1CFG_CRYPTO ?= y 2# Select small code size in the crypto library if applicable (for instance 3# LibTomCrypt has -DLTC_SMALL_CODE) 4# Note: the compiler flag -Os is not set here but by CFG_CC_OPTIMIZE_FOR_SIZE 5CFG_CRYPTO_SIZE_OPTIMIZATION ?= y 6 7ifeq (y,$(CFG_CRYPTO)) 8 9# Ciphers 10CFG_CRYPTO_AES ?= y 11CFG_CRYPTO_DES ?= y 12CFG_CRYPTO_SM4 ?= y 13 14# Cipher block modes 15CFG_CRYPTO_ECB ?= y 16CFG_CRYPTO_CBC ?= y 17CFG_CRYPTO_CTR ?= y 18CFG_CRYPTO_CTS ?= y 19CFG_CRYPTO_XTS ?= y 20 21# Message authentication codes 22CFG_CRYPTO_HMAC ?= y 23CFG_CRYPTO_CMAC ?= y 24CFG_CRYPTO_CBC_MAC ?= y 25 26# Hashes 27CFG_CRYPTO_MD5 ?= y 28CFG_CRYPTO_SHA1 ?= y 29CFG_CRYPTO_SHA224 ?= y 30CFG_CRYPTO_SHA256 ?= y 31CFG_CRYPTO_SHA384 ?= y 32CFG_CRYPTO_SHA512 ?= y 33CFG_CRYPTO_SHA512_256 ?= y 34 35# Asymmetric ciphers 36CFG_CRYPTO_DSA ?= y 37CFG_CRYPTO_RSA ?= y 38CFG_CRYPTO_DH ?= y 39CFG_CRYPTO_ECC ?= y 40 41# Authenticated encryption 42CFG_CRYPTO_CCM ?= y 43CFG_CRYPTO_GCM ?= y 44# Default uses the OP-TEE internal AES-GCM implementation 45CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB ?= n 46 47endif 48 49ifeq ($(CFG_WITH_PAGER),y) 50ifneq ($(CFG_CRYPTO_SHA256),y) 51$(warning Warning: Enabling CFG_CRYPTO_SHA256 [required by CFG_WITH_PAGER]) 52CFG_CRYPTO_SHA256:=y 53endif 54endif 55 56$(eval $(call cryp-enable-all-depends,CFG_WITH_SOFTWARE_PRNG, AES ECB SHA256)) 57 58ifeq ($(CFG_CRYPTO_WITH_CE),y) 59 60$(call force,CFG_AES_GCM_TABLE_BASED,n,conflicts with CFG_CRYPTO_WITH_CE) 61 62# CFG_HWSUPP_PMULT_64 defines whether the CPU supports polynomial multiplies 63# of 64-bit values (Aarch64: PMULL/PMULL2 with the 1Q specifier; Aarch32: 64# VMULL.P64). These operations are part of the Cryptographic Extensions, so 65# assume they are implicitly contained in CFG_CRYPTO_WITH_CE=y. 66CFG_HWSUPP_PMULT_64 ?= y 67 68ifeq ($(CFG_ARM32_core),y) 69CFG_CRYPTO_AES_ARM32_CE ?= $(CFG_CRYPTO_AES) 70CFG_CRYPTO_SHA1_ARM32_CE ?= $(CFG_CRYPTO_SHA1) 71CFG_CRYPTO_SHA256_ARM32_CE ?= $(CFG_CRYPTO_SHA256) 72endif 73 74ifeq ($(CFG_ARM64_core),y) 75CFG_CRYPTO_AES_ARM64_CE ?= $(CFG_CRYPTO_AES) 76CFG_CRYPTO_SHA1_ARM64_CE ?= $(CFG_CRYPTO_SHA1) 77CFG_CRYPTO_SHA256_ARM64_CE ?= $(CFG_CRYPTO_SHA256) 78endif 79 80else #CFG_CRYPTO_WITH_CE 81 82CFG_AES_GCM_TABLE_BASED ?= y 83 84endif #!CFG_CRYPTO_WITH_CE 85 86 87# Cryptographic extensions can only be used safely when OP-TEE knows how to 88# preserve the VFP context 89ifeq ($(CFG_CRYPTO_SHA256_ARM32_CE),y) 90$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM32_CE) 91endif 92ifeq ($(CFG_CRYPTO_SHA256_ARM64_CE),y) 93$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM64_CE) 94endif 95ifeq ($(CFG_CRYPTO_SHA1_ARM32_CE),y) 96$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM32_CE) 97endif 98ifeq ($(CFG_CRYPTO_SHA1_ARM64_CE),y) 99$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM64_CE) 100endif 101ifeq ($(CFG_CRYPTO_AES_ARM64_CE),y) 102$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_AES_ARM64_CE) 103endif 104 105cryp-enable-all-depends = $(call cfg-enable-all-depends,$(strip $(1)),$(foreach v,$(2),CFG_CRYPTO_$(v))) 106$(eval $(call cryp-enable-all-depends,CFG_REE_FS, AES ECB CTR HMAC SHA256 GCM)) 107$(eval $(call cryp-enable-all-depends,CFG_RPMB_FS, AES ECB CTR HMAC SHA256 GCM)) 108 109# Dependency checks: warn and disable some features if dependencies are not met 110 111cryp-dep-one = $(call cfg-depends-one,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2)))) 112cryp-dep-all = $(call cfg-depends-all,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2)))) 113 114$(eval $(call cryp-dep-one, ECB, AES DES)) 115$(eval $(call cryp-dep-one, CBC, AES DES)) 116$(eval $(call cryp-dep-one, CTR, AES)) 117# CTS is implemented with ECB and CBC 118$(eval $(call cryp-dep-all, CTS, AES ECB CBC)) 119$(eval $(call cryp-dep-one, XTS, AES)) 120$(eval $(call cryp-dep-one, HMAC, AES DES)) 121$(eval $(call cryp-dep-one, HMAC, MD5 SHA1 SHA224 SHA256 SHA384 SHA512)) 122$(eval $(call cryp-dep-one, CMAC, AES)) 123$(eval $(call cryp-dep-one, CBC_MAC, AES DES)) 124$(eval $(call cryp-dep-one, CCM, AES)) 125$(eval $(call cryp-dep-one, GCM, AES)) 126# If no AES cipher mode is left, disable AES 127$(eval $(call cryp-dep-one, AES, ECB CBC CTR CTS XTS)) 128# If no DES cipher mode is left, disable DES 129$(eval $(call cryp-dep-one, DES, ECB CBC)) 130 131############################################################### 132# libtomcrypt (LTC) specifics, phase #1 133# LTC is only configured via _CFG_CORE_LTC_ prefixed variables 134# 135# _CFG_CORE_LTC_xxx_DESC means that LTC will only register the 136# descriptor of the algorithm, not provide a 137# crypt_xxx_alloc_ctx() function. 138############################################################### 139 140# If LTC is the cryptolib, pull configuration from CFG_CRYPTO_xxx 141ifeq ($(CFG_CRYPTOLIB_NAME),tomcrypt) 142# dsa_make_params() needs all three SHA-2 algorithms. 143# Disable DSA if any is missing. 144$(eval $(call cryp-dep-all, DSA, SHA256 SHA384 SHA512)) 145 146# Assign _CFG_CORE_LTC_xxx based on CFG_CRYPTO_yyy 147core-ltc-vars = AES DES 148core-ltc-vars += ECB CBC CTR CTS XTS 149core-ltc-vars += MD5 SHA1 SHA224 SHA256 SHA384 SHA512 SHA512_256 150core-ltc-vars += HMAC CMAC CBC_MAC 151core-ltc-vars += CCM 152ifeq ($(CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB),y) 153core-ltc-vars += GCM 154endif 155core-ltc-vars += RSA DSA DH ECC 156core-ltc-vars += AES_ARM64_CE AES_ARM32_CE 157core-ltc-vars += SHA1_ARM32_CE SHA1_ARM64_CE 158core-ltc-vars += SHA256_ARM32_CE SHA256_ARM64_CE 159core-ltc-vars += SIZE_OPTIMIZATION 160# Assigned selected CFG_CRYPTO_xxx as _CFG_CORE_LTC_xxx 161$(foreach v, $(core-ltc-vars), $(eval _CFG_CORE_LTC_$(v) := $(CFG_CRYPTO_$(v)))) 162_CFG_CORE_LTC_MPI := $(CFG_CORE_MBEDTLS_MPI) 163endif 164 165############################################################### 166# mbedtls specifics 167############################################################### 168 169ifeq ($(CFG_CRYPTOLIB_NAME),mbedtls) 170# mbedtls has to be complemented with some algorithms by LTC 171# Specify the algorithms here 172_CFG_CORE_LTC_DSA := $(CFG_CRYPTO_DSA) 173_CFG_CORE_LTC_MPI := $(CFG_CRYPTO_DSA) 174_CFG_CORE_LTC_SHA256_DESC := $(CFG_CRYPTO_DSA) 175_CFG_CORE_LTC_SHA384_DESC := $(CFG_CRYPTO_DSA) 176_CFG_CORE_LTC_SHA512_DESC := $(CFG_CRYPTO_DSA) 177_CFG_CORE_LTC_XTS := $(CFG_CRYPTO_XTS) 178_CFG_CORE_LTC_CCM := $(CFG_CRYPTO_CCM) 179_CFG_CORE_LTC_AES_DESC := $(call cfg-one-enabled, CFG_CRYPTO_XTS CFG_CRYPTO_CCM) 180endif 181 182############################################################### 183# libtomcrypt (LTC) specifics, phase #2 184############################################################### 185 186# Assign system variables 187_CFG_CORE_LTC_CE := $(CFG_CRYPTO_WITH_CE) 188_CFG_CORE_LTC_VFP := $(CFG_WITH_VFP) 189_CFG_CORE_LTC_BIGNUM_MAX_BITS := $(CFG_CORE_BIGNUM_MAX_BITS) 190_CFG_CORE_LTC_PAGER := $(CFG_WITH_PAGER) 191_CFG_CORE_LTC_OPTEE_THREAD := $(CFG_LTC_OPTEE_THREAD) 192_CFG_CORE_LTC_HWSUPP_PMULL := $(CFG_HWSUPP_PMULL) 193 194# Assign aggregated variables 195ltc-one-enabled = $(call cfg-one-enabled,$(foreach v,$(1),_CFG_CORE_LTC_$(v))) 196_CFG_CORE_LTC_ACIPHER := $(call ltc-one-enabled, RSA DSA DH ECC) 197_CFG_CORE_LTC_AUTHENC := $(and $(filter y,$(_CFG_CORE_LTC_AES) \ 198 $(_CFG_CORE_LTC_AES_DESC)), \ 199 $(filter y,$(call ltc-one-enabled, CCM GCM))) 200_CFG_CORE_LTC_CIPHER := $(call ltc-one-enabled, AES AES_DESC DES) 201_CFG_CORE_LTC_HASH := $(call ltc-one-enabled, MD5 SHA1 SHA224 SHA256 SHA384 \ 202 SHA512) 203_CFG_CORE_LTC_MAC := $(call ltc-one-enabled, HMAC CMAC CBC_MAC) 204_CFG_CORE_LTC_CBC := $(call ltc-one-enabled, CBC CBC_MAC) 205_CFG_CORE_LTC_ASN1 := $(call ltc-one-enabled, RSA DSA ECC) 206