1 /* 2 * Minimal configuration for using TLS in the bootloader 3 * 4 * Copyright (C) 2006-2023, Arm Limited. All rights reserved. 5 * Copyright (C) 2016, Linaro Ltd 6 * 7 * SPDX-License-Identifier: Apache-2.0 8 * 9 * Licensed under the Apache License, Version 2.0 (the "License"); you may 10 * not use this file except in compliance with the License. 11 * You may obtain a copy of the License at 12 * 13 * http://www.apache.org/licenses/LICENSE-2.0 14 * 15 * Unless required by applicable law or agreed to in writing, software 16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 18 * See the License for the specific language governing permissions and 19 * limitations under the License. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 24 /* 25 * Original code taken from mcuboot project at: 26 * https://github.com/mcu-tools/mcuboot 27 * Git SHA of the original version: ac55554059147fff718015be9f4bd3108123f50a 28 */ 29 30 /* 31 * Minimal configuration for using mbed TLS in the bootloader 32 * 33 * - RSA signature verification 34 * - ECDSA signature verification 35 * - Optionally, enable support for PSA Crypto APIs 36 */ 37 38 #ifndef __MCUBOOT_MBEDTLS_CFG__ 39 #define __MCUBOOT_MBEDTLS_CFG__ 40 41 #if defined(MCUBOOT_USE_PSA_CRYPTO) 42 /* Enable PSA Crypto Core without support for the permanent storage 43 * Don't define MBEDTLS_PSA_CRYPTO_STORAGE_C to make sure that support 44 * for permanent keys is not enabled, as it is not available during boot 45 */ 46 #define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG 47 #define MBEDTLS_PSA_CRYPTO_CONFIG 48 #define MBEDTLS_PSA_CRYPTO_C 49 #if defined(MCUBOOT_SIGN_EC256) 50 #define MBEDTLS_PSA_P256M_DRIVER_ENABLED 51 #endif 52 #endif /* MCUBOOT_USE_PSA_CRYPTO */ 53 54 #if defined(MCUBOOT_SIGN_RSA) 55 #define MBEDTLS_RSA_C 56 #define MBEDTLS_PKCS1_V21 57 /* Save RAM by adjusting to our exact needs */ 58 #if MCUBOOT_SIGN_RSA_LEN == 3072 59 #define MBEDTLS_MPI_MAX_SIZE 384 60 #else /* RSA2048 */ 61 #define MBEDTLS_MPI_MAX_SIZE 256 62 #endif 63 #endif /* MCUBOOT_SIGN_RSA */ 64 65 #if defined(MCUBOOT_SIGN_EC384) 66 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED 67 /* When the image is signed with EC-P384 the image hash 68 * is calculated using SHA-384 69 */ 70 #define MBEDTLS_SHA512_C 71 #define MBEDTLS_SHA384_C 72 #else 73 /* All the other supported signing algorithms use SHA-256 to compute the image hash */ 74 #define MBEDTLS_SHA256_C 75 #endif /* MCUBOOT_SIGN_EC384 */ 76 77 #ifdef MCUBOOT_SIGN_EC256 78 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 79 #endif /* MCUBOOT_SIGN_EC256 */ 80 81 /* System support */ 82 #define MBEDTLS_PLATFORM_C 83 #define MBEDTLS_PLATFORM_MEMORY 84 #define MBEDTLS_MEMORY_BUFFER_ALLOC_C 85 #define MBEDTLS_NO_PLATFORM_ENTROPY 86 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES 87 88 #define MBEDTLS_PLATFORM_EXIT_ALT 89 #define MBEDTLS_PLATFORM_PRINTF_ALT 90 91 /* mbed TLS modules */ 92 #define MBEDTLS_ASN1_PARSE_C 93 #define MBEDTLS_ASN1_WRITE_C 94 #define MBEDTLS_BIGNUM_C 95 #define MBEDTLS_MD_C 96 #define MBEDTLS_OID_C 97 #if defined(MCUBOOT_SIGN_EC256) || defined(MCUBOOT_SIGN_EC384) 98 #define MBEDTLS_ECP_C 99 #define MBEDTLS_ECP_NIST_OPTIM 100 #define MBEDTLS_ECDSA_C 101 #endif 102 103 #ifdef CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING 104 #define MBEDTLS_CIPHER_C 105 #define MBEDTLS_CCM_C 106 #define MBEDTLS_ECDSA_C 107 #define MBEDTLS_ECP_C 108 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED 109 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED 110 #endif /* CRYPTO_HW_ACCELERATOR_OTP_PROVISIONING */ 111 112 /* This is still required by encrypted.c until that part is moved to MBED_TLS_USE_PSA_CRYPTO as well */ 113 #define MBEDTLS_AES_C 114 #define MBEDTLS_AES_FEWER_TABLES 115 #define MBEDTLS_CIPHER_MODE_CTR 116 117 #if defined(CRYPTO_HW_ACCELERATOR) && defined(MBEDTLS_ACCELERATOR_CONFIG_FILE) 118 #include MBEDTLS_ACCELERATOR_CONFIG_FILE 119 #endif 120 121 #endif /* __MCUBOOT_MBEDTLS_CFG__ */ 122