1 /*
2  *  Minimal configuration for using TLS in the bootloader
3  *
4  *  Copyright (C) 2006-2023, Arm Limited. All rights reserved.
5  *  Copyright (C) 2016, Linaro Ltd
6  *
7  *  SPDX-License-Identifier: Apache-2.0
8  *
9  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
10  *  not use this file except in compliance with the License.
11  *  You may obtain a copy of the License at
12  *
13  *  http://www.apache.org/licenses/LICENSE-2.0
14  *
15  *  Unless required by applicable law or agreed to in writing, software
16  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18  *  See the License for the specific language governing permissions and
19  *  limitations under the License.
20  *
21  *  This file is part of mbed TLS (https://tls.mbed.org)
22  */
23 
24 /*
25  * Original code taken from mcuboot project at:
26  * https://github.com/mcu-tools/mcuboot
27  * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a
28  */
29 
30 /*
31  * Minimal configuration for using mbed TLS in the bootloader
32  *
33  * - RSA signature verification
34  * - ECDSA signature verification
35  * - Optionally, enable support for PSA Crypto APIs
36  */
37 
/*
 * Include guard for the bootloader's Mbed TLS configuration; the matching
 * #endif is the last directive of the file.
 * NOTE(review): the guard name begins with a double underscore, a spelling
 * that C reserves for the implementation. Renaming it is only safe if no
 * other file tests this macro - confirm before changing.
 */
38 #ifndef __MCUBOOT_MBEDTLS_CFG__
39 #define __MCUBOOT_MBEDTLS_CFG__
40 
/*
 * PSA Crypto build of the bootloader, selected by MCUBOOT_USE_PSA_CRYPTO.
 * Enables the PSA Crypto core together with the PK, cipher, entropy and
 * CTR_DRBG modules listed below. MBEDTLS_PSA_CRYPTO_STORAGE_C is deliberately
 * left undefined (see the original comment that follows).
 */
41 #if defined(MCUBOOT_USE_PSA_CRYPTO)
42 /* Enable PSA Crypto Core without support for the permanent storage
43  * Don't define MBEDTLS_PSA_CRYPTO_STORAGE_C to make sure that support
44  * for permanent keys is not enabled, as it is not available during boot
45  */
46 #define MBEDTLS_PK_PARSE_C
47 #define MBEDTLS_PK_WRITE_C
48 #define MBEDTLS_PK_C
49 #define MBEDTLS_CTR_DRBG_C
50 #define MBEDTLS_CIPHER_C
51 #define MBEDTLS_ENTROPY_C
/*
 * With MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG the PSA core takes its random bytes
 * from a platform-supplied mbedtls_psa_external_get_random() instead of the
 * library's own entropy/DRBG modules.
 * NOTE(review): verifying an image signature needs no randomness, but any
 * boot-time operation that does is only as strong as that platform hook -
 * confirm it is backed by a real entropy source and is not a stub.
 * NOTE(review): MBEDTLS_ENTROPY_C and MBEDTLS_CTR_DRBG_C above look unused by
 * the PSA core once the external RNG is selected - confirm whether other
 * boot code still needs them.
 */
52 #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
/*
 * MBEDTLS_PSA_CRYPTO_CONFIG: the PSA mechanisms that get built are chosen by
 * PSA_WANT_* settings in the separate PSA crypto configuration, not here.
 */
53 #define MBEDTLS_PSA_CRYPTO_CONFIG
54 #define MBEDTLS_PSA_CRYPTO_C
/*
 * P-256 signing builds additionally enable the p256-m driver, an alternative
 * SECP256R1 implementation used through the PSA driver interface.
 */
55 #if defined(MCUBOOT_SIGN_EC256)
56 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED
57 #endif
58 #endif /* MCUBOOT_USE_PSA_CRYPTO */
59 
/*
 * RSA image-signature support, selected by MCUBOOT_SIGN_RSA.
 * Only MBEDTLS_PKCS1_V21 (the PKCS#1 v2.1 schemes, OAEP and PSS) is enabled
 * here; MBEDTLS_PKCS1_V15 is not defined by this file.
 */
60 #if defined(MCUBOOT_SIGN_RSA)
61 #define MBEDTLS_RSA_C
62 #define MBEDTLS_PKCS1_V21
63 /* Save RAM by adjusting to our exact needs */
/*
 * MBEDTLS_MPI_MAX_SIZE is a size in bytes: 384 bytes = 3072 bits and
 * 256 bytes = 2048 bits, matching the two key lengths handled here.
 * The #else branch is taken for every value other than 3072, including an
 * undefined MCUBOOT_SIGN_RSA_LEN (an undefined identifier evaluates to 0
 * in #if).
 * NOTE(review): a build configured with a longer key would silently get the
 * 256-byte limit. Verification would presumably fail rather than be
 * bypassed, but an explicit check for 2048 with #error otherwise would
 * surface the misconfiguration at build time - confirm with the build
 * system's defaults first.
 */
64 #if MCUBOOT_SIGN_RSA_LEN == 3072
65 #define MBEDTLS_MPI_MAX_SIZE 384
66 #else /* RSA2048 */
67 #define MBEDTLS_MPI_MAX_SIZE 256
68 #endif
69 #endif /* MCUBOOT_SIGN_RSA */
70 
/*
 * Image-hash and curve selection.
 * EC-P384 builds enable secp384r1 and the SHA-384/SHA-512 module switches;
 * every other build enables SHA-256. EC-P256 builds enable secp256r1.
 * NOTE(review): nothing in this file rejects MCUBOOT_SIGN_EC384 and
 * MCUBOOT_SIGN_EC256 being defined together. In that case both curves are
 * enabled but SHA-256 is not - confirm the build system keeps the signing
 * options mutually exclusive.
 */
71 #if defined(MCUBOOT_SIGN_EC384)
72 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
73 /* When the image is signed with EC-P384 the image hash
74  * is calculated using SHA-384
75  */
76 #define MBEDTLS_SHA512_C
77 #define MBEDTLS_SHA384_C
78 #else
79 /* All the other supported signing algorithms use SHA-256 to compute the image hash */
80 #define MBEDTLS_SHA256_C
81 #endif /* MCUBOOT_SIGN_EC384 */
82 
83 #ifdef MCUBOOT_SIGN_EC256
84 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
85 #endif /* MCUBOOT_SIGN_EC256 */
86 
87 /* System support */
/*
 * Platform layer with a replaceable allocator, backed by the library's
 * static buffer allocator (MBEDTLS_MEMORY_BUFFER_ALLOC_C) instead of a libc
 * heap. The buffer itself has to be registered by the boot code with
 * mbedtls_memory_buffer_alloc_init(); that call is not part of this file.
 */
88 #define MBEDTLS_PLATFORM_C
89 #define MBEDTLS_PLATFORM_MEMORY
90 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C
/*
 * No OS-provided entropy and no default entropy sources: an entropy context
 * has nothing to draw from unless a source is added explicitly with
 * mbedtls_entropy_add_source().
 * NOTE(review): any code path that seeds a DRBG from the entropy module must
 * register a strong source first - confirm for each consumer in the
 * bootloader.
 */
91 #define MBEDTLS_NO_PLATFORM_ENTROPY
92 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
93 
/*
 * Let the platform replace exit() and printf() at run time through
 * mbedtls_platform_set_exit() / mbedtls_platform_set_printf(); the
 * replacements themselves are supplied outside this file.
 */
94 #define MBEDTLS_PLATFORM_EXIT_ALT
95 #define MBEDTLS_PLATFORM_PRINTF_ALT
96 
97 
98 /* mbed TLS modules */
/*
 * Modules enabled for every build: ASN.1 parsing and writing, big-number
 * arithmetic, the generic message-digest layer, OID tables, and AES with
 * CTR mode.
 * NOTE(review): AES and CTR are enabled regardless of the signing algorithm,
 * presumably for encrypted-image support - confirm. CTR gives confidentiality
 * only; the integrity of a decrypted image has to come from the hash and
 * signature check.
 */
99 #define MBEDTLS_ASN1_PARSE_C
100 #define MBEDTLS_ASN1_WRITE_C
101 #define MBEDTLS_BIGNUM_C
102 #define MBEDTLS_MD_C
103 #define MBEDTLS_OID_C
104 #define MBEDTLS_AES_C
105 #define MBEDTLS_CIPHER_MODE_CTR
/*
 * Elliptic-curve arithmetic and ECDSA are built only when an EC signing
 * option is selected. MBEDTLS_ECP_NIST_OPTIM enables the fast reduction
 * routines for the NIST curves.
 */
106 #if defined(MCUBOOT_SIGN_EC256) || \
107     defined(MCUBOOT_SIGN_EC384)
108 #define MBEDTLS_ECP_C
109 #define MBEDTLS_ECP_NIST_OPTIM
110 #define MBEDTLS_ECDSA_C
111 #endif
112 
/*
 * TLS record size and ciphersuite list.
 * NOTE(review): this file enables no SSL/TLS module, nor the EC J-PAKE
 * module the listed ciphersuite relies on, so both settings appear to be
 * inert leftovers from a TLS configuration - confirm that nothing included
 * later (for example the accelerator config header) turns TLS on. If they
 * are inert, removing them would make it clearer that the bootloader does
 * not use TLS.
 */
113 #define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
114 
115 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
116 #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
117 
/*
 * Extra algorithms for builds with CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING:
 * the generic cipher layer, CCM, ECDSA/ECP, secp256r1 and Curve25519.
 * Only MBEDTLS_CIPHER_C is wrapped in #ifndef. The other macros may already
 * be defined earlier in this file; repeating an identical empty definition
 * is legal C.
 * NOTE(review): this widens the crypto code built into the bootloader
 * beyond signature verification. Presumably the flag is meant for
 * provisioning images only - confirm it is not set for production builds.
 */
118 #ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING
119 #ifndef MBEDTLS_CIPHER_C
120 #define MBEDTLS_CIPHER_C
121 #endif
122 #define MBEDTLS_CCM_C
123 #define MBEDTLS_ECDSA_C
124 #define MBEDTLS_ECP_C
125 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
126 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
127 #endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */
128 
/*
 * Hardware-accelerator configuration, pulled in only when
 * CRYPTO_HW_ACCELERATOR is defined.
 * If the build did not define LEGACY_DRIVER_API_ENABLED, it is defined just
 * for the duration of the include and removed again afterwards, so the
 * accelerator header always sees it while later code in the translation
 * unit does not. If the build already defined it, the header is included
 * as-is and the macro stays defined.
 * NOTE(review): #warning is a compiler extension before C23 and will stop
 * the build where warnings are treated as errors - confirm the toolchain
 * flags used for BL2.
 */
129 #ifdef CRYPTO_HW_ACCELERATOR
130 #ifndef LEGACY_DRIVER_API_ENABLED
131 /*
132  * Forcing the legacy driver API enabled all the time regardless of
133  * cmake configuration in BL2.
134  */
135 #define LEGACY_DRIVER_API_ENABLED
136 #warning "Use legacy driver API for BL2"
137 #include "mbedtls_accelerator_config.h"
138 #undef LEGACY_DRIVER_API_ENABLED
139 #else
140 #include "mbedtls_accelerator_config.h"
141 #endif /* !LEGACY_DRIVER_API_ENABLED */
142 #endif
143 
144 #endif /* __MCUBOOT_MBEDTLS_CFG__ */
145