[PATCH v7 03/27] lib: Adapt digest header files to MbedTLS
Raymond Mao
raymond.mao at linaro.org
Fri Sep 13 18:03:20 CEST 2024
Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce <alg>_LEGACY kconfig for legacy hash implementations.
sha256.o should depend on SHA256 kconfig only but not SUPPORT_EMMC_RPMB,
SHA256 should be selected when SUPPORT_EMMC_RPMB is enabled instead.
`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including <linux/kconfig.h> causes undefined reference on schedule()
with sandbox build, as <linux/kconfig.h> includes <generated/autoconf.h>
which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule()
are defined in sandbox build,
Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.
Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
---
Changes in v2
- Initial patch.
Changes in v3
- Remove the changes that were done in previous clean-up patch set.
Changes in v4
- Introduce <alg>_LEGACY kconfig for legacy hash implementations.
Changes in v5
- Correct header file include directories.
- Correct kconfig dependence.
Changes in v6
- Update commit message.
- Rebased on next branch.
Changes in v7
- Fixed the dependency between SUPPORT_EMMC_RPMB and SHA256.
drivers/mmc/Kconfig | 1 +
include/u-boot/md5.h | 7 ++++
include/u-boot/sha1.h | 21 +++++++++-
include/u-boot/sha256.h | 20 +++++++++
include/u-boot/sha512.h | 9 ++++
lib/Makefile | 11 ++---
lib/mbedtls/Kconfig | 91 +++++++++++++++++++++++++++++++++++++++++
7 files changed, 154 insertions(+), 6 deletions(-)
diff --git a/drivers/mmc/Kconfig b/drivers/mmc/Kconfig
index 982e84dc3bc..5d7fd904950 100644
--- a/drivers/mmc/Kconfig
+++ b/drivers/mmc/Kconfig
@@ -119,6 +119,7 @@ config MMC_HW_PARTITIONING
config SUPPORT_EMMC_RPMB
bool "Support eMMC replay protected memory block (RPMB)"
imply CMD_MMC_RPMB
+ select SHA256
help
Enable support for reading, writing and programming the
key for the Replay Protection Memory Block partition in eMMC.
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index c465925ea8d..69898fcbe49 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -6,10 +6,16 @@
#ifndef _MD5_H
#define _MD5_H
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include <mbedtls/md5.h>
+#endif
#include "compiler.h"
#define MD5_SUM_LEN 16
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_md5_context MD5Context;
+#else
typedef struct MD5Context {
__u32 buf[4];
__u32 bits[2];
@@ -18,6 +24,7 @@ typedef struct MD5Context {
__u32 in32[16];
};
} MD5Context;
+#endif
void MD5Init(MD5Context *ctx);
void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index c1e9f67068d..ab88134fb98 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -16,6 +16,21 @@
#include <linux/types.h>
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including <external/mbedtls/library/common.h> is not allowed,
+ * since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include <mbedtls/sha1.h>
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -26,6 +41,9 @@ extern "C" {
extern const uint8_t sha1_der_prefix[];
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha1_context sha1_context;
+#else
/**
* \brief SHA-1 context structure
*/
@@ -36,13 +54,14 @@ typedef struct
unsigned char buffer[64]; /*!< data block being processed */
}
sha1_context;
+#endif
/**
* \brief SHA-1 context setup
*
* \param ctx SHA-1 context to be initialized
*/
-void sha1_starts( sha1_context *ctx );
+void sha1_starts(sha1_context *ctx);
/**
* \brief SHA-1 process buffer
diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
index a4fe176c0b4..b58d5b58d39 100644
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -3,6 +3,22 @@
#include <linux/types.h>
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including <external/mbedtls/library/common.h> is not allowed,
+ * since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include <mbedtls/sha256.h>
+#endif
+
+#define SHA224_SUM_LEN 28
#define SHA256_SUM_LEN 32
#define SHA256_DER_LEN 19
@@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[];
/* Reset watchdog each time we process this many bytes */
#define CHUNKSZ_SHA256 (64 * 1024)
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha256_context sha256_context;
+#else
typedef struct {
uint32_t total[2];
uint32_t state[8];
uint8_t buffer[64];
} sha256_context;
+#endif
void sha256_starts(sha256_context * ctx);
void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length);
diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
index 83c2119cd26..7e10f590a1d 100644
--- a/include/u-boot/sha512.h
+++ b/include/u-boot/sha512.h
@@ -3,6 +3,10 @@
#include <linux/types.h>
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include <mbedtls/sha512.h>
+#endif
+
#define SHA384_SUM_LEN 48
#define SHA384_DER_LEN 19
#define SHA512_SUM_LEN 64
@@ -12,11 +16,16 @@
#define CHUNKSZ_SHA384 (16 * 1024)
#define CHUNKSZ_SHA512 (16 * 1024)
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha512_context sha384_context;
+typedef mbedtls_sha512_context sha512_context;
+#else
typedef struct {
uint64_t state[SHA512_SUM_LEN / 8];
uint64_t count[2];
uint8_t buf[SHA512_BLOCK_SIZE];
} sha512_context;
+#endif
extern const uint8_t sha512_der_prefix[];
diff --git a/lib/Makefile b/lib/Makefile
index c4950b78a29..33755778283 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -50,7 +50,6 @@ obj-$(CONFIG_XXHASH) += xxhash.o
obj-y += net_utils.o
obj-$(CONFIG_PHYSMEM) += physmem.o
obj-y += rc4.o
-obj-$(CONFIG_SUPPORT_EMMC_RPMB) += sha256.o
obj-$(CONFIG_RBTREE) += rbtree.o
obj-$(CONFIG_BITREVERSE) += bitrev.o
obj-y += list_sort.o
@@ -71,14 +70,16 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o
obj-y += crypto/
obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
-obj-$(CONFIG_$(SPL_)MD5) += md5.o
obj-$(CONFIG_ECDSA) += ecdsa/
obj-$(CONFIG_$(SPL_)RSA) += rsa/
obj-$(CONFIG_HASH) += hash-checksum.o
obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
-obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
-obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
-obj-$(CONFIG_$(SPL_)SHA512) += sha512.o
+
+obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o
+obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o
+obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o
+obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o
+
obj-$(CONFIG_CRYPT_PW) += crypt/
obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 3e9057f1acf..efae2c4fd72 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -21,9 +21,100 @@ if LEGACY_CRYPTO
config LEGACY_CRYPTO_BASIC
bool "legacy basic crypto libraries"
+ select MD5_LEGACY if MD5
+ select SHA1_LEGACY if SHA1
+ select SHA256_LEGACY if SHA256
+ select SHA512_LEGACY if SHA512
+ select SHA384_LEGACY if SHA384
+ select SPL_MD5_LEGACY if SPL_MD5
+ select SPL_SHA1_LEGACY if SPL_SHA1
+ select SPL_SHA256_LEGACY if SPL_SHA256
+ select SPL_SHA512_LEGACY if SPL_SHA512
+ select SPL_SHA384_LEGACY if SPL_SHA384
help
Enable legacy basic crypto libraries.
+if LEGACY_CRYPTO_BASIC
+
+config SHA1_LEGACY
+ bool "Enable SHA1 support with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with legacy crypto library.
+
+config SHA256_LEGACY
+ bool "Enable SHA256 support with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with legacy crypto library.
+
+config SHA512_LEGACY
+ bool "Enable SHA512 support with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SHA512
+ default y if TI_SECURE_DEVICE && FIT_SIGNATURE
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with legacy crypto library.
+
+config SHA384_LEGACY
+ bool "Enable SHA384 support with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SHA384
+ select SHA512_LEGACY
+ help
+ This option enables support of hashing using SHA384 algorithm
+ with legacy crypto library.
+
+config MD5_LEGACY
+ bool "Enable MD5 support with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && MD5
+ help
+ This option enables support of hashing using MD5 algorithm
+ with legacy crypto library.
+
+if SPL
+
+config SPL_SHA1_LEGACY
+ bool "Enable SHA1 support in SPL with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with legacy crypto library.
+
+config SPL_SHA256_LEGACY
+ bool "Enable SHA256 support in SPL with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with legacy crypto library.
+
+config SPL_SHA512_LEGACY
+ bool "Enable SHA512 support in SPL with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with legacy crypto library.
+
+config SPL_SHA384_LEGACY
+ bool "Enable SHA384 support in SPL with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
+ select SPL_SHA512_LEGACY
+ help
+ This option enables support of hashing using SHA384 algorithm
+ with legacy crypto library.
+
+config SPL_MD5_LEGACY
+ bool "Enable MD5 support in SPL with legacy crypto library"
+ depends on LEGACY_CRYPTO_BASIC && SPL_MD5
+ help
+ This option enables support of hashing using MD5 algorithm
+ with legacy crypto library.
+
+endif # SPL
+
+endif # LEGACY_CRYPTO_BASIC
+
config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
help
--
2.25.1
More information about the U-Boot
mailing list