[PATCH 1/6] mbedtls: Enable TLS 1.2 support

Ilias Apalodimas ilias.apalodimas at linaro.org
Fri Oct 18 16:54:53 CEST 2024 

Hi Raymond,

On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>>
>> Since lwIP and mbedTLS have been merged we can tweak the config options
>> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> enough block cipher modes of operation to be comatible with modern
>> TLS requirements and webservers
>>
>> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>> ---
>>  lib/mbedtls/Kconfig              | 12 ++++++++
>>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
>>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>>  3 files changed, 96 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> index d71adc3648ad..f3e172633999 100644
>> --- a/lib/mbedtls/Kconfig
>> +++ b/lib/mbedtls/Kconfig
>> @@ -430,4 +430,16 @@ endif # SPL
>>
>>  endif # MBEDTLS_LIB_X509
>>
>> +config MBEDTLS_LIB_TLS
>> +       bool "MbedTLS TLS library"
>> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on ASN1_DECODER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on MBEDTLS_LIB_CRYPTO
>> +       help
>> +         Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> +         in wget
>> +
>>  endif # MBEDTLS_LIB
>> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> index 83cb3c2fa705..845284799a11 100644
>> --- a/lib/mbedtls/Makefile
>> +++ b/lib/mbedtls/Makefile
>> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>>  mbedtls_lib_crypto-y := \
>>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>> -       $(MBEDTLS_LIB_DIR)/md.o
>> +       $(MBEDTLS_LIB_DIR)/md.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> +       $(MBEDTLS_LIB_DIR)/aes.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> +       $(MBEDTLS_LIB_DIR)/gcm.o \
>> +
>
> I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
> control if it exists.
> Take ECDSA for example:
> mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o

Fair enough, but ECDSA is the only one that exists atm. I can move
that there, but I don't think we should create a Kconfig option per
object file.
Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.

>
>>
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>> +
>> +#mbedTLS TLS support
>> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> +mbedtls_lib_tls-y := \
>> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>
> Ditto, add the U-Boot Kconfig control if it exists.

None of these don't make sense to be a U-Boot Kconfig. They are
mbedTLS internal to enable TLS1.2 support.

Thanks
/Ilias

>
>>
>> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
>> index 1af911c2003f..ac8f0bbf2c0e 100644
>> --- a/lib/mbedtls/mbedtls_def_config.h
>> +++ b/lib/mbedtls/mbedtls_def_config.h
>> @@ -87,4 +87,56 @@
>>
>>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>>
>> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>> +#include "rtc.h"
>> +
>> +/* Generic options */
>> +#define MBEDTLS_ENTROPY_HARDWARE_ALT
>> +#define MBEDTLS_HAVE_TIME
>> +#define MBEDTLS_PLATFORM_MS_TIME_ALT
>> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
>> +#define MBEDTLS_PLATFORM_C
>> +#define MBEDTLS_SSL_CLI_C
>> +#define MBEDTLS_SSL_TLS_C
>> +#define MBEDTLS_CIPHER_C
>> +#define MBEDTLS_MD_C
>> +#define MBEDTLS_CTR_DRBG_C
>> +#define MBEDTLS_AES_C
>> +#define MBEDTLS_ENTROPY_C
>> +#define MBEDTLS_NO_PLATFORM_ENTROPY
>> +#define MBEDTLS_SSL_PROTO_TLS1_2
>> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION
>> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
>> +
>> +/* RSA */
>> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
>> +#define MBEDTLS_GCM_C
>> +
>> +/* ECDSA */
>> +#define MBEDTLS_ECDSA_C
>> +#define MBEDTLS_ECDH_C
>> +#define MBEDTLS_ECDSA_DETERMINISTIC
>> +#define MBEDTLS_HMAC_DRBG_C
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
>> +#define MBEDTLS_CAN_ECDH
>> +#define MBEDTLS_PK_CAN_ECDSA_SIGN
>> +#define MBEDTLS_ECP_C
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
>> +
>> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
>> +
>>  #endif /* #if defined CONFIG_MBEDTLS_LIB */
>> --
>> 2.45.2
>>

More information about the U-Boot mailing list