[PATCH v3 03/25] mbedtls: add mbedtls into the build system
Raymond Mao
raymond.mao at linaro.org
Wed May 29 19:42:16 CEST 2024
Hi Tom,
On Wed, 29 May 2024 at 12:58, Tom Rini <trini at konsulko.com> wrote:
> On Tue, May 28, 2024 at 07:09:14AM -0700, Raymond Mao wrote:
>
> > Port mbedtls with dummy libc header files.
> > Add mbedtls default config header file.
> > Optimize mbedtls default config by disabling unused features to
> > reduce the target size.
> > Add mbedtls kbuild makefile.
> > Add Kconfig and mbedtls config submenu.
> [snip]
> > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > new file mode 100644
> > index 00000000000..d6e77d56871
> > --- /dev/null
> > +++ b/lib/mbedtls/Kconfig
> > @@ -0,0 +1,25 @@
> > +menuconfig MBEDTLS_LIB
> > + bool "Use mbedtls libraries"
> > + select MBEDTLS_LIB_CRYPTO
> > + select MBEDTLS_LIB_X509
> > + help
> > + Enable mbedtls libraries
> > +
> > +if MBEDTLS_LIB
> > +
> > +config MBEDTLS_LIB_CRYPTO
> > + bool "Crypto library"
> > + help
> > + Enable mbedtls crypto library
> > +
> > +config MBEDTLS_LIB_X509
> > + bool "X509 library"
> > + help
> > + Enable mbedtls X509 library
> > +
> > +config MBEDTLS_LIB_TLS
> > + bool "TLS library"
> > + help
> > + Enable mbedtls TLS library
> > +
> > +endif # MBEDTLS_LIB
>
> We need much more granularity here, and to re-think some existing
> symbols too perhaps. What we should be able to do is pick mbedTLS or
> "legacy SW implementation" or "HW implementation" for the various
> algorithms, and that in turn can have some higher level grouping to it.
> This should then negate a bunch of the Makefile work you're doing as we
> won't have CONFIG_SHA256 enabled as we'll have CONFIG_MBEDTLS_LIB_SHA256
> or whatever enabled.
>
I think we should use CONFIG_MBEDTLS_LIB_[CRYPTO,X509,TLS] for high-level
grouping.
Underneath, the CONFIG_SHA[1,256,512] switches (and other crypto options)
can be
used as sub build options in both MbedTLS and "legacy libs".
Take hash as an example, if the users prefer to use MbedTLS other than
"legacy libs" for
hash operation, CONFIG_MBEDTLS_LIB_CRYPTO should be defined as the main
switch
(the users can still prefer to use "legacy libs" for X509 by
keeping CONFIG_MBEDTLS_LIB_X509
disabled).
Then enable the algorithms they need (e.g. CONFIG_SHA256) - the algorithm
options works
for both MbedTLS and "legacy libs".
HW implementations with MbedTLS (aka, Alternative algorithms in MbedTLS) is
another
topic which is not covered in this patch set (It needs to migrate each
vendor's solution under
MbedTLS alternative algorithm).
Current patch set is focused on SW implementation with MbedTLS.
Regards,
Raymond
More information about the U-Boot
mailing list