Merge changes from topic "mb_hash" into integration
* changes:
refactor(imx): update config of mbedtls support
refactor(qemu): update configuring mbedtls support
refactor(measured-boot): mb algorithm selection
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 3eb4161..16ce65f 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -97,18 +97,6 @@
TF_MBEDTLS_USE_AES_GCM := 0
endif
-ifeq ($(MEASURED_BOOT),1)
- ifeq (${TPM_HASH_ALG}, sha256)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA256
- else ifeq (${TPM_HASH_ALG}, sha384)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA384
- else ifeq (${TPM_HASH_ALG}, sha512)
- TF_MBEDTLS_TPM_HASH_ALG_ID := TF_MBEDTLS_SHA512
- else
- $(error "TPM_HASH_ALG not defined.")
- endif
-endif
-
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_defines,\
$(sort \
@@ -118,10 +106,6 @@
TF_MBEDTLS_USE_AES_GCM \
)))
-ifeq ($(MEASURED_BOOT),1)
- $(eval $(call add_define,TF_MBEDTLS_TPM_HASH_ALG_ID))
-endif
-
$(eval $(call MAKE_LIB,mbedtls))
endif
diff --git a/drivers/measured_boot/event_log/event_log.mk b/drivers/measured_boot/event_log/event_log.mk
index 1ff4aa8..5ea4c55 100644
--- a/drivers/measured_boot/event_log/event_log.mk
+++ b/drivers/measured_boot/event_log/event_log.mk
@@ -7,20 +7,25 @@
# Default log level to dump the event log (LOG_LEVEL_INFO)
EVENT_LOG_LEVEL ?= 40
-# TPM hash algorithm.
+# Measured Boot hash algorithm.
# SHA-256 (or stronger) is required for all devices that are TPM 2.0 compliant.
-TPM_HASH_ALG := sha256
+ifdef TPM_HASH_ALG
+ $(warning "TPM_HASH_ALG is deprecated. Please use MBOOT_EL_HASH_ALG instead.")
+ MBOOT_EL_HASH_ALG := ${TPM_HASH_ALG}
+else
+ MBOOT_EL_HASH_ALG := sha256
+endif
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_EL_HASH_ALG}, sha512)
TPM_ALG_ID := TPM_ALG_SHA512
TCG_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_EL_HASH_ALG}, sha384)
TPM_ALG_ID := TPM_ALG_SHA384
TCG_DIGEST_SIZE := 48U
else
TPM_ALG_ID := TPM_ALG_SHA256
TCG_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_EL_HASH_ALG
# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
diff --git a/drivers/measured_boot/rss/rss_measured_boot.mk b/drivers/measured_boot/rss/rss_measured_boot.mk
index 01545af..18ee836 100644
--- a/drivers/measured_boot/rss/rss_measured_boot.mk
+++ b/drivers/measured_boot/rss/rss_measured_boot.mk
@@ -6,21 +6,18 @@
# Hash algorithm for measured boot
# SHA-256 (or stronger) is required.
-# TODO: The measurement algorithm incorrectly suggests that the TPM backend
-# is used which may not be the case. It is currently being worked on and
-# soon TPM_HASH_ALG will be replaced by a more generic name.
-TPM_HASH_ALG := sha256
+MBOOT_RSS_HASH_ALG := sha256
-ifeq (${TPM_HASH_ALG}, sha512)
+ifeq (${MBOOT_RSS_HASH_ALG}, sha512)
MBOOT_ALG_ID := MBOOT_ALG_SHA512
MBOOT_DIGEST_SIZE := 64U
-else ifeq (${TPM_HASH_ALG}, sha384)
+else ifeq (${MBOOT_RSS_HASH_ALG}, sha384)
MBOOT_ALG_ID := MBOOT_ALG_SHA384
MBOOT_DIGEST_SIZE := 48U
else
MBOOT_ALG_ID := MBOOT_ALG_SHA256
MBOOT_DIGEST_SIZE := 32U
-endif #TPM_HASH_ALG
+endif #MBOOT_RSS_HASH_ALG
# Set definitions for Measured Boot driver.
$(eval $(call add_defines,\
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index 8ad6d7a..92188a2 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -80,8 +80,7 @@
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256, what about measured boot? */
-#if defined(TF_MBEDTLS_TPM_HASH_ALG_ID) && \
- (TF_MBEDTLS_TPM_HASH_ALG_ID != TF_MBEDTLS_SHA256)
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA512_C
#endif
#endif
diff --git a/plat/arm/board/fvp/platform.mk b/plat/arm/board/fvp/platform.mk
index 54c5e75..f9053a8 100644
--- a/plat/arm/board/fvp/platform.mk
+++ b/plat/arm/board/fvp/platform.mk
@@ -375,6 +375,10 @@
$(info Including ${RSS_MEASURED_BOOT_MK})
include ${RSS_MEASURED_BOOT_MK}
+ ifneq (${MBOOT_RSS_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
BL1_SOURCES += ${MEASURED_BOOT_SOURCES}
BL2_SOURCES += ${MEASURED_BOOT_SOURCES}
endif
diff --git a/plat/arm/common/arm_common.mk b/plat/arm/common/arm_common.mk
index 10b01fa..290b4ee 100644
--- a/plat/arm/common/arm_common.mk
+++ b/plat/arm/common/arm_common.mk
@@ -403,6 +403,10 @@
$(info Including ${MEASURED_BOOT_MK})
include ${MEASURED_BOOT_MK}
+ ifneq (${MBOOT_EL_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
BL1_SOURCES += ${EVENT_LOG_SOURCES}
BL2_SOURCES += ${EVENT_LOG_SOURCES}
endif
diff --git a/plat/imx/imx8m/imx8mm/platform.mk b/plat/imx/imx8m/imx8mm/platform.mk
index 0cce7ca..60fa325 100644
--- a/plat/imx/imx8m/imx8mm/platform.mk
+++ b/plat/imx/imx8m/imx8mm/platform.mk
@@ -162,6 +162,10 @@
$(info Including ${MEASURED_BOOT_MK})
include ${MEASURED_BOOT_MK}
+ifneq (${MBOOT_EL_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+endif
+
BL2_SOURCES += plat/imx/imx8m/imx8m_measured_boot.c \
plat/imx/imx8m/imx8m_dyn_cfg_helpers.c \
${EVENT_LOG_SOURCES}
diff --git a/plat/qemu/qemu/platform.mk b/plat/qemu/qemu/platform.mk
index 6a877c3..8e7f7c8 100644
--- a/plat/qemu/qemu/platform.mk
+++ b/plat/qemu/qemu/platform.mk
@@ -104,6 +104,10 @@
$(info Including ${MEASURED_BOOT_MK})
include ${MEASURED_BOOT_MK}
+ ifneq (${MBOOT_EL_HASH_ALG}, sha256)
+ $(eval $(call add_define,TF_MBEDTLS_MBOOT_USE_SHA512))
+ endif
+
BL2_SOURCES += plat/qemu/qemu/qemu_measured_boot.c \
plat/qemu/qemu/qemu_common_measured_boot.c \
plat/qemu/qemu/qemu_helpers.c \