Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / 9dede0821a8f6a360e27f784ec5f5dede9a193d0^! / . / plat / arm / board
commit9dede0821a8f6a360e27f784ec5f5dede9a193d0[log] [tgz]
authorManish V Badarkhe <Manish.Badarkhe@arm.com>Fri Sep 06 10:53:54 2024 +0100
committerManish V Badarkhe <Manish.Badarkhe@arm.com>Mon Sep 09 11:22:28 2024 +0100
treebc3d64dadfa356212aad125b710e4f2843404069
parentd44943c59bec631f2ca1c8cd3d38ffaf04c51fd5 [diff]
fix(arm): add extra hash config to validate ROTPK

The default mbedTLS configuration enables hash algorithms based on
the HASH_ALG or MBOOT_EL_HASH_ALG selected. However, the Arm ROTPK
is always embedded as a SHA256 hash in BL1 and BL2. In the future,
we may need to adjust this to use the HASH_ALG algorithm for
embedding the ROTPK hash.

As a temporary workaround, a separate mbedTLS configuration has
been created for Arm platforms to explicitly set SHA256 defines,
rather than relying on the default configuration. This adjustment
is reflected in the mbedTLS configuration file for the TC platform
as well as in the PSA Crypto configuration file.

Change-Id: Ib3128ce7b0fb5c0858624ecbc998d456968beddf
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>

diff --git a/plat/arm/board/fvp_r/platform.mk b/plat/arm/board/fvp_r/platform.mk
index f14ea54..71cb9e2 100644
--- a/plat/arm/board/fvp_r/platform.mk
+++ b/plat/arm/board/fvp_r/platform.mk

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2021, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2024, Arm Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -25,7 +25,7 @@
 include plat/arm/board/common/board_common.mk
 include plat/arm/common/arm_common.mk
 
-PLAT_INCLUDES		:=	-Iplat/arm/board/fvp_r/include
+PLAT_INCLUDES		+=	-Iplat/arm/board/fvp_r/include
 
 FVP_R_BL_COMMON_SOURCES	:=	plat/arm/board/fvp_r/fvp_r_common.c		\
 				plat/arm/board/fvp_r/fvp_r_context_mgmt.c	\

diff --git a/plat/arm/board/tc/plat_tc_mbedtls_config.h b/plat/arm/board/tc/plat_tc_mbedtls_config.h
index de7b1aa..4fd8b6b 100644
--- a/plat/arm/board/tc/plat_tc_mbedtls_config.h
+++ b/plat/arm/board/tc/plat_tc_mbedtls_config.h

@@ -21,6 +21,20 @@
 #endif
 #endif /* TF_MBEDTLS_HEAP_SIZE */
 
+/**
+ * On Arm TC platforms, the ROTPK is always hashed using the SHA-256
+ * algorithm.
+ * TODO: Update to hash the ROTPK with the selected HASH_ALG to avoid
+ * the need for explicitly enabling the SHA-256 configuration in mbedTLS.
+ */
+#define MBEDTLS_SHA256_C
+
+/*
+ * Use an implementation of SHA-256 with a smaller memory footprint
+ * but reduced speed.
+ */
+#define MBEDTLS_SHA256_SMALLER
+
 #define MBEDTLS_PSA_CRYPTO_C
 #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
 #define MBEDTLS_ECP_C