xref: /optee_os/core/crypto.mk (revision fb7ef469dfeb735e60383ad0e7410fe62dd97eb1) 
1CFG_CRYPTO ?= y
2CFG_CRYPTO_SIZE_OPTIMIZATION ?= y
3
4ifeq (y,$(CFG_CRYPTO))
5
6# Ciphers
7CFG_CRYPTO_AES ?= y
8CFG_CRYPTO_DES ?= y
9
10# Cipher block modes
11CFG_CRYPTO_ECB ?= y
12CFG_CRYPTO_CBC ?= y
13CFG_CRYPTO_CTR ?= y
14CFG_CRYPTO_CTS ?= y
15CFG_CRYPTO_XTS ?= y
16
17# Message authentication codes
18CFG_CRYPTO_HMAC ?= y
19CFG_CRYPTO_CMAC ?= y
20CFG_CRYPTO_CBC_MAC ?= y
21
22# Hashes
23CFG_CRYPTO_MD5 ?= y
24CFG_CRYPTO_SHA1 ?= y
25CFG_CRYPTO_SHA224 ?= y
26CFG_CRYPTO_SHA256 ?= y
27CFG_CRYPTO_SHA384 ?= y
28CFG_CRYPTO_SHA512 ?= y
29
30# Asymmetric ciphers
31CFG_CRYPTO_DSA ?= y
32CFG_CRYPTO_RSA ?= y
33CFG_CRYPTO_DH ?= y
34CFG_CRYPTO_ECC ?= y
35
36# Authenticated encryption
37CFG_CRYPTO_CCM ?= y
38CFG_CRYPTO_GCM ?= y
39# Default uses the OP-TEE internal AES-GCM implementation
40CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB ?= n
41
42endif
43
44ifeq ($(CFG_WITH_PAGER),y)
45ifneq ($(CFG_CRYPTO_SHA256),y)
46$(warning Warning: Enabling CFG_CRYPTO_SHA256 [required by CFG_WITH_PAGER])
47CFG_CRYPTO_SHA256:=y
48endif
49endif
50
51ifeq ($(CFG_CRYPTO_WITH_CE),y)
52
53$(call force,CFG_AES_GCM_TABLE_BASED,n,conflicts with CFG_CRYPTO_WITH_CE)
54
55ifeq ($(CFG_ARM32_core),y)
56CFG_CRYPTO_AES_ARM32_CE ?= $(CFG_CRYPTO_AES)
57CFG_CRYPTO_SHA1_ARM32_CE ?= $(CFG_CRYPTO_SHA1)
58CFG_CRYPTO_SHA256_ARM32_CE ?= $(CFG_CRYPTO_SHA256)
59endif
60
61ifeq ($(CFG_ARM64_core),y)
62CFG_CRYPTO_AES_ARM64_CE ?= $(CFG_CRYPTO_AES)
63CFG_CRYPTO_SHA1_ARM64_CE ?= $(CFG_CRYPTO_SHA1)
64CFG_CRYPTO_SHA256_ARM64_CE ?= $(CFG_CRYPTO_SHA256)
65endif
66
67else #CFG_CRYPTO_WITH_CE
68
69CFG_AES_GCM_TABLE_BASED ?= y
70
71endif #!CFG_CRYPTO_WITH_CE
72
73
74# Cryptographic extensions can only be used safely when OP-TEE knows how to
75# preserve the VFP context
76ifeq ($(CFG_CRYPTO_SHA256_ARM32_CE),y)
77$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM32_CE)
78endif
79ifeq ($(CFG_CRYPTO_SHA256_ARM64_CE),y)
80$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA256_ARM64_CE)
81endif
82ifeq ($(CFG_CRYPTO_SHA1_ARM32_CE),y)
83$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM32_CE)
84endif
85ifeq ($(CFG_CRYPTO_SHA1_ARM64_CE),y)
86$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_SHA1_ARM64_CE)
87endif
88ifeq ($(CFG_CRYPTO_AES_ARM64_CE),y)
89$(call force,CFG_WITH_VFP,y,required by CFG_CRYPTO_AES_ARM64_CE)
90endif
91
92cryp-enable-all-depends = $(call cfg-enable-all-depends,$(strip $(1)),$(foreach v,$(2),CFG_CRYPTO_$(v)))
93$(eval $(call cryp-enable-all-depends,CFG_REE_FS, AES ECB CTR HMAC SHA256 GCM))
94$(eval $(call cryp-enable-all-depends,CFG_RPMB_FS, AES ECB CTR HMAC SHA256 GCM))
95
96# Dependency checks: warn and disable some features if dependencies are not met
97
98cryp-dep-one = $(call cfg-depends-one,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2))))
99cryp-dep-all = $(call cfg-depends-all,CFG_CRYPTO_$(strip $(1)),$(patsubst %, CFG_CRYPTO_%,$(strip $(2))))
100
101$(eval $(call cryp-dep-one, ECB, AES DES))
102$(eval $(call cryp-dep-one, CBC, AES DES))
103$(eval $(call cryp-dep-one, CTR, AES))
104# CTS is implemented with ECB and CBC
105$(eval $(call cryp-dep-all, CTS, AES ECB CBC))
106$(eval $(call cryp-dep-one, XTS, AES))
107$(eval $(call cryp-dep-one, HMAC, AES DES))
108$(eval $(call cryp-dep-one, HMAC, MD5 SHA1 SHA224 SHA256 SHA384 SHA512))
109$(eval $(call cryp-dep-one, CMAC, AES))
110$(eval $(call cryp-dep-one, CBC_MAC, AES DES))
111$(eval $(call cryp-dep-one, CCM, AES))
112$(eval $(call cryp-dep-one, GCM, AES))
113# If no AES cipher mode is left, disable AES
114$(eval $(call cryp-dep-one, AES, ECB CBC CTR CTS XTS))
115# If no DES cipher mode is left, disable DES
116$(eval $(call cryp-dep-one, DES, ECB CBC))
117
118# dsa_make_params() needs all three SHA-2 algorithms.
119# Disable DSA if any is missing.
120$(eval $(call cryp-dep-all, DSA, SHA256 SHA384 SHA512))
121
122cryp-one-enabled = $(call cfg-one-enabled,$(foreach v,$(1),CFG_CRYPTO_$(v)))
123cryp-all-enabled = $(call cfg-all-enabled,$(foreach v,$(1),CFG_CRYPTO_$(v)))
124
125_CFG_CRYPTO_WITH_ACIPHER := $(call cryp-one-enabled, RSA DSA DH ECC)
126_CFG_CRYPTO_WITH_AUTHENC := $(and $(filter y,$(CFG_CRYPTO_AES)), $(call cryp-one-enabled, CCM GCM))
127_CFG_CRYPTO_WITH_CIPHER := $(call cryp-one-enabled, AES DES)
128_CFG_CRYPTO_WITH_HASH := $(call cryp-one-enabled, MD5 SHA1 SHA224 SHA256 SHA384 SHA512)
129_CFG_CRYPTO_WITH_MAC := $(call cryp-one-enabled, HMAC CMAC CBC_MAC)
130_CFG_CRYPTO_WITH_CBC := $(call cryp-one-enabled, CBC CBC_MAC)
131_CFG_CRYPTO_WITH_ASN1 := $(call cryp-one-enabled, RSA DSA ECC)
132_CFG_CRYPTO_WITH_FORTUNA_PRNG := $(call cryp-all-enabled, AES SHA256)
133