From: Tom Rini Date: Mon, 14 Oct 2024 19:34:06 +0000 (-0600) Subject: Merge patch series "Integrate MbedTLS v3.6 LTS with U-Boot" X-Git-Url: http://git.dujemihanovic.xyz/posts?a=commitdiff_plain;h=d467f359c4c875a96857ced2b660b4d185b4714f;p=u-boot.git Merge patch series "Integrate MbedTLS v3.6 LTS with U-Boot" Raymond Mao says: Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. Motivations: ------------ 1. MbedTLS is well maintained with LTS versions. 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. 3. MbedTLS recently switched license back to GPLv2. Prerequisite: ------------- This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via: $ git subtree add --prefix lib/mbedtls/external/mbedtls \ https://github.com/Mbed-TLS/mbedtls.git \ v3.6.0 --squash Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually: $ git add --renormalize . $ git commit New Kconfig options: -------------------- `MBEDTLS_LIB` is for MbedTLS general switch. `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with MbedTLS. `MBEDTLS_LIB_CRYPTO_ALT` is for using original U-Boot crypto libs as MbedTLS crypto alternatives. `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, and Pubkey parser with MbedTLS. By default `MBEDTLS_LIB_CRYPTO_ALT` and `MBEDTLS_LIB_X509` are selected when `MBEDTLS_LIB` is enabled. `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are introduced. In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 are by default enabled in qemu_arm64_defconfig and sandbox_defconfig for testing purpose. Patches for external MbedTLS project: ------------------------------------- Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs executables which is not supported by MbedTLS at the moment, addtional patches for MbedTLS are created to adapt with the EFI loader: 1. Decoding of Microsoft Authentication Code. 2. Decoding of PKCS#9 Authenticate Attributes. 3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates. 4. MbedTLS native test suites for PKCS#7 signer's info. All above 4 patches (tagged with `mbedtls/external`) are submitted to MbedTLS project and being reviewed, eventually they should be part of MbedTLS LTS release. But before that, please merge them into U-Boot, otherwise the building will be broken when MBEDTLS_LIB_X509 is enabled. See below PR link for the reference: https://github.com/Mbed-TLS/mbedtls/pull/9001 Miscellaneous: -------------- Optimized MbedTLS library size by tailoring the config file and disabling all unnecessary features for EFI loader. From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, sha512) are completely replaced when MbedTLS is enabled. From v3, the size-growth is slightly reduced by refactoring Hash functions. From v6, smaller implementations for SHA256 and SHA512 are enabled and target size reduce significantly. Target(QEMU arm64) size-growth when enabling MbedTLS: v1: 6.03% v2: 4.66% v3 - v5: 4.55% v6: 2.90% Tests done: ----------- EFI Secure Boot test (EFI variables loading and verifying, EFI signed image verifying and booting) via U-Boot console. EFI Secure Boot and Capsule sandbox test passed. Known issues: ------------- None. Link: https://lore.kernel.org/u-boot/20241003215112.3103601-1-raymond.mao@linaro.org/ --- d467f359c4c875a96857ced2b660b4d185b4714f diff --cc Makefile index 575aeb29f8,5ed5c8feff..3267fb1c46 --- a/Makefile +++ b/Makefile @@@ -829,7 -829,13 +829,13 @@@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOL UBOOTINCLUDE := \ -Iinclude \ $(if $(KBUILD_SRC), -I$(srctree)/include) \ + $(if $(CONFIG_MBEDTLS_LIB), \ + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ + -I$(srctree)/lib/mbedtls \ + -I$(srctree)/lib/mbedtls/port \ + -I$(srctree)/lib/mbedtls/external/mbedtls \ + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ - $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ + $(if $(CONFIG_$(XPL_)SYS_THUMB_BUILD), \ $(if $(CONFIG_HAS_THUMB2), \ $(if $(CONFIG_CPU_V7M), \ -I$(srctree)/arch/arm/thumb1/include), \ diff --cc lib/Makefile index 7ccc91f5d3,561e0d44a1..3fc428cff1 --- a/lib/Makefile +++ b/lib/Makefile @@@ -70,35 -69,39 +69,39 @@@ obj-$(CONFIG_$(PHASE_)CRC16) += crc16. obj-y += crypto/ -obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ +obj-$(CONFIG_$(PHASE_)ACPI) += acpi/ - obj-$(CONFIG_$(XPL_)MD5) += md5.o obj-$(CONFIG_ECDSA) += ecdsa/ -obj-$(CONFIG_$(SPL_)RSA) += rsa/ +obj-$(CONFIG_$(XPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_BLAKE2) += blake2/blake2b.o - obj-$(CONFIG_$(XPL_)SHA1) += sha1.o - obj-$(CONFIG_$(XPL_)SHA256) += sha256.o - obj-$(CONFIG_$(XPL_)SHA512) += sha512.o + -obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o -obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o -obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o -obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o ++obj-$(CONFIG_$(XPL_)MD5_LEGACY) += md5.o ++obj-$(CONFIG_$(XPL_)SHA1_LEGACY) += sha1.o ++obj-$(CONFIG_$(XPL_)SHA256_LEGACY) += sha256.o ++obj-$(CONFIG_$(XPL_)SHA512_LEGACY) += sha512.o + obj-$(CONFIG_CRYPT_PW) += crypt/ - obj-$(CONFIG_$(XPL_)ASN1_DECODER) += asn1_decoder.o -obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o ++obj-$(CONFIG_$(XPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o -obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ -obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ -obj-$(CONFIG_$(SPL_)GZIP) += gunzip.o -obj-$(CONFIG_$(SPL_)LZO) += lzo/ -obj-$(CONFIG_$(SPL_)LZMA) += lzma/ -obj-$(CONFIG_$(SPL_)LZ4) += lz4_wrapper.o +obj-$(CONFIG_$(XPL_)ZLIB) += zlib/ +obj-$(CONFIG_$(XPL_)ZSTD) += zstd/ +obj-$(CONFIG_$(XPL_)GZIP) += gunzip.o +obj-$(CONFIG_$(XPL_)LZO) += lzo/ +obj-$(CONFIG_$(XPL_)LZMA) += lzma/ +obj-$(CONFIG_$(XPL_)LZ4) += lz4_wrapper.o -obj-$(CONFIG_$(SPL_)LIB_RATIONAL) += rational.o +obj-$(CONFIG_$(XPL_)LIB_RATIONAL) += rational.o obj-$(CONFIG_LIBAVB) += libavb/ -obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/ -obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o +obj-$(CONFIG_$(PHASE_)OF_LIBFDT) += libfdt/ +obj-$(CONFIG_$(PHASE_)OF_REAL) += fdtdec_common.o fdtdec.o + obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/ + -ifdef CONFIG_SPL_BUILD +ifdef CONFIG_XPL_BUILD obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o -obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o +obj-$(CONFIG_$(PHASE_)HASH) += crc16-ccitt.o obj-$(CONFIG_MMC_SPI_CRC_ON) += crc16-ccitt.o obj-y += net_utils.o endif diff --cc lib/crypto/Makefile index de1510d3eb,72b413d85a..b729824df3 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@@ -7,12 -7,13 +7,13 @@@ obj-$(CONFIG_$(XPL_)ASYMMETRIC_KEY_TYPE asymmetric_keys-y := asymmetric_type.o - obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o ++obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o ++obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser # - obj-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o ++obj-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o @@@ -30,8 -31,9 +31,9 @@@ endi # # X.509 Certificate handling # -obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o +obj-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o - x509_key_parser-y := \ + x509_key_parser-y := x509_helper.o -x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ ++x509_key_parser-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ @@@ -47,19 -49,21 +49,21 @@@ $(obj)/x509_akid.asn1.o: $(obj)/x509_ak # # PKCS#7 message handling # -obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o +obj-$(CONFIG_$(XPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o - pkcs7_message-y := \ + pkcs7_message-y := pkcs7_helper.o + pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ pkcs7.asn1.o \ pkcs7_parser.o - obj-$(CONFIG_$(XPL_)PKCS7_VERIFY) += pkcs7_verify.o $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o ++obj-$(CONFIG_$(XPL_)PKCS7_VERIFY) += pkcs7_verify.o + # # Signed PE binary-wrapped key handling # - obj-$(CONFIG_$(XPL_)MSCODE_PARSER) += mscode.o -obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o ++obj-$(CONFIG_$(XPL_)MSCODE_PARSER_LEGACY) += mscode.o mscode-y := \ mscode_parser.o \