Support larger RSA key sizes when using MBEDTLS
Previously, TF-A could not support large RSA key sizes as the
configuration options passed to MBEDTLS prevented storing and performing
calculations with the larger, higher-precision numbers required. With
these changes to the arguments passed to MBEDTLS, TF-A now supports
using 3072 (3K) and 4096 (4K) keys in certificates.
Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f
Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
diff --git a/Makefile b/Makefile
index bcfbd65..d1376e8 100644
--- a/Makefile
+++ b/Makefile
@@ -694,6 +694,10 @@
$(eval $(call assert_numeric,ARM_ARCH_MINOR))
$(eval $(call assert_numeric,BRANCH_PROTECTION))
+ifdef KEY_SIZE
+ $(eval $(call assert_numeric,KEY_SIZE))
+endif
+
ifeq ($(filter $(SANITIZE_UB), on off trap),)
$(error "Invalid value for SANITIZE_UB: can be one of on, off, trap")
endif
diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk
index 63e65bd..f34d3d0 100644
--- a/drivers/auth/mbedtls/mbedtls_common.mk
+++ b/drivers/auth/mbedtls/mbedtls_common.mk
@@ -1,5 +1,5 @@
#
-# Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -59,6 +59,16 @@
endif
endif
+ifeq (${TF_MBEDTLS_KEY_SIZE},)
+ ifneq ($(findstring rsa,${TF_MBEDTLS_KEY_ALG}),)
+ ifeq (${KEY_SIZE},)
+ TF_MBEDTLS_KEY_SIZE := 2048
+ else
+ TF_MBEDTLS_KEY_SIZE := ${KEY_SIZE}
+ endif
+ endif
+endif
+
ifeq (${HASH_ALG}, sha384)
TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384
else ifeq (${HASH_ALG}, sha512)
@@ -79,6 +89,7 @@
# Needs to be set to drive mbed TLS configuration correctly
$(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))
+$(eval $(call add_define,TF_MBEDTLS_KEY_SIZE))
$(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID))
diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c
index da3631b..6dd4ae2 100644
--- a/drivers/auth/tbbr/tbbr_cot.c
+++ b/drivers/auth/tbbr/tbbr_cot.c
@@ -7,6 +7,7 @@
#include <stddef.h>
#include <platform_def.h>
+#include <drivers/auth/mbedtls/mbedtls_config.h>
#include <drivers/auth/auth_mod.h>
#if USE_TBBR_DEFS
@@ -19,7 +20,22 @@
/*
* Maximum key and hash sizes (in DER format)
*/
+#if TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE == 1024
+#define PK_DER_LEN 162
+#elif TF_MBEDTLS_KEY_SIZE == 2048
#define PK_DER_LEN 294
+#elif TF_MBEDTLS_KEY_SIZE == 3072
+#define PK_DER_LEN 422
+#elif TF_MBEDTLS_KEY_SIZE == 4096
+#define PK_DER_LEN 550
+#else
+#error "Invalid value for TF_MBEDTLS_KEY_SIZE"
+#endif
+#else
+#define PK_DER_LEN 294
+#endif
+
#define HASH_DER_LEN 83
/*
diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h
index f7248f9..6e179bb 100644
--- a/include/drivers/auth/mbedtls/mbedtls_config.h
+++ b/include/drivers/auth/mbedtls/mbedtls_config.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*/
@@ -13,6 +13,11 @@
#define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3
+#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+
/*
* Hash algorithms currently supported on mbed TLS libraries
*/
@@ -54,19 +59,14 @@
#define MBEDTLS_PLATFORM_C
-#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA)
+#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
-#define MBEDTLS_RSA_C
-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#endif
+#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
-#define MBEDTLS_ECDSA_C
-#define MBEDTLS_ECP_C
-#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif
#define MBEDTLS_SHA256_C
@@ -80,11 +80,20 @@
#define MBEDTLS_X509_CRT_PARSE_C
/* MPI / BIGNUM options */
-#define MBEDTLS_MPI_WINDOW_SIZE 2
-#define MBEDTLS_MPI_MAX_SIZE 256
+#define MBEDTLS_MPI_WINDOW_SIZE 2
+
+#if TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define MBEDTLS_MPI_MAX_SIZE 256
+#else
+#define MBEDTLS_MPI_MAX_SIZE 512
+#endif
+#else
+#define MBEDTLS_MPI_MAX_SIZE 256
+#endif
/* Memory buffer allocator options */
-#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
@@ -95,13 +104,17 @@
/*
* Determine Mbed TLS heap size
* 13312 = 13*1024
- * 7168 = 7*1024
+ * 11264 = 11*1024
+ * 7168 = 7*1024
*/
-#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \
- || (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE U(13312)
-#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA)
+#elif TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE U(7168)
+#else
+#define TF_MBEDTLS_HEAP_SIZE U(11264)
+#endif
#endif
#endif /* MBEDTLS_CONFIG_H */