libmbedtls: config: re-enable long long divisions

This reverts commit d3ec4328a070 ("libmbedtls: config: disable long long
divisions") to address performance regressions introduced by that
commit. T

libmbedtls: config: re-enable long long divisions

This reverts commit d3ec4328a070 ("libmbedtls: config: disable long long
divisions") to address performance regressions introduced by that
commit. The commit can be reverted now that __udivti3() needed by the
unsigned long long divisions is available again.

Link: https://github.com/OP-TEE/optee_os/pull/7359
Link: https://github.com/OP-TEE/optee_os/issues/7374
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libmbedtls: config: disable long long divisions

Currently on Aarch64, mbedtls uses long long divisions which result in
calls to __udivti3() in libgcc. This is at the moment the only
dependency on li

libmbedtls: config: disable long long divisions

Currently on Aarch64, mbedtls uses long long divisions which result in
calls to __udivti3() in libgcc. This is at the moment the only
dependency on libgcc in mbedtls, so disable the long long divisions by
defining MBEDTLS_NO_UDBL_DIVISION to remove the dependency.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Squashed commit upgrading to mbedtls-3.6.0

Squash merging branch import/mbedtls-3.6.0

0fc9291f4 ("libmbedtls: bignum: restore mbedtls_mpi_exp_mod() from v3.5.2")
0ef87b1e6 ("libmbedtls: reset minim

Squashed commit upgrading to mbedtls-3.6.0

Squash merging branch import/mbedtls-3.6.0

0fc9291f4 ("libmbedtls: bignum: restore mbedtls_mpi_exp_mod() from v3.5.2")
0ef87b1e6 ("libmbedtls: reset minimum rsa key size")
70b079496 ("libmbedtls: adjust use of rsa pk_wrap API")
6cf76464f ("libmbedtls: allow inclusion of arm_neon.h")
27df5c911 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
aa584f9ed ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
523ae957e ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
30bdb1bbf ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
e45cdab62 ("libmbedtls: add SM2 curve")
d2fda4fc2 ("libmbedtls: fix no CRT issue")
ab0eb5515 ("libmbedtls: add interfaces in mbedtls for context memory operation")
7925a6f26 ("libmedtls: mpi_miller_rabin: increase count limit")
8eaf69279 ("libmbedtls: add mbedtls_mpi_init_mempool()")
12e83fc8d ("libmbedtls: make mbedtls_mpi_mont*() available")
f9e261da5 ("mbedtls: configure mbedtls to reach for config")
7b6f378d7 ("mbedtls: remove default include/mbedtls/config.h")
c16331743 ("Import mbedtls-3.6.0")

Signed-off-by: Tom Van Eyck <tom.vaneyck@kuleuven.be>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Squashed commit upgrading to mbedtls-3.4.0

Squash merging branch import/mbedtls-3.4.0

8225713449d3 ("libmbedtls: fix unrecognized compiler option")
f03730842d7b ("core: ltc: configure internal MD5"

Squashed commit upgrading to mbedtls-3.4.0

Squash merging branch import/mbedtls-3.4.0

8225713449d3 ("libmbedtls: fix unrecognized compiler option")
f03730842d7b ("core: ltc: configure internal MD5")
2b0d0c50127c ("core: ltc: configure internal SHA-1 and SHA-224")
0e48a6e17630 ("libmedtls: core: update to mbedTLS 3.4.0 API")
049882b143af ("libutee: update to mbedTLS 3.4.0 API")
982307bf6169 ("core: LTC mpi_desc.c: update to mbedTLS 3.4.0 API")
33218e9eff7b ("ta: pkcs11: update to mbedTLS 3.4.0 API")
6956420cc064 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
ad67ef0b43fd ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
7300f4d97bbf ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
cec89b62a86d ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
e7e048796c44 ("libmbedtls: add SM2 curve")
096beff2cd31 ("libmbedtls: mbedtls_mpi_exp_mod(): optimize mempool usage")
7108668efd3f ("libmbedtls: mbedtls_mpi_exp_mod(): reduce stack usage")
0ba4eb8d0572 ("libmbedtls: mbedtls_mpi_exp_mod() initialize W")
3fd6ecf00382 ("libmbedtls: fix no CRT issue")
d5ea7e9e9aa7 ("libmbedtls: add interfaces in mbedtls for context memory operation")
2b0fb3f1fa3d ("libmedtls: mpi_miller_rabin: increase count limit")
2c3301ab99bb ("libmbedtls: add mbedtls_mpi_init_mempool()")
9a111f0da04b ("libmbedtls: make mbedtls_mpi_mont*() available")
804fe3a374f5 ("mbedtls: configure mbedtls to reach for config")
b28a41531427 ("mbedtls: remove default include/mbedtls/config.h")
dfafe507bbef ("Import mbedtls-3.4.0")

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: mbedtls: use SHA-512 crypto accelerated routines

Uses the recently provided accelerated SHA-512 routine.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklan

core: mbedtls: use SHA-512 crypto accelerated routines

Uses the recently provided accelerated SHA-512 routine.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mbedtls: fix use of SHA-256 crypto accelerated routines

The wrong name of a configuration was used to test in mbedtls if the
accelerated SHA-256 routines should be used. Fix this by using the

core: mbedtls: fix use of SHA-256 crypto accelerated routines

The wrong name of a configuration was used to test in mbedtls if the
accelerated SHA-256 routines should be used. Fix this by using the
correct name CFG_CORE_CRYPTO_SHA256_ACCEL instead.

Fixes: 2fc5dc95a949 ("core: mbedtls: use SHA-256 crypto accelerated routines")
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add support for SM2 using MBed TLS

The SM2 algorithms (PKE, KEP and DSA) are currently implemented using
LibTomCrypt. They are automatically disabled when MBed TLS is selected
as the core cryp

core: add support for SM2 using MBed TLS

The SM2 algorithms (PKE, KEP and DSA) are currently implemented using
LibTomCrypt. They are automatically disabled when MBed TLS is selected
as the core crypto library (that is, when CFG_CRYPTOLIB_NAME=mbedtls
CFG_CRYPTOLIB_DIR=lib/libmbedtls).

This commit removes this restriction by porting the relevant files
(core/lib/libtomcrypt/sm2-{dsa,kep,pke}.c) over to the MBed TLS API in
lib/libmbedtls/core.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Squashed commit upgrading to mbedtls-2.22.0

Squash merging branch import/mbedtls-2.22.0

5cab03377186 ("mk/clang.mk: define libgcc$(sm)")
3607a5386a72 ("core: mbedtls: enable MBEDTLS_ECDH_LEGACY_CON

Squashed commit upgrading to mbedtls-2.22.0

Squash merging branch import/mbedtls-2.22.0

5cab03377186 ("mk/clang.mk: define libgcc$(sm)")
3607a5386a72 ("core: mbedtls: enable MBEDTLS_ECDH_LEGACY_CONTEXT")
896c8845bbda ("mbedtls: remove file md_wrap.c from build")
400b2af54fa0 ("libmbedtls: mbedtls_mpi_exp_mod(): optimize mempool usage")
777827c7af3d ("libmbedtls: mbedtls_mpi_exp_mod(): reduce stack usage")
549e4600678e ("libmbedtls: preserve mempool usage on reinit")
02d636083fe2 ("libmbedtls: mbedtls_mpi_exp_mod() initialize W")
d2ac2b3c92bf ("libmbedtls: fix no CRT issue")
f550879d5be2 ("libmbedtls: add interfaces in mbedtls for context memory operation")
219173d807ce ("libmedtls: mpi_miller_rabin: increase count limit")
7930b0b6b5e4 ("libmbedtls: add mbedtls_mpi_init_mempool()")
78af9fdc120f ("libmbedtls: make mbedtls_mpi_mont*() available")
8f7357271cc2 ("libmbedtls: refine mbedtls license header")
c5993878881f ("mbedtls: configure mbedtls to reach for config")
6f9c587783af ("mbedtls: remove default include/mbedtls/config.h")
3d3bd3b12752 ("Import mbedtls-2.22.0")

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mbedtls: use SHA-256 crypto accelerated routines

Uses the recently provided accelerated SHA-256 routine.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander

core: mbedtls: use SHA-256 crypto accelerated routines

Uses the recently provided accelerated SHA-256 routine.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mbedtls: use SHA-1 crypto accelerated routines

Uses the recently provided accelerated SHA-1 routine.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <je

core: mbedtls: use SHA-1 crypto accelerated routines

Uses the recently provided accelerated SHA-1 routine.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mbedtls: use AES crypto accelerated routines

Uses the recently provided accelerated AES crypto routines in mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jen

core: mbedtls: use AES crypto accelerated routines

Uses the recently provided accelerated AES crypto routines in mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by the TEE core or pseudo-TAs. This situation is
reflected by two configuration variables allowing to choose between
libmbedtls and libmpa:

- CFG_TA_MBEDTLS_MPI (default y) configures libutee,
- CFG_CORE_MBEDTLS_MPI (default y) configures the TEE core/PTAs.

In addition there is CFG_TA_MBEDTLS (default y, mandatory when
CFG_TA_MBEDTLS_MPI is y) to build libmbedtls and install it into the
SDK for direct use by TAs (libmbedtls also has function to deal with
certificates for instance).

MBed TLS has been supported and used by default for just over a year;
and we have recently found an issue with the MPA implementation of the
integer multiplication with modulus (mpa_mulmod()) [1] [2]. Therefore,
now is a good time to remove libmpa and use libmbedtls instead.

Link: [1] https://github.com/OP-TEE/optee_os/pull/3541#issuecomment-577592381
Link: [2] https://github.com/OP-TEE/optee_test/pull/389
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: Support DSA algorithm

DSA is not supported in MbedTLS, use libtomcrypt instead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@li

libmbedtls: Support DSA algorithm

DSA is not supported in MbedTLS, use libtomcrypt instead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls ECC function

Support mbedtls ECC: ecdh and ecdsa.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Je

libmbedtls: support mbedtls ECC function

Support mbedtls ECC: ecdh and ecdsa.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls DH function

Implement DH function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by:

libmbedtls: support mbedtls DH function

Implement DH function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls acipher RSA function

Support RSA:
RSASSA_PKCS1_V1_5
RSASSA_PKCS1_PSS_MGF1
RSAES_PKCS1_V1_5
RSAES_PKCS1_OAEP_MGF1

Acked-by: Etienne Carriere <etienne.carriere@linaro.

libmbedtls: support mbedtls acipher RSA function

Support RSA:
RSASSA_PKCS1_V1_5
RSASSA_PKCS1_PSS_MGF1
RSAES_PKCS1_V1_5
RSAES_PKCS1_OAEP_MGF1

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls bignum functions

Implement bignum function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed

libmbedtls: support mbedtls bignum functions

Implement bignum function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support CMAC algorithm

Implement CMAC function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jen

libmbedtls: support CMAC algorithm

Implement CMAC function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls HMAC algorithm

Implement HMAC function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off

libmbedtls: support mbedtls HMAC algorithm

Implement HMAC function based on mbedtls.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support symmetrical ciphers

Adds support for symmetrical ciphers. The XTS mode is not supported in
mbedTLS and will be dealt with later.

Acked-by: Etienne Carriere <etienne.carriere@lin

libmbedtls: support symmetrical ciphers

Adds support for symmetrical ciphers. The XTS mode is not supported in
mbedTLS and will be dealt with later.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedtls hash algorithm

1. Support mbedtls hash algorithm.
2. Add mbedtls source configure

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edis

libmbedtls: support mbedtls hash algorithm

1. Support mbedtls hash algorithm.
2. Add mbedtls source configure

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
[jw: moved hash routines to hash.c using ops interface]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: support mbedTLS in kernel mode

Initial step of mbedtls cryptos integration.
Directory created and interface file is drafted.
All function interfaces are set to "not supported".
The mbedt

libmbedtls: support mbedTLS in kernel mode

Initial step of mbedtls cryptos integration.
Directory created and interface file is drafted.
All function interfaces are set to "not supported".
The mbedtls can be selected by specifying build flags
"CFG_CRYPTOLIB_NAME=mbedtls" and "CFG_CRYPTOLIB_DIR=lib/libmbedtls"

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Edison Ai <edison.ai@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mbedtls: configure bignum word size

Configures mbedtls bignum word size (mbedtls_mpi_uint and mbedtls_mpi_sint)
as 32-bit or 64-bit depending on arm architecture.

Reviewed-by: Jerome Forissie

core: mbedtls: configure bignum word size

Configures mbedtls bignum word size (mbedtls_mpi_uint and mbedtls_mpi_sint)
as 32-bit or 64-bit depending on arm architecture.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: switch to mbedtls for bignum

Adds a mpi_desc.c wrapper to LTC in order to enable usage of bignum
(mpi) routines from mbedtls.

CFG_MBEDTLS_MPI=y (default y) builds the bignum routines for mbed

core: switch to mbedtls for bignum

Adds a mpi_desc.c wrapper to LTC in order to enable usage of bignum
(mpi) routines from mbedtls.

CFG_MBEDTLS_MPI=y (default y) builds the bignum routines for mbedtls and
also enables their usage in LTC and by that replaces libmpa for
privileged mode usage.

User mode TAs still use libmpa.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libmbedtls: configure and compile mbedtls

Configures mbedtls with a minimal user mode TA configuration and makes
it compile.

Adds dummy include/mbedtls_config_kernel.h to give a good error message

libmbedtls: configure and compile mbedtls

Configures mbedtls with a minimal user mode TA configuration and makes
it compile.

Adds dummy include/mbedtls_config_kernel.h to give a good error message
in case mbedTLS is compiled in for kernel mode.

mbedTLS is enabled for TAs with CFG_TA_MBEDTLS = y
Builtin self tests are enabled with CFG_TA_MBEDTLS_SELF_TEST = y

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...