Hi Raymond On Fri, 4 Oct 2024 at 00:52, Raymond Mao <[email protected]> wrote: > > Port mbedtls with adapted libc header files. > Add mbedtls default config header file. > Optimize mbedtls default config by disabling unused features to > reduce the target size. > Add mbedtls kbuild makefile. > Add Kconfig skeleton and config submenu entry for selecting > crypto libraries between mbedtls and legacy ones. > Add the mbedtls include directories into the build system. > Port u-boot hash functions as MbedTLS crypto alternatives and set > it as default. > > Subsequent patches will separate those Kconfigs into pairs of > _LEGACY and _MBEDTLS for controlling the implementations of legacy > crypto libraries and MbedTLS ones respectively. > > The motivation of moving and adapting *INT* macros from kernel.h > to limits.h is to fullfill the MbedTLS building requirement. > The conditional compilation statements in MbedTLS expects the > *INT* macros as constant expressions, thus expressions like > `((int)(~0U >> 1))` will not work. > > Prerequisite > ------------ > > This patch series requires mbedtls git repo to be added as a > subtree to the main U-Boot repo via: > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > https://github.com/Mbed-TLS/mbedtls.git \ > v3.6.0 --squash > > Moreover, due to the Windows-style files from mbedtls git repo, > we need to convert the CRLF endings to LF and do a commit manually: > > $ git add --renormalize . > $ git commit > > Signed-off-by: Raymond Mao <[email protected]> > --- > Changes in v2 > - Disabled unused MbedTLS features to optimize the target size. > Changes in v3 > - Removed changes in stdio.h. > Changes in v4 > - Move limits.h as a common header file that is included by kernel.h. > - Refactor the Kconfig to support legacy and MbedTLS options for each > algorithm. > - Refactor MbedTLS makefile and default config file to remove unused > config options and objects. > Changes in v5 > - Merged patch #9 of v4 into this patch. > - Removed unused config MBEDTLS_LIB_TLS. > - Refactored MbedTLS Makefile and default config file. > Changes in v6 > - Fixed UINT64_MAX. > - Removed copy right statement from limits.h > Changes in v7 > - Fixed CI world build failures due to config dependencies. > - Fixed values of UINT_MAX and UINT32_MAX. > Changes in v8 > - Port u-boot hash functions as MbedTLS crypto alternatives and set > it as default. > > Makefile | 6 +++ > include/limits.h | 25 ++++++++++ > include/linux/kernel.h | 13 +---- > include/stdlib.h | 1 + > lib/Kconfig | 4 ++ > lib/Makefile | 2 + > lib/mbedtls/Kconfig | 56 +++++++++++++++++++++ > lib/mbedtls/Makefile | 41 ++++++++++++++++ > lib/mbedtls/mbedtls_def_config.h | 84 ++++++++++++++++++++++++++++++++ > lib/mbedtls/port/assert.h | 12 +++++ > lib/mbedtls/port/md5_alt.h | 57 ++++++++++++++++++++++ > lib/mbedtls/port/sha1_alt.h | 57 ++++++++++++++++++++++ > lib/mbedtls/port/sha256_alt.h | 64 ++++++++++++++++++++++++ > lib/mbedtls/port/sha512_alt.h | 78 +++++++++++++++++++++++++++++ > 14 files changed, 488 insertions(+), 12 deletions(-) > create mode 100644 include/limits.h > create mode 100644 lib/mbedtls/Kconfig > create mode 100644 lib/mbedtls/Makefile > create mode 100644 lib/mbedtls/mbedtls_def_config.h > create mode 100644 lib/mbedtls/port/assert.h > create mode 100644 lib/mbedtls/port/md5_alt.h > create mode 100644 lib/mbedtls/port/sha1_alt.h > create mode 100644 lib/mbedtls/port/sha256_alt.h > create mode 100644 lib/mbedtls/port/sha512_alt.h > > diff --git a/Makefile b/Makefile > index 525576f987d..f4659f9493a 100644 > --- a/Makefile > +++ b/Makefile > @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) > UBOOTINCLUDE := \ > -Iinclude \ > $(if $(KBUILD_SRC), -I$(srctree)/include) \ > + $(if $(CONFIG_MBEDTLS_LIB), \ > + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ > + -I$(srctree)/lib/mbedtls \ > + -I$(srctree)/lib/mbedtls/port \ > + -I$(srctree)/lib/mbedtls/external/mbedtls \ > + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ > $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ > $(if $(CONFIG_HAS_THUMB2), \ > $(if $(CONFIG_CPU_V7M), \ > diff --git a/include/limits.h b/include/limits.h > new file mode 100644 > index 00000000000..4700cc7a59f > --- /dev/null > +++ b/include/limits.h > @@ -0,0 +1,25 @@ > +/* SPDX-License-Identifier: GPL-2.0+ */ > + > +#ifndef _LIMITS_H > +#define _LIMITS_H > + > +#define INT_MAX 0x7fffffff > +#define UINT_MAX 0xffffffffU > +#define CHAR_BIT 8 > +#define UINT32_MAX 0xffffffffU > +#define UINT64_MAX 0xffffffffffffffffULL > + > +#ifdef CONFIG_64BIT > + #define UINTPTR_MAX UINT64_MAX > +#else > + #define UINTPTR_MAX UINT32_MAX > +#endif > + > +#ifndef SIZE_MAX > +#define SIZE_MAX UINTPTR_MAX > +#endif > +#ifndef SSIZE_MAX > +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) > +#endif > + > +#endif /* _LIMITS_H */ > diff --git a/include/linux/kernel.h b/include/linux/kernel.h > index 939465f372b..9467edd65ab 100644 > --- a/include/linux/kernel.h > +++ b/include/linux/kernel.h > @@ -3,25 +3,18 @@ > > #include <linux/types.h> > #include <linux/printk.h> /* for printf/pr_* utilities */ > +#include <limits.h> > > #define USHRT_MAX ((u16)(~0U)) > #define SHRT_MAX ((s16)(USHRT_MAX>>1)) > #define SHRT_MIN ((s16)(-SHRT_MAX - 1)) > -#define INT_MAX ((int)(~0U>>1)) > #define INT_MIN (-INT_MAX - 1) > -#define UINT_MAX (~0U) > #define LONG_MAX ((long)(~0UL>>1)) > #define LONG_MIN (-LONG_MAX - 1) > #define ULONG_MAX (~0UL) > #define LLONG_MAX ((long long)(~0ULL>>1)) > #define LLONG_MIN (-LLONG_MAX - 1) > #define ULLONG_MAX (~0ULL) > -#ifndef SIZE_MAX > -#define SIZE_MAX (~(size_t)0) > -#endif > -#ifndef SSIZE_MAX > -#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) > -#endif > > #define U8_MAX ((u8)~0U) > #define S8_MAX ((s8)(U8_MAX>>1)) > @@ -36,10 +29,6 @@ > #define S64_MAX ((s64)(U64_MAX>>1)) > #define S64_MIN ((s64)(-S64_MAX - 1)) > > -/* Aliases defined by stdint.h */ > -#define UINT32_MAX U32_MAX > -#define UINT64_MAX U64_MAX > - > #define INT32_MAX S32_MAX > > #define STACK_MAGIC 0xdeadbeef > diff --git a/include/stdlib.h b/include/stdlib.h > index 9c175d4d74c..dedfd52a144 100644 > --- a/include/stdlib.h > +++ b/include/stdlib.h > @@ -7,5 +7,6 @@ > #define __STDLIB_H_ > > #include <malloc.h> > +#include <rand.h> > > #endif /* __STDLIB_H_ */ > diff --git a/lib/Kconfig b/lib/Kconfig > index 1dd4f271595..67a60160dac 100644 > --- a/lib/Kconfig > +++ b/lib/Kconfig > @@ -419,6 +419,10 @@ config CIRCBUF > > source "lib/dhry/Kconfig" > > +menu "Alternative crypto libraries" > +source lib/mbedtls/Kconfig > +endmenu > + > menu "Security support" > > config AES > diff --git a/lib/Makefile b/lib/Makefile > index d300249f57c..c4950b78a29 100644 > --- a/lib/Makefile > +++ b/lib/Makefile > @@ -96,6 +96,8 @@ obj-$(CONFIG_LIBAVB) += libavb/ > obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/ > obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o > > +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/ > + > ifdef CONFIG_SPL_BUILD > obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o > obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > new file mode 100644 > index 00000000000..9d1a63c1ca6 > --- /dev/null > +++ b/lib/mbedtls/Kconfig > @@ -0,0 +1,56 @@ > +choice > + prompt "Select crypto libraries" > + default LEGACY_CRYPTO > + help > + Select crypto libraries. > + LEGACY_CRYPTO for legacy crypto libraries, > + MBEDTLS_LIB for MbedTLS libraries. > + > +config LEGACY_CRYPTO > + bool "legacy crypto libraries" > + select LEGACY_CRYPTO_BASIC > + select LEGACY_CRYPTO_CERT > +
This overall llooks ok, but the native mbedTLS hashing should depend on !CONFIG_SHA_HW_ACCEL. If everyone thinks the series is good enough to merge, I don't mind this going on a followup commit > +config MBEDTLS_LIB > + bool "MbedTLS libraries" > + select MBEDTLS_LIB_X509 > +endchoice > + > +if LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT > + > +config LEGACY_CRYPTO_BASIC > + bool "legacy basic crypto libraries" > + help > + Enable legacy basic crypto libraries. > + > +config LEGACY_CRYPTO_CERT > + bool "legacy certificate libraries" > + help > + Enable legacy certificate libraries. > + > +endif # LEGACY_CRYPTO > + > +if MBEDTLS_LIB > + > +config MBEDTLS_LIB_CRYPTO_ALT > + bool "MbedTLS crypto alternatives" > + depends on MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO > + select LEGACY_CRYPTO_BASIC > + default y if MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO > + help > + Enable MbedTLS crypto alternatives. > + Mutually incompatible with MBEDTLS_LIB_CRYPTO. > + > +config MBEDTLS_LIB_CRYPTO > + bool "MbedTLS crypto libraries" > + help > + Enable MbedTLS crypto libraries. > + Mutually incompatible with MBEDTLS_LIB_CRYPTO_ALT. > + > + > +config MBEDTLS_LIB_X509 > + bool "MbedTLS certificate libraries" > + * Author: Raymond Mao <[email protected]> > + */ > + > +#if defined CONFIG_MBEDTLS_LIB > + > +#if CONFIG_IS_ENABLED(MD5) > +#define MBEDTLS_MD_C > +#define MBEDTLS_MD5_C > +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT > +#define MBEDTLS_MD5_ALT > +#endif > +#endif > + > +#if CONFIG_IS_ENABLED(SHA1) > +#define MBEDTLS_MD_C > +#define MBEDTLS_SHA1_C > +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT > +#define MBEDTLS_SHA1_ALT > +#endif > +#endif > + > +#if CONFIG_IS_ENABLED(SHA256) > +#define MBEDTLS_MD_C > +#define MBEDTLS_SHA256_C > +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT > +#define MBEDTLS_SHA256_ALT > +#endif > +#endif > + > +#if CONFIG_IS_ENABLED(SHA384) > +#define MBEDTLS_MD_C > +#define MBEDTLS_SHA384_C > +#endif > + [...] Thanks /Ilias
