/*
 * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
#ifndef MBEDTLS_CONFIG_H
#define MBEDTLS_CONFIG_H

/*
 * mbed TLS build configuration for Trusted Boot.
 *
 * This header is used in place of mbed TLS's own config.h (hence the
 * MBEDTLS_CONFIG_H guard and the check_config.h include at the bottom):
 * only the features explicitly enabled here are compiled in.  The feature
 * set is selected by macros supplied by the build system:
 * TF_MBEDTLS_KEY_ALG_ID, TF_MBEDTLS_HASH_ALG_ID, TF_MBEDTLS_KEY_SIZE,
 * TF_MBEDTLS_USE_AES_GCM and TF_MBEDTLS_MBOOT_USE_SHA512.
 *
 * NOTE(review): an identifier that is not defined evaluates to 0 inside
 * '#if', so a build that forgets one of these macros silently takes the
 * "0" branch (e.g. no RSA, no ECDSA, MPI_MAX_SIZE of 256) rather than
 * failing the build.
 */

/*
 * Key algorithms currently supported on mbed TLS libraries.
 * TF_MBEDTLS_KEY_ALG_ID (from the build system) must be one of these.
 */
#define TF_MBEDTLS_RSA 1
#define TF_MBEDTLS_ECDSA 2
#define TF_MBEDTLS_RSA_AND_ECDSA 3

/* Helper predicates: true when the selected key algorithm needs RSA / ECDSA. */
#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
|| TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)

/*
 * Hash algorithms currently supported on mbed TLS libraries.
 * TF_MBEDTLS_HASH_ALG_ID (from the build system) must be one of these.
 */
#define TF_MBEDTLS_SHA256 1
#define TF_MBEDTLS_SHA384 2
#define TF_MBEDTLS_SHA512 3

/*
 * Configuration file to build mbed TLS with the required features for
 * Trusted Boot
 */

/*
 * Platform abstraction: memory allocation and snprintf are provided by the
 * firmware rather than by a C library.
 */
#define MBEDTLS_PLATFORM_MEMORY
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
#define MBEDTLS_PLATFORM_SNPRINTF_ALT

/*
 * PKCS#1 v2.1 (RSASSA-PSS).  MBEDTLS_PKCS1_V15 is deliberately not defined
 * in this file, so PKCS#1 v1.5 RSA signatures are not accepted.
 */
#define MBEDTLS_PKCS1_V21

/*
 * Security-relevant relaxation: a certificate carrying a critical X.509
 * extension that mbed TLS does not understand is accepted rather than
 * rejected (RFC 5280 would require rejection).  Presumably needed for the
 * custom extensions in the Trusted Boot certificate chain, whose content
 * the authentication layer is expected to validate itself -- confirm that
 * no untrusted certificate can reach this parser without that layer.
 */
#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
/* keyUsage / extendedKeyUsage are enforced when present in a certificate. */
#define MBEDTLS_X509_CHECK_KEY_USAGE
#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE

#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_WRITE_C

#define MBEDTLS_BASE64_C
#define MBEDTLS_BIGNUM_C

#define MBEDTLS_ERROR_C
#define MBEDTLS_MD_C

/* Allocations come from a fixed buffer (size chosen by TF_MBEDTLS_HEAP_SIZE below). */
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
#define MBEDTLS_OID_C

#define MBEDTLS_PK_C
#define MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_WRITE_C

#define MBEDTLS_PLATFORM_C

#if TF_MBEDTLS_USE_ECDSA
#define MBEDTLS_ECDSA_C
#define MBEDTLS_ECP_C
/* Only the P-256 curve is compiled in. */
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
/*
 * NOTE(review): disables the internal RNG mbed TLS uses for ECP blinding
 * countermeasures.  That is only acceptable if this build performs public-key
 * operations (signature verification) and never private-key operations
 * (signing, key generation), which would need the blinding for side-channel
 * resistance -- confirm against the callers.
 */
#define MBEDTLS_ECP_NO_INTERNAL_RNG
#endif
#if TF_MBEDTLS_USE_RSA
#define MBEDTLS_RSA_C
/* Allow RSASSA-PSS as the signature algorithm inside X.509 certificates. */
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif

/* SHA-256 is always available; it is the minimum hash for Trusted Boot. */
#define MBEDTLS_SHA256_C

/*
 * If either Trusted Boot or Measured Boot require a stronger algorithm than
 * SHA-256, pull in SHA-512 support (SHA-384 is provided by the same module).
 */
#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
#define MBEDTLS_SHA512_C
#else
/* TBB uses SHA-256; Measured Boot may still ask for SHA-512. */
#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
#define MBEDTLS_SHA512_C
#endif
#endif

#define MBEDTLS_VERSION_C

#define MBEDTLS_X509_USE_C
#define MBEDTLS_X509_CRT_PARSE_C

/* AES-GCM, presumably for encrypted-image support; set by the build system. */
#if TF_MBEDTLS_USE_AES_GCM
#define MBEDTLS_AES_C
#define MBEDTLS_CIPHER_C
#define MBEDTLS_GCM_C
#endif

/* MPI / BIGNUM options */
/*
 * Small sliding window for modular exponentiation: less precomputation
 * memory at the cost of speed, which suits the fixed-size heap below.
 */
#define MBEDTLS_MPI_WINDOW_SIZE 2

/*
 * Largest bignum, in bytes, that mbed TLS will handle: 256 bytes = 2048-bit
 * RSA modulus, 512 bytes = 4096-bit.  A modulus larger than this is expected
 * to make verification fail rather than overflow (fail-closed) -- confirm
 * with the mbed TLS version in use.
 */
#if TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define MBEDTLS_MPI_MAX_SIZE 256
#else
#define MBEDTLS_MPI_MAX_SIZE 512
#endif
#else
#define MBEDTLS_MPI_MAX_SIZE 256
#endif

/* Memory buffer allocator options */
#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8

/*
 * Prevent the use of 128-bit division which
 * creates dependency on external libraries.
 */
#define MBEDTLS_NO_UDBL_DIVISION

#ifndef __ASSEMBLER__
/*
 * System headers required to build mbed TLS with the current configuration.
 * check_config.h validates the option set above, so it must stay after all
 * MBEDTLS_* defines.
 */
#include <stdlib.h>
#include <mbedtls/check_config.h>
#endif

/*
 * Determine Mbed TLS heap size
 * 13312 = 13*1024
 * 11264 = 11*1024
 * 7168 = 7*1024
 *
 * This is the size of the static buffer backing MBEDTLS_MEMORY_BUFFER_ALLOC_C,
 * sized per key algorithm.  The U() macro is expected to be provided by the
 * includer (presumably utils_def.h); it is not defined here.  No value is
 * defined when neither ECDSA nor RSA is selected.
 */
#if TF_MBEDTLS_USE_ECDSA
#define TF_MBEDTLS_HEAP_SIZE U(13312)
#elif TF_MBEDTLS_USE_RSA
#if TF_MBEDTLS_KEY_SIZE <= 2048
#define TF_MBEDTLS_HEAP_SIZE U(7168)
#else
#define TF_MBEDTLS_HEAP_SIZE U(11264)
#endif
#endif

/*
 * Warn if errors from certain functions are ignored.
 *
 * The warnings are always enabled (where supported) for critical functions
 * where ignoring the return value is almost always a bug. This macro extends
 * the warnings to more functions.
 */
#define MBEDTLS_CHECK_RETURN_WARNING

#endif /* MBEDTLS_CONFIG_H */