Diffstat (limited to 'include/drivers/auth')
-rw-r--r--include/drivers/auth/auth_common.h120
-rw-r--r--include/drivers/auth/auth_mod.h91
-rw-r--r--include/drivers/auth/crypto_mod.h136
-rw-r--r--include/drivers/auth/img_parser_mod.h64
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_common.h12
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_config-2.h152
-rw-r--r--include/drivers/auth/mbedtls/mbedtls_config-3.h157
-rw-r--r--include/drivers/auth/mbedtls/psa_mbedtls_config.h28
-rw-r--r--include/drivers/auth/tbbr_cot_common.h30
9 files changed, 790 insertions, 0 deletions
diff --git a/include/drivers/auth/auth_common.h b/include/drivers/auth/auth_common.h
new file mode 100644
index 0000000..e6859fd
--- /dev/null
+++ b/include/drivers/auth/auth_common.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef AUTH_COMMON_H
+#define AUTH_COMMON_H
+
+/*
+ * Authentication framework common types
+ */
+
+/*
+ * Type of parameters that can be extracted from an image and
+ * used for authentication
+ */
+typedef enum auth_param_type_enum {
+ AUTH_PARAM_NONE,
+ AUTH_PARAM_RAW_DATA, /* Raw image data */
+ AUTH_PARAM_SIG, /* The image signature */
+ AUTH_PARAM_SIG_ALG, /* The image signature algorithm */
+ AUTH_PARAM_HASH, /* A hash (including the algorithm) */
+ AUTH_PARAM_PUB_KEY, /* A public key */
+ AUTH_PARAM_NV_CTR, /* A non-volatile counter */
+} auth_param_type_t;
+
+/*
+ * Defines an authentication parameter. The cookie will be interpreted by the
+ * image parser module.
+ */
+typedef struct auth_param_type_desc_s {
+ auth_param_type_t type;
+ void *cookie;
+} auth_param_type_desc_t;
+
+/*
+ * Store a pointer to the authentication parameter and its length
+ */
+typedef struct auth_param_data_desc_s {
+ void *ptr;
+ unsigned int len;
+} auth_param_data_desc_t;
+
+/*
+ * Authentication parameter descriptor, including type and value
+ */
+typedef struct auth_param_desc_s {
+ auth_param_type_desc_t *type_desc;
+ auth_param_data_desc_t data;
+} auth_param_desc_t;
+
+/*
+ * The method type defines how an image is authenticated
+ */
+typedef enum auth_method_type_enum {
+ AUTH_METHOD_NONE = 0,
+ AUTH_METHOD_HASH, /* Authenticate by hash matching */
+ AUTH_METHOD_SIG, /* Authenticate by PK operation */
+ AUTH_METHOD_NV_CTR, /* Authenticate by Non-Volatile Counter */
+ AUTH_METHOD_NUM /* Number of methods */
+} auth_method_type_t;
+
+/*
+ * Parameters for authentication by hash matching
+ */
+typedef struct auth_method_param_hash_s {
+ auth_param_type_desc_t *data; /* Data to hash */
+ auth_param_type_desc_t *hash; /* Hash to match with */
+} auth_method_param_hash_t;
+
+/*
+ * Parameters for authentication by signature
+ */
+typedef struct auth_method_param_sig_s {
+ auth_param_type_desc_t *pk; /* Public key */
+ auth_param_type_desc_t *sig; /* Signature to check */
+ auth_param_type_desc_t *alg; /* Signature algorithm */
+ auth_param_type_desc_t *data; /* Data signed */
+} auth_method_param_sig_t;
+
+/*
+ * Parameters for authentication by NV counter
+ */
+typedef struct auth_method_param_nv_ctr_s {
+ auth_param_type_desc_t *cert_nv_ctr; /* NV counter in certificate */
+ auth_param_type_desc_t *plat_nv_ctr; /* NV counter in platform */
+} auth_method_param_nv_ctr_t;
+
+/*
+ * Authentication method descriptor
+ */
+typedef struct auth_method_desc_s {
+ auth_method_type_t type;
+ union {
+ auth_method_param_hash_t hash;
+ auth_method_param_sig_t sig;
+ auth_method_param_nv_ctr_t nv_ctr;
+ } param;
+} auth_method_desc_t;
+
+/*
+ * Helper macro to define an authentication parameter type descriptor
+ */
+#define AUTH_PARAM_TYPE_DESC(_type, _cookie) \
+ { \
+ .type = _type, \
+ .cookie = (void *)_cookie \
+ }
+
+/*
+ * Helper macro to define an authentication parameter data descriptor
+ */
+#define AUTH_PARAM_DATA_DESC(_ptr, _len) \
+ { \
+ .ptr = (void *)_ptr, \
+ .len = (unsigned int)_len \
+ }
+
+#endif /* AUTH_COMMON_H */
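Review bot: The arguments of AUTH_PARAM_TYPE_DESC and AUTH_PARAM_DATA_DESC are cast without parentheses, so `(void *)_cookie` applies the cast to only the first operand when the argument is an expression; write them as `.cookie = (void *)(_cookie)`, `.ptr = (void *)(_ptr)` and `.len = (unsigned int)(_len)`. The `(unsigned int)_len` cast also silently narrows a `size_t` length, which the comment above auth_param_data_desc_t should state, since crypto_mod's auth_decrypt callback takes its length as `size_t`. A one-line note on auth_method_desc_t that `type` selects the active member of the `param` union would help readers of the CoT tables.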
diff --git a/include/drivers/auth/auth_mod.h b/include/drivers/auth/auth_mod.h
new file mode 100644
index 0000000..28aa407
--- /dev/null
+++ b/include/drivers/auth/auth_mod.h
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2015-2023, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef AUTH_MOD_H
+#define AUTH_MOD_H
+
+#include <common/tbbr/tbbr_img_def.h>
+#include <drivers/auth/auth_common.h>
+#include <drivers/auth/img_parser_mod.h>
+
+#include <lib/utils_def.h>
+
+/*
+ * Image flags
+ */
+#define IMG_FLAG_AUTHENTICATED (1 << 0)
+
+#if COT_DESC_IN_DTB && !IMAGE_BL1
+/*
+ * Authentication image descriptor
+ */
+typedef struct auth_img_desc_s {
+ unsigned int img_id;
+ img_type_t img_type;
+ const struct auth_img_desc_s *parent;
+ auth_method_desc_t *img_auth_methods;
+ auth_param_desc_t *authenticated_data;
+} auth_img_desc_t;
+#else
+/*
+ * Authentication image descriptor
+ */
+typedef struct auth_img_desc_s {
+ unsigned int img_id;
+ img_type_t img_type;
+ const struct auth_img_desc_s *parent;
+ const auth_method_desc_t *const img_auth_methods;
+ const auth_param_desc_t *const authenticated_data;
+} auth_img_desc_t;
+#endif /* COT_DESC_IN_DTB && !IMAGE_BL1 */
+
+/* Public functions */
+#if TRUSTED_BOARD_BOOT
+void auth_mod_init(void);
+#else
+static inline void auth_mod_init(void)
+{
+}
+#endif /* TRUSTED_BOARD_BOOT */
+int auth_mod_get_parent_id(unsigned int img_id, unsigned int *parent_id);
+int auth_mod_verify_img(unsigned int img_id,
+ void *img_ptr,
+ unsigned int img_len);
+
+/* Macro to register a CoT defined as an array of auth_img_desc_t pointers */
+#define REGISTER_COT(_cot) \
+ const auth_img_desc_t *const *const cot_desc_ptr = (_cot); \
+ const size_t cot_desc_size = ARRAY_SIZE(_cot); \
+ unsigned int auth_img_flags[MAX_NUMBER_IDS]
+
+extern const auth_img_desc_t *const *const cot_desc_ptr;
+extern const size_t cot_desc_size;
+extern unsigned int auth_img_flags[MAX_NUMBER_IDS];
+
+#if defined(SPD_spmd)
+
+#define DEFINE_SIP_SP_PKG(n) DEFINE_SP_PKG(n, sip_sp_content_cert)
+#define DEFINE_PLAT_SP_PKG(n) DEFINE_SP_PKG(n, plat_sp_content_cert)
+
+#define DEFINE_SP_PKG(n, cert) \
+ static const auth_img_desc_t sp_pkg##n = { \
+ .img_id = SP_PKG##n##_ID, \
+ .img_type = IMG_RAW, \
+ .parent = &cert, \
+ .img_auth_methods = (const auth_method_desc_t[AUTH_METHOD_NUM]) { \
+ [0] = { \
+ .type = AUTH_METHOD_HASH, \
+ .param.hash = { \
+ .data = &raw_data, \
+ .hash = &sp_pkg##n##_hash \
+ } \
+ } \
+ } \
+ }
+
+#endif
+
+#endif /* AUTH_MOD_H */
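Review bot: DEFINE_SP_PKG expands to references to `raw_data` and `sp_pkg<n>_hash` that this header neither declares nor includes, so the macro only compiles at a site that has already pulled in tbbr_cot_common.h or declared them itself; add above it `/* Requires raw_data and sp_pkg<n>_hash (auth_param_type_desc_t) to be declared at the expansion site. */`. The two auth_img_desc_s definitions differ only in constness, and the non-const variant selected by COT_DESC_IN_DTB makes the chain-of-trust tables writable at run time; the comment should say that this is needed because the descriptors are populated from the DTB, and that the tables are otherwise kept `const` so they can live in read-only data (presumably the intent — confirm). `auth_mod_verify_img` would also benefit from a line stating what its return value means and that `img_ptr` must point at the already-loaded image.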
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h
new file mode 100644
index 0000000..bec19da
--- /dev/null
+++ b/include/drivers/auth/crypto_mod.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CRYPTO_MOD_H
+#define CRYPTO_MOD_H
+
+#define CRYPTO_AUTH_VERIFY_ONLY 1
+#define CRYPTO_HASH_CALC_ONLY 2
+#define CRYPTO_AUTH_VERIFY_AND_HASH_CALC 3
+
+/* Return values */
+enum crypto_ret_value {
+ CRYPTO_SUCCESS = 0,
+ CRYPTO_ERR_INIT,
+ CRYPTO_ERR_HASH,
+ CRYPTO_ERR_SIGNATURE,
+ CRYPTO_ERR_DECRYPTION,
+ CRYPTO_ERR_UNKNOWN
+};
+
+#define CRYPTO_MAX_IV_SIZE 16U
+#define CRYPTO_MAX_TAG_SIZE 16U
+
+/* Decryption algorithm */
+enum crypto_dec_algo {
+ CRYPTO_GCM_DECRYPT = 0
+};
+
+/* Message digest algorithm */
+enum crypto_md_algo {
+ CRYPTO_MD_SHA256,
+ CRYPTO_MD_SHA384,
+ CRYPTO_MD_SHA512,
+};
+
+/* Maximum size as per the known stronger hash algorithm i.e.SHA512 */
+#define CRYPTO_MD_MAX_SIZE 64U
+
+/*
+ * Cryptographic library descriptor
+ */
+typedef struct crypto_lib_desc_s {
+ const char *name;
+
+ /* Initialize library. This function is not expected to fail. All errors
+ * must be handled inside the function, asserting or panicking in case of
+ * a non-recoverable error */
+ void (*init)(void);
+
+ /* Verify a digital signature. Return one of the
+ * 'enum crypto_ret_value' options */
+ int (*verify_signature)(void *data_ptr, unsigned int data_len,
+ void *sig_ptr, unsigned int sig_len,
+ void *sig_alg, unsigned int sig_alg_len,
+ void *pk_ptr, unsigned int pk_len);
+
+ /* Verify a hash. Return one of the 'enum crypto_ret_value' options */
+ int (*verify_hash)(void *data_ptr, unsigned int data_len,
+ void *digest_info_ptr, unsigned int digest_info_len);
+
+ /* Calculate a hash. Return hash value */
+ int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE]);
+
+ /* Convert Public key (optional) */
+ int (*convert_pk)(void *full_pk_ptr, unsigned int full_pk_len,
+ void **hashed_pk_ptr, unsigned int *hashed_pk_len);
+
+ /*
+ * Authenticated decryption. Return one of the
+ * 'enum crypto_ret_value' options.
+ */
+ int (*auth_decrypt)(enum crypto_dec_algo dec_algo, void *data_ptr,
+ size_t len, const void *key, unsigned int key_len,
+ unsigned int key_flags, const void *iv,
+ unsigned int iv_len, const void *tag,
+ unsigned int tag_len);
+} crypto_lib_desc_t;
+
+/* Public functions */
+#if CRYPTO_SUPPORT
+void crypto_mod_init(void);
+#else
+static inline void crypto_mod_init(void)
+{
+}
+#endif /* CRYPTO_SUPPORT */
+
+#if (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY) || \
+ (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC)
+int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len,
+ void *sig_ptr, unsigned int sig_len,
+ void *sig_alg_ptr, unsigned int sig_alg_len,
+ void *pk_ptr, unsigned int pk_len);
+int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len,
+ void *digest_info_ptr, unsigned int digest_info_len);
+#endif /* (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY) || \
+ (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) */
+
+int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr,
+ size_t len, const void *key, unsigned int key_len,
+ unsigned int key_flags, const void *iv,
+ unsigned int iv_len, const void *tag,
+ unsigned int tag_len);
+
+#if (CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY) || \
+ (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC)
+int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr,
+ unsigned int data_len,
+ unsigned char output[CRYPTO_MD_MAX_SIZE]);
+#endif /* (CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY) || \
+ (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) */
+
+int crypto_mod_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
+ void **hashed_pk_ptr, unsigned int *hashed_pk_len);
+
+/* Macro to register a cryptographic library */
+#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \
+ _calc_hash, _auth_decrypt, _convert_pk) \
+ const crypto_lib_desc_t crypto_lib_desc = { \
+ .name = _name, \
+ .init = _init, \
+ .verify_signature = _verify_signature, \
+ .verify_hash = _verify_hash, \
+ .calc_hash = _calc_hash, \
+ .auth_decrypt = _auth_decrypt, \
+ .convert_pk = _convert_pk \
+ }
+
+extern const crypto_lib_desc_t crypto_lib_desc;
+
+#endif /* CRYPTO_MOD_H */
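Review bot: The comment on `calc_hash` reads `/* Calculate a hash. Return hash value */`, but the callback returns `int` like its siblings and writes the digest into `output`; change it to `/* Calculate a hash of data_ptr into output. Return one of the 'enum crypto_ret_value' options */` (the status convention is inferred from the neighbouring callbacks — confirm against the backend). `convert_pk` is marked "(optional)" without saying whether the descriptor field may be NULL or whether the backend may return an error, which matters because crypto_mod_convert_pk is declared unconditionally. `auth_decrypt` takes `size_t len` while every other callback takes `unsigned int`, and `key_flags` has no documented meaning; both deserve a comment or alignment. CRYPTO_MAX_IV_SIZE and CRYPTO_MAX_TAG_SIZE sit next to the GCM-only `crypto_dec_algo` and could say that they bound the GCM IV and tag.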
diff --git a/include/drivers/auth/img_parser_mod.h b/include/drivers/auth/img_parser_mod.h
new file mode 100644
index 0000000..b2fb60e
--- /dev/null
+++ b/include/drivers/auth/img_parser_mod.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2015-2018, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef IMG_PARSER_MOD_H
+#define IMG_PARSER_MOD_H
+
+#include <drivers/auth/auth_common.h>
+
+/*
+ * Return values
+ */
+enum img_parser_ret_value {
+ IMG_PARSER_OK,
+ IMG_PARSER_ERR, /* Parser internal error */
+ IMG_PARSER_ERR_FORMAT, /* Malformed image */
+ IMG_PARSER_ERR_NOT_FOUND /* Authentication data not found */
+};
+
+/*
+ * Image types. A parser should be instantiated and registered for each type
+ */
+typedef enum img_type_enum {
+ IMG_RAW, /* Binary image */
+ IMG_PLAT, /* Platform specific format */
+ IMG_CERT, /* X509v3 certificate */
+ IMG_MAX_TYPES,
+} img_type_t;
+
+/* Image parser library structure */
+typedef struct img_parser_lib_desc_s {
+ img_type_t img_type;
+ const char *name;
+
+ void (*init)(void);
+ int (*check_integrity)(void *img, unsigned int img_len);
+ int (*get_auth_param)(const auth_param_type_desc_t *type_desc,
+ void *img, unsigned int img_len,
+ void **param, unsigned int *param_len);
+} img_parser_lib_desc_t;
+
+/* Exported functions */
+void img_parser_init(void);
+int img_parser_check_integrity(img_type_t img_type,
+ void *img_ptr, unsigned int img_len);
+int img_parser_get_auth_param(img_type_t img_type,
+ const auth_param_type_desc_t *type_desc,
+ void *img_ptr, unsigned int img_len,
+ void **param_ptr, unsigned int *param_len);
+
+/* Macro to register an image parser library */
+#define REGISTER_IMG_PARSER_LIB(_type, _name, _init, _check_int, _get_param) \
+ static const img_parser_lib_desc_t __img_parser_lib_desc_##_type \
+ __section(".img_parser_lib_descs") __used = { \
+ .img_type = _type, \
+ .name = _name, \
+ .init = _init, \
+ .check_integrity = _check_int, \
+ .get_auth_param = _get_param \
+ }
+
+#endif /* IMG_PARSER_MOD_H */
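Review bot: REGISTER_IMG_PARSER_LIB names the descriptor `__img_parser_lib_desc_##_type`, an identifier beginning with a double underscore, which C reserves for the implementation; a project prefix such as `img_parser_lib_desc_##_type` avoids the clash (the macro also relies on `__section` and `__used` coming from a header this file does not include). Unlike crypto_lib_desc_t, the callbacks here carry no contract comments; add `/* Return one of the 'enum img_parser_ret_value' options */` on check_integrity and get_auth_param, and say whether get_auth_param hands back a pointer into `img` rather than a copy (suggested by the `void **param` out-parameter — confirm). Since the parser receives untrusted image bytes together with a separate length, a comment stating that check_integrity is the bounds-validation step expected to precede get_auth_param would help — confirm that is the intended ordering.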
diff --git a/include/drivers/auth/mbedtls/mbedtls_common.h b/include/drivers/auth/mbedtls/mbedtls_common.h
new file mode 100644
index 0000000..a9c2352
--- /dev/null
+++ b/include/drivers/auth/mbedtls/mbedtls_common.h
@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef MBEDTLS_COMMON_H
+#define MBEDTLS_COMMON_H
+
+void mbedtls_init(void);
+
+#endif /* MBEDTLS_COMMON_H */
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-2.h b/include/drivers/auth/mbedtls/mbedtls_config-2.h
new file mode 100644
index 0000000..01e261a
--- /dev/null
+++ b/include/drivers/auth/mbedtls/mbedtls_config-2.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2015-2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/*
+ * Key algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_RSA 1
+#define TF_MBEDTLS_ECDSA 2
+#define TF_MBEDTLS_RSA_AND_ECDSA 3
+
+#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+
+/*
+ * Hash algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_SHA256 1
+#define TF_MBEDTLS_SHA384 2
+#define TF_MBEDTLS_SHA512 3
+
+/*
+ * Configuration file to build mbed TLS with the required features for
+ * Trusted Boot
+ */
+
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+
+#define MBEDTLS_PKCS1_V21
+
+#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_MD_C
+
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_OID_C
+
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+
+#define MBEDTLS_PLATFORM_C
+
+#if TF_MBEDTLS_USE_ECDSA
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_NO_INTERNAL_RNG
+#endif
+#if TF_MBEDTLS_USE_RSA
+#define MBEDTLS_RSA_C
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+
+#define MBEDTLS_SHA256_C
+
+/*
+ * If either Trusted Boot or Measured Boot require a stronger algorithm than
+ * SHA-256, pull in SHA-512 support.
+ */
+#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
+#define MBEDTLS_SHA512_C
+#else
+ /* TBB uses SHA-256, what about measured boot? */
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
+#define MBEDTLS_SHA512_C
+#endif
+#endif
+
+#define MBEDTLS_VERSION_C
+
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+
+#if TF_MBEDTLS_USE_AES_GCM
+#define MBEDTLS_AES_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_GCM_C
+#endif
+
+/* MPI / BIGNUM options */
+#define MBEDTLS_MPI_WINDOW_SIZE 2
+
+#if TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define MBEDTLS_MPI_MAX_SIZE 256
+#else
+#define MBEDTLS_MPI_MAX_SIZE 512
+#endif
+#else
+#define MBEDTLS_MPI_MAX_SIZE 256
+#endif
+
+/* Memory buffer allocator options */
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
+
+/*
+ * Prevent the use of 128-bit division which
+ * creates dependency on external libraries.
+ */
+#define MBEDTLS_NO_UDBL_DIVISION
+
+#ifndef __ASSEMBLER__
+/* System headers required to build mbed TLS with the current configuration */
+#include <stdlib.h>
+#include <mbedtls/check_config.h>
+#endif
+
+/*
+ * Determine Mbed TLS heap size
+ * 13312 = 13*1024
+ * 11264 = 11*1024
+ * 7168 = 7*1024
+ */
+#if TF_MBEDTLS_USE_ECDSA
+#define TF_MBEDTLS_HEAP_SIZE U(13312)
+#elif TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define TF_MBEDTLS_HEAP_SIZE U(7168)
+#else
+#define TF_MBEDTLS_HEAP_SIZE U(11264)
+#endif
+#endif
+
+/*
+ * Warn if errors from certain functions are ignored.
+ *
+ * The warnings are always enabled (where supported) for critical functions
+ * where ignoring the return value is almost always a bug. This macro extends
+ * the warnings to more functions.
+ */
+#define MBEDTLS_CHECK_RETURN_WARNING
+
+#endif /* MBEDTLS_CONFIG_H */
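Review bot: The TF_MBEDTLS_HEAP_SIZE selection at the end of the file has no `#else` branch, so a TF_MBEDTLS_KEY_ALG_ID value that enables neither ECDSA nor RSA leaves the macro undefined and the failure surfaces later as an unrelated compile error; add `#else` / `#error "Unsupported TF_MBEDTLS_KEY_ALG_ID"` / `#endif` there (mbedtls_config-3.h has the same block). `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` relaxes RFC 5280's rule that a certificate carrying an unrecognised critical extension must be rejected, so a why-comment is warranted, e.g. `/* TBBR certificates carry custom critical extensions the X.509 parser does not know; the image parser interprets them itself. */` (the presumable reason — confirm). Likewise `MBEDTLS_ECP_NO_INTERNAL_RNG` should say it is acceptable only because this build verifies signatures over public inputs, so the side-channel countermeasures that RNG feeds are not needed here — confirm.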
diff --git a/include/drivers/auth/mbedtls/mbedtls_config-3.h b/include/drivers/auth/mbedtls/mbedtls_config-3.h
new file mode 100644
index 0000000..923fc54
--- /dev/null
+++ b/include/drivers/auth/mbedtls/mbedtls_config-3.h
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2023, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+
+/*
+ * Key algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_RSA 1
+#define TF_MBEDTLS_ECDSA 2
+#define TF_MBEDTLS_RSA_AND_ECDSA 3
+
+#define TF_MBEDTLS_USE_RSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+#define TF_MBEDTLS_USE_ECDSA (TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_ECDSA \
+ || TF_MBEDTLS_KEY_ALG_ID == TF_MBEDTLS_RSA_AND_ECDSA)
+
+/*
+ * Hash algorithms currently supported on mbed TLS libraries
+ */
+#define TF_MBEDTLS_SHA256 1
+#define TF_MBEDTLS_SHA384 2
+#define TF_MBEDTLS_SHA512 3
+
+/*
+ * Configuration file to build mbed TLS with the required features for
+ * Trusted Boot
+ */
+
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+/* Prevent mbed TLS from using snprintf so that it can use tf_snprintf. */
+#define MBEDTLS_PLATFORM_SNPRINTF_ALT
+
+#define MBEDTLS_PKCS1_V21
+
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
+
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_MD_C
+
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_OID_C
+
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+
+#define MBEDTLS_PLATFORM_C
+
+#if TF_MBEDTLS_USE_ECDSA
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#if TF_MBEDTLS_KEY_SIZE == 384
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#else
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#endif
+#if TF_MBEDTLS_USE_RSA
+#define MBEDTLS_RSA_C
+#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
+#endif
+
+/* The library does not currently support enabling SHA-256 without SHA-224. */
+#define MBEDTLS_SHA224_C
+#define MBEDTLS_SHA256_C
+/*
+ * If either Trusted Boot or Measured Boot require a stronger algorithm than
+ * SHA-256, pull in SHA-512 support. Library currently needs to have SHA_384
+ * support when enabling SHA-512.
+ */
+#if (TF_MBEDTLS_HASH_ALG_ID != TF_MBEDTLS_SHA256) /* TBB hash algo */
+#define MBEDTLS_SHA384_C
+#define MBEDTLS_SHA512_C
+#else
+ /* TBB uses SHA-256, what about measured boot? */
+#if defined(TF_MBEDTLS_MBOOT_USE_SHA512)
+#define MBEDTLS_SHA384_C
+#define MBEDTLS_SHA512_C
+#endif
+#endif
+
+#define MBEDTLS_VERSION_C
+
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+
+#if TF_MBEDTLS_USE_AES_GCM
+#define MBEDTLS_AES_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_GCM_C
+#endif
+
+/* MPI / BIGNUM options */
+#define MBEDTLS_MPI_WINDOW_SIZE 2
+
+#if TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define MBEDTLS_MPI_MAX_SIZE 256
+#else
+#define MBEDTLS_MPI_MAX_SIZE 512
+#endif
+#else
+#define MBEDTLS_MPI_MAX_SIZE 256
+#endif
+
+/* Memory buffer allocator options */
+#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 8
+
+/*
+ * Prevent the use of 128-bit division which
+ * creates dependency on external libraries.
+ */
+#define MBEDTLS_NO_UDBL_DIVISION
+
+#ifndef __ASSEMBLER__
+/* System headers required to build mbed TLS with the current configuration */
+#include <stdlib.h>
+#include <mbedtls/check_config.h>
+#endif
+
+/*
+ * Determine Mbed TLS heap size
+ * 13312 = 13*1024
+ * 11264 = 11*1024
+ * 7168 = 7*1024
+ */
+#if TF_MBEDTLS_USE_ECDSA
+#define TF_MBEDTLS_HEAP_SIZE U(13312)
+#elif TF_MBEDTLS_USE_RSA
+#if TF_MBEDTLS_KEY_SIZE <= 2048
+#define TF_MBEDTLS_HEAP_SIZE U(7168)
+#else
+#define TF_MBEDTLS_HEAP_SIZE U(11264)
+#endif
+#endif
+
+/*
+ * Warn if errors from certain functions are ignored.
+ *
+ * The warnings are always enabled (where supported) for critical functions
+ * where ignoring the return value is almost always a bug. This macro extends
+ * the warnings to more functions.
+ */
+#define MBEDTLS_CHECK_RETURN_WARNING
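Review bot: This header has no include guard, while its sibling mbedtls_config-2.h wraps everything in `MBEDTLS_CONFIG_H` and psa_mbedtls_config.h includes this file directly; wrap it the same way so a second inclusion does not re-process every `#define` (identical redefinitions are legal, but any later divergence would turn into a hard error). The `#if TF_MBEDTLS_KEY_SIZE == 384` switch enables exactly one curve, so a comment should say that any key size other than 384 falls back to P-256 rather than failing to build.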
diff --git a/include/drivers/auth/mbedtls/psa_mbedtls_config.h b/include/drivers/auth/mbedtls/psa_mbedtls_config.h
new file mode 100644
index 0000000..ad825f0
--- /dev/null
+++ b/include/drivers/auth/mbedtls/psa_mbedtls_config.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2023, Arm Ltd. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PSA_MBEDTLS_CONFIG_H
+#define PSA_MBEDTLS_CONFIG_H
+
+#include "mbedtls_config-3.h"
+
+#define MBEDTLS_PSA_CRYPTO_C
+
+/*
+ * Using PSA crypto API requires an RNG right now. If we don't define the macro
+ * below then we get build errors.
+ *
+ * This is a functionality gap in mbedTLS. The technical limitation is that
+ * psa_crypto_init() is all-or-nothing, and fixing that would require separate
+ * initialization of the keystore, the RNG, etc.
+ *
+ * By defining MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG, we pretend using an external
+ * RNG. As a result, the PSA crypto init code does nothing when it comes to
+ * initializing the RNG, as we are supposed to take care of that ourselves.
+ */
+#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
+
+#endif /* PSA_MBEDTLS_CONFIG_H */
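Review bot: Defining MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG makes the PSA core route every randomness request to `mbedtls_psa_external_get_random()`, which the platform must then supply; the comment explains why the macro is set but not what is actually provided, so add a sentence such as `/* No entropy source is wired up: only operations that draw no randomness (hashing, signature verification) are usable here; the platform is expected to supply mbedtls_psa_external_get_random() — TODO confirm */`. Without that, a future use of a PSA operation that needs randomness would fail at run time rather than being caught at review.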
diff --git a/include/drivers/auth/tbbr_cot_common.h b/include/drivers/auth/tbbr_cot_common.h
new file mode 100644
index 0000000..b4f2d22
--- /dev/null
+++ b/include/drivers/auth/tbbr_cot_common.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020,2023, ARM Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TBBR_COT_COMMON_H
+#define TBBR_COT_COMMON_H
+
+#include <common/tbbr/cot_def.h>
+#include <drivers/auth/auth_mod.h>
+
+extern unsigned char tb_fw_hash_buf[HASH_DER_LEN];
+extern unsigned char scp_fw_hash_buf[HASH_DER_LEN];
+extern unsigned char nt_world_bl_hash_buf[HASH_DER_LEN];
+
+extern auth_param_type_desc_t trusted_nv_ctr;
+extern auth_param_type_desc_t subject_pk;
+extern auth_param_type_desc_t sig;
+extern auth_param_type_desc_t sig_alg;
+extern auth_param_type_desc_t raw_data;
+
+extern auth_param_type_desc_t tb_fw_hash;
+extern auth_param_type_desc_t tb_fw_config_hash;
+extern auth_param_type_desc_t fw_config_hash;
+
+extern const auth_img_desc_t trusted_boot_fw_cert;
+extern const auth_img_desc_t hw_config;
+
+#endif /* TBBR_COT_COMMON_H */
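Review bot: The auth_param_type_desc_t objects exported here (`trusted_nv_ctr`, `subject_pk`, `sig`, `sig_alg`, `raw_data` and the hash descriptors) are declared without `const`, so the chain-of-trust parameter descriptors are writable globals even though the image descriptors below them are `const`. This appears to follow from the `auth_method_param_*` structs in auth_common.h holding non-const `auth_param_type_desc_t *` pointers; either propagate `const` through those structs or add a comment here stating that these objects are treated as immutable after definition. A one-line comment on the `*_hash_buf` arrays saying they hold a DER-encoded digest of HASH_DER_LEN bytes filled in by the CoT code would also help readers (inferred from the names — confirm).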