/*
 * Copyright (c) 2023-2024, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

/**
 * Mbed TLS compile-time configuration used to build the library for
 * Trusted Boot.
 *
 * This set of compile-time options may be used to enable
 * or disable features selectively, and reduce the global
 * memory footprint.
 *
 * The following symbols are not defined in this file and are expected to
 * be supplied by the build; they select which features are pulled in:
 *
 *   TF_MBEDTLS_KEY_ALG_ID        one of TF_MBEDTLS_RSA, TF_MBEDTLS_ECDSA or
 *                                TF_MBEDTLS_RSA_AND_ECDSA (defined below)
 *   TF_MBEDTLS_KEY_SIZE          key size in bits (compared against 2048 for
 *                                RSA and 384 for ECDSA below)
 *   TF_MBEDTLS_HASH_ALG_ID       one of TF_MBEDTLS_SHA256, TF_MBEDTLS_SHA384
 *                                or TF_MBEDTLS_SHA512 (defined below)
 *   TF_MBEDTLS_MBOOT_USE_SHA512  defined when Measured Boot needs SHA-512
 *   TF_MBEDTLS_USE_AES_GCM       non-zero to build AES-GCM support
 *
 * NOTE(review): an identifier that is not defined evaluates to 0 inside
 * #if, so a missing or misspelt build value silently takes the "disabled"
 * branch of the conditionals below instead of failing the build.
 */

/*
 * Key algorithms currently supported on mbed TLS libraries
 */
#define TF_MBEDTLS_RSA 1
#define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3

/*
 * Derived switches: each is 1 when the selected key algorithm requires the
 * corresponding signature scheme, 0 otherwise (including when
 * TF_MBEDTLS_KEY_ALG_ID is undefined, see the note above).
 */
#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
        || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
        || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)

/*
 * Hash algorithms currently supported on mbed TLS libraries
 */
#define TF_MBEDTLS_SHA256 1
#define TF_MBEDTLS_SHA384 2
#define TF_MBEDTLS_SHA512 3

/*
 * Configuration file to build mbed TLS with the required features for
 * Trusted Boot
 */

/*
 * Memory comes from the platform memory layer and Mbed TLS's own buffer
 * allocator (MBEDTLS_MEMORY_BUFFER_ALLOC_C below) rather than the C
 * library; the heap it manages is presumably the one sized by
 * TF_MBEDTLS_HEAP_SIZE at the end of this file.
 */
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT

/* PKCS#1 v2.1 (RSA-PSS) support; required by MBEDTLS_X509_RSASSA_PSS_SUPPORT below. */
#define MBEDTLS_PKCS1_V21

#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C

#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C

#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C

#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C

#define MBEDTLS_PLATFORM_C

/*
 * Signature schemes: only the curve / scheme actually selected by the build
 * is compiled in, to keep the footprint down. A 384-bit key selects
 * secp384r1; any other ECDSA key size falls back to secp256r1.
 */
#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
#if TF_MBEDTLS_KEY_SIZE == 384
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#else
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#endif
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
/* RSA-PSS certificate signatures (relies on MBEDTLS_PKCS1_V21 above). */
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif

/* The library does not currently support enabling SHA-256 without SHA-224. */
#define MBEDTLS_SHA224_C
#define MBEDTLS_SHA256_C
/*
 * If either Trusted Boot or Measured Boot require a stronger algorithm than
 * SHA-256, pull in SHA-512 support. Library currently needs to have SHA_384
 * support when enabling SHA-512.
 *
 * NOTE(review): if TF_MBEDTLS_HASH_ALG_ID is undefined the comparison below
 * is 0 != 1, i.e. true, so SHA-384/512 are pulled in by default.
 */
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256, what about measured boot? */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#endif
#endif

#define MBEDTLS_VERSION_C

#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C

/* AES-GCM (authenticated encryption) is optional and only built on request. */
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif

/*
 * MPI / BIGNUM options
 *
 * A small exponentiation window keeps the memory footprint down at the
 * cost of some speed.
 */
#define MBEDTLS_MPI_WINDOW_SIZE 2

/*
 * Largest multi-precision integer, in bytes: 256 bytes covers RSA moduli
 * up to 2048 bits, 512 bytes up to 4096 bits. ECDSA-only builds keep the
 * 256-byte limit.
 */
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE 256
#else
#define MBEDTLS_MPI_MAX_SIZE 512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE 256
#endif

/* Memory buffer allocator options */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8

/*
 * Prevent the use of 128-bit division which
 * creates dependency on external libraries.
 */
#define MBEDTLS_NO_UDBL_DIVISION

#ifndef __ASSEMBLER__
/* System headers required to build mbed TLS with the current configuration */
#include <stdlib.h>
#endif

/*
 * Determine Mbed TLS heap size
 * 13312 = 13*1024
 * 11264 = 11*1024
 * 7168 = 7*1024
 *
 * NOTE(review): when TF_MBEDTLS_KEY_ALG_ID selects neither RSA nor ECDSA
 * (including the undefined case) TF_MBEDTLS_HEAP_SIZE is left undefined and
 * the failure only surfaces at its first use; a #error in a trailing #else
 * would report the misconfiguration here — confirm no configuration relies
 * on the macro being left unset.
 */
#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE U(13312)
#elif TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE U(7168)
#else
#define TF_MBEDTLS_HEAP_SIZE U(11264)
#endif
#endif

/*
 * Warn if errors from certain functions are ignored.
 *
 * The warnings are always enabled (where supported) for critical functions
 * where ignoring the return value is almost always a bug. This macro extends
 * the warnings to more functions.
 */
#define MBEDTLS_CHECK_RETURN_WARNING