[PATCH v8 02/27] mbedtls: add mbedtls into the build system

Raymond Mao raymond.mao at linaro.org
Fri Oct 11 21:00:21 CEST 2024 

Hi Ilias,

On Wed, 9 Oct 2024 at 06:14, Ilias Apalodimas <ilias.apalodimas at linaro.org>
wrote:

> Hi Raymond
>
> On Fri, 4 Oct 2024 at 00:52, Raymond Mao <raymond.mao at linaro.org> wrote:
> >
> > Port mbedtls with adapted libc header files.
> > Add mbedtls default config header file.
> > Optimize mbedtls default config by disabling unused features to
> > reduce the target size.
> > Add mbedtls kbuild makefile.
> > Add Kconfig skeleton and config submenu entry for selecting
> > crypto libraries between mbedtls and legacy ones.
> > Add the mbedtls include directories into the build system.
> > Port u-boot hash functions as MbedTLS crypto alternatives and set
> > it as default.
> >
> > Subsequent patches will separate those Kconfigs into pairs of
> > _LEGACY and _MBEDTLS for controlling the implementations of legacy
> > crypto libraries and MbedTLS ones respectively.
> >
> > The motivation of moving and adapting *INT* macros from kernel.h
> > to limits.h is to fullfill the MbedTLS building requirement.
> > The conditional compilation statements in MbedTLS expects the
> > *INT* macros as constant expressions, thus expressions like
> > `((int)(~0U >> 1))` will not work.
> >
> > Prerequisite
> > ------------
> >
> > This patch series requires mbedtls git repo to be added as a
> > subtree to the main U-Boot repo via:
> >
> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \
> >       https://github.com/Mbed-TLS/mbedtls.git \
> >       v3.6.0 --squash
> >
> > Moreover, due to the Windows-style files from mbedtls git repo,
> > we need to convert the CRLF endings to LF and do a commit manually:
> >
> > $ git add --renormalize .
> > $ git commit
> >
> > Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> > ---
> > Changes in v2
> > - Disabled unused MbedTLS features to optimize the target size.
> > Changes in v3
> > - Removed changes in stdio.h.
> > Changes in v4
> > - Move limits.h as a common header file that is included by kernel.h.
> > - Refactor the Kconfig to support legacy and MbedTLS options for each
> >   algorithm.
> > - Refactor MbedTLS makefile and default config file to remove unused
> >   config options and objects.
> > Changes in v5
> > - Merged patch #9 of v4 into this patch.
> > - Removed unused config MBEDTLS_LIB_TLS.
> > - Refactored MbedTLS Makefile and default config file.
> > Changes in v6
> > - Fixed UINT64_MAX.
> > - Removed copy right statement from limits.h
> > Changes in v7
> > - Fixed CI world build failures due to config dependencies.
> > - Fixed values of UINT_MAX and UINT32_MAX.
> > Changes in v8
> > - Port u-boot hash functions as MbedTLS crypto alternatives and set
> >   it as default.
> >
> >  Makefile                         |  6 +++
> >  include/limits.h                 | 25 ++++++++++
> >  include/linux/kernel.h           | 13 +----
> >  include/stdlib.h                 |  1 +
> >  lib/Kconfig                      |  4 ++
> >  lib/Makefile                     |  2 +
> >  lib/mbedtls/Kconfig              | 56 +++++++++++++++++++++
> >  lib/mbedtls/Makefile             | 41 ++++++++++++++++
> >  lib/mbedtls/mbedtls_def_config.h | 84 ++++++++++++++++++++++++++++++++
> >  lib/mbedtls/port/assert.h        | 12 +++++
> >  lib/mbedtls/port/md5_alt.h       | 57 ++++++++++++++++++++++
> >  lib/mbedtls/port/sha1_alt.h      | 57 ++++++++++++++++++++++
> >  lib/mbedtls/port/sha256_alt.h    | 64 ++++++++++++++++++++++++
> >  lib/mbedtls/port/sha512_alt.h    | 78 +++++++++++++++++++++++++++++
> >  14 files changed, 488 insertions(+), 12 deletions(-)
> >  create mode 100644 include/limits.h
> >  create mode 100644 lib/mbedtls/Kconfig
> >  create mode 100644 lib/mbedtls/Makefile
> >  create mode 100644 lib/mbedtls/mbedtls_def_config.h
> >  create mode 100644 lib/mbedtls/port/assert.h
> >  create mode 100644 lib/mbedtls/port/md5_alt.h
> >  create mode 100644 lib/mbedtls/port/sha1_alt.h
> >  create mode 100644 lib/mbedtls/port/sha256_alt.h
> >  create mode 100644 lib/mbedtls/port/sha512_alt.h
> >
> > diff --git a/Makefile b/Makefile
> > index 525576f987d..f4659f9493a 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
> >  UBOOTINCLUDE    := \
> >         -Iinclude \
> >         $(if $(KBUILD_SRC), -I$(srctree)/include) \
> > +       $(if $(CONFIG_MBEDTLS_LIB), \
> > +               "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \
> > +               -I$(srctree)/lib/mbedtls \
> > +               -I$(srctree)/lib/mbedtls/port \
> > +               -I$(srctree)/lib/mbedtls/external/mbedtls \
> > +               -I$(srctree)/lib/mbedtls/external/mbedtls/include) \
> >         $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \
> >                 $(if $(CONFIG_HAS_THUMB2), \
> >                         $(if $(CONFIG_CPU_V7M), \
> > diff --git a/include/limits.h b/include/limits.h
> > new file mode 100644
> > index 00000000000..4700cc7a59f
> > --- /dev/null
> > +++ b/include/limits.h
> > @@ -0,0 +1,25 @@
> > +/* SPDX-License-Identifier: GPL-2.0+ */
> > +
> > +#ifndef _LIMITS_H
> > +#define _LIMITS_H
> > +
> > +#define INT_MAX     0x7fffffff
> > +#define UINT_MAX    0xffffffffU
> > +#define CHAR_BIT    8
> > +#define UINT32_MAX  0xffffffffU
> > +#define UINT64_MAX  0xffffffffffffffffULL
> > +
> > +#ifdef CONFIG_64BIT
> > +    #define UINTPTR_MAX UINT64_MAX
> > +#else
> > +    #define UINTPTR_MAX UINT32_MAX
> > +#endif
> > +
> > +#ifndef SIZE_MAX
> > +#define SIZE_MAX    UINTPTR_MAX
> > +#endif
> > +#ifndef SSIZE_MAX
> > +#define SSIZE_MAX   ((ssize_t)(SIZE_MAX >> 1))
> > +#endif
> > +
> > +#endif /* _LIMITS_H */
> > diff --git a/include/linux/kernel.h b/include/linux/kernel.h
> > index 939465f372b..9467edd65ab 100644
> > --- a/include/linux/kernel.h
> > +++ b/include/linux/kernel.h
> > @@ -3,25 +3,18 @@
> >
> >  #include <linux/types.h>
> >  #include <linux/printk.h> /* for printf/pr_* utilities */
> > +#include <limits.h>
> >
> >  #define USHRT_MAX      ((u16)(~0U))
> >  #define SHRT_MAX       ((s16)(USHRT_MAX>>1))
> >  #define SHRT_MIN       ((s16)(-SHRT_MAX - 1))
> > -#define INT_MAX                ((int)(~0U>>1))
> >  #define INT_MIN                (-INT_MAX - 1)
> > -#define UINT_MAX       (~0U)
> >  #define LONG_MAX       ((long)(~0UL>>1))
> >  #define LONG_MIN       (-LONG_MAX - 1)
> >  #define ULONG_MAX      (~0UL)
> >  #define LLONG_MAX      ((long long)(~0ULL>>1))
> >  #define LLONG_MIN      (-LLONG_MAX - 1)
> >  #define ULLONG_MAX     (~0ULL)
> > -#ifndef SIZE_MAX
> > -#define SIZE_MAX       (~(size_t)0)
> > -#endif
> > -#ifndef SSIZE_MAX
> > -#define SSIZE_MAX      ((ssize_t)(SIZE_MAX >> 1))
> > -#endif
> >
> >  #define U8_MAX         ((u8)~0U)
> >  #define S8_MAX         ((s8)(U8_MAX>>1))
> > @@ -36,10 +29,6 @@
> >  #define S64_MAX                ((s64)(U64_MAX>>1))
> >  #define S64_MIN                ((s64)(-S64_MAX - 1))
> >
> > -/* Aliases defined by stdint.h */
> > -#define UINT32_MAX     U32_MAX
> > -#define UINT64_MAX     U64_MAX
> > -
> >  #define INT32_MAX      S32_MAX
> >
> >  #define STACK_MAGIC    0xdeadbeef
> > diff --git a/include/stdlib.h b/include/stdlib.h
> > index 9c175d4d74c..dedfd52a144 100644
> > --- a/include/stdlib.h
> > +++ b/include/stdlib.h
> > @@ -7,5 +7,6 @@
> >  #define __STDLIB_H_
> >
> >  #include <malloc.h>
> > +#include <rand.h>
> >
> >  #endif /* __STDLIB_H_ */
> > diff --git a/lib/Kconfig b/lib/Kconfig
> > index 1dd4f271595..67a60160dac 100644
> > --- a/lib/Kconfig
> > +++ b/lib/Kconfig
> > @@ -419,6 +419,10 @@ config CIRCBUF
> >
> >  source "lib/dhry/Kconfig"
> >
> > +menu "Alternative crypto libraries"
> > +source lib/mbedtls/Kconfig
> > +endmenu
> > +
> >  menu "Security support"
> >
> >  config AES
> > diff --git a/lib/Makefile b/lib/Makefile
> > index d300249f57c..c4950b78a29 100644
> > --- a/lib/Makefile
> > +++ b/lib/Makefile
> > @@ -96,6 +96,8 @@ obj-$(CONFIG_LIBAVB) += libavb/
> >  obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/
> >  obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o
> >
> > +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/
> > +
> >  ifdef CONFIG_SPL_BUILD
> >  obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o
> >  obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o
> > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > new file mode 100644
> > index 00000000000..9d1a63c1ca6
> > --- /dev/null
> > +++ b/lib/mbedtls/Kconfig
> > @@ -0,0 +1,56 @@
> > +choice
> > +       prompt "Select crypto libraries"
> > +       default LEGACY_CRYPTO
> > +       help
> > +         Select crypto libraries.
> > +         LEGACY_CRYPTO for legacy crypto libraries,
> > +         MBEDTLS_LIB for MbedTLS libraries.
> > +
> > +config LEGACY_CRYPTO
> > +       bool "legacy crypto libraries"
> > +       select LEGACY_CRYPTO_BASIC
> > +       select LEGACY_CRYPTO_CERT
> > +
>
>
> This overall llooks ok, but the native mbedTLS hashing should depend
> on !CONFIG_SHA_HW_ACCEL.
> If everyone thinks the series is good enough to merge, I don't mind
> this going on a followup commit
>
> I will add this into v9 with other changes.

[snip]

Raymond

More information about the U-Boot mailing list