Hi all,
I am proposing we disable SHA-1 by default in the TF-M Crypto service, by turning off the option in the default Mbed Crypto config in platform/ext/common/tfm_mbedcrypto_config.h.
SHA-1 is not considered a strong message digest, so we should not encourage its use. Disabling it also has the benefit of reducing the code size of a default TF-M build by 4.5KB.
It would still be possible to re-enable SHA-1 by providing a platform-specific Mbed Crypto config, but we would no longer test it or recommend it be enabled.
The patch is open for review here: https://review.trustedfirmware.org/c/trusted-firmware-m/+/3289
Kind regards, Jamie
tf-m@lists.trustedfirmware.org
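
A check for the situation the message describes, where a platform-specific Mbed Crypto config may turn SHA-1 back on. This is an added example, not part of the original message or TF-M code. It assumes the option in question is Mbed TLS's `MBEDTLS_SHA1_C`, uses constructed sample headers, and does not evaluate `#if` conditionals.

```python
import re

# Assumption of this example: MBEDTLS_SHA1_C is the Mbed TLS build option
# that compiles in SHA-1. Extend the tuple to audit other options.
WEAK_DIGEST_OPTIONS = ("MBEDTLS_SHA1_C",)

def strip_comments(text):
    """Drop /* ... */ and // ... comments so commented-out defines are ignored."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)

def enabled_options(header_text):
    """Return macros still defined after applying #define/#undef in file order.
    Preprocessor conditionals (#if/#ifdef) are not evaluated."""
    active = set()
    for line in strip_comments(header_text).splitlines():
        m = re.match(r"\s*#\s*(define|undef)\s+(\w+)", line)
        if not m:
            continue
        if m.group(1) == "define":
            active.add(m.group(2))
        else:
            active.discard(m.group(2))
    return active

def weak_digests_enabled(header_text):
    """List the weak-digest options that the header leaves enabled."""
    return sorted(set(WEAK_DIGEST_OPTIONS) & enabled_options(header_text))

# Constructed sample headers (not copied from tfm_mbedcrypto_config.h).
CONFIG_SHA1_ON = "#define MBEDTLS_SHA1_C\n#define MBEDTLS_SHA256_C\n"
CONFIG_SHA1_OFF = "//#define MBEDTLS_SHA1_C\n#define MBEDTLS_SHA256_C\n"
CONFIG_PLATFORM_OVERRIDE = (
    "/* default config disabled this:\n"
    "#define MBEDTLS_SHA1_C\n"
    "*/\n"
    "#define MBEDTLS_SHA256_C\n"
    "#define MBEDTLS_SHA1_C   /* re-enabled by a platform config */\n"
)
CONFIG_UNDEF = "#define MBEDTLS_SHA1_C\n#undef MBEDTLS_SHA1_C\n"

if __name__ == "__main__":
    for name, text in [("sha1_on", CONFIG_SHA1_ON), ("sha1_off", CONFIG_SHA1_OFF),
                       ("platform_override", CONFIG_PLATFORM_OVERRIDE),
                       ("undef", CONFIG_UNDEF)]:
        found = weak_digests_enabled(text)
        print(f"{name}: {'FAIL ' + ', '.join(found) if found else 'ok'}")
```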