[PATCH v6 07/28] hash: integrate hash on mbedtls
Ilias Apalodimas
ilias.apalodimas at linaro.org
Fri Sep 6 16:05:19 CEST 2024
Hi Raymond,
On Fri, 6 Sept 2024 at 17:00, Raymond Mao <raymond.mao at linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 6 Sept 2024 at 03:36, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>>
>> Hi Raymond,
>>
>> On Tue, 3 Sept 2024 at 18:54, Raymond Mao <raymond.mao at linaro.org> wrote:
>> >
>> > Hi Ilias,
>> >
>> > On Fri, 30 Aug 2024 at 05:37, Ilias Apalodimas <ilias.apalodimas at linaro.org> wrote:
>> >>
>> >> Hi Simon,
>> >>
>> >> On Thu, 29 Aug 2024 at 18:01, Simon Glass <sjg at chromium.org> wrote:
>> >> >
>> >> > Hi Raymond,
>> >> >
>> >> > On Fri, 16 Aug 2024 at 15:47, Raymond Mao <raymond.mao at linaro.org> wrote:
>> >> > >
>> >> > > Integrate common/hash.c on the hash shim layer so that hash APIs
>> >> > > from mbedtls can be leveraged by boot/image and efi_loader.
>> >> > >
>> >> > > Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
>> >> > > ---
>> >> > > Changes in v2
>> >> > > - Use the original head files instead of creating new ones.
>> >> > > Changes in v3
>> >> > > - Add handle checkers for malloc.
>> >> > > Changes in v4
>> >> > > - None.
>> >> > > Changes in v5
>> >> > > - Add __maybe_unused to solve linker errors in some platforms.
>> >> > > - replace malloc with calloc.
>> >> > > Changes in v6
>> >> > > - None.
>> >> > >
>> >> > > common/hash.c | 146 ++++++++++++++++++++++++++++++++++++++++++++++++++
>> >> > > 1 file changed, 146 insertions(+)
>> >> >
>> >> > I am not seeing the benefit of replacing U-Boot's hashing algorithms.
>> >> > They work well and don't change. Also it seems to be making the code a
>> >> > lot uglier, with an uncertain timeline for clean-up.
>> >>
>> >> A lot uglier where? It adds a few wrappers that fit into the current
>> >> design and callbacks.
>> >> I don't think what you are asking is possible. To do assymetric
>> >> crypto, signatures etc -- and in the future add TLS support in wget
>> >> mbedTLS relies on its internal hashing functions for the cipher suites
>> >> it supports. So what you are asking would just make the code even
>> >> larger. Raymond can you please double check?
>> >>
>> > Digest is the basic library of MbedTLS, I don't believe we can disable it
>> > but only use the ones for certificates, unless MbedTLS makes changes
>> > to allow hooking external digest libraries - as I mentioned in a previous reply,
>> > I don't think this is what MbedTLS wants.
>>
>> There's a config option on config.h we could use to override shaXXX,
>> but given that mbedTLS can be used to add more hashing alogorithms, I
>> dont think we should do that
>>
> If you mean the _ALT macros, they are used for porting HW acceleration.
> Maybe we can point this to the original U-Boot ones, but I didn't try.
>
That will work, it's not for hw accel only, it's for an alternative
implementation. But then again you have to change the args of the
u-boot ones to match mbedTLS. I really don't think it's worth the
effort.
Besides the main advantage here, is that we can use more than just the
SHAXXX U-Boot has, without adding any crypto code to U-Boot -- just a
glue layer.
Thanks
/Ilias
> Raymond
More information about the U-Boot
mailing list