Message ID | 20240702182325.2904421-1-raymond.mao@linaro.org |
---|---|
Headers | show |
Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > Motivations: > ------------ > > 1. MbedTLS is well maintained with LTS versions. > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > 3. MbedTLS recently switched license back to GPLv2. > > Prerequisite: > ------------- > > This patch series requires mbedtls git repo to be added as a > subtree to the main U-Boot repo via: > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > https://github.com/Mbed-TLS/mbedtls.git \ > v3.6.0 --squash > Moreover, due to the Windows-style files from mbedtls git repo, > we need to convert the CRLF endings to LF and do a commit manually: > $ git add --renormalize . > $ git commit > > New Kconfig options: > -------------------- > > `MBEDTLS_LIB` is for MbedTLS general switch. > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with > MbedTLS. > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > and Pubkey parser with MbedTLS. > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > ready). > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > introduced. > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > are by default enabled in qemu_arm64_defconfig for testing purpose. > > Patches for external MbedTLS project: > ------------------------------------- > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > executables which is not supported by MbedTLS at the moment, > addtional patches for MbedTLS are created to adapt with the EFI loader: > 1. Decoding of Microsoft Authentication Code. > 2. Decoding of PKCS#9 Authenticate Attributes. > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates. > 4. MbedTLS native test suites for PKCS#7 signer's info. > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > MbedTLS project and being reviewed, eventually they should be part of > MbedTLS LTS release. > But before that, please merge them into U-Boot, otherwise the building > will be broken when MBEDTLS_LIB_X509 is enabled. > > See below PR link for the reference: > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > Miscellaneous: > -------------- > > Optimized MbedTLS library size by tailoring the config file > and disabling all unnecessary features for EFI loader. > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > sha512) are completely replaced when MbedTLS is enabled. > From v3, the size-growth is slightly reduced by refactoring Hash functions. > > Target(QEMU arm64) size-growth when enabling MbedTLS: > v1: 6.03% > v2: 4.66% > v3 & v4: 4.55% > > Please see the latest output of bloat-o-meter for the reference of the > size-growth on QEMU arm64 target [1]. > > Tests done: > ----------- > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed image > verifying and booting) via U-Boot console. > EFI Secure Boot and Capsule sandbox test passed. > > Known issues: > ------------- > > None. > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > ``` > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) bloat-o-meter is a bit off then, since buildman shows: u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) (Please use buildman for the size comparisons in the future). And in both cases, there's a pretty big non-removal of code I was expecting since overall we're replacing a lot of functionality, not just enabling new functionality? If I'm wrong about that and we're doing both, please separate out "enables new features" from "feature parity with legacy" in commit updates to qemu_arm64 since buildman's handy "show the delta for each commit in a series" is quite helpful in spotting when we changed more/less than expected. And in this case perhaps qemu_army64 wasn't fully enabling stuff before? sandbox changes by only ~16Kib which is much better and I see pkcs7 and x509 related removals in the size comparison. Another note is that qemu-x86_64, which should be similar in EFI feature function only grows by 129 bytes. Which isn't zero, but isn't bad. I haven't done a for-each-commit build, but if we have generic bugfixes here, we should split those out. For example, I do see we're dropping some legacy hash related code, but I'd want to dig a bit to make sure it's all of it. And for v4 I'm not doing a world build comparison with mbedTLS being default rather than legacy since I think the logic there is where some of the Kconfig issues I mentioned are from and so I'm not confident the results would look good. But for v5, please pick some arbitrary platforms and switch them over and check the size change there as well. Thanks!
Hi Tom, On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > Motivations: > > ------------ > > > > 1. MbedTLS is well maintained with LTS versions. > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > 3. MbedTLS recently switched license back to GPLv2. > > > > Prerequisite: > > ------------- > > > > This patch series requires mbedtls git repo to be added as a > > subtree to the main U-Boot repo via: > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > https://github.com/Mbed-TLS/mbedtls.git \ > > v3.6.0 --squash > > Moreover, due to the Windows-style files from mbedtls git repo, > > we need to convert the CRLF endings to LF and do a commit manually: > > $ git add --renormalize . > > $ git commit > > > > New Kconfig options: > > -------------------- > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > with > > MbedTLS. > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > and Pubkey parser with MbedTLS. > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > > ready). > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > introduced. > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > Patches for external MbedTLS project: > > ------------------------------------- > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > executables which is not supported by MbedTLS at the moment, > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > 1. Decoding of Microsoft Authentication Code. > > 2. Decoding of PKCS#9 Authenticate Attributes. > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > MbedTLS project and being reviewed, eventually they should be part of > > MbedTLS LTS release. > > But before that, please merge them into U-Boot, otherwise the building > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > See below PR link for the reference: > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > Miscellaneous: > > -------------- > > > > Optimized MbedTLS library size by tailoring the config file > > and disabling all unnecessary features for EFI loader. > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > sha512) are completely replaced when MbedTLS is enabled. > > From v3, the size-growth is slightly reduced by refactoring Hash > functions. > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > v1: 6.03% > > v2: 4.66% > > v3 & v4: 4.55% > > > > Please see the latest output of bloat-o-meter for the reference of the > > size-growth on QEMU arm64 target [1]. > > > > Tests done: > > ----------- > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > image > > verifying and booting) via U-Boot console. > > EFI Secure Boot and Capsule sandbox test passed. > > > > Known issues: > > ------------- > > > > None. > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > > ``` > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > bloat-o-meter is a bit off then, since buildman shows: > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > (Please use buildman for the size comparisons in the future). > I have a problem with buildman. As I followed the buildman/README.rst and run below command, but cannot get any output size summary. Is anything missing? I saw some artifacts of building each commit being generated in the upper dir though. ``` ./tools/buildman/buildman -b <my_branch_name> --boards qemu_arm64 -sSdB ``` I have set my branch upstream to upstream/next. Regards, Raymond
On Tue, Jul 23, 2024 at 03:24:29PM -0400, Raymond Mao wrote: > Hi Tom, > > On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > > > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > > > Motivations: > > > ------------ > > > > > > 1. MbedTLS is well maintained with LTS versions. > > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > > 3. MbedTLS recently switched license back to GPLv2. > > > > > > Prerequisite: > > > ------------- > > > > > > This patch series requires mbedtls git repo to be added as a > > > subtree to the main U-Boot repo via: > > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > > https://github.com/Mbed-TLS/mbedtls.git \ > > > v3.6.0 --squash > > > Moreover, due to the Windows-style files from mbedtls git repo, > > > we need to convert the CRLF endings to LF and do a commit manually: > > > $ git add --renormalize . > > > $ git commit > > > > > > New Kconfig options: > > > -------------------- > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > > with > > > MbedTLS. > > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > > and Pubkey parser with MbedTLS. > > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > > > ready). > > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > > introduced. > > > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > > > Patches for external MbedTLS project: > > > ------------------------------------- > > > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > > executables which is not supported by MbedTLS at the moment, > > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > > 1. Decoding of Microsoft Authentication Code. > > > 2. Decoding of PKCS#9 Authenticate Attributes. > > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > certificates. > > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > > MbedTLS project and being reviewed, eventually they should be part of > > > MbedTLS LTS release. > > > But before that, please merge them into U-Boot, otherwise the building > > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > > > See below PR link for the reference: > > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > > > Miscellaneous: > > > -------------- > > > > > > Optimized MbedTLS library size by tailoring the config file > > > and disabling all unnecessary features for EFI loader. > > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > > sha512) are completely replaced when MbedTLS is enabled. > > > From v3, the size-growth is slightly reduced by refactoring Hash > > functions. > > > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > > v1: 6.03% > > > v2: 4.66% > > > v3 & v4: 4.55% > > > > > > Please see the latest output of bloat-o-meter for the reference of the > > > size-growth on QEMU arm64 target [1]. > > > > > > Tests done: > > > ----------- > > > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > > image > > > verifying and booting) via U-Boot console. > > > EFI Secure Boot and Capsule sandbox test passed. > > > > > > Known issues: > > > ------------- > > > > > > None. > > > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > > > ``` > > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > > > bloat-o-meter is a bit off then, since buildman shows: > > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > > > (Please use buildman for the size comparisons in the future). > > > > I have a problem with buildman. > As I followed the buildman/README.rst and run below command, but cannot get > any > output size summary. Is anything missing? I saw some artifacts of building > each > commit being generated in the upper dir though. > ``` > ./tools/buildman/buildman -b <my_branch_name> --boards qemu_arm64 -sSdB > ``` > I have set my branch upstream to upstream/next. You have to tell it twice, once to build and a second to summarize things. My wrapper looks like: #!/bin/bash # Initial and constant buildman args ARGS="-devl -PEWM" ALL=0 KEEP=0 # Find our arguments while test $# -ne 0; do if [ "$1" == "--all" ]; then ALL=1 shift 1 elif [ "$1" == "--branch" ]; then BRANCH=$2 shift 2 elif [ "$1" == "--keep" ]; then KEEP=1 ARGS="$ARGS -k" shift 1 elif [ "$1" == "--board" ]; then MACHINE="--board $2" OUTDIR=/tmp/$2 shift 2 else MACHINE=$1 shift 1 fi done OUTDIR=${OUTDIR:-/tmp/$MACHINE} if [ -z "$MACHINE" ]; then echo Usage: $0 MACHINE [--all] [--keep] [--branch BRANCH] exit 1 fi # If not all, then only first/last if [ $ALL -ne 1 ]; then ARGS="$ARGS --step 0" fi if [ ! -z $BRANCH ]; then ARGS="$ARGS -b $BRANCH" else ARGS="$ARGS -b `git rev-parse --abbrev-ref HEAD`" fi mkdir -p ${OUTDIR} export SOURCE_DATE_EPOCH=`date +%s` ./tools/buildman/buildman -o ${OUTDIR} $ARGS -SBC $MACHINE ./tools/buildman/buildman -o ${OUTDIR} $ARGS -SsB $MACHINE [ $KEEP -eq 0 ] && rm -rf ${OUTDIR}
Hi Tom, On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > Motivations: > > ------------ > > > > 1. MbedTLS is well maintained with LTS versions. > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > 3. MbedTLS recently switched license back to GPLv2. > > > > Prerequisite: > > ------------- > > > > This patch series requires mbedtls git repo to be added as a > > subtree to the main U-Boot repo via: > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > https://github.com/Mbed-TLS/mbedtls.git \ > > v3.6.0 --squash > > Moreover, due to the Windows-style files from mbedtls git repo, > > we need to convert the CRLF endings to LF and do a commit manually: > > $ git add --renormalize . > > $ git commit > > > > New Kconfig options: > > -------------------- > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > with > > MbedTLS. > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > and Pubkey parser with MbedTLS. > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > > ready). > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > introduced. > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > Patches for external MbedTLS project: > > ------------------------------------- > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > executables which is not supported by MbedTLS at the moment, > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > 1. Decoding of Microsoft Authentication Code. > > 2. Decoding of PKCS#9 Authenticate Attributes. > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > MbedTLS project and being reviewed, eventually they should be part of > > MbedTLS LTS release. > > But before that, please merge them into U-Boot, otherwise the building > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > See below PR link for the reference: > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > Miscellaneous: > > -------------- > > > > Optimized MbedTLS library size by tailoring the config file > > and disabling all unnecessary features for EFI loader. > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > sha512) are completely replaced when MbedTLS is enabled. > > From v3, the size-growth is slightly reduced by refactoring Hash > functions. > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > v1: 6.03% > > v2: 4.66% > > v3 & v4: 4.55% > > > > Please see the latest output of bloat-o-meter for the reference of the > > size-growth on QEMU arm64 target [1]. > > > > Tests done: > > ----------- > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > image > > verifying and booting) via U-Boot console. > > EFI Secure Boot and Capsule sandbox test passed. > > > > Known issues: > > ------------- > > > > None. > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > > ``` > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > bloat-o-meter is a bit off then, since buildman shows: > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > (Please use buildman for the size comparisons in the future). > > The reason that buildman is showing more growth is because I enable "CONFIG_EFI_SECURE_BOOT=y" in my patch, which is off by default for qemu_arm64. Since the buildman is always comparing one local branch with the 'upstream' (I didn't find a way to let it compare two local branches or maybe I am wrong), I guess I have to first merge one commit with just enabling CONFIG_EFI_SECURE_BOOT to solve this. But I get this makes less value... I think it is better to use sandbox for comparison from v5, and I will add one more platform (e.g. imx8mp) for reference. Regards, Raymond
Hi Raymond, On Tue, 23 Jul 2024 at 14:45, Tom Rini <trini@konsulko.com> wrote: > > On Tue, Jul 23, 2024 at 03:24:29PM -0400, Raymond Mao wrote: > > Hi Tom, > > > > On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > > > > > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > > > > > Motivations: > > > > ------------ > > > > > > > > 1. MbedTLS is well maintained with LTS versions. > > > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > > > 3. MbedTLS recently switched license back to GPLv2. > > > > > > > > Prerequisite: > > > > ------------- > > > > > > > > This patch series requires mbedtls git repo to be added as a > > > > subtree to the main U-Boot repo via: > > > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > > > https://github.com/Mbed-TLS/mbedtls.git \ > > > > v3.6.0 --squash > > > > Moreover, due to the Windows-style files from mbedtls git repo, > > > > we need to convert the CRLF endings to LF and do a commit manually: > > > > $ git add --renormalize . > > > > $ git commit > > > > > > > > New Kconfig options: > > > > -------------------- > > > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > > > with > > > > MbedTLS. > > > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > > > and Pubkey parser with MbedTLS. > > > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > > > > ready). > > > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > > > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > > > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > > > introduced. > > > > > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > > > > > Patches for external MbedTLS project: > > > > ------------------------------------- > > > > > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > > > executables which is not supported by MbedTLS at the moment, > > > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > > > 1. Decoding of Microsoft Authentication Code. > > > > 2. Decoding of PKCS#9 Authenticate Attributes. > > > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > > certificates. > > > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > > > MbedTLS project and being reviewed, eventually they should be part of > > > > MbedTLS LTS release. > > > > But before that, please merge them into U-Boot, otherwise the building > > > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > > > > > See below PR link for the reference: > > > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > > > > > Miscellaneous: > > > > -------------- > > > > > > > > Optimized MbedTLS library size by tailoring the config file > > > > and disabling all unnecessary features for EFI loader. > > > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > > > sha512) are completely replaced when MbedTLS is enabled. > > > > From v3, the size-growth is slightly reduced by refactoring Hash > > > functions. > > > > > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > > > v1: 6.03% > > > > v2: 4.66% > > > > v3 & v4: 4.55% > > > > > > > > Please see the latest output of bloat-o-meter for the reference of the > > > > size-growth on QEMU arm64 target [1]. > > > > > > > > Tests done: > > > > ----------- > > > > > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > > > image > > > > verifying and booting) via U-Boot console. > > > > EFI Secure Boot and Capsule sandbox test passed. > > > > > > > > Known issues: > > > > ------------- > > > > > > > > None. > > > > > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > > > > ``` > > > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > > > > > bloat-o-meter is a bit off then, since buildman shows: > > > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > > > > > (Please use buildman for the size comparisons in the future). > > > > > > > I have a problem with buildman. > > As I followed the buildman/README.rst and run below command, but cannot get > > any > > output size summary. Is anything missing? I saw some artifacts of building > > each > > commit being generated in the upper dir though. > > ``` > > ./tools/buildman/buildman -b <my_branch_name> --boards qemu_arm64 -sSdB > > ``` > > I have set my branch upstream to upstream/next. Please check here as well: https://docs.u-boot.org/en/latest/build/buildman.html#theory-of-operation > > You have to tell it twice, once to build and a second to summarize > things. My wrapper looks like: > #!/bin/bash > > # Initial and constant buildman args > ARGS="-devl -PEWM" > ALL=0 > KEEP=0 > > # Find our arguments > while test $# -ne 0; do > if [ "$1" == "--all" ]; then > ALL=1 > shift 1 > elif [ "$1" == "--branch" ]; then > BRANCH=$2 > shift 2 > elif [ "$1" == "--keep" ]; then > KEEP=1 > ARGS="$ARGS -k" > shift 1 > elif [ "$1" == "--board" ]; then > MACHINE="--board $2" > OUTDIR=/tmp/$2 > shift 2 > else > MACHINE=$1 > shift 1 > fi > done > > OUTDIR=${OUTDIR:-/tmp/$MACHINE} > > if [ -z "$MACHINE" ]; then > echo Usage: $0 MACHINE [--all] [--keep] [--branch BRANCH] > exit 1 > fi > > # If not all, then only first/last > if [ $ALL -ne 1 ]; then > ARGS="$ARGS --step 0" > fi > > if [ ! -z $BRANCH ]; then > ARGS="$ARGS -b $BRANCH" > else > ARGS="$ARGS -b `git rev-parse --abbrev-ref HEAD`" > fi > > mkdir -p ${OUTDIR} > > export SOURCE_DATE_EPOCH=`date +%s` > ./tools/buildman/buildman -o ${OUTDIR} $ARGS -SBC $MACHINE > ./tools/buildman/buildman -o ${OUTDIR} $ARGS -SsB $MACHINE > > [ $KEEP -eq 0 ] && rm -rf ${OUTDIR} Regards, Simon
Hi Raymond, On Wed, 24 Jul 2024 at 08:35, Raymond Mao <raymond.mao@linaro.org> wrote: > > Hi Tom, > > On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: >> >> On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: >> >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. >> > >> > Motivations: >> > ------------ >> > >> > 1. MbedTLS is well maintained with LTS versions. >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. >> > 3. MbedTLS recently switched license back to GPLv2. >> > >> > Prerequisite: >> > ------------- >> > >> > This patch series requires mbedtls git repo to be added as a >> > subtree to the main U-Boot repo via: >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ >> > https://github.com/Mbed-TLS/mbedtls.git \ >> > v3.6.0 --squash >> > Moreover, due to the Windows-style files from mbedtls git repo, >> > we need to convert the CRLF endings to LF and do a commit manually: >> > $ git add --renormalize . >> > $ git commit >> > >> > New Kconfig options: >> > -------------------- >> > >> > `MBEDTLS_LIB` is for MbedTLS general switch. >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with >> > MbedTLS. >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, >> > and Pubkey parser with MbedTLS. >> > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is >> > ready). >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and >> > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. >> > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are >> > introduced. >> > >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 >> > are by default enabled in qemu_arm64_defconfig for testing purpose. >> > >> > Patches for external MbedTLS project: >> > ------------------------------------- >> > >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs >> > executables which is not supported by MbedTLS at the moment, >> > addtional patches for MbedTLS are created to adapt with the EFI loader: >> > 1. Decoding of Microsoft Authentication Code. >> > 2. Decoding of PKCS#9 Authenticate Attributes. >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates. >> > 4. MbedTLS native test suites for PKCS#7 signer's info. >> > >> > All above 4 patches (tagged with `mbedtls/external`) are submitted to >> > MbedTLS project and being reviewed, eventually they should be part of >> > MbedTLS LTS release. >> > But before that, please merge them into U-Boot, otherwise the building >> > will be broken when MBEDTLS_LIB_X509 is enabled. >> > >> > See below PR link for the reference: >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 >> > >> > Miscellaneous: >> > -------------- >> > >> > Optimized MbedTLS library size by tailoring the config file >> > and disabling all unnecessary features for EFI loader. >> > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, >> > sha512) are completely replaced when MbedTLS is enabled. >> > From v3, the size-growth is slightly reduced by refactoring Hash functions. >> > >> > Target(QEMU arm64) size-growth when enabling MbedTLS: >> > v1: 6.03% >> > v2: 4.66% >> > v3 & v4: 4.55% >> > >> > Please see the latest output of bloat-o-meter for the reference of the >> > size-growth on QEMU arm64 target [1]. >> > >> > Tests done: >> > ----------- >> > >> > EFI Secure Boot test (EFI variables loading and verifying, EFI signed image >> > verifying and booting) via U-Boot console. >> > EFI Secure Boot and Capsule sandbox test passed. >> > >> > Known issues: >> > ------------- >> > >> > None. >> > >> > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) >> > ``` >> > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) >> >> bloat-o-meter is a bit off then, since buildman shows: >> u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) >> >> (Please use buildman for the size comparisons in the future). >> > The reason that buildman is showing more growth is because I enable > "CONFIG_EFI_SECURE_BOOT=y" in my patch, which is off by default > for qemu_arm64. > Since the buildman is always comparing one local branch with the > 'upstream' (I didn't find a way to let it compare two local branches or maybe > I am wrong), I guess I have to first merge one commit with just enabling > CONFIG_EFI_SECURE_BOOT to solve this. But I get this makes less > value... Yes, that's one way to do it. It cannot compare two branches. It only compares one commit with the next. > > I think it is better to use sandbox for comparison from v5, > and I will add one more platform (e.g. imx8mp) for reference. Regards, Simon
On Wed, Jul 24, 2024 at 10:34:50AM -0400, Raymond Mao wrote: > Hi Tom, > > On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > > > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > > > Motivations: > > > ------------ > > > > > > 1. MbedTLS is well maintained with LTS versions. > > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > > 3. MbedTLS recently switched license back to GPLv2. > > > > > > Prerequisite: > > > ------------- > > > > > > This patch series requires mbedtls git repo to be added as a > > > subtree to the main U-Boot repo via: > > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > > https://github.com/Mbed-TLS/mbedtls.git \ > > > v3.6.0 --squash > > > Moreover, due to the Windows-style files from mbedtls git repo, > > > we need to convert the CRLF endings to LF and do a commit manually: > > > $ git add --renormalize . > > > $ git commit > > > > > > New Kconfig options: > > > -------------------- > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > > with > > > MbedTLS. > > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > > and Pubkey parser with MbedTLS. > > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for MbedTLS is > > > ready). > > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > > For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS` > > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > > introduced. > > > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > > > Patches for external MbedTLS project: > > > ------------------------------------- > > > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > > executables which is not supported by MbedTLS at the moment, > > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > > 1. Decoding of Microsoft Authentication Code. > > > 2. Decoding of PKCS#9 Authenticate Attributes. > > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > certificates. > > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > > MbedTLS project and being reviewed, eventually they should be part of > > > MbedTLS LTS release. > > > But before that, please merge them into U-Boot, otherwise the building > > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > > > See below PR link for the reference: > > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > > > Miscellaneous: > > > -------------- > > > > > > Optimized MbedTLS library size by tailoring the config file > > > and disabling all unnecessary features for EFI loader. > > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > > sha512) are completely replaced when MbedTLS is enabled. > > > From v3, the size-growth is slightly reduced by refactoring Hash > > functions. > > > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > > v1: 6.03% > > > v2: 4.66% > > > v3 & v4: 4.55% > > > > > > Please see the latest output of bloat-o-meter for the reference of the > > > size-growth on QEMU arm64 target [1]. > > > > > > Tests done: > > > ----------- > > > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > > image > > > verifying and booting) via U-Boot console. > > > EFI Secure Boot and Capsule sandbox test passed. > > > > > > Known issues: > > > ------------- > > > > > > None. > > > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU arm64) > > > ``` > > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > > > bloat-o-meter is a bit off then, since buildman shows: > > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > > > (Please use buildman for the size comparisons in the future). > > > > The reason that buildman is showing more growth is because I enable > "CONFIG_EFI_SECURE_BOOT=y" in my patch, which is off by default > for qemu_arm64. > Since the buildman is always comparing one local branch with the > 'upstream' (I didn't find a way to let it compare two local branches or > maybe > I am wrong), I guess I have to first merge one commit with just enabling > CONFIG_EFI_SECURE_BOOT to solve this. But I get this makes less > value... > > I think it is better to use sandbox for comparison from v5, > and I will add one more platform (e.g. imx8mp) for reference. Please note that I check the world before/after, not just single platforms, for size growth. I'll note some examples of issues when I find them, typically. And with the wrapper I posted, sometimes I will "--all" a platform to see which commit increases things.
Hi Tom, On Wed, 24 Jul 2024 at 18:42, Tom Rini <trini@konsulko.com> wrote: > On Wed, Jul 24, 2024 at 10:34:50AM -0400, Raymond Mao wrote: > > Hi Tom, > > > > On Tue, 2 Jul 2024 at 21:26, Tom Rini <trini@konsulko.com> wrote: > > > > > On Tue, Jul 02, 2024 at 11:22:36AM -0700, Raymond Mao wrote: > > > > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0-RC1) with U-Boot. > > > > > > > > Motivations: > > > > ------------ > > > > > > > > 1. MbedTLS is well maintained with LTS versions. > > > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > > > 3. MbedTLS recently switched license back to GPLv2. > > > > > > > > Prerequisite: > > > > ------------- > > > > > > > > This patch series requires mbedtls git repo to be added as a > > > > subtree to the main U-Boot repo via: > > > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > > > https://github.com/Mbed-TLS/mbedtls.git \ > > > > v3.6.0 --squash > > > > Moreover, due to the Windows-style files from mbedtls git repo, > > > > we need to convert the CRLF endings to LF and do a commit manually: > > > > $ git add --renormalize . > > > > $ git commit > > > > > > > > New Kconfig options: > > > > -------------------- > > > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > > > with > > > > MbedTLS. > > > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, > ASN1, > > > > and Pubkey parser with MbedTLS. > > > > `MBEDTLS_LIB_TLS` is for SSL/TLS (Disabled until LWIP port for > MbedTLS is > > > > ready). > > > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto > library. > > > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > > > For each of the algorithm, a pair of `<alg>_LEGACY` and > `<alg>_MBEDTLS` > > > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > > > introduced. > > > > > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and > MBEDTLS_LIB_X509 > > > > are by default enabled in qemu_arm64_defconfig for testing purpose. > > > > > > > > Patches for external MbedTLS project: > > > > ------------------------------------- > > > > > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > > > executables which is not supported by MbedTLS at the moment, > > > > addtional patches for MbedTLS are created to adapt with the EFI > loader: > > > > 1. Decoding of Microsoft Authentication Code. > > > > 2. Decoding of PKCS#9 Authenticate Attributes. > > > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > > certificates. > > > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > > > MbedTLS project and being reviewed, eventually they should be part of > > > > MbedTLS LTS release. > > > > But before that, please merge them into U-Boot, otherwise the > building > > > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > > > > > See below PR link for the reference: > > > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > > > > > Miscellaneous: > > > > -------------- > > > > > > > > Optimized MbedTLS library size by tailoring the config file > > > > and disabling all unnecessary features for EFI loader. > > > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, > sha256, > > > > sha512) are completely replaced when MbedTLS is enabled. > > > > From v3, the size-growth is slightly reduced by refactoring Hash > > > functions. > > > > > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > > > v1: 6.03% > > > > v2: 4.66% > > > > v3 & v4: 4.55% > > > > > > > > Please see the latest output of bloat-o-meter for the reference of > the > > > > size-growth on QEMU arm64 target [1]. > > > > > > > > Tests done: > > > > ----------- > > > > > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > > > image > > > > verifying and booting) via U-Boot console. > > > > EFI Secure Boot and Capsule sandbox test passed. > > > > > > > > Known issues: > > > > ------------- > > > > > > > > None. > > > > > > > > [1]: bloat-o-meter output between disabling/enabling MbedTLS (QEMU > arm64) > > > > ``` > > > > add/remove: 206/81 grow/shrink: 19/17 up/down: 55548/-17495 (38053) > > > > > > bloat-o-meter is a bit off then, since buildman shows: > > > u-boot: add: 243/-17, grow: 18/-17 bytes: 65723/-8480 (57243) > > > > > > (Please use buildman for the size comparisons in the future). > > > > > > The reason that buildman is showing more growth is because I enable > > "CONFIG_EFI_SECURE_BOOT=y" in my patch, which is off by default > > for qemu_arm64. > > Since the buildman is always comparing one local branch with the > > 'upstream' (I didn't find a way to let it compare two local branches or > > maybe > > I am wrong), I guess I have to first merge one commit with just enabling > > CONFIG_EFI_SECURE_BOOT to solve this. But I get this makes less > > value... > > > > I think it is better to use sandbox for comparison from v5, > > and I will add one more platform (e.g. imx8mp) for reference. > > Please note that I check the world before/after, not just single > platforms, for size growth. I'll note some examples of issues when I > find them, typically. And with the wrapper I posted, sometimes I will > "--all" a platform to see which commit increases things. > > For your reference, below size-growth is for v5 (qemu_arm64, nanopi_a64, sandbox): aarch64: (for 2/2 boards) all +582.0 bss +40.0 data -64.0 rodata +206.0 text +400.0 qemu_arm64 : all +7040 bss +80 data -64 rodata +212 text +6812 u-boot: add: 28/-17, grow: 12/-16 bytes: 15492/-8304 (7188) nanopi_a64 : all -5876 data -64 rodata +200 text -6012 u-boot: add: 21/-8, grow: 4/-8 bytes: 12312/-4364 (7948) sandbox: (for 1/1 boards) all +22416.0 data +1440.0 rodata -4160.0 text +25136.0 sandbox : all +22416 data +1440 rodata -4160 text +25136 u-boot: add: 253/-203, grow: 115/-61 bytes: 93168/-76647 (16521) I think the size-growth should be reasonable. I will attach the details in v5 cover-letter. Regards, Raymond