Hi all,

 

I am proposing we disable SHA-1 by default in the TF-M Crypto service, by turning off the option in the default Mbed Crypto config in platform/ext/common/tfm_mbedcrypto_config.h.

 

SHA-1 is not considered a strong message digest, so we should not encourage its use. Disabling it also has the benefit of reducing the code size of a default TF-M build by 4.5KB.

 

It would still be possible to re-enable SHA-1 by providing a platform-specific Mbed Crypto config, but we would no longer test it or recommend it be enabled.

 

The patch is open for review here: https://review.trustedfirmware.org/c/trusted-firmware-m/+/3289

 

Kind regards,

Jamie