[v4,04/29] lib: Adapt digest header files to MbedTLS

Message ID	20240702182325.2904421-5-raymond.mao@linaro.org
State	Changes Requested
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Raymond Mao <raymond.mao@linaro.org> To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao <raymond.mao@linaro.org>, Tom Rini <trini@konsulko.com>, Stefan Bosch <stefan_b@posteo.net>, Mario Six <mario.six@gdsys.cc>, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Michal Simek <michal.simek@amd.com>, Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>, Simon Glass <sjg@chromium.org>, Ilias Apalodimas <ilias.apalodimas@linaro.org>, Leo Yu-Chi Liang <ycliang@andestech.com>, Andrejs Cainikovs <andrejs.cainikovs@toradex.com>, Marek Vasut <marek.vasut+renesas@mailbox.org>, Sean Anderson <seanga2@gmail.com>, Jesse Taube <mr.bossman075@gmail.com>, Bryan Brattlof <bb@ti.com>, "Leon M. Busch-George" <leon@georgemail.eu>, Sergei Antonov <saproj@gmail.com>, Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk <igor.opaniuk@gmail.com>, Heinrich Schuchardt <xypron.glpk@gmx.de>, Alper Nebi Yasak <alpernebiyasak@gmail.com>, AKASHI Takahiro <akashi.tkhro@gmail.com>, Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>, Alexander Gendin <agendin@matrox.com>, Bin Meng <bmeng@tinylab.org>, =?utf-8?q?Vincent_Stehl=C3=A9?= <vincent.stehle@arm.com>, Oleksandr Suvorov <oleksandr.suvorov@foundries.io> Subject: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS Date: Tue, 2 Jul 2024 11:22:40 -0700 Message-Id: <20240702182325.2904421-5-raymond.mao@linaro.org> In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Integrate MbedTLS v3.6 LTS with U-Boot \| expand [v4,00/29] Integrate MbedTLS v3.6 LTS with U-Boot [v4,01/29] CI: Exclude MbedTLS subtree for CONFIG checks [v4,02/29] mbedtls: Add script to update MbedTLS subtree [v4,03/29] mbedtls: add mbedtls into the build system [v4,04/29] lib: Adapt digest header files to MbedTLS [v4,05/29] md5: Remove md5 non-watchdog API [v4,06/29] sha1: Remove sha1 non-watchdog API [v4,07/29] mbedtls: add digest shim layer for MbedTLS [v4,08/29] hash: integrate hash on mbedtls [v4,09/29] makefile: add mbedtls include directories [v4,10/29] mbedtls/external: support Microsoft Authentication Code [v4,11/29] mbedtls/external: support PKCS9 Authenticate Attributes [v4,12/29] mbedtls/external: support decoding multiple signer's cert [v4,13/29] mbedtls/external: update MbedTLS PKCS7 test suites [v4,14/29] public_key: move common functions to public key helper [v4,15/29] x509: move common functions to x509 helper [v4,16/29] pkcs7: move common functions to PKCS7 helper [v4,17/29] mbedtls: add public key porting layer [v4,18/29] lib/crypto: Adapt public_key header with MbedTLS [v4,19/29] mbedtls: add X509 cert parser porting layer [v4,20/29] lib/crypto: Adapt x509_cert_parser to MbedTLS [v4,21/29] mbedtls: add PKCS7 parser porting layer [v4,22/29] lib/crypto: Adapt PKCS7 parser to MbedTLS [v4,23/29] mbedtls: add MSCode parser porting layer [v4,24/29] lib/crypto: Adapt mscode_parser to MbedTLS [v4,25/29] mbedtls: add RSA helper layer on MbedTLS [v4,26/29] lib/rypto: Adapt rsa_helper to MbedTLS [v4,27/29] asn1_decoder: add build options for ASN1 decoder [v4,28/29] test: Remove ASN1 library test [v4,29/29] configs: enable MbedTLS as default setting

Message ID

20240702182325.2904421-5-raymond.mao@linaro.org

State

Changes Requested

Delegated to:

Tom Rini

Headers

From: Raymond Mao <raymond.mao@linaro.org>
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao <raymond.mao@linaro.org>,
 Tom Rini <trini@konsulko.com>, Stefan Bosch <stefan_b@posteo.net>,
 Mario Six <mario.six@gdsys.cc>,
 Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
 Michal Simek <michal.simek@amd.com>,
 Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>, Simon Glass <sjg@chromium.org>,
 Ilias Apalodimas <ilias.apalodimas@linaro.org>,
 Leo Yu-Chi Liang <ycliang@andestech.com>,
 Andrejs Cainikovs <andrejs.cainikovs@toradex.com>,
 Marek Vasut <marek.vasut+renesas@mailbox.org>,
 Sean Anderson <seanga2@gmail.com>, Jesse Taube <mr.bossman075@gmail.com>,
 Bryan Brattlof <bb@ti.com>, "Leon M. Busch-George" <leon@georgemail.eu>,
 Sergei Antonov <saproj@gmail.com>, Ilya Lukin <4.shket@gmail.com>,
 Igor Opaniuk <igor.opaniuk@gmail.com>,
 Heinrich Schuchardt <xypron.glpk@gmx.de>,
 Alper Nebi Yasak <alpernebiyasak@gmail.com>,
 AKASHI Takahiro <akashi.tkhro@gmail.com>,
 Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>,
 Alexander Gendin <agendin@matrox.com>, Bin Meng <bmeng@tinylab.org>,
	=?utf-8?q?Vincent_Stehl=C3=A9?= <vincent.stehle@arm.com>,
 Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Subject: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
Date: Tue,  2 Jul 2024 11:22:40 -0700
Message-Id: <20240702182325.2904421-5-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

Integrate MbedTLS v3.6 LTS with U-Boot | expand

Commit Message

Raymond Mao July 2, 2024, 6:22 p.m. UTC

Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce <alg>_LEGACY kconfig for legacy hash implementations.

FIXME:
`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including <linux/kconfig.h> causes undefined reference on schedule()
with sandbox build.
As <linux/kconfig.h> includes <generated/autoconf.h> which enables
`CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are
defined in sandbox build.
`#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
---
Changes in v2
- Initial patch.
Changes in v3
- Remove the changes that were done in previous clean-up patch set.
Changes in v4
- Introduce <alg>_LEGACY kconfig for legacy hash implementations.
- Minor fix of the include directories.

 include/u-boot/md5.h    |  7 +++
 include/u-boot/sha1.h   | 21 ++++++++-
 include/u-boot/sha256.h | 20 +++++++++
 include/u-boot/sha512.h | 22 ++++++++--
 lib/Makefile            | 10 +++--
 lib/mbedtls/Kconfig     | 96 +++++++++++++++++++++++++++++++++++++++++
 6 files changed, 168 insertions(+), 8 deletions(-)

Comments

Tom Rini July 2, 2024, 10:48 p.m. UTC | #1

On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote:

> Adapt digest header files to support both original libs and MbedTLS
> by switching on/off MBEDTLS_LIB_CRYPTO.
> Introduce <alg>_LEGACY kconfig for legacy hash implementations.
[snip]
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 3e9057f1acf..6662a9d20f1 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -21,9 +21,105 @@ if LEGACY_CRYPTO
>  
>  config LEGACY_CRYPTO_BASIC
>  	bool "legacy basic crypto libraries"
> +	select MD5_LEGACY if MD5
> +	select SHA1_LEGACY if SHA1
> +	select SHA256_LEGACY if SHA256
> +	select SHA512_LEGACY if SHA512
> +	select SHA384_LEGACY if SHA384
> +	select SPL_MD5_LEGACY if MD5 && SPL
> +	select SPL_SHA1_LEGACY if SHA1 && SPL
> +	select SPL_SHA256_LEGACY if SHA256 && SPL
> +	select SPL_SHA512_LEGACY if SHA512 && SPL
> +	select SPL_SHA384_LEGACY if SHA384 && SPL
>  	help
>  	  Enable legacy basic crypto libraries.
>  
> +if LEGACY_CRYPTO_BASIC
> +
> +config SHA1_LEGACY
> +	bool "Enable SHA1 support with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SHA1
> +	help
> +	  This option enables support of hashing using SHA1 algorithm
> +	  with legacy crypto library.
> +
> +config SHA256_LEGACY
> +	bool "Enable SHA256 support with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SHA256
> +	help
> +	  This option enables support of hashing using SHA256 algorithm
> +	  with legacy crypto library.
> +
> +config SHA512_LEGACY
> +	bool "Enable SHA512 support with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SHA512
> +	default y if TI_SECURE_DEVICE && FIT_SIGNATURE
> +	help
> +	  This option enables support of hashing using SHA512 algorithm
> +	  with legacy crypto library.
> +
> +config SHA384_LEGACY
> +	bool "Enable SHA384 support with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SHA384
> +	select SHA512_LEGACY
> +	help
> +	  This option enables support of hashing using SHA384 algorithm
> +	  with legacy crypto library.
> +
> +config MD5_LEGACY
> +	bool "Enable MD5 support with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && MD5
> +	help
> +	  This option enables support of hashing using MD5 algorithm
> +	  with legacy crypto library.
> +
> +if SPL
> +
> +config SPL_SHA1_LEGACY
> +	bool "Enable SHA1 support in SPL with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
> +	default y if SHA1 && LEGACY_CRYPTO_BASIC
> +	help
> +	  This option enables support of hashing using SHA1 algorithm
> +	  with legacy crypto library.
> +
> +config SPL_SHA256_LEGACY
> +	bool "Enable SHA256 support in SPL with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
> +	default y if SHA256 && LEGACY_CRYPTO_BASIC
> +	help
> +	  This option enables support of hashing using SHA256 algorithm
> +	  with legacy crypto library.
> +
> +config SPL_SHA512_LEGACY
> +	bool "Enable SHA512 support in SPL with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
> +	default y if SHA512 && LEGACY_CRYPTO_BASIC
> +	help
> +	  This option enables support of hashing using SHA512 algorithm
> +	  with legacy crypto library.
> +
> +config SPL_SHA384_LEGACY
> +	bool "Enable SHA384 support in SPL with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
> +	default y if SHA384 && LEGACY_CRYPTO_BASIC
> +	select SPL_SHA512
> +	help
> +	  This option enables support of hashing using SHA384 algorithm
> +	  with legacy crypto library.
> +
> +config SPL_MD5_LEGACY
> +	bool "Enable MD5 support in SPL with legacy crypto library"
> +	depends on LEGACY_CRYPTO_BASIC && SPL_MD5
> +	default y if MD5 && LEGACY_CRYPTO_BASIC
> +	help
> +	  This option enables support of hashing using MD5 algorithm
> +	  with legacy crypto library.
> +
> +endif # SPL
> +
> +endif # LEGACY_CRYPTO_BASIC
> +
>  config LEGACY_CRYPTO_CERT
>  	bool "legacy certificate libraries"
>  	help

This is all certainly moving in the right direction, but there's
dependency issues:
   aarch64:  w+   xilinx_zynqmp_kria
+(xilinx_zynqmp_kria)
+(xilinx_zynqmp_kria) WARNING: unmet direct dependencies detected for SPL_MD5_LEGACY
+(xilinx_zynqmp_kria)   Depends on [n]: LEGACY_CRYPTO [=y] && SPL [=y] && LEGACY_CRYPTO_BASIC [=y] && SPL_MD5 [=n]
+(xilinx_zynqmp_kria)   Selected by [y]:
+(xilinx_zynqmp_kria)   - LEGACY_CRYPTO_BASIC [=y] && LEGACY_CRYPTO [=y] && MD5 [=y] && SPL [=y]

Annoyingly I was not able to previously figure out how to make such
problems a fatal error, but if you look at the output from each of the
world build CI steps you'll see a lot of hits for "WARNING: unmet direct
dependencies" and that'll help you track down which are where and what
to do about it.

Raymond Mao July 3, 2024, 12:02 a.m. UTC | #2

Hi Tom,

On Tue, 2 Jul 2024 at 18:48, Tom Rini <trini@konsulko.com> wrote:

> On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote:
>
> > Adapt digest header files to support both original libs and MbedTLS
> > by switching on/off MBEDTLS_LIB_CRYPTO.
> > Introduce <alg>_LEGACY kconfig for legacy hash implementations.
> [snip]
> > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > index 3e9057f1acf..6662a9d20f1 100644
> > --- a/lib/mbedtls/Kconfig
> > +++ b/lib/mbedtls/Kconfig
> > @@ -21,9 +21,105 @@ if LEGACY_CRYPTO
> >
> >  config LEGACY_CRYPTO_BASIC
> >       bool "legacy basic crypto libraries"
> > +     select MD5_LEGACY if MD5
> > +     select SHA1_LEGACY if SHA1
> > +     select SHA256_LEGACY if SHA256
> > +     select SHA512_LEGACY if SHA512
> > +     select SHA384_LEGACY if SHA384
> > +     select SPL_MD5_LEGACY if MD5 && SPL
> > +     select SPL_SHA1_LEGACY if SHA1 && SPL
> > +     select SPL_SHA256_LEGACY if SHA256 && SPL
> > +     select SPL_SHA512_LEGACY if SHA512 && SPL
> > +     select SPL_SHA384_LEGACY if SHA384 && SPL
> >       help
> >         Enable legacy basic crypto libraries.
> >
> > +if LEGACY_CRYPTO_BASIC
> > +
> > +config SHA1_LEGACY
> > +     bool "Enable SHA1 support with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SHA1
> > +     help
> > +       This option enables support of hashing using SHA1 algorithm
> > +       with legacy crypto library.
> > +
> > +config SHA256_LEGACY
> > +     bool "Enable SHA256 support with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SHA256
> > +     help
> > +       This option enables support of hashing using SHA256 algorithm
> > +       with legacy crypto library.
> > +
> > +config SHA512_LEGACY
> > +     bool "Enable SHA512 support with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SHA512
> > +     default y if TI_SECURE_DEVICE && FIT_SIGNATURE
> > +     help
> > +       This option enables support of hashing using SHA512 algorithm
> > +       with legacy crypto library.
> > +
> > +config SHA384_LEGACY
> > +     bool "Enable SHA384 support with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SHA384
> > +     select SHA512_LEGACY
> > +     help
> > +       This option enables support of hashing using SHA384 algorithm
> > +       with legacy crypto library.
> > +
> > +config MD5_LEGACY
> > +     bool "Enable MD5 support with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && MD5
> > +     help
> > +       This option enables support of hashing using MD5 algorithm
> > +       with legacy crypto library.
> > +
> > +if SPL
> > +
> > +config SPL_SHA1_LEGACY
> > +     bool "Enable SHA1 support in SPL with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
> > +     default y if SHA1 && LEGACY_CRYPTO_BASIC
> > +     help
> > +       This option enables support of hashing using SHA1 algorithm
> > +       with legacy crypto library.
> > +
> > +config SPL_SHA256_LEGACY
> > +     bool "Enable SHA256 support in SPL with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
> > +     default y if SHA256 && LEGACY_CRYPTO_BASIC
> > +     help
> > +       This option enables support of hashing using SHA256 algorithm
> > +       with legacy crypto library.
> > +
> > +config SPL_SHA512_LEGACY
> > +     bool "Enable SHA512 support in SPL with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
> > +     default y if SHA512 && LEGACY_CRYPTO_BASIC
> > +     help
> > +       This option enables support of hashing using SHA512 algorithm
> > +       with legacy crypto library.
> > +
> > +config SPL_SHA384_LEGACY
> > +     bool "Enable SHA384 support in SPL with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
> > +     default y if SHA384 && LEGACY_CRYPTO_BASIC
> > +     select SPL_SHA512
> > +     help
> > +       This option enables support of hashing using SHA384 algorithm
> > +       with legacy crypto library.
> > +
> > +config SPL_MD5_LEGACY
> > +     bool "Enable MD5 support in SPL with legacy crypto library"
> > +     depends on LEGACY_CRYPTO_BASIC && SPL_MD5
> > +     default y if MD5 && LEGACY_CRYPTO_BASIC
> > +     help
> > +       This option enables support of hashing using MD5 algorithm
> > +       with legacy crypto library.
> > +
> > +endif # SPL
> > +
> > +endif # LEGACY_CRYPTO_BASIC
> > +
> >  config LEGACY_CRYPTO_CERT
> >       bool "legacy certificate libraries"
> >       help
>
> This is all certainly moving in the right direction, but there's
> dependency issues:
>    aarch64:  w+   xilinx_zynqmp_kria
> +(xilinx_zynqmp_kria)
> +(xilinx_zynqmp_kria) WARNING: unmet direct dependencies detected for
> SPL_MD5_LEGACY
> +(xilinx_zynqmp_kria)   Depends on [n]: LEGACY_CRYPTO [=y] && SPL [=y] &&
> LEGACY_CRYPTO_BASIC [=y] && SPL_MD5 [=n]
> +(xilinx_zynqmp_kria)   Selected by [y]:
> +(xilinx_zynqmp_kria)   - LEGACY_CRYPTO_BASIC [=y] && LEGACY_CRYPTO [=y]
> && MD5 [=y] && SPL [=y]
>

I am a bit confused by SPL_MD5, why it is [n] when both MD5 and SPL are [y].
Of course we can replace 'SPL_MD5' with 'MD5 && SPL' to solve the warning,
but I guess the wrong dependence is on SPL_MD5 but not the new added ones.
```
config SPL_MD5
bool "Support MD5 algorithm in SPL"
depends on SPL
```
I think it should be 'default y if SPL && MD5' instead of 'depends on SPL'.

Similarly SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not selected when both
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
and SPL are selected;
SPL_ASN1_DECODER is not selected when both ASN1_DECODER and SPL are
selected.

I think generally for each algorithm, 'SPL_<ALG>' config should be selected
when both 'SPL' and '<ALG>' are selected.

If you agree I can fix this in the next patch set.

Regards,
Raymond

Tom Rini July 3, 2024, 12:15 a.m. UTC | #3

On Tue, Jul 02, 2024 at 08:02:37PM -0400, Raymond Mao wrote:
> Hi Tom,
> 
> On Tue, 2 Jul 2024 at 18:48, Tom Rini <trini@konsulko.com> wrote:
> 
> > On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote:
> >
> > > Adapt digest header files to support both original libs and MbedTLS
> > > by switching on/off MBEDTLS_LIB_CRYPTO.
> > > Introduce <alg>_LEGACY kconfig for legacy hash implementations.
> > [snip]
> > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> > > index 3e9057f1acf..6662a9d20f1 100644
> > > --- a/lib/mbedtls/Kconfig
> > > +++ b/lib/mbedtls/Kconfig
> > > @@ -21,9 +21,105 @@ if LEGACY_CRYPTO
> > >
> > >  config LEGACY_CRYPTO_BASIC
> > >       bool "legacy basic crypto libraries"
> > > +     select MD5_LEGACY if MD5
> > > +     select SHA1_LEGACY if SHA1
> > > +     select SHA256_LEGACY if SHA256
> > > +     select SHA512_LEGACY if SHA512
> > > +     select SHA384_LEGACY if SHA384
> > > +     select SPL_MD5_LEGACY if MD5 && SPL
> > > +     select SPL_SHA1_LEGACY if SHA1 && SPL
> > > +     select SPL_SHA256_LEGACY if SHA256 && SPL
> > > +     select SPL_SHA512_LEGACY if SHA512 && SPL
> > > +     select SPL_SHA384_LEGACY if SHA384 && SPL
> > >       help
> > >         Enable legacy basic crypto libraries.
> > >
> > > +if LEGACY_CRYPTO_BASIC
> > > +
> > > +config SHA1_LEGACY
> > > +     bool "Enable SHA1 support with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SHA1
> > > +     help
> > > +       This option enables support of hashing using SHA1 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SHA256_LEGACY
> > > +     bool "Enable SHA256 support with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SHA256
> > > +     help
> > > +       This option enables support of hashing using SHA256 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SHA512_LEGACY
> > > +     bool "Enable SHA512 support with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SHA512
> > > +     default y if TI_SECURE_DEVICE && FIT_SIGNATURE
> > > +     help
> > > +       This option enables support of hashing using SHA512 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SHA384_LEGACY
> > > +     bool "Enable SHA384 support with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SHA384
> > > +     select SHA512_LEGACY
> > > +     help
> > > +       This option enables support of hashing using SHA384 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config MD5_LEGACY
> > > +     bool "Enable MD5 support with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && MD5
> > > +     help
> > > +       This option enables support of hashing using MD5 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +if SPL
> > > +
> > > +config SPL_SHA1_LEGACY
> > > +     bool "Enable SHA1 support in SPL with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
> > > +     default y if SHA1 && LEGACY_CRYPTO_BASIC
> > > +     help
> > > +       This option enables support of hashing using SHA1 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SPL_SHA256_LEGACY
> > > +     bool "Enable SHA256 support in SPL with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
> > > +     default y if SHA256 && LEGACY_CRYPTO_BASIC
> > > +     help
> > > +       This option enables support of hashing using SHA256 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SPL_SHA512_LEGACY
> > > +     bool "Enable SHA512 support in SPL with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
> > > +     default y if SHA512 && LEGACY_CRYPTO_BASIC
> > > +     help
> > > +       This option enables support of hashing using SHA512 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SPL_SHA384_LEGACY
> > > +     bool "Enable SHA384 support in SPL with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
> > > +     default y if SHA384 && LEGACY_CRYPTO_BASIC
> > > +     select SPL_SHA512
> > > +     help
> > > +       This option enables support of hashing using SHA384 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +config SPL_MD5_LEGACY
> > > +     bool "Enable MD5 support in SPL with legacy crypto library"
> > > +     depends on LEGACY_CRYPTO_BASIC && SPL_MD5
> > > +     default y if MD5 && LEGACY_CRYPTO_BASIC
> > > +     help
> > > +       This option enables support of hashing using MD5 algorithm
> > > +       with legacy crypto library.
> > > +
> > > +endif # SPL
> > > +
> > > +endif # LEGACY_CRYPTO_BASIC
> > > +
> > >  config LEGACY_CRYPTO_CERT
> > >       bool "legacy certificate libraries"
> > >       help
> >
> > This is all certainly moving in the right direction, but there's
> > dependency issues:
> >    aarch64:  w+   xilinx_zynqmp_kria
> > +(xilinx_zynqmp_kria)
> > +(xilinx_zynqmp_kria) WARNING: unmet direct dependencies detected for
> > SPL_MD5_LEGACY
> > +(xilinx_zynqmp_kria)   Depends on [n]: LEGACY_CRYPTO [=y] && SPL [=y] &&
> > LEGACY_CRYPTO_BASIC [=y] && SPL_MD5 [=n]
> > +(xilinx_zynqmp_kria)   Selected by [y]:
> > +(xilinx_zynqmp_kria)   - LEGACY_CRYPTO_BASIC [=y] && LEGACY_CRYPTO [=y]
> > && MD5 [=y] && SPL [=y]
> >
> 
> I am a bit confused by SPL_MD5, why it is [n] when both MD5 and SPL are [y].
> Of course we can replace 'SPL_MD5' with 'MD5 && SPL' to solve the warning,
> but I guess the wrong dependence is on SPL_MD5 but not the new added ones.
> ```
> config SPL_MD5
> bool "Support MD5 algorithm in SPL"
> depends on SPL
> ```
> I think it should be 'default y if SPL && MD5' instead of 'depends on SPL'.
> 
> Similarly SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not selected when both
> ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> and SPL are selected;
> SPL_ASN1_DECODER is not selected when both ASN1_DECODER and SPL are
> selected.
> 
> I think generally for each algorithm, 'SPL_<ALG>' config should be selected
> when both 'SPL' and '<ALG>' are selected.
> 
> If you agree I can fix this in the next patch set.

Kconfig error messages are a bit difficult to understand at times, yes.
Please figure out what exactly the depends on / default y combinations
should be such that (a) there's no functional changes, and buildman size
comparison builds are good for that and (b) no warnings like this are
found.

diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index c465925ea8d..69898fcbe49 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -6,10 +6,16 @@ 
 #ifndef _MD5_H
 #define _MD5_H
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include <mbedtls/md5.h>
+#endif
 #include "compiler.h"
 
 #define MD5_SUM_LEN	16
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_md5_context MD5Context;
+#else
 typedef struct MD5Context {
 	__u32 buf[4];
 	__u32 bits[2];
@@ -18,6 +24,7 @@  typedef struct MD5Context {
 		__u32 in32[16];
 	};
 } MD5Context;
+#endif
 
 void MD5Init(MD5Context *ctx);
 void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index c1e9f67068d..ab88134fb98 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -16,6 +16,21 @@ 
 
 #include <linux/types.h>
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including <external/mbedtls/library/common.h> is not allowed,
+ * since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include <mbedtls/sha1.h>
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -26,6 +41,9 @@  extern "C" {
 
 extern const uint8_t sha1_der_prefix[];
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha1_context sha1_context;
+#else
 /**
  * \brief	   SHA-1 context structure
  */
@@ -36,13 +54,14 @@  typedef struct
     unsigned char buffer[64];	/*!< data block being processed */
 }
 sha1_context;
+#endif
 
 /**
  * \brief	   SHA-1 context setup
  *
  * \param ctx	   SHA-1 context to be initialized
  */
-void sha1_starts( sha1_context *ctx );
+void sha1_starts(sha1_context *ctx);
 
 /**
  * \brief	   SHA-1 process buffer
diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
index a4fe176c0b4..b58d5b58d39 100644
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -3,6 +3,22 @@ 
 
 #include <linux/types.h>
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including <external/mbedtls/library/common.h> is not allowed,
+ * since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include <mbedtls/sha256.h>
+#endif
+
+#define SHA224_SUM_LEN	28
 #define SHA256_SUM_LEN	32
 #define SHA256_DER_LEN	19
 
@@ -11,11 +27,15 @@  extern const uint8_t sha256_der_prefix[];
 /* Reset watchdog each time we process this many bytes */
 #define CHUNKSZ_SHA256	(64 * 1024)
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha256_context sha256_context;
+#else
 typedef struct {
 	uint32_t total[2];
 	uint32_t state[8];
 	uint8_t buffer[64];
 } sha256_context;
+#endif
 
 void sha256_starts(sha256_context * ctx);
 void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length);
diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
index 90bd96a3f8c..2b5a21a7c70 100644
--- a/include/u-boot/sha512.h
+++ b/include/u-boot/sha512.h
@@ -3,6 +3,10 @@ 
 
 #include <linux/types.h>
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include <mbedtls/sha512.h>
+#endif
+
 #define SHA384_SUM_LEN          48
 #define SHA384_DER_LEN          19
 #define SHA512_SUM_LEN          64
@@ -12,11 +16,16 @@ 
 #define CHUNKSZ_SHA384	(16 * 1024)
 #define CHUNKSZ_SHA512	(16 * 1024)
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha512_context sha384_context;
+typedef mbedtls_sha512_context sha512_context;
+#else
 typedef struct {
 	uint64_t state[SHA512_SUM_LEN / 8];
 	uint64_t count[2];
 	uint8_t buf[SHA512_BLOCK_SIZE];
 } sha512_context;
+#endif
 
 extern const uint8_t sha512_der_prefix[];
 
@@ -29,12 +38,19 @@  void sha512_csum_wd(const unsigned char *input, unsigned int ilen,
 
 extern const uint8_t sha384_der_prefix[];
 
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+void sha384_starts(sha512_context *ctx);
+void
+sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length);
+void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]);
+void sha384_csum_wd(const unsigned char *input, unsigned int length,
+		    unsigned char *output, unsigned int chunk_sz);
+#else
 void sha384_starts(sha512_context * ctx);
 void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length);
 void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]);
 
 void sha384_csum_wd(const unsigned char *input, unsigned int ilen,
-		unsigned char *output, unsigned int chunk_sz);
-
-
+		    unsigned char *output, unsigned int chunk_sz);
+#endif
 #endif /* _SHA512_H */
diff --git a/lib/Makefile b/lib/Makefile
index a4600b09f49..f76af77a969 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -69,14 +69,16 @@  obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o
 obj-y += crypto/
 
 obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
-obj-$(CONFIG_$(SPL_)MD5) += md5.o
 obj-$(CONFIG_ECDSA) += ecdsa/
 obj-$(CONFIG_$(SPL_)RSA) += rsa/
 obj-$(CONFIG_HASH) += hash-checksum.o
 obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
-obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
-obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
-obj-$(CONFIG_$(SPL_)SHA512) += sha512.o
+
+obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o
+obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o
+obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o
+obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o
+
 obj-$(CONFIG_CRYPT_PW) += crypt/
 obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
 
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 3e9057f1acf..6662a9d20f1 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -21,9 +21,105 @@  if LEGACY_CRYPTO
 
 config LEGACY_CRYPTO_BASIC
 	bool "legacy basic crypto libraries"
+	select MD5_LEGACY if MD5
+	select SHA1_LEGACY if SHA1
+	select SHA256_LEGACY if SHA256
+	select SHA512_LEGACY if SHA512
+	select SHA384_LEGACY if SHA384
+	select SPL_MD5_LEGACY if MD5 && SPL
+	select SPL_SHA1_LEGACY if SHA1 && SPL
+	select SPL_SHA256_LEGACY if SHA256 && SPL
+	select SPL_SHA512_LEGACY if SHA512 && SPL
+	select SPL_SHA384_LEGACY if SHA384 && SPL
 	help
 	  Enable legacy basic crypto libraries.
 
+if LEGACY_CRYPTO_BASIC
+
+config SHA1_LEGACY
+	bool "Enable SHA1 support with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SHA1
+	help
+	  This option enables support of hashing using SHA1 algorithm
+	  with legacy crypto library.
+
+config SHA256_LEGACY
+	bool "Enable SHA256 support with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SHA256
+	help
+	  This option enables support of hashing using SHA256 algorithm
+	  with legacy crypto library.
+
+config SHA512_LEGACY
+	bool "Enable SHA512 support with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SHA512
+	default y if TI_SECURE_DEVICE && FIT_SIGNATURE
+	help
+	  This option enables support of hashing using SHA512 algorithm
+	  with legacy crypto library.
+
+config SHA384_LEGACY
+	bool "Enable SHA384 support with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SHA384
+	select SHA512_LEGACY
+	help
+	  This option enables support of hashing using SHA384 algorithm
+	  with legacy crypto library.
+
+config MD5_LEGACY
+	bool "Enable MD5 support with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && MD5
+	help
+	  This option enables support of hashing using MD5 algorithm
+	  with legacy crypto library.
+
+if SPL
+
+config SPL_SHA1_LEGACY
+	bool "Enable SHA1 support in SPL with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
+	default y if SHA1 && LEGACY_CRYPTO_BASIC
+	help
+	  This option enables support of hashing using SHA1 algorithm
+	  with legacy crypto library.
+
+config SPL_SHA256_LEGACY
+	bool "Enable SHA256 support in SPL with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
+	default y if SHA256 && LEGACY_CRYPTO_BASIC
+	help
+	  This option enables support of hashing using SHA256 algorithm
+	  with legacy crypto library.
+
+config SPL_SHA512_LEGACY
+	bool "Enable SHA512 support in SPL with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
+	default y if SHA512 && LEGACY_CRYPTO_BASIC
+	help
+	  This option enables support of hashing using SHA512 algorithm
+	  with legacy crypto library.
+
+config SPL_SHA384_LEGACY
+	bool "Enable SHA384 support in SPL with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
+	default y if SHA384 && LEGACY_CRYPTO_BASIC
+	select SPL_SHA512
+	help
+	  This option enables support of hashing using SHA384 algorithm
+	  with legacy crypto library.
+
+config SPL_MD5_LEGACY
+	bool "Enable MD5 support in SPL with legacy crypto library"
+	depends on LEGACY_CRYPTO_BASIC && SPL_MD5
+	default y if MD5 && LEGACY_CRYPTO_BASIC
+	help
+	  This option enables support of hashing using MD5 algorithm
+	  with legacy crypto library.
+
+endif # SPL
+
+endif # LEGACY_CRYPTO_BASIC
+
 config LEGACY_CRYPTO_CERT
 	bool "legacy certificate libraries"
 	help

[v4,04/29] lib: Adapt digest header files to MbedTLS

Commit Message

Comments

Patch