[PATCH v2 07/28] lib: Adapt digest header files to MbedTLS

Ilias Apalodimas ilias.apalodimas at linaro.org
Wed May 8 12:30:14 CEST 2024


On Tue, 7 May 2024 at 20:54, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Adapt digest header files to support both original libs and MbedTLS
> by switching on/off MBEDTLS_LIB_CRYPTO
>
> FIXME:
> `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
> including <linux/kconfig.h> causes undefined reference on schedule()
> with sandbox build.
> As <linux/kconfig.h> includes <generated/autoconf.h> which enables
> `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are
> defined in sandbox build.
> `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround.
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in v2
> - Initial patch.
>
>  include/u-boot/md5.h    | 17 ++++++++++++-----
>  include/u-boot/sha1.h   | 21 ++++++++++++++++++++-
>  include/u-boot/sha256.h | 20 ++++++++++++++++++++
>  include/u-boot/sha512.h | 22 +++++++++++++++++++---
>  lib/Makefile            |  6 +++++-
>  5 files changed, 76 insertions(+), 10 deletions(-)
>
> diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
> index d61364c0ae3..3cfd33a8e56 100644
> --- a/include/u-boot/md5.h
> +++ b/include/u-boot/md5.h
> @@ -6,22 +6,29 @@
>  #ifndef _MD5_H
>  #define _MD5_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <external/mbedtls/include/mbedtls/md5.h>
> +#endif
>  #include "compiler.h"
>
>  #define MD5_SUM_LEN    16
>
> -struct MD5Context {
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_md5_context MD5Context;
> +#else
> +typedef struct MD5Context {
>         __u32 buf[4];
>         __u32 bits[2];
>         union {
>                 unsigned char in[64];
>                 __u32 in32[16];
>         };
> -};
> +} MD5Context;
> +#endif
>
> -void MD5Init(struct MD5Context *ctx);
> -void MD5Update(struct MD5Context *ctx, unsigned char const *buf, unsigned len);
> -void MD5Final(unsigned char digest[16], struct MD5Context *ctx);
> +void MD5Init(MD5Context *ctx);
> +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
> +void MD5Final(unsigned char digest[16], MD5Context *ctx);
>
>  /*
>   * Calculate and store in 'output' the MD5 digest of 'len' bytes at
> diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
> index 09fee594d26..ee46fe947a0 100644
> --- a/include/u-boot/sha1.h
> +++ b/include/u-boot/sha1.h
> @@ -14,6 +14,21 @@
>  #ifndef _SHA1_H
>  #define _SHA1_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#include <external/mbedtls/include/mbedtls/sha1.h>
> +#endif
> +
>  #ifdef __cplusplus
>  extern "C" {
>  #endif
> @@ -24,6 +39,9 @@ extern "C" {
>
>  extern const uint8_t sha1_der_prefix[];
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha1_context sha1_context;
> +#else
>  /**
>   * \brief         SHA-1 context structure
>   */
> @@ -34,13 +52,14 @@ typedef struct
>      unsigned char buffer[64];  /*!< data block being processed */
>  }
>  sha1_context;
> +#endif
>
>  /**
>   * \brief         SHA-1 context setup
>   *
>   * \param ctx     SHA-1 context to be initialized
>   */
> -void sha1_starts( sha1_context *ctx );
> +void sha1_starts(sha1_context *ctx);
>
>  /**
>   * \brief         SHA-1 process buffer
> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
> index 9aa1251789a..e2b7fdd41c8 100644
> --- a/include/u-boot/sha256.h
> +++ b/include/u-boot/sha256.h
> @@ -1,6 +1,22 @@
>  #ifndef _SHA256_H
>  #define _SHA256_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.

'be able to access.'

Isn't the MBEDTLS_ALLOW_PRIVATE_ACCESS considered deprecated?
I'd prefer if we fix this properly.

Thanks
/Ilias
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#include <external/mbedtls/include/mbedtls/sha256.h>
> +#endif
> +
> +#define SHA224_SUM_LEN 28
>  #define SHA256_SUM_LEN 32
>  #define SHA256_DER_LEN 19
>
> @@ -9,11 +25,15 @@ extern const uint8_t sha256_der_prefix[];
>  /* Reset watchdog each time we process this many bytes */
>  #define CHUNKSZ_SHA256 (64 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha256_context sha256_context;
> +#else
>  typedef struct {
>         uint32_t total[2];
>         uint32_t state[8];
>         uint8_t buffer[64];
>  } sha256_context;
> +#endif
>
>  void sha256_starts(sha256_context * ctx);
>  void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length);
> diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
> index 516729d7750..a0c0de89d60 100644
> --- a/include/u-boot/sha512.h
> +++ b/include/u-boot/sha512.h
> @@ -1,6 +1,10 @@
>  #ifndef _SHA512_H
>  #define _SHA512_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <external/mbedtls/include/mbedtls/sha512.h>
> +#endif
> +
>  #define SHA384_SUM_LEN          48
>  #define SHA384_DER_LEN          19
>  #define SHA512_SUM_LEN          64
> @@ -10,11 +14,16 @@
>  #define CHUNKSZ_SHA384 (16 * 1024)
>  #define CHUNKSZ_SHA512 (16 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha512_context sha384_context;
> +typedef mbedtls_sha512_context sha512_context;
> +#else
>  typedef struct {
>         uint64_t state[SHA512_SUM_LEN / 8];
>         uint64_t count[2];
>         uint8_t buf[SHA512_BLOCK_SIZE];
>  } sha512_context;
> +#endif
>
>  extern const uint8_t sha512_der_prefix[];
>
> @@ -27,12 +36,19 @@ void sha512_csum_wd(const unsigned char *input, unsigned int ilen,
>
>  extern const uint8_t sha384_der_prefix[];
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +void sha384_starts(sha512_context *ctx);
> +void
> +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length);
> +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]);
> +void sha384_csum_wd(const unsigned char *input, unsigned int length,
> +                   unsigned char *output, unsigned int chunk_sz);
> +#else
>  void sha384_starts(sha512_context * ctx);
>  void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length);
>  void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]);
>
>  void sha384_csum_wd(const unsigned char *input, unsigned int ilen,
> -               unsigned char *output, unsigned int chunk_sz);
> -
> -
> +                   unsigned char *output, unsigned int chunk_sz);
> +#endif
>  #endif /* _SHA512_H */
> diff --git a/lib/Makefile b/lib/Makefile
> index a4600b09f49..3534b3301ae 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -69,14 +69,18 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o
>  obj-y += crypto/
>
>  obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
> -obj-$(CONFIG_$(SPL_)MD5) += md5.o
>  obj-$(CONFIG_ECDSA) += ecdsa/
>  obj-$(CONFIG_$(SPL_)RSA) += rsa/
>  obj-$(CONFIG_HASH) += hash-checksum.o
>  obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
> +
> +ifneq ($(CONFIG_MBEDTLS_LIB_CRYPTO), y)
> +obj-$(CONFIG_$(SPL_)MD5) += md5.o
>  obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
>  obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
>  obj-$(CONFIG_$(SPL_)SHA512) += sha512.o
> +endif
> +
>  obj-$(CONFIG_CRYPT_PW) += crypt/
>  obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
>
> --
> 2.25.1
>


More information about the U-Boot mailing list