[PATCH 1/3] mbedtls: fix incorrect kconfig dependencies on mbedtls
Raymond Mao
raymond.mao at linaro.org
Fri Jan 31 15:38:26 CET 2025
Hi Ilias,
On Fri, 31 Jan 2025 at 08:40, Ilias Apalodimas
<ilias.apalodimas at linaro.org> wrote:
>
> Hi Raymond
>
> On Mon, 27 Jan 2025 at 17:17, Raymond Mao <raymond.mao at linaro.org> wrote:
> >
> > Currently, building with WGET_HTTPS, NET_LWIP and MBEDTLS_LIB fails
> > due to a few incorrect kconfig dependencies.
> > Fix these and clarify the purpose of MBEDTLS_LIB_CRYPTO_ALT.
> >
> > Signed-off-by: Raymond Mao <raymond.mao at linaro.org>
> > ---
> > cmd/Kconfig | 1 -
> > lib/mbedtls/Kconfig | 8 +++++---
> > 2 files changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/cmd/Kconfig b/cmd/Kconfig
> > index 1a0985ca479..071601b5ac2 100644
> > --- a/cmd/Kconfig
> > +++ b/cmd/Kconfig
> > @@ -2161,7 +2161,6 @@ config WGET_HTTPS
> > select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > select X509_CERTIFICATE_PARSER
> > select PKCS7_MESSAGE_PARSER
> > - select MBEDTLS_LIB_CRYPTO
> > select MBEDTLS_LIB_TLS
> > select RSA_VERIFY_WITH_PKEY
> > select X509_CERTIFICATE_PARSER
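Review bot: With "select MBEDTLS_LIB_CRYPTO" removed, WGET_HTTPS still selects MBEDTLS_LIB_TLS, and a Kconfig select does not enforce the selected symbol's "depends on" lines. The last hunk of this patch makes MBEDTLS_LIB_TLS depend on MBEDTLS_LIB, so unless WGET_HTTPS already depends on or selects MBEDTLS_LIB above the visible context, Kconfig will only warn about an unmet dependency instead of preventing the configuration. Consider adding "depends on MBEDTLS_LIB" to WGET_HTTPS. The context also shows "select X509_CERTIFICATE_PARSER" twice; the duplicate could be dropped in the same change.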
> > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > index aa82336ef14..17ed2bc71de 100644
> > --- a/lib/mbedtls/Kconfig
> > +++ b/lib/mbedtls/Kconfig
> > @@ -116,6 +116,7 @@ endif # LEGACY_CRYPTO_BASIC
> >
> > config LEGACY_CRYPTO_CERT
> > bool "legacy certificate libraries"
> > + depends on LEGACY_CRYPTO
> > select ASN1_DECODER_LEGACY if ASN1_DECODER
> > select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
> > ASYMMETRIC_PUBLIC_KEY_SUBTYPE
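Review bot: The added "depends on LEGACY_CRYPTO" in LEGACY_CRYPTO_CERT may be redundant: the next hunk's header shows "endif # LEGACY_CRYPTO" further down the file, which suggests this entry already sits inside an "if LEGACY_CRYPTO" block. If it does, drop the line. If it does not, name in the commit message the configuration that needed it, since the message only mentions "a few incorrect kconfig dependencies".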
> > @@ -210,12 +211,13 @@ endif # LEGACY_CRYPTO
> > if MBEDTLS_LIB
> >
> > config MBEDTLS_LIB_CRYPTO_ALT
> > - bool "MbedTLS crypto alternatives"
> > + bool "Use legacy crypto libraries as MbedTLS alternatives"
> > depends on MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO
> > select LEGACY_CRYPTO_BASIC
> > default y if MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO
> > help
> > - Enable MbedTLS crypto alternatives.
> > + Enable MbedTLS crypto alternatives and replace it with legacy crypto
> > + libraries.
>
> This isn't too clear for someone that hasn't been involved with mbedTLS.
> Isn't that enabling U-Boot's hashing algorithms instead of the mbedTLS ones?
>
Yes, currently only hashing will be replaced by U-Boot legacy crypto
when MBEDTLS_LIB_CRYPTO_ALT is selected.
But mbedtls provides more "alternative" options than hashing.
The reason I keep it named "_CRYPTO_ALT" is to allow us to extend
the usage beyond hashing in the future.
Regards,
Raymond
> Thanks
> /Ilias
> > Mutually incompatible with MBEDTLS_LIB_CRYPTO.
> >
> > config MBEDTLS_LIB_CRYPTO
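Review bot: The new help text for MBEDTLS_LIB_CRYPTO_ALT, "Enable MbedTLS crypto alternatives and replace it with legacy crypto libraries", leaves "it" without a clear referent and does not say what gets replaced. Per the reply in this thread, only hashing is replaced today, so wording along the lines of "Use U-Boot's legacy hash implementations in place of the MbedTLS ones" would tell a reader what the option currently does. Separately, the entry sits under "if MBEDTLS_LIB", so the MBEDTLS_LIB term in its "depends on" and "default y if" lines is redundant.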
> > @@ -451,7 +453,7 @@ config MBEDTLS_LIB_TLS
> > depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> > depends on ASN1_DECODER_MBEDTLS
> > depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> > - depends on MBEDTLS_LIB_CRYPTO
> > + depends on MBEDTLS_LIB
> > help
> > Enable MbedTLS TLS library. Required for HTTPs support
> > in wget
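Review bot: Changing "depends on MBEDTLS_LIB_CRYPTO" to "depends on MBEDTLS_LIB" lets MBEDTLS_LIB_TLS be enabled with MBEDTLS_LIB_CRYPTO off, in which case MBEDTLS_LIB_CRYPTO_ALT from the previous hunk defaults to y and, per the reply in this thread, hashing comes from U-Boot's legacy crypto. The commit message should state that TLS was built and tested in that configuration. The context also repeats "depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS", and the help text could spell "HTTPS" consistently.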
> > --
> > 2.25.1
> >