2017-01-11 00:51:39 +08:00
|
|
|
/*
|
|
|
|
|
* Minimal configuration for using TLS in the bootloader
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
|
|
|
|
* Copyright (C) 2016, Linaro Ltd
|
|
|
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
|
|
|
* not use this file except in compliance with the License.
|
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
|
*
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
*
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
*
|
|
|
|
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Minimal configuration for using TLS in the bootloader
|
|
|
|
|
*
|
|
|
|
|
* - RSA or ECDSA signature verification
|
|
|
|
|
*/
|
|
|
|
|
|
zephyr: migrate signature type to Kconfig
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-13 01:02:38 +08:00
|
|
|
#ifndef MCUBOOT_MBEDTLS_CONFIG_RSA
|
|
|
|
|
#define MCUBOOT_MBEDTLS_CONFIG_RSA
|
2017-01-11 00:51:39 +08:00
|
|
|
|
2017-09-08 22:49:14 +08:00
|
|
|
#ifdef CONFIG_MCUBOOT_SERIAL
|
|
|
|
|
/* Mcuboot uses mbedts-base64 for serial protocol encoding. */
|
|
|
|
|
#define MBEDTLS_BASE64_C
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-01-11 00:51:39 +08:00
|
|
|
/* System support */
|
|
|
|
|
#define MBEDTLS_PLATFORM_C
|
|
|
|
|
#define MBEDTLS_PLATFORM_MEMORY
|
|
|
|
|
#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
|
|
|
|
#define MBEDTLS_NO_PLATFORM_ENTROPY
|
|
|
|
|
#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
|
2019-03-01 17:29:34 +08:00
|
|
|
|
|
|
|
|
/* STD functions */
|
|
|
|
|
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
|
|
|
|
|
|
|
|
|
#define MBEDTLS_PLATFORM_EXIT_ALT
|
2017-01-11 00:51:39 +08:00
|
|
|
#define MBEDTLS_PLATFORM_PRINTF_ALT
|
2019-03-01 17:30:44 +08:00
|
|
|
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
|
2017-01-11 00:51:39 +08:00
|
|
|
|
|
|
|
|
#if !defined(CONFIG_ARM)
|
|
|
|
|
#define MBEDTLS_HAVE_ASM
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#define MBEDTLS_RSA_C
|
2018-02-23 23:51:12 +08:00
|
|
|
#define MBEDTLS_PKCS1_V21
|
2017-01-11 00:51:39 +08:00
|
|
|
|
|
|
|
|
/* mbed TLS modules */
|
|
|
|
|
#define MBEDTLS_ASN1_PARSE_C
|
|
|
|
|
#define MBEDTLS_ASN1_WRITE_C
|
|
|
|
|
#define MBEDTLS_BIGNUM_C
|
|
|
|
|
#define MBEDTLS_MD_C
|
|
|
|
|
#define MBEDTLS_OID_C
|
|
|
|
|
#define MBEDTLS_SHA256_C
|
2018-08-31 18:41:50 +08:00
|
|
|
#define MBEDTLS_AES_C
|
2017-01-11 00:51:39 +08:00
|
|
|
|
|
|
|
|
/* Save RAM by adjusting to our exact needs */
|
|
|
|
|
#define MBEDTLS_ECP_MAX_BITS 2048
|
2019-05-14 06:08:12 +08:00
|
|
|
|
|
|
|
|
#if (CONFIG_BOOT_SIGNATURE_TYPE_RSA_LEN == 3072)
|
|
|
|
|
#define MBEDTLS_MPI_MAX_SIZE 384
|
|
|
|
|
#else
|
2017-01-11 00:51:39 +08:00
|
|
|
#define MBEDTLS_MPI_MAX_SIZE 256
|
2019-05-14 06:08:12 +08:00
|
|
|
#endif
|
2017-01-11 00:51:39 +08:00
|
|
|
|
|
|
|
|
#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
|
|
|
|
|
|
|
|
|
|
/* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
|
|
|
|
|
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8
|
|
|
|
|
|
|
|
|
|
#include "mbedtls/check_config.h"
|
|
|
|
|
|
zephyr: migrate signature type to Kconfig
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>
2018-04-13 01:02:38 +08:00
|
|
|
#endif /* MCUBOOT_MBEDTLS_CONFIG_RSA */
|