1CFG_CRYPTO ?= y 2CFG_CRYPTO_SIZE_OPTIMIZATION ?= y 3 4ifeq (y,$(CFG_CRYPTO)) 5 6# Ciphers 7CFG_CRYPTO_AES ?= y 8CFG_CRYPTO_DES ?= y 9 10# Cipher block modes 11CFG_CRYPTO_ECB ?= y 12CFG_CRYPTO_CBC ?= y 13CFG_CRYPTO_CTR ?= y 14CFG_CRYPTO_CTS ?= y 15CFG_CRYPTO_XTS ?= y 16 17# Message authentication codes 18CFG_CRYPTO_HMAC ?= y 19CFG_CRYPTO_CMAC ?= y 20CFG_CRYPTO_CBC_MAC ?= y 21 22# Hashes 23CFG_CRYPTO_MD5 ?= y 24CFG_CRYPTO_SHA1 ?= y 25CFG_CRYPTO_SHA224 ?= y 26CFG_CRYPTO_SHA256 ?= y 27CFG_CRYPTO_SHA384 ?= y 28CFG_CRYPTO_SHA512 ?= y 29CFG_CRYPTO_SHA512_256 ?= y 30 31# Asymmetric ciphers 32CFG_CRYPTO_DSA ?= y 33CFG_CRYPTO_RSA ?= y 34CFG_CRYPTO_DH ?= y 35CFG_CRYPTO_ECC ?= y 36 37# Authenticated encryption 38CFG_CRYPTO_CCM ?= y 39CFG_CRYPTO_GCM ?= y 40# Default uses the OP-TEE internal AES-GCM implementation 41CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB ?= n 42 43endif 44 45ifeq ($(CFG_WITH_PAGER),y) 46ifneq ($(CFG_CRYPTO_SHA256),y) 47$(warning Warning: Enabling CFG_CRYPTO_SHA256 [required by CFG_WITH_PAGER]) 48CFG_CRYPTO_SHA256:=y 49endif 50endif 51 52$(eval $(call cryp-enable-all-depends,CFG_WITH_SOFTWARE_PRNG, AES ECB SHA256)) 53 54ifeq ($(CFG_CRYPTO_WITH_CE),y) 55 56$(call force,CFG_AES_GCM_TABLE_BASED,n,conflicts with CFG_CRYPTO_WITH_CE) 57 58# CFG_HWSUPP_PMULT_64 defines whether the CPU supports polynomial multiplies 59# of 64-bit values (Aarch64: PMULL/PMULL2 with the 1Q specifier; Aarch32: 60# VMULL.P64). These operations are part of the Cryptographic Extensions, so 61# assume they are implicitly contained in CFG_CRYPTO_WITH_CE=y. 62CFG_HWSUPP_PMULT_64 ?= y 63 64ifeq ($(CFG_ARM32_core),y) 65CFG_CRYPTO_AES_ARM32_CE ?= $(CFG_CRYPTO_AES) 66CFG_CRYPTO_SHA1_ARM32_CE ?= $(CFG_CRYPTO_SHA1) 67CFG_CRYPTO_SHA256_ARM32_CE ?= $(CFG_CRYPTO_SHA256) 68endif 69 70ifeq ($(CFG_ARM64_core),y) 71CFG_CRYPTO_AES_ARM64_CE ?= $(CFG_CRYPTO_AES) 72CFG_CRYPTO_SHA1_ARM64_CE ?= $(CFG_CRYPTO_SHA1) 73CFG_CRYPTO_SHA256_ARM64_CE ?= $(CFG_CRYPTO_SHA256) 74endif 75 76else #CFG_CRYPTO_WITH_CE 77 78CFG_AES_GCM_TABLE_BASED ?= y 79 80endif #!CFG_CRYPTO_WITH_CE 81 82 83# Cryptographic extensions can only be used safely when OP-TEE knows how to 84# preserve the VFP context 85ifeq ($(CFG_CRYPTO_SHA256_ARM32_CE),y) 86$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM32_CE) 87endif 88ifeq ($(CFG_CRYPTO_SHA256_ARM64_CE),y) 89$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM64_CE) 90endif 91ifeq ($(CFG_CRYPTO_SHA1_ARM32_CE),y) 92$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM32_CE) 93endif 94ifeq ($(CFG_CRYPTO_SHA1_ARM64_CE),y) 95$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM64_CE) 96endif 97ifeq ($(CFG_CRYPTO_AES_ARM64_CE),y) 98$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_AES_ARM64_CE) 99endif 100 101cryp-enable-all-depends = $(call cfg-enable-all-depends,$(strip $(1)),$(foreach v,$(2),CFG_CRYPTO_$(v))) 102$(eval $(call cryp-enable-all-depends,CFG_REE_FS, AES ECB CTR HMAC SHA256 GCM)) 103$(eval $(call cryp-enable-all-depends,CFG_RPMB_FS, AES ECB CTR HMAC SHA256 GCM)) 104 105# Dependency checks: warn and disable some features if dependencies are not met 106 107cryp-dep-one = $(call cfg-depends-one,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2)))) 108cryp-dep-all = $(call cfg-depends-all,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2)))) 109 110$(eval $(call cryp-dep-one, ECB, AES DES)) 111$(eval $(call cryp-dep-one, CBC, AES DES)) 112$(eval $(call cryp-dep-one, CTR, AES)) 113# CTS is implemented with ECB and CBC 114$(eval $(call cryp-dep-all, CTS, AES ECB CBC)) 115$(eval $(call cryp-dep-one, XTS, AES)) 116$(eval $(call cryp-dep-one, HMAC, AES DES)) 117$(eval $(call cryp-dep-one, HMAC, MD5 SHA1 SHA224 SHA256 SHA384 SHA512)) 118$(eval $(call cryp-dep-one, CMAC, AES)) 119$(eval $(call cryp-dep-one, CBC_MAC, AES DES)) 120$(eval $(call cryp-dep-one, CCM, AES)) 121$(eval $(call cryp-dep-one, GCM, AES)) 122# If no AES cipher mode is left, disable AES 123$(eval $(call cryp-dep-one, AES, ECB CBC CTR CTS XTS)) 124# If no DES cipher mode is left, disable DES 125$(eval $(call cryp-dep-one, DES, ECB CBC)) 126 127############################################################### 128# libtomcrypt (LTC) specifics, phase #1 129# LTC is only configured via _CFG_CORE_LTC_ prefixed variables 130# 131# _CFG_CORE_LTC_xxx_DESC means that LTC will only register the 132# descriptor of the algorithm, not provide a 133# crypt_xxx_alloc_ctx() function. 134############################################################### 135 136# If LTC is the cryptolib, pull configuration from CFG_CRYPTO_xxx 137ifeq ($(CFG_CRYPTOLIB_NAME),tomcrypt) 138# dsa_make_params() needs all three SHA-2 algorithms. 139# Disable DSA if any is missing. 140$(eval $(call cryp-dep-all, DSA, SHA256 SHA384 SHA512)) 141 142# Assign _CFG_CORE_LTC_xxx based on CFG_CRYPTO_yyy 143core-ltc-vars = AES DES 144core-ltc-vars += ECB CBC CTR CTS XTS 145core-ltc-vars += MD5 SHA1 SHA224 SHA256 SHA384 SHA512 SHA512_256 146core-ltc-vars += HMAC CMAC CBC_MAC 147core-ltc-vars += CCM 148ifeq ($(CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB),y) 149core-ltc-vars += GCM 150endif 151core-ltc-vars += RSA DSA DH ECC 152core-ltc-vars += AES_ARM64_CE AES_ARM32_CE 153core-ltc-vars += SHA1_ARM32_CE SHA1_ARM64_CE 154core-ltc-vars += SHA256_ARM32_CE SHA256_ARM64_CE 155core-ltc-vars += SIZE_OPTIMIZATION 156# Assigned selected CFG_CRYPTO_xxx as _CFG_CORE_LTC_xxx 157$(foreach v, $(core-ltc-vars), $(eval _CFG_CORE_LTC_$(v) := $(CFG_CRYPTO_$(v)))) 158_CFG_CORE_LTC_MPI := $(CFG_CORE_MBEDTLS_MPI) 159endif 160 161############################################################### 162# libtomcrypt (LTC) specifics, phase #2 163############################################################### 164 165# Assign system variables 166_CFG_CORE_LTC_CE := $(CFG_CRYPTO_WITH_CE) 167_CFG_CORE_LTC_VFP := $(CFG_WITH_VFP) 168_CFG_CORE_LTC_BIGNUM_MAX_BITS := $(CFG_CORE_BIGNUM_MAX_BITS) 169_CFG_CORE_LTC_PAGER := $(CFG_WITH_PAGER) 170_CFG_CORE_LTC_OPTEE_THREAD := $(CFG_LTC_OPTEE_THREAD) 171_CFG_CORE_LTC_HWSUPP_PMULL := $(CFG_HWSUPP_PMULL) 172 173# Assign aggregated variables 174ltc-one-enabled = $(call cfg-one-enabled,$(foreach v,$(1),_CFG_CORE_LTC_$(v))) 175_CFG_CORE_LTC_ACIPHER := $(call ltc-one-enabled, RSA DSA DH ECC) 176_CFG_CORE_LTC_AUTHENC := $(and $(filter y,$(_CFG_CORE_LTC_AES) \ 177 $(_CFG_CORE_LTC_AES_DESC)), \ 178 $(call ltc-one-enabled, CCM GCM)) 179_CFG_CORE_LTC_CIPHER := $(call ltc-one-enabled, AES AES_DESC DES) 180_CFG_CORE_LTC_HASH := $(call ltc-one-enabled, MD5 SHA1 SHA224 SHA256 SHA384 \ 181 SHA512) 182_CFG_CORE_LTC_MAC := $(call ltc-one-enabled, HMAC CMAC CBC_MAC) 183_CFG_CORE_LTC_CBC := $(call ltc-one-enabled, CBC CBC_MAC) 184_CFG_CORE_LTC_ASN1 := $(call ltc-one-enabled, RSA DSA ECC) 185