/*
 * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/*
 * Mbed TLS build configuration for the Trusted Boot / Measured Boot path.
 *
 * This is a deliberately minimal, verify-only profile: it enables X.509
 * certificate parsing, the public-key algorithms needed to check signatures
 * and the hash algorithms needed for image digests, and little else. No
 * entropy or DRBG module is enabled anywhere in this file, so anything that
 * needs a random source (key generation, signing, blinding with a NULL
 * f_rng) is outside the scope of this configuration.
 *
 * The TF_MBEDTLS_KEY_ALG_ID, TF_MBEDTLS_HASH_ALG_ID, TF_MBEDTLS_KEY_SIZE,
 * TF_MBEDTLS_USE_AES_GCM and TF_MBEDTLS_MBOOT_USE_SHA512 knobs are not
 * defined here; they are expected to come from the build system (presumably
 * as -D flags -- confirm against the build rules). An identifier that is
 * undefined when a #if is evaluated counts as 0, so a missing
 * TF_MBEDTLS_KEY_ALG_ID silently selects neither RSA nor ECDSA and leaves
 * TF_MBEDTLS_HEAP_SIZE undefined rather than failing loudly.
 */
#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H

/*
 * Key algorithms currently supported on mbed TLS libraries
 *
 * Values of TF_MBEDTLS_KEY_ALG_ID. TF_MBEDTLS_RSA_AND_ECDSA enables both
 * signature schemes at once, which is why TF_MBEDTLS_USE_RSA and
 * TF_MBEDTLS_USE_ECDSA below are not mutually exclusive.
 */
#define TF_MBEDTLS_RSA			1
#define TF_MBEDTLS_ECDSA		2
#define TF_MBEDTLS_RSA_AND_ECDSA	3

#define TF_MBEDTLS_USE_RSA	(TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define TF_MBEDTLS_USE_ECDSA	(TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)

/*
 * Hash algorithms currently supported on mbed TLS libraries
 *
 * Values of TF_MBEDTLS_HASH_ALG_ID (the Trusted Boot hash). Only SHA-256 has
 * its own mbed TLS module; SHA-384 and SHA-512 are both served by
 * MBEDTLS_SHA512_C, see the selection logic further down.
 */
#define TF_MBEDTLS_SHA256		1
#define TF_MBEDTLS_SHA384		2
#define TF_MBEDTLS_SHA512		3

/*
 * Configuration file to build mbed TLS with the required features for
 * Trusted Boot
 */

/*
 * Platform layer: mbed TLS must not assume a hosted libc. Memory comes
 * through the platform calloc/free hooks (backed by the static buffer
 * allocator enabled via MBEDTLS_MEMORY_BUFFER_ALLOC_C below), and none of
 * the standard-function defaults are wired up automatically.
 */
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT

/*
 * PKCS#1 v2.1 (RSAES-OAEP / RSASSA-PSS). Needed so that PSS-signed
 * certificates and images can be verified; pairs with
 * MBEDTLS_X509_RSASSA_PSS_SUPPORT in the RSA block below.
 */
#define MBEDTLS_PKCS1_V21

/*
 * X.509 policy.
 *
 * MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION relaxes RFC 5280: a
 * certificate carrying a critical extension the parser does not recognise is
 * accepted instead of rejected. Presumably required because the Trusted
 * Boot certificate chain carries custom extensions (marked critical) that
 * the boot code itself interprets -- confirm, and keep in mind that it shifts
 * the burden of checking every critical extension onto the caller.
 *
 * The two CHECK_* options make keyUsage / extendedKeyUsage enforced whenever
 * a certificate carries them.
 */
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

/* DER parsing/writing, used by the X.509 and PK layers. */
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C

#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C

#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C

/* Generic public-key wrapper plus key parse/write. */
#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C

#define MBEDTLS_PLATFORM_C

/*
 * Signature algorithm modules, selected by TF_MBEDTLS_KEY_ALG_ID.
 *
 * ECDSA: only the P-256 curve is enabled, so certificates or keys on any
 * other curve fail to parse. MBEDTLS_ECP_NO_INTERNAL_RNG drops the DRBG
 * that the ECP module would otherwise use to randomise scalar
 * multiplication when called with a NULL f_rng; such calls then run without
 * blinding. That is acceptable only while this path performs public-key
 * operations (signature verification) and never touches a private scalar --
 * NOTE(review): confirm no private-key ECP operation is built with this
 * configuration.
 *
 * RSA: the X.509 PSS option lets RSASSA-PSS signatures in certificates be
 * verified (requires MBEDTLS_PKCS1_V21 above).
 */
#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#define MBEDTLS_ECP_NO_INTERNAL_RNG
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif

/* SHA-256 is always available, whatever the selected hash algorithm. */
#define MBEDTLS_SHA256_C

/*
 * If either Trusted Boot or Measured Boot require a stronger algorithm than
 * SHA-256, pull in SHA-512 support.
 *
 * The SHA-512 module also implements SHA-384, so a single MBEDTLS_SHA512_C
 * covers both TF_MBEDTLS_SHA384 and TF_MBEDTLS_SHA512. Measured Boot has its
 * own switch (TF_MBEDTLS_MBOOT_USE_SHA512) because its hash may differ from
 * the Trusted Boot one.
 */
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
#define MBEDTLS_SHA512_C
#else
	/* TBB uses SHA-256, what about measured boot? */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA512_C
#endif
#endif

#define MBEDTLS_VERSION_C

/*
 * Certificate parsing only: no CRL or CSR support, so revocation checking,
 * if any, has to be handled outside mbed TLS.
 */
#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C

/*
 * AES-GCM, presumably for authenticated decryption of encrypted images --
 * confirm against the image loading code. GCM decryption needs no random
 * source, which keeps it consistent with the no-DRBG profile above.
 */
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif

/* MPI / BIGNUM options */
/*
 * Small sliding window for modular exponentiation: slower, but uses less
 * of the (tight) heap sized further down.
 */
#define MBEDTLS_MPI_WINDOW_SIZE		2

/*
 * Upper bound on bignum size, in bytes: 256 bytes covers RSA keys up to
 * 2048 bits, 512 bytes up to 4096 bits. Bignums that would have to grow
 * beyond this limit are rejected by the MPI layer, so an RSA key larger
 * than the configured TF_MBEDTLS_KEY_SIZE class cannot be used. The
 * ECDSA-only build keeps the 256-byte bound, far more than P-256 needs.
 */
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE		256
#else
#define MBEDTLS_MPI_MAX_SIZE		512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE		256
#endif

/* Memory buffer allocator options */
/* Alignment (bytes) of blocks handed out by the static buffer allocator. */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE		8

/*
 * Prevent the use of 128-bit division which
 * creates dependency on external libraries.
 */
#define MBEDTLS_NO_UDBL_DIVISION

/*
 * The C headers are skipped when this file is pulled into assembly, where
 * they cannot be parsed; the TF_MBEDTLS_* macros (including the heap size
 * below) stay visible to assembly. check_config.h is mbed TLS's own
 * consistency check of the MBEDTLS_* options above; it does not see the
 * heap size defined after it.
 */
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
#include <mbedtls/check_config.h>
#endif

/*
 * Determine Mbed TLS heap size
 * 13312 = 13*1024
 * 11264 = 11*1024
 * 7168 = 7*1024
 *
 * Size of the static buffer handed to the buffer allocator. The figures are
 * presumably tuned empirically per algorithm / key size -- confirm before
 * changing the MPI or window settings above, which affect peak usage. U()
 * is not defined in this file; it is presumably the platform's
 * unsigned-literal helper, which is why the macro can be evaluated from
 * both C and assembly. When TF_MBEDTLS_KEY_ALG_ID selects neither algorithm
 * no TF_MBEDTLS_HEAP_SIZE is defined at all.
 */
#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE		U(13312)
#elif TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE		U(7168)
#else
#define TF_MBEDTLS_HEAP_SIZE		U(11264)
#endif
#endif

/*
 * Warn if errors from certain functions are ignored.
 *
 * The warnings are always enabled (where supported) for critical functions
 * where ignoring the return value is almost always a bug. This macro extends
 * the warnings to more functions.
 */
#define MBEDTLS_CHECK_RETURN_WARNING

#endif /* MBEDTLS_CONFIG_H */