Raymond Mao <raymond.mao@linaro.org> says:
Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot.
Motivations:
------------
1. MbedTLS is well maintained with LTS versions.
2. LWIP is integrated with MbedTLS and easily to enable HTTPS.
3. MbedTLS recently switched license back to GPLv2.
Prerequisite:
-------------
This patch series requires mbedtls git repo to be added as a
subtree to the main U-Boot repo via:
$ git subtree add --prefix lib/mbedtls/external/mbedtls \
https://github.com/Mbed-TLS/mbedtls.git \
v3.6.0 --squash
Moreover, due to the Windows-style files from mbedtls git repo,
we need to convert the CRLF endings to LF and do a commit manually:
$ git add --renormalize .
$ git commit
New Kconfig options:
--------------------
`MBEDTLS_LIB` is for MbedTLS general switch.
`MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with
MbedTLS.
`MBEDTLS_LIB_CRYPTO_ALT` is for using original U-Boot crypto libs as
MbedTLS crypto alternatives.
`MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1,
and Pubkey parser with MbedTLS.
By default `MBEDTLS_LIB_CRYPTO_ALT` and `MBEDTLS_LIB_X509` are selected
when `MBEDTLS_LIB` is enabled.
`LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library.
`LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and
`LEGACY_CRYPTO_CERT` is for the certificate related functionalities.
For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS`
Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are
introduced.
In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509
are by default enabled in qemu_arm64_defconfig and sandbox_defconfig
for testing purpose.
Patches for external MbedTLS project:
-------------------------------------
Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs
executables which is not supported by MbedTLS at the moment,
addtional patches for MbedTLS are created to adapt with the EFI loader:
1. Decoding of Microsoft Authentication Code.
2. Decoding of PKCS#9 Authenticate Attributes.
3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates.
4. MbedTLS native test suites for PKCS#7 signer's info.
All above 4 patches (tagged with `mbedtls/external`) are submitted to
MbedTLS project and being reviewed, eventually they should be part of
MbedTLS LTS release.
But before that, please merge them into U-Boot, otherwise the building
will be broken when MBEDTLS_LIB_X509 is enabled.
See below PR link for the reference:
https://github.com/Mbed-TLS/mbedtls/pull/9001
Miscellaneous:
--------------
Optimized MbedTLS library size by tailoring the config file
and disabling all unnecessary features for EFI loader.
From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256,
sha512) are completely replaced when MbedTLS is enabled.
From v3, the size-growth is slightly reduced by refactoring Hash functions.
From v6, smaller implementations for SHA256 and SHA512 are enabled and
target size reduce significantly.
Target(QEMU arm64) size-growth when enabling MbedTLS:
v1: 6.03%
v2: 4.66%
v3 - v5: 4.55%
v6: 2.90%
Tests done:
-----------
EFI Secure Boot test (EFI variables loading and verifying, EFI signed image
verifying and booting) via U-Boot console.
EFI Secure Boot and Capsule sandbox test passed.
Known issues:
-------------
None.
Link: https://lore.kernel.org/u-boot/20241003215112.3103601-1-raymond.mao@linaro.org/
UBOOTINCLUDE := \
-Iinclude \
$(if $(KBUILD_SRC), -I$(srctree)/include) \
- $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \
+ $(if $(CONFIG_MBEDTLS_LIB), \
+ "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \
+ -I$(srctree)/lib/mbedtls \
+ -I$(srctree)/lib/mbedtls/port \
+ -I$(srctree)/lib/mbedtls/external/mbedtls \
+ -I$(srctree)/lib/mbedtls/external/mbedtls/include) \
+ $(if $(CONFIG_$(XPL_)SYS_THUMB_BUILD), \
$(if $(CONFIG_HAS_THUMB2), \
$(if $(CONFIG_CPU_V7M), \
-I$(srctree)/arch/arm/thumb1/include), \
obj-y += crypto/
-obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
+obj-$(CONFIG_$(PHASE_)ACPI) += acpi/
- obj-$(CONFIG_$(XPL_)MD5) += md5.o
obj-$(CONFIG_ECDSA) += ecdsa/
-obj-$(CONFIG_$(SPL_)RSA) += rsa/
+obj-$(CONFIG_$(XPL_)RSA) += rsa/
obj-$(CONFIG_HASH) += hash-checksum.o
obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
- obj-$(CONFIG_$(XPL_)SHA1) += sha1.o
- obj-$(CONFIG_$(XPL_)SHA256) += sha256.o
- obj-$(CONFIG_$(XPL_)SHA512) += sha512.o
+
-obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o
-obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o
-obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o
-obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o
++obj-$(CONFIG_$(XPL_)MD5_LEGACY) += md5.o
++obj-$(CONFIG_$(XPL_)SHA1_LEGACY) += sha1.o
++obj-$(CONFIG_$(XPL_)SHA256_LEGACY) += sha256.o
++obj-$(CONFIG_$(XPL_)SHA512_LEGACY) += sha512.o
+
obj-$(CONFIG_CRYPT_PW) += crypt/
- obj-$(CONFIG_$(XPL_)ASN1_DECODER) += asn1_decoder.o
-obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o
++obj-$(CONFIG_$(XPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o
-obj-$(CONFIG_$(SPL_)ZLIB) += zlib/
-obj-$(CONFIG_$(SPL_)ZSTD) += zstd/
-obj-$(CONFIG_$(SPL_)GZIP) += gunzip.o
-obj-$(CONFIG_$(SPL_)LZO) += lzo/
-obj-$(CONFIG_$(SPL_)LZMA) += lzma/
-obj-$(CONFIG_$(SPL_)LZ4) += lz4_wrapper.o
+obj-$(CONFIG_$(XPL_)ZLIB) += zlib/
+obj-$(CONFIG_$(XPL_)ZSTD) += zstd/
+obj-$(CONFIG_$(XPL_)GZIP) += gunzip.o
+obj-$(CONFIG_$(XPL_)LZO) += lzo/
+obj-$(CONFIG_$(XPL_)LZMA) += lzma/
+obj-$(CONFIG_$(XPL_)LZ4) += lz4_wrapper.o
-obj-$(CONFIG_$(SPL_)LIB_RATIONAL) += rational.o
+obj-$(CONFIG_$(XPL_)LIB_RATIONAL) += rational.o
obj-$(CONFIG_LIBAVB) += libavb/
-obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/
-obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o
+obj-$(CONFIG_$(PHASE_)OF_LIBFDT) += libfdt/
+obj-$(CONFIG_$(PHASE_)OF_REAL) += fdtdec_common.o fdtdec.o
-ifdef CONFIG_SPL_BUILD
+ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/
+
+ifdef CONFIG_XPL_BUILD
obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o
-obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o
+obj-$(CONFIG_$(PHASE_)HASH) += crc16-ccitt.o
obj-$(CONFIG_MMC_SPI_CRC_ON) += crc16-ccitt.o
obj-y += net_utils.o
endif
asymmetric_keys-y := asymmetric_type.o
- obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
-obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o
-obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o
++obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o
++obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o
#
# RSA public key parser
#
- obj-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o
-obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o
++obj-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o
rsa_public_key-y := \
rsapubkey.asn1.o \
rsa_helper.o
#
# X.509 Certificate handling
#
-obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
+obj-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
- x509_key_parser-y := \
+ x509_key_parser-y := x509_helper.o
-x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
++x509_key_parser-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
#
# PKCS#7 message handling
#
-obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
+obj-$(CONFIG_$(XPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
- pkcs7_message-y := \
+ pkcs7_message-y := pkcs7_helper.o
+ pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
pkcs7.asn1.o \
pkcs7_parser.o
- obj-$(CONFIG_$(XPL_)PKCS7_VERIFY) += pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
++obj-$(CONFIG_$(XPL_)PKCS7_VERIFY) += pkcs7_verify.o
+
#
# Signed PE binary-wrapped key handling
#
- obj-$(CONFIG_$(XPL_)MSCODE_PARSER) += mscode.o
-obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o
++obj-$(CONFIG_$(XPL_)MSCODE_PARSER_LEGACY) += mscode.o
mscode-y := \
mscode_parser.o \
projects / u-boot.git / commitdiff