From: Justin Chadwell Date: Mon, 29 Jul 2019 16:13:10 +0000 (+0100) Subject: Support larger RSA key sizes when using MBEDTLS X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=aacff7498c7241696f55a9b80473e59b72d4d095;p=project%2Fbcm63xx%2Fatf.git Support larger RSA key sizes when using MBEDTLS Previously, TF-A could not support large RSA key sizes as the configuration options passed to MBEDTLS prevented storing and performing calculations with the larger, higher-precision numbers required. With these changes to the arguments passed to MBEDTLS, TF-A now supports using 3072 (3K) and 4096 (4K) keys in certificates. Change-Id: Ib73a6773145d2faa25c28d04f9a42e86f2fd555f Signed-off-by: Justin Chadwell --- diff --git a/Makefile b/Makefile index bcfbd65e..d1376e86 100644 --- a/Makefile +++ b/Makefile @@ -694,6 +694,10 @@ $(eval $(call assert_numeric,ARM_ARCH_MAJOR)) $(eval $(call assert_numeric,ARM_ARCH_MINOR)) $(eval $(call assert_numeric,BRANCH_PROTECTION)) +ifdef KEY_SIZE + $(eval $(call assert_numeric,KEY_SIZE)) +endif + ifeq ($(filter $(SANITIZE_UB), on off trap),) $(error "Invalid value for SANITIZE_UB: can be one of on, off, trap") endif diff --git a/drivers/auth/mbedtls/mbedtls_common.mk b/drivers/auth/mbedtls/mbedtls_common.mk index 63e65bd4..f34d3d00 100644 --- a/drivers/auth/mbedtls/mbedtls_common.mk +++ b/drivers/auth/mbedtls/mbedtls_common.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -59,6 +59,16 @@ ifeq (${TF_MBEDTLS_KEY_ALG},) endif endif +ifeq (${TF_MBEDTLS_KEY_SIZE},) + ifneq ($(findstring rsa,${TF_MBEDTLS_KEY_ALG}),) + ifeq (${KEY_SIZE},) + TF_MBEDTLS_KEY_SIZE := 2048 + else + TF_MBEDTLS_KEY_SIZE := ${KEY_SIZE} + endif + endif +endif + ifeq (${HASH_ALG}, sha384) TF_MBEDTLS_HASH_ALG_ID := TF_MBEDTLS_SHA384 else ifeq (${HASH_ALG}, sha512) @@ -79,6 +89,7 @@ endif # Needs to be set to drive mbed TLS configuration correctly $(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID)) +$(eval $(call add_define,TF_MBEDTLS_KEY_SIZE)) $(eval $(call add_define,TF_MBEDTLS_HASH_ALG_ID)) diff --git a/drivers/auth/tbbr/tbbr_cot.c b/drivers/auth/tbbr/tbbr_cot.c index da3631bb..6dd4ae25 100644 --- a/drivers/auth/tbbr/tbbr_cot.c +++ b/drivers/auth/tbbr/tbbr_cot.c @@ -7,6 +7,7 @@ #include #include +#include #include #if USE_TBBR_DEFS @@ -19,7 +20,22 @@ /* * Maximum key and hash sizes (in DER format) */ +#if TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE == 1024 +#define PK_DER_LEN 162 +#elif TF_MBEDTLS_KEY_SIZE == 2048 #define PK_DER_LEN 294 +#elif TF_MBEDTLS_KEY_SIZE == 3072 +#define PK_DER_LEN 422 +#elif TF_MBEDTLS_KEY_SIZE == 4096 +#define PK_DER_LEN 550 +#else +#error "Invalid value for TF_MBEDTLS_KEY_SIZE" +#endif +#else +#define PK_DER_LEN 294 +#endif + #define HASH_DER_LEN 83 /* diff --git a/include/drivers/auth/mbedtls/mbedtls_config.h b/include/drivers/auth/mbedtls/mbedtls_config.h index f7248f98..6e179bbd 100644 --- a/include/drivers/auth/mbedtls/mbedtls_config.h +++ b/include/drivers/auth/mbedtls/mbedtls_config.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2019, ARM Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -13,6 +13,11 @@ #define TF_MBEDTLS_ECDSA 2 #define TF_MBEDTLS_RSA_AND_ECDSA 3 +#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \ + || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \ + || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) + /* * Hash algorithms currently supported on mbed TLS libraries */ @@ -54,19 +59,14 @@ #define MBEDTLS_PLATFORM_C -#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) +#if TF_MBEDTLS_USE_ECDSA #define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C #define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) -#define MBEDTLS_RSA_C -#define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#endif +#if TF_MBEDTLS_USE_RSA #define MBEDTLS_RSA_C #define MBEDTLS_X509_RSASSA_PSS_SUPPORT -#define MBEDTLS_ECDSA_C -#define MBEDTLS_ECP_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED #endif #define MBEDTLS_SHA256_C @@ -80,11 +80,20 @@ #define MBEDTLS_X509_CRT_PARSE_C /* MPI / BIGNUM options */ -#define MBEDTLS_MPI_WINDOW_SIZE 2 -#define MBEDTLS_MPI_MAX_SIZE 256 +#define MBEDTLS_MPI_WINDOW_SIZE 2 + +#if TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE <= 2048 +#define MBEDTLS_MPI_MAX_SIZE 256 +#else +#define MBEDTLS_MPI_MAX_SIZE 512 +#endif +#else +#define MBEDTLS_MPI_MAX_SIZE 256 +#endif /* Memory buffer allocator options */ -#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 +#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8 #ifndef __ASSEMBLER__ /* System headers required to build mbed TLS with the current configuration */ @@ -95,13 +104,17 @@ /* * Determine Mbed TLS heap size * 13312 = 13*1024 - * 7168 = 7*1024 + * 11264 = 11*1024 + * 7168 = 7*1024 */ -#if (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA) \ - || (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA) +#if TF_MBEDTLS_USE_ECDSA #define TF_MBEDTLS_HEAP_SIZE U(13312) -#elif (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA) +#elif TF_MBEDTLS_USE_RSA +#if TF_MBEDTLS_KEY_SIZE <= 2048 #define TF_MBEDTLS_HEAP_SIZE U(7168) +#else +#define TF_MBEDTLS_HEAP_SIZE U(11264) +#endif #endif #endif /* MBEDTLS_CONFIG_H */