug due to usage - # of redundant declaration[1], So disable redundant-decls - # compilation flag to avoid compilation error when compiling with - # Mbedtls-3. - # [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910 - LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls -endif +# Currently on Mbedtls-3 there is outstanding bug due to usage +# of redundant declaration[1], So disable redundant-decls +# compilation flag to avoid compilation error when compiling with +# Mbedtls-3. +# [1]: https://github.com/Mbed-TLS/mbedtls/issues/6910 +LIBMBEDTLS_CFLAGS += -Wno-error=redundant-decls ifeq (${PSA_CRYPTO},1) LIBMBEDTLS_SRCS += $(addprefix ${MBEDTLS_DIR}/library/, \ diff --git a/include/drivers/auth/mbedtls/mbedtls_config-2.h b/include/drivers/auth/mbedtls/mbedtls_config-2.h deleted file mode 100644 index 01e261a96..000000000 --- a/include/drivers/auth/mbedtls/mbedtls_config-2.h +++ /dev/null @@ -1,152 +0,0 @@ -/* - * Copyright (c) 2015-2022, Arm Limited. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H - -/* - * Key algorithms currently supported on mbed TLS libraries - */ -#define TF_MBEDTLS_RSA 1 -#define TF_MBEDTLS_ECDSA 2 -#define TF_MBEDTLS_RSA_AND_ECDSA 3 - -#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \ - || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) -#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \ - || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) - -/* - * Hash algorithms currently supported on mbed TLS libraries - */ -#define TF_MBEDTLS_SHA256 1 -#define TF_MBEDTLS_SHA384 2 -#define TF_MBEDTLS_SHA512 3 - -/* - * Configuration file to build mbed TLS with the required features for - * Trusted Boot - */ - -#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */ -#define MBEDTLS_PLATFORM_SNPRINTF_ALT - -#define MBEDTLS_PKCS1_V21 - -#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION -#define MBEDTLS_X509_CHECK_KEY_USAGE -#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C - -#define MBEDTLS_BASE64_C -#define MBEDTLS_BIGNUM_C - -#define MBEDTLS_ERROR_C -#define MBEDTLS_MD_C - -#define MBEDTLS_MEMORY_BUFFER_ALLOC_C -#define MBEDTLS_OID_C - -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_WRITE_C - -#define MBEDTLS_PLATFORM_C - -#if TF_MBEDTLS_USE_ECDSA -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_NO_INTERNAL_RNG -#endif -#if TF_MBEDTLS_USE_RSA -#define MBEDTLS_RSA_C -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#endif - -#define MBEDTLS_SHA256_C - -/* - * If either Trusted Boot or Measured Boot require a stronger algorithm than - * SHA-256, pull in SHA-512 support. - */ -#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */ -#define MBEDTLS_SHA512_C -#else - /* TBB uses SHA-256, what about measured boot? */ -#if defined(TF_MBEDTLS_MBOOT_USE_SHA512) -#define MBEDTLS_SHA512_C -#endif -#endif - -#define MBEDTLS_VERSION_C - -#define MBEDTLS_X509_USE_C -#define MBEDTLS_X509_CRT_PARSE_C - -#if TF_MBEDTLS_USE_AES_GCM -#define MBEDTLS_AES_C -#define MBEDTLS_CIPHER_C -#define MBEDTLS_GCM_C -#endif - -/* MPI / BIGNUM options */ -#define MBEDTLS_MPI_WINDOW_SIZE 2 - -#if TF_MBEDTLS_USE_RSA -#if TF_MBEDTLS_KEY_SIZE <= 2048 -#define MBEDTLS_MPI_MAX_SIZE 256 -#else -#define MBEDTLS_MPI_MAX_SIZE 512 -#endif -#else -#define MBEDTLS_MPI_MAX_SIZE 256 -#endif - -/* Memory buffer allocator options */ -#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 - -/* - * Prevent the use of 128-bit division which - * creates dependency on external libraries. - */ -#define MBEDTLS_NO_UDBL_DIVISION - -#ifndef __ASSEMBLER__ -/* System headers required to build mbed TLS with the current configuration */ -#include -#include -#endif - -/* - * Determine Mbed TLS heap size - * 13312 = 13*1024 - * 11264 = 11*1024 - * 7168 = 7*1024 - */ -#if TF_MBEDTLS_USE_ECDSA -#define TF_MBEDTLS_HEAP_SIZE U(13312) -#elif TF_MBEDTLS_USE_RSA -#if TF_MBEDTLS_KEY_SIZE <= 2048 -#define TF_MBEDTLS_HEAP_SIZE U(7168) -#else -#define TF_MBEDTLS_HEAP_SIZE U(11264) -#endif -#endif - -/* - * Warn if errors from certain functions are ignored. - * - * The warnings are always enabled (where supported) for critical functions - * where ignoring the return value is almost always a bug. This macro extends - * the warnings to more functions. - */ -#define MBEDTLS_CHECK_RETURN_WARNING - -#endif /* MBEDTLS_CONFIG_H */ diff --git a/plat/st/common/common.mk b/plat/st/common/common.mk index f49112dcb..b9b62c03f 100644 --- a/plat/st/common/common.mk +++ b/plat/st/common/common.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2023, STMicroelectronics - All Rights Reserved +# Copyright (c) 2023-2024, STMicroelectronics - All Rights Reserved # # SPDX-License-Identifier: BSD-3-Clause # @@ -183,12 +183,10 @@ ifneq (${MBEDTLS_DIR},) MBEDTLS_MAJOR=$(shell grep -hP "define MBEDTLS_VERSION_MAJOR" \ ${MBEDTLS_DIR}/include/mbedtls/*.h | grep -oe '\([0-9.]*\)') -ifeq (${MBEDTLS_MAJOR}, 2) -MBEDTLS_CONFIG_FILE ?= "" -endif - ifeq (${MBEDTLS_MAJOR}, 3) MBEDTLS_CONFIG_FILE ?= "" +else +$(error Error: TF-A only supports MbedTLS versions > 3.x) endif endif diff --git a/plat/st/common/include/stm32mp_mbedtls_config-2.h b/plat/st/common/include/stm32mp_mbedtls_config-2.h deleted file mode 100644 index 66ff3465a..000000000 --- a/plat/st/common/include/stm32mp_mbedtls_config-2.h +++ /dev/null @@ -1,119 +0,0 @@ -/* - * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved - * - * SPDX-License-Identifier: BSD-3-Clause - */ -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H - -/* - * Key algorithms currently supported on mbed TLS libraries - */ -#define TF_MBEDTLS_USE_RSA 0 -#define TF_MBEDTLS_USE_ECDSA 1 - -/* - * Hash algorithms currently supported on mbed TLS libraries - */ -#define TF_MBEDTLS_SHA256 1 -#define TF_MBEDTLS_SHA384 2 -#define TF_MBEDTLS_SHA512 3 - -/* - * Configuration file to build mbed TLS with the required features for - * Trusted Boot - */ - -#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS -/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */ -#define MBEDTLS_PLATFORM_SNPRINTF_ALT - -#define MBEDTLS_PKCS1_V21 - -#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION -#define MBEDTLS_X509_CHECK_KEY_USAGE -#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE - -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C - -#define MBEDTLS_BASE64_C -#define MBEDTLS_BIGNUM_C - -#define MBEDTLS_ERROR_C -#define MBEDTLS_MD_C - -#define MBEDTLS_MEMORY_BUFFER_ALLOC_C -#define MBEDTLS_OID_C - -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PK_WRITE_C - -#define MBEDTLS_PLATFORM_C - -#if TF_MBEDTLS_USE_ECDSA -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_NO_INTERNAL_RNG -#endif -#if TF_MBEDTLS_USE_RSA -#define MBEDTLS_RSA_C -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#endif - -#define MBEDTLS_SHA256_C -#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) -#define MBEDTLS_SHA512_C -#endif - -#define MBEDTLS_VERSION_C - -#define MBEDTLS_X509_USE_C -#define MBEDTLS_X509_CRT_PARSE_C - -#if TF_MBEDTLS_USE_AES_GCM -#define MBEDTLS_AES_C -#define MBEDTLS_CIPHER_C -#define MBEDTLS_GCM_C -#endif - -/* MPI / BIGNUM options */ -#define MBEDTLS_MPI_WINDOW_SIZE 2 - -#if TF_MBEDTLS_USE_RSA -#if TF_MBEDTLS_KEY_SIZE <= 2048 -#define MBEDTLS_MPI_MAX_SIZE 256 -#else -#define MBEDTLS_MPI_MAX_SIZE 512 -#endif -#else -#define MBEDTLS_MPI_MAX_SIZE 256 -#endif - -/* Memory buffer allocator options */ -#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 - -/* - * Prevent the use of 128-bit division which - * creates dependency on external libraries. - */ -#define MBEDTLS_NO_UDBL_DIVISION - -#ifndef __ASSEMBLER__ -/* System headers required to build mbed TLS with the current configuration */ -#include -#include -#endif - -/* - * Mbed TLS heap size is smal as we only use the asn1 - * parsing functions - * digest, signature and crypto algorithm are done by - * other library. - */ - -#define TF_MBEDTLS_HEAP_SIZE U(5120) -#endif /* MBEDTLS_CONFIG_H */