[PATCH v8 02/27] mbedtls: add mbedtls into the build system
Ilias Apalodimas
ilias.apalodimas at linaro.org
Wed Oct 9 12:13:46 CEST 2024
Hi Raymond
On Fri, 4 Oct 2024 at 00:52, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Port mbedtls with adapted libc header files.
> Add mbedtls default config header file.
> Optimize mbedtls default config by disabling unused features to
> reduce the target size.
> Add mbedtls kbuild makefile.
> Add Kconfig skeleton and config submenu entry for selecting
> crypto libraries between mbedtls and legacy ones.
> Add the mbedtls include directories into the build system.
> Port u-boot hash functions as MbedTLS crypto alternatives and set
> it as default.
>
> Subsequent patches will separate those Kconfigs into pairs of
> _LEGACY and _MBEDTLS for controlling the implementations of legacy
> crypto libraries and MbedTLS ones respectively.
>
> The motivation of moving and adapting *INT* macros from kernel.h
> to limits.h is to fulfill the MbedTLS building requirement.
> The conditional compilation statements in MbedTLS expect the
> *INT* macros as constant expressions, thus expressions like
> `((int)(~0U >> 1))` will not work.
>
> Prerequisite
> ------------
>
> This patch series requires mbedtls git repo to be added as a
> subtree to the main U-Boot repo via:
>
> $ git subtree add --prefix lib/mbedtls/external/mbedtls \
> https://github.com/Mbed-TLS/mbedtls.git \
> v3.6.0 --squash
>
> Moreover, due to the Windows-style files from mbedtls git repo,
> we need to convert the CRLF endings to LF and do a commit manually:
>
> $ git add --renormalize .
> $ git commit
>
> Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> ---
> Changes in v2
> - Disabled unused MbedTLS features to optimize the target size.
> Changes in v3
> - Removed changes in stdio.h.
> Changes in v4
> - Move limits.h as a common header file that is included by kernel.h.
> - Refactor the Kconfig to support legacy and MbedTLS options for each
> algorithm.
> - Refactor MbedTLS makefile and default config file to remove unused
> config options and objects.
> Changes in v5
> - Merged patch #9 of v4 into this patch.
> - Removed unused config MBEDTLS_LIB_TLS.
> - Refactored MbedTLS Makefile and default config file.
> Changes in v6
> - Fixed UINT64_MAX.
> - Removed copyright statement from limits.h
> Changes in v7
> - Fixed CI world build failures due to config dependencies.
> - Fixed values of UINT_MAX and UINT32_MAX.
> Changes in v8
> - Port u-boot hash functions as MbedTLS crypto alternatives and set
> it as default.
>
> Makefile | 6 +++
> include/limits.h | 25 ++++++++++
> include/linux/kernel.h | 13 +----
> include/stdlib.h | 1 +
> lib/Kconfig | 4 ++
> lib/Makefile | 2 +
> lib/mbedtls/Kconfig | 56 +++++++++++++++++++++
> lib/mbedtls/Makefile | 41 ++++++++++++++++
> lib/mbedtls/mbedtls_def_config.h | 84 ++++++++++++++++++++++++++++++++
> lib/mbedtls/port/assert.h | 12 +++++
> lib/mbedtls/port/md5_alt.h | 57 ++++++++++++++++++++++
> lib/mbedtls/port/sha1_alt.h | 57 ++++++++++++++++++++++
> lib/mbedtls/port/sha256_alt.h | 64 ++++++++++++++++++++++++
> lib/mbedtls/port/sha512_alt.h | 78 +++++++++++++++++++++++++++++
> 14 files changed, 488 insertions(+), 12 deletions(-)
> create mode 100644 include/limits.h
> create mode 100644 lib/mbedtls/Kconfig
> create mode 100644 lib/mbedtls/Makefile
> create mode 100644 lib/mbedtls/mbedtls_def_config.h
> create mode 100644 lib/mbedtls/port/assert.h
> create mode 100644 lib/mbedtls/port/md5_alt.h
> create mode 100644 lib/mbedtls/port/sha1_alt.h
> create mode 100644 lib/mbedtls/port/sha256_alt.h
> create mode 100644 lib/mbedtls/port/sha512_alt.h
>
> diff --git a/Makefile b/Makefile
> index 525576f987d..f4659f9493a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
> UBOOTINCLUDE := \
> -Iinclude \
> $(if $(KBUILD_SRC), -I$(srctree)/include) \
> + $(if $(CONFIG_MBEDTLS_LIB), \
> + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \
> + -I$(srctree)/lib/mbedtls \
> + -I$(srctree)/lib/mbedtls/port \
> + -I$(srctree)/lib/mbedtls/external/mbedtls \
> + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \
> $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \
> $(if $(CONFIG_HAS_THUMB2), \
> $(if $(CONFIG_CPU_V7M), \
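Review bot: The `-I$(srctree)/lib/mbedtls/port` entry puts the port directory on the include path of every translation unit, and the diffstat shows that directory holds a file named assert.h, so a generically named header becomes reachable from the whole tree whenever CONFIG_MBEDTLS_LIB is set. Consider limiting the port path to the objects that need it, or give the port headers names that cannot collide. The -DMBEDTLS_CONFIG_FILE define is also a preprocessor flag sitting in UBOOTINCLUDE, a variable that otherwise carries only -I paths; a line in the commit message on why it has to live there would help.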
> diff --git a/include/limits.h b/include/limits.h
> new file mode 100644
> index 00000000000..4700cc7a59f
> --- /dev/null
> +++ b/include/limits.h
> @@ -0,0 +1,25 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +
> +#ifndef _LIMITS_H
> +#define _LIMITS_H
> +
> +#define INT_MAX 0x7fffffff
> +#define UINT_MAX 0xffffffffU
> +#define CHAR_BIT 8
> +#define UINT32_MAX 0xffffffffU
> +#define UINT64_MAX 0xffffffffffffffffULL
> +
> +#ifdef CONFIG_64BIT
> + #define UINTPTR_MAX UINT64_MAX
> +#else
> + #define UINTPTR_MAX UINT32_MAX
> +#endif
> +
> +#ifndef SIZE_MAX
> +#define SIZE_MAX UINTPTR_MAX
> +#endif
> +#ifndef SSIZE_MAX
> +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
> +#endif
> +
> +#endif /* _LIMITS_H */
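Review bot: SIZE_MAX now follows CONFIG_64BIT through UINTPTR_MAX instead of the type-derived `(~(size_t)0)` that the kernel.h hunk removes, so on any build where CONFIG_64BIT and the real width of size_t disagree, SIZE_MAX is wrong and length or overflow checks written against it compare with the wrong bound. INT_MAX and UINT_MAX likewise assume a 32-bit int. A short comment saying these must be literals usable in #if, plus a compile-time assertion in a C file that each literal equals its type-derived value, would catch a mismatch at build time. SSIZE_MAX keeps its `(ssize_t)` cast, which is the form the commit message says does not work in conditional compilation.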
> diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> index 939465f372b..9467edd65ab 100644
> --- a/include/linux/kernel.h
> +++ b/include/linux/kernel.h
> @@ -3,25 +3,18 @@
>
> #include <linux/types.h>
> #include <linux/printk.h> /* for printf/pr_* utilities */
> +#include <limits.h>
>
> #define USHRT_MAX ((u16)(~0U))
> #define SHRT_MAX ((s16)(USHRT_MAX>>1))
> #define SHRT_MIN ((s16)(-SHRT_MAX - 1))
> -#define INT_MAX ((int)(~0U>>1))
> #define INT_MIN (-INT_MAX - 1)
> -#define UINT_MAX (~0U)
> #define LONG_MAX ((long)(~0UL>>1))
> #define LONG_MIN (-LONG_MAX - 1)
> #define ULONG_MAX (~0UL)
> #define LLONG_MAX ((long long)(~0ULL>>1))
> #define LLONG_MIN (-LLONG_MAX - 1)
> #define ULLONG_MAX (~0ULL)
> -#ifndef SIZE_MAX
> -#define SIZE_MAX (~(size_t)0)
> -#endif
> -#ifndef SSIZE_MAX
> -#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1))
> -#endif
>
> #define U8_MAX ((u8)~0U)
> #define S8_MAX ((s8)(U8_MAX>>1))
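Review bot: INT_MIN stays here as `(-INT_MAX - 1)` while INT_MAX moves to limits.h, and LONG_MAX, ULONG_MAX and the LLONG pair also stay behind, so a file that includes only <limits.h> gets INT_MAX and UINT_MAX but none of their companions. Either move INT_MIN next to INT_MAX or add a comment in limits.h stating that it carries only the macros MbedTLS needs as literals.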
> @@ -36,10 +29,6 @@
> #define S64_MAX ((s64)(U64_MAX>>1))
> #define S64_MIN ((s64)(-S64_MAX - 1))
>
> -/* Aliases defined by stdint.h */
> -#define UINT32_MAX U32_MAX
> -#define UINT64_MAX U64_MAX
> -
> #define INT32_MAX S32_MAX
>
> #define STACK_MAGIC 0xdeadbeef
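Review bot: The comment "Aliases defined by stdint.h" is deleted together with UINT32_MAX and UINT64_MAX, but INT32_MAX, which the comment also described, remains as an alias of S32_MAX. Keep the comment above INT32_MAX, or move INT32_MAX to limits.h as a literal with the other two so the fixed-width limits are defined in one place and in one form.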
> diff --git a/include/stdlib.h b/include/stdlib.h
> index 9c175d4d74c..dedfd52a144 100644
> --- a/include/stdlib.h
> +++ b/include/stdlib.h
> @@ -7,5 +7,6 @@
> #define __STDLIB_H_
>
> #include <malloc.h>
> +#include <rand.h>
>
> #endif /* __STDLIB_H_ */
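Review bot: The added `#include <rand.h>` has no stated reason; the commit message only says the libc header files were adapted. Say which MbedTLS source needs it, and if the need is rand(), state in the commit message that it is not used as a source of cryptographic randomness.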
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 1dd4f271595..67a60160dac 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -419,6 +419,10 @@ config CIRCBUF
>
> source "lib/dhry/Kconfig"
>
> +menu "Alternative crypto libraries"
> +source lib/mbedtls/Kconfig
> +endmenu
> +
> menu "Security support"
>
> config AES
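Review bot: `source lib/mbedtls/Kconfig` is unquoted while the context line just above uses `source "lib/dhry/Kconfig"`; quote the path for consistency. The menu title "Alternative crypto libraries" also reads oddly for a menu whose choice defaults to LEGACY_CRYPTO (per the lib/mbedtls/Kconfig hunk); a title such as "Crypto libraries" would describe the content better.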
> diff --git a/lib/Makefile b/lib/Makefile
> index d300249f57c..c4950b78a29 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -96,6 +96,8 @@ obj-$(CONFIG_LIBAVB) += libavb/
> obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/
> obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o
>
> +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/
> +
> ifdef CONFIG_SPL_BUILD
> obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o
> obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o
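Review bot: `obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/` carries no $(SPL_TPL_) qualifier, unlike the libfdt and fdtdec lines directly above it, so the directory is descended into for SPL and TPL builds as well as U-Boot proper. If MbedTLS is not meant for SPL yet, state that in the commit message or guard the line; if it is, confirm that lib/mbedtls/Makefile gates its objects per phase the way mbedtls_def_config.h already does with CONFIG_IS_ENABLED().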
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> new file mode 100644
> index 00000000000..9d1a63c1ca6
> --- /dev/null
> +++ b/lib/mbedtls/Kconfig
> @@ -0,0 +1,56 @@
> +choice
> + prompt "Select crypto libraries"
> + default LEGACY_CRYPTO
> + help
> + Select crypto libraries.
> + LEGACY_CRYPTO for legacy crypto libraries,
> + MBEDTLS_LIB for MbedTLS libraries.
> +
> +config LEGACY_CRYPTO
> + bool "legacy crypto libraries"
> + select LEGACY_CRYPTO_BASIC
> + select LEGACY_CRYPTO_CERT
> +
This overall looks ok, but the native mbedTLS hashing should depend
on !CONFIG_SHA_HW_ACCEL.
If everyone thinks the series is good enough to merge, I don't mind
this going on a followup commit.
> +config MBEDTLS_LIB
> + bool "MbedTLS libraries"
> + select MBEDTLS_LIB_X509
> +endchoice
> +
> +if LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT
> +
> +config LEGACY_CRYPTO_BASIC
> + bool "legacy basic crypto libraries"
> + help
> + Enable legacy basic crypto libraries.
> +
> +config LEGACY_CRYPTO_CERT
> + bool "legacy certificate libraries"
> + help
> + Enable legacy certificate libraries.
> +
> +endif # LEGACY_CRYPTO
> +
> +if MBEDTLS_LIB
> +
> +config MBEDTLS_LIB_CRYPTO_ALT
> + bool "MbedTLS crypto alternatives"
> + depends on MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO
> + select LEGACY_CRYPTO_BASIC
> + default y if MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO
> + help
> + Enable MbedTLS crypto alternatives.
> + Mutually incompatible with MBEDTLS_LIB_CRYPTO.
> +
> +config MBEDTLS_LIB_CRYPTO
> + bool "MbedTLS crypto libraries"
> + help
> + Enable MbedTLS crypto libraries.
> + Mutually incompatible with MBEDTLS_LIB_CRYPTO_ALT.
> +
> +
> +config MBEDTLS_LIB_X509
> + bool "MbedTLS certificate libraries"
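Review bot: The block opened with `if LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT` is closed by `endif # LEGACY_CRYPTO`, so the trailing comment no longer matches the condition. In MBEDTLS_LIB_CRYPTO_ALT, `depends on MBEDTLS_LIB` and the `if MBEDTLS_LIB` in the default are redundant inside the enclosing `if MBEDTLS_LIB`. The exclusion between MBEDTLS_LIB_CRYPTO_ALT and MBEDTLS_LIB_CRYPTO is enforced in one direction only, and nothing stops both from being off; a nested choice would express "exactly one of the two" directly and make the "Mutually incompatible" help lines unnecessary.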
> + * Author: Raymond Mao <raymond.mao at linaro.org>
> + */
> +
> +#if defined CONFIG_MBEDTLS_LIB
> +
> +#if CONFIG_IS_ENABLED(MD5)
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_MD5_C
> +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#define MBEDTLS_MD5_ALT
> +#endif
> +#endif
> +
> +#if CONFIG_IS_ENABLED(SHA1)
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_SHA1_C
> +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#define MBEDTLS_SHA1_ALT
> +#endif
> +#endif
> +
> +#if CONFIG_IS_ENABLED(SHA256)
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_SHA256_C
> +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#define MBEDTLS_SHA256_ALT
> +#endif
> +#endif
> +
> +#if CONFIG_IS_ENABLED(SHA384)
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_SHA384_C
> +#endif
> +
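Review bot: The SHA384 block, unlike the MD5, SHA1 and SHA256 blocks above it, has no CONFIG_MBEDTLS_LIB_CRYPTO_ALT branch in the lines shown, so it is not clear from here whether SHA384 uses the U-Boot port or MbedTLS's own implementation when alternatives are selected; a one-line comment would settle it. MBEDTLS_MD_C is also defined once per algorithm; defining it a single time when any of the hashes is enabled would cut the repetition.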
[...]
Thanks
/Ilias