[PATCH v3 03/25] mbedtls: add mbedtls into the build system

Tom Rini trini at konsulko.com
Tue Jun 4 19:47:11 CEST 2024 

On Fri, May 31, 2024 at 01:07:23PM -0400, Raymond Mao wrote:
> Hi Ilias and Tom,
> 
> On Thu, 30 May 2024 at 16:17, Ilias Apalodimas <ilias.apalodimas at linaro.org>
> wrote:
> 
> > Hi Tom
> >
> > On Wed, 29 May 2024 at 22:47, Tom Rini <trini at konsulko.com> wrote:
> > >
> > > On Wed, May 29, 2024 at 03:42:04PM -0400, Raymond Mao wrote:
> > > > Hi Tom,
> > > >
> > > > On Wed, 29 May 2024 at 14:43, Tom Rini <trini at konsulko.com> wrote:
> > > >
> > > > > On Wed, May 29, 2024 at 02:38:10PM -0400, Raymond Mao wrote:
> > > > > > Hi Tom,
> > > > > >
> > > > > > On Wed, 29 May 2024 at 14:01, Tom Rini <trini at konsulko.com> wrote:
> > > > > >
> > > > > > > On Wed, May 29, 2024 at 01:42:16PM -0400, Raymond Mao wrote:
> > > > > > > > Hi Tom,
> > > > > > > >
> > > > > > > > On Wed, 29 May 2024 at 12:58, Tom Rini <trini at konsulko.com>
> > wrote:
> > > > > > > >
> > > > > > > > > On Tue, May 28, 2024 at 07:09:14AM -0700, Raymond Mao wrote:
> > > > > > > > >
> > > > > > > > > > Port mbedtls with dummy libc header files.
> > > > > > > > > > Add mbedtls default config header file.
> > > > > > > > > > Optimize mbedtls default config by disabling unused
> > features to
> > > > > > > > > > reduce the target size.
> > > > > > > > > > Add mbedtls kbuild makefile.
> > > > > > > > > > Add Kconfig and mbedtls config submenu.
> > > > > > > > > [snip]
> > > > > > > > > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > > > > > > > > > new file mode 100644
> > > > > > > > > > index 00000000000..d6e77d56871
> > > > > > > > > > --- /dev/null
> > > > > > > > > > +++ b/lib/mbedtls/Kconfig
> > > > > > > > > > @@ -0,0 +1,25 @@
> > > > > > > > > > +menuconfig MBEDTLS_LIB
> > > > > > > > > > +     bool "Use mbedtls libraries"
> > > > > > > > > > +     select MBEDTLS_LIB_CRYPTO
> > > > > > > > > > +     select MBEDTLS_LIB_X509
> > > > > > > > > > +     help
> > > > > > > > > > +       Enable mbedtls libraries
> > > > > > > > > > +
> > > > > > > > > > +if MBEDTLS_LIB
> > > > > > > > > > +
> > > > > > > > > > +config MBEDTLS_LIB_CRYPTO
> > > > > > > > > > +     bool "Crypto library"
> > > > > > > > > > +     help
> > > > > > > > > > +       Enable mbedtls crypto library
> > > > > > > > > > +
> > > > > > > > > > +config MBEDTLS_LIB_X509
> > > > > > > > > > +     bool "X509 library"
> > > > > > > > > > +     help
> > > > > > > > > > +       Enable mbedtls X509 library
> > > > > > > > > > +
> > > > > > > > > > +config MBEDTLS_LIB_TLS
> > > > > > > > > > +     bool "TLS library"
> > > > > > > > > > +     help
> > > > > > > > > > +       Enable mbedtls TLS library
> > > > > > > > > > +
> > > > > > > > > > +endif # MBEDTLS_LIB
> > > > > > > > >
> > > > > > > > > We need much more granularity here, and to re-think some
> > existing
> > > > > > > > > symbols too perhaps. What we should be able to do is pick
> > mbedTLS
> > > > > or
> > > > > > > > > "legacy SW implementation" or "HW implementation" for the
> > various
> > > > > > > > > algorithms, and that in turn can have some higher level
> > grouping
> > > > > to it.
> > > > > > > > > This should then negate a bunch of the Makefile work you're
> > doing
> > > > > as we
> > > > > > > > > won't have CONFIG_SHA256 enabled as we'll have
> > > > > > > CONFIG_MBEDTLS_LIB_SHA256
> > > > > > > > > or whatever enabled.
> > > > > > > > >
> > > > > > > >
> > > > > > > > I think we should use CONFIG_MBEDTLS_LIB_[CRYPTO,X509,TLS] for
> > > > > high-level
> > > > > > > > grouping.
> > > > > > > > Underneath, the CONFIG_SHA[1,256,512] switches (and other
> > crypto
> > > > > options)
> > > > > > > > can be
> > > > > > > > used as sub build options in both MbedTLS and "legacy libs".
> > > > > > > >
> > > > > > > > Take hash as an example, if the users prefer to use MbedTLS
> > other
> > > > > than
> > > > > > > > "legacy libs" for
> > > > > > > > hash operation, CONFIG_MBEDTLS_LIB_CRYPTO should be defined as
> > the
> > > > > main
> > > > > > > > switch
> > > > > > > > (the users can still prefer to use "legacy libs" for X509 by
> > > > > > > > keeping  CONFIG_MBEDTLS_LIB_X509
> > > > > > > > disabled).
> > > > > > > > Then enable the algorithms they need (e.g. CONFIG_SHA256) - the
> > > > > algorithm
> > > > > > > > options works
> > > > > > > > for both MbedTLS and "legacy libs".
> > > > > > > >
> > > > > > > > HW implementations with MbedTLS (aka, Alternative algorithms in
> > > > > MbedTLS)
> > > > > > > is
> > > > > > > > another
> > > > > > > > topic which is not covered in this patch set (It needs to
> > migrate
> > > > > each
> > > > > > > > vendor's solution under
> > > > > > > > MbedTLS alternative algorithm).
> > > > > > > > Current patch set is focused on SW implementation with MbedTLS.
> > > > > > >
> > > > > > > The "easy" problem with what's in v3 is that X509 and CRYPTO are
> > > > > > > select'd under the main heading.
> > > > > >
> > > > > > Not sure if I get what you mentioned, currently all MbedTLS
> > options are
> > > > > > under
> > > > > > Library routines > Security support
> > > > > > Do you think we should keep them in other places?
> > > > > >
> > > > > >
> > > > > > > The harder problem is that we
> > > > > > > intentionally have granularity for SHA256, SHA512, etc, etc and
> > all of
> > > > > > > that goes away with the current Kconfig option if you select
> > mbedTLS.
> > > > > We
> > > > > > > need to bring that back. And we shouldn't need to have all of
> > the ifneq
> > > > > > > statements in Makefiles because both CONFIG_SHA256 and
> > > > > > > CONFIG_MBEDLTS_LIB_CRYPTO_SHA256 will not be true (Or possibly,
> > > > > > > CONFIG_SHA256 gates things U-Boot's internal API for sha256'ing
> > > > > > > something and CONFIG_LEGACY_SHA256 controls building
> > lib/sha256.c).
> > > > > > >
> > > > > > > I think we should not introduce new ones like CONFIG_LEGACY_,
> > > > > > CONFIG_SHA[1,256,512] should be used no matter whether MbedTLS is
> > > > > > enabled or not.
> > > > > > I understand your concern, I will bring CONFIG_SHA[1,256,512] back
> > when
> > > > > > MbedTLS is enabled. Those options should control the options in the
> > > > > MbedTLS
> > > > > > default config file.
> > > > >
> > > > > My concern is that we do not have the correct level of granularity,
> > and
> > > > > that can partly be seen by the number of ifneq(...) statements being
> > > > > added around already conditional logic. We should have almost none of
> > > > > those, in the end, is what I'm saying. We have a mechanism for
> > > > > configuring the build, Kconfig, and that should drive the decisions
> > as
> > > > > much as possible.
> > > >
> > > > The `ifneq(ONFIG_MBEDTLS_LIB_*)` statements are due to the fact that we
> > > > still
> > > > need lib/Makefile and lib/crypto/Makefile when building hash and x509
> > > > stuffs with
> > > > MbedTLS enabled.
> > > > To address this, I guess we have to first refactor all "legacy libs"
> > that
> > > > will be replaced
> > > > by MbedTLS:
> > > > Move md5, sha* from lib to to a new dir lib/hash and move public_key,
> > > > rsapubkey*,
> > > > rsa_helper, x509*, pkcs7*,mscode* from lib/crypto to a new dir
> > lib/x509.
> > > > When they are all independent modules with separated Makefile, we can
> > remove
> > > > `ifneq(ONFIG_MBEDTLS_LIB_*)` and all can be driven in lib/Makefile.
> > > >
> > > > Is that something you expect?
> > > > If yes I can do this for v4, or put it into another
> > prerequisite/refactor
> > > > series.
> > >
> >
> > Just trying to make sure we are all on the same page here.
> > Your main concerns are that the configuration options are not on par,
> > we lack granularity, and it's currently confusing to turn the feature
> > on since we have to enable both CONFIG_SHA256 &&
> > CONFIG_MBEDTLS_LIB_CRYPTO. This also leads to makefiles being a bit
> > weird-looking as well. Correct?
> >
> > The suggestion is that we add 3 symbols overall (again only using
> > sha256 as an example, this applies to all)
> > CONFIG_LEGACY_SHA256 -> This is the renamed CONFIG_SHA256
> > CONFIG_MBEDTLS_SHA256 -> new symbol and has to map the existing options
> > CONFIG_SHA256 -> This gets selected if either of the above is on and
> > we use it to control the API.
> >
> > > We should not need to do that because we should not have CONFIG_SHA256
> > > set if we are not building lib/sha256.c at that stage, is what I'm
> > > saying.
> >
> > I am fine with all the above. This is the part that confused me. If we
> > end up with the symbols above, we will need,
> >
> > obj-CONFIG_LEGACY$(SPL_)SHA256 -> compiles the existing code
> > obj-CONFIG_MBEDTLS$(SPL_)SHA256 -> compiles the new mbedTLS variant,
> > which now goes into a new .c file instead of an ifdef in the existing
> > lib/sha256.c
> >
> > Did I miss anything?
> >
> >
> Moreover, to prevent user selecting algorithms mixed up from MbedTLS and
> the legacy
> ones (e.g. sha1 from legacy lib but sha256 from MbedTLS):
> 
> When any of 'CONFIG_LEGACY_<alg>' is ON, CONFIG_LEGACY_CRYPTO is
> selected automatically.
> When each of 'CONFIG_ MBEDTLS  _<alg>' is ON, CONFIG_MBEDTLS_LIB_CRYPTO
> is selected automatically.
> Mark CONFIG_LEGACY_CRYPTO and CONFIG_MBEDTLS_LIB_CRYPTO as
> mutually exclusive.
> 
> Is this correct?

That's correct, but backwards in my mind.  The user should pick "legacy
SW" or "mbedTLS" or "HW" and then "SHA256" or "SHA512". So it's really
that If the user selects MBEDTLS_LIB_CRYPTO and SHA256 then
MBEDTLS_LIB_CRYPTO_SHA256 is selected automatically. Does this make
sense?

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20240604/ef5fb62a/attachment.sig>

More information about the U-Boot mailing list