[PATCH 1/6] mbedtls: Enable TLS 1.2 support

Ilias Apalodimas ilias.apalodimas at linaro.org
Mon Oct 21 12:31:47 CEST 2024 

Hi Raymond,

On Fri, 18 Oct 2024 at 18:26, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>>
>> Hi Raymond,
>>
>> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao at linaro.org> wrote:
>> >
>> > Hi Ilias,
>> >
>> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>> >>
>> >> Since lwIP and mbedTLS have been merged we can tweak the config options
>> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> >> enough block cipher modes of operation to be comatible with modern
>> >> TLS requirements and webservers
>> >>
>> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
>> >> ---
>> >>  lib/mbedtls/Kconfig              | 12 ++++++++
>> >>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
>> >>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>> >>  3 files changed, 96 insertions(+), 1 deletion(-)
>> >>
>> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> >> index d71adc3648ad..f3e172633999 100644
>> >> --- a/lib/mbedtls/Kconfig
>> >> +++ b/lib/mbedtls/Kconfig
>> >> @@ -430,4 +430,16 @@ endif # SPL
>> >>
>> >>  endif # MBEDTLS_LIB_X509
>> >>
>> >> +config MBEDTLS_LIB_TLS
>> >> +       bool "MbedTLS TLS library"
>> >> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> >> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> +       depends on ASN1_DECODER_MBEDTLS
>> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> +       depends on MBEDTLS_LIB_CRYPTO
>> >> +       help
>> >> +         Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> >> +         in wget
>> >> +
>> >>  endif # MBEDTLS_LIB
>> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> >> index 83cb3c2fa705..845284799a11 100644
>> >> --- a/lib/mbedtls/Makefile
>> >> +++ b/lib/mbedtls/Makefile
>> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>> >>  mbedtls_lib_crypto-y := \
>> >>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>> >>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>> >> -       $(MBEDTLS_LIB_DIR)/md.o
>> >> +       $(MBEDTLS_LIB_DIR)/md.o \
>> >> +       $(MBEDTLS_LIB_DIR)/entropy.o \
>> >> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> >> +       $(MBEDTLS_LIB_DIR)/aes.o \
>> >> +       $(MBEDTLS_LIB_DIR)/cipher.o \
>> >> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> >> +       $(MBEDTLS_LIB_DIR)/gcm.o \
>> >> +
>> >
>> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
>> > control if it exists.
>> > Take ECDSA for example:
>> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
>>
>> Fair enough, but ECDSA is the only one that exists atm. I can move
>> that there, but I don't think we should create a Kconfig option per
>> object file.
>> Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
>> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>>
> I agree. We can move ECDSA and AES with Kconfig control and keep others as-is at the moment.

Ok I had a closer look at this. ECDSA and AES currently have Kconfig
options for the legacy crypto libs. As a result, we need to define
mbedtls variants etc which is ok.
We only have one board using AES atm and sandbox using ECDSA. Since I
want efi https for 2025.01, we can move the new .o files under
CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the
Kconfigs for all crypto which is a bit messy atm.

Are you ok with this?

>
>>
>> >
>> >>
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> >> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>> >>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>> >>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>> >>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>> >> +
>> >> +#mbedTLS TLS support
>> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> >> +mbedtls_lib_tls-y := \
>> >> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> >> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> >> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> >> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> >> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>> >
>> > Ditto, add the U-Boot Kconfig control if it exists.
>>
>> None of these don't make sense to be a U-Boot Kconfig. They are
>> mbedTLS internal to enable TLS1.2 support.
>
>
> I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
> I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.

I would prefer having TLS as a separate Kconfig option. We might need
to use it without wget and binding mbedTLS to lwIP doesn't make that
much sense. It does *currently* because that's the only code that uses
it

Thanks
/Ilias
>
> [snip]
>
> Regards,
> Raymond

More information about the U-Boot mailing list