From 0956439bb70cda852ba13fe6cdf219c55ebcb44c Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@foss.st.com>
Date: Wed, 11 Dec 2024 15:14:45 +0100
Subject: [PATCH 1/2] ta: pkcs11: default disable CFG_PKCS11_TA_RSA_X_509

Disable CFG_PKCS11_TA_RSA_X_509 in pkcs11 TA default configuration
since raw RSA signature (CKM_RSA_X_509) computation and verification
can be unsafe. Target systems willing to embed its support (e.g. for
some TSL v1.2 support) will need to enable it explicitly.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
---
 ta/pkcs11/sub.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ta/pkcs11/sub.mk b/ta/pkcs11/sub.mk
index e9eebac2da1..9ce6b6944fe 100644
--- a/ta/pkcs11/sub.mk
+++ b/ta/pkcs11/sub.mk
@@ -16,7 +16,7 @@ CFG_PKCS11_TA_CHECK_VALUE_ATTRIBUTE ?= y
 # When enabled, embed support for CKM_RSA_X_509 (a.k.a. Raw RSA) ciphering
 # and authentication. The feature can be needed for some TLS v1.2 connections.
 # Raw RSA can be unsafe if client uses a weak clear data padding scheme.
-CFG_PKCS11_TA_RSA_X_509 ?= y
+CFG_PKCS11_TA_RSA_X_509 ?= n
 
 global-incdirs-y += include
 global-incdirs-y += src

From 98328d9e68bccbd1ae8438be6a5e00ea600c689c Mon Sep 17 00:00:00 2001
From: Etienne Carriere <etienne.carriere@foss.st.com>
Date: Wed, 11 Dec 2024 15:19:05 +0100
Subject: [PATCH 2/2] plat-vexpress: conf: default enable
 CFG_PKCS11_TA_RSA_X_509

Default enable PKCS#11 TA config switch CFG_PKCS11_TA_RSA_X_509 to
embed this feature in the TA test environment. Raw RSA is no more
a recommended feature but can be required for some TLS v1.2
feature support. Therefore CFG_PKCS11_TA_RSA_X_509 has been disable
in PKCS#11 TA default configuration but should still be supported
hence we enable it in vexpress platforms that are intended to
test and development environments.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
---
 core/arch/arm/plat-vexpress/conf.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/arch/arm/plat-vexpress/conf.mk b/core/arch/arm/plat-vexpress/conf.mk
index d9fbe14a437..a12a09c45ff 100644
--- a/core/arch/arm/plat-vexpress/conf.mk
+++ b/core/arch/arm/plat-vexpress/conf.mk
@@ -172,3 +172,4 @@ endif
 endif
 
 CFG_PKCS11_TA ?= y
+CFG_PKCS11_TA_RSA_X_509 ?= y