/*
 * Copyright (c) 2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/**
 * This set of compile-time options may be used to enable
 * or disable features selectively, and reduce the global
 * memory footprint.
 *
 * The selectors TF_MBEDTLS_KEY_ALG_ID, TF_MBEDTLS_KEY_SIZE,
 * TF_MBEDTLS_HASH_ALG_ID, TF_MBEDTLS_MBOOT_USE_SHA512 and
 * TF_MBEDTLS_USE_AES_GCM are tested below but never defined in this file;
 * presumably the build system supplies them - confirm against the makefiles.
 * Inside #if, an identifier that is not defined evaluates to 0, so a missing
 * selector silently takes the "disabled"/fallback branch instead of failing
 * the build.
 */

/*
 * Key algorithms currently supported on mbed TLS libraries
 *
 * These are the values TF_MBEDTLS_KEY_ALG_ID is compared against.
 */
#define TF_MBEDTLS_RSA			1
#define TF_MBEDTLS_ECDSA		2
#define TF_MBEDTLS_RSA_AND_ECDSA	3

/*
 * Convenience predicates for use in #if. TF_MBEDTLS_RSA_AND_ECDSA makes both
 * true. If TF_MBEDTLS_KEY_ALG_ID is undefined or holds any other value, both
 * are false and no signature algorithm is compiled in by this file.
 */
#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
		|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)

/*
 * Hash algorithms currently supported on mbed TLS libraries
 *
 * These are the values TF_MBEDTLS_HASH_ALG_ID is compared against.
 */
#define TF_MBEDTLS_SHA256		1
#define TF_MBEDTLS_SHA384		2
#define TF_MBEDTLS_SHA512		3

/*
 * Configuration file to build mbed TLS with the required features for
 * Trusted Boot
 */

/*
 * Route the library's platform services (memory allocation, snprintf)
 * through replaceable hooks rather than the standard C library defaults.
 */
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT

/*
 * PKCS#1 v2.1 (RSASSA-PSS / RSAES-OAEP) support. MBEDTLS_PKCS1_V15 is not
 * defined anywhere in this file, so unless it is enabled elsewhere the
 * legacy v1.5 RSA padding is not built.
 */
#define MBEDTLS_PKCS1_V21

#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C

#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C

/* Allocate from a static buffer; see TF_MBEDTLS_HEAP_SIZE below. */
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C

#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C

#define MBEDTLS_PLATFORM_C

/*
 * Signature algorithm modules.
 *
 * For ECDSA exactly one curve is enabled: secp384r1 when TF_MBEDTLS_KEY_SIZE
 * is 384, secp256r1 for every other value (including an undefined or
 * mistyped TF_MBEDTLS_KEY_SIZE, which does not cause a build error here).
 */
#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#if TF_MBEDTLS_KEY_SIZE == 384
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#else
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif

/* The library does not currently support enabling SHA-256 without SHA-224. */
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
/*
 * If either Trusted Boot or Measured Boot require a stronger algorithm than
 * SHA-256, pull in SHA-512 support. Library currently needs to have SHA-384
 * support when enabling SHA-512.
 *
 * Both TF_MBEDTLS_SHA384 and TF_MBEDTLS_SHA512 take the first branch, so the
 * SHA-384 and SHA-512 modules are always enabled together.
 */
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
   /* TBB uses SHA-256, what about measured boot? */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
#endif

#define MBEDTLS_VERSION_C

#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C

/* AES-GCM is compiled in only when TF_MBEDTLS_USE_AES_GCM is non-zero. */
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif

/* MPI / BIGNUM options */
#define MBEDTLS_MPI_WINDOW_SIZE			2

/*
 * Upper bound on big-number size, in bytes: 256 bytes holds a 2048-bit value,
 * 512 bytes a 4096-bit value. With RSA enabled and TF_MBEDTLS_KEY_SIZE above
 * 2048 the larger bound is used; RSA moduli above 4096 bits do not fit.
 */
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE			256
#else
#define MBEDTLS_MPI_MAX_SIZE			512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE			256
#endif

/* Memory buffer allocator options */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE		8

/*
 * Prevent the use of 128-bit division which
 * creates dependency on external libraries.
 */
#define MBEDTLS_NO_UDBL_DIVISION

/* Skip the C headers when this file is pulled into an assembly source. */
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
#include <mbedtls/check_config.h>
#endif

/*
 * Determine Mbed TLS heap size
 * 13312 = 13*1024
 * 11264 = 11*1024
 * 7168  = 7*1024
 *
 * ECDSA is tested first, so TF_MBEDTLS_RSA_AND_ECDSA builds get the ECDSA
 * figure. U() is not defined in this file and must come from elsewhere.
 *
 * NOTE(review): there is no #else branch. When neither key algorithm is
 * selected (for example TF_MBEDTLS_KEY_ALG_ID missing), TF_MBEDTLS_HEAP_SIZE
 * is left undefined here - confirm that every consumer either defines a
 * fallback or fails the build, rather than sizing the heap from an
 * unexpected default.
 */
#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE		U(13312)
#elif TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE		U(7168)
#else
#define TF_MBEDTLS_HEAP_SIZE		U(11264)
#endif
#endif

/*
 * Warn if errors from certain functions are ignored.
 *
 * The warnings are always enabled (where supported) for critical functions
 * where ignoring the return value is almost always a bug. This macro extends
 * the warnings to more functions.
 */
#define MBEDTLS_CHECK_RETURN_WARNING