| Message ID | 20240507175132.1456512-8-raymond.mao@linaro.org |
|---|---|
| State | RFC |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | Integrate MbedTLS v3.6 LTS with U-Boot | expand |
On Tue, 7 May 2024 at 20:54, Raymond Mao <raymond.mao@linaro.org> wrote: > > Adapt digest header files to support both original libs and MbedTLS > by switching on/off MBEDTLS_LIB_CRYPTO > > FIXME: > `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since > including <linux/kconfig.h> causes undefined reference on schedule() > with sandbox build. > As <linux/kconfig.h> includes <generated/autoconf.h> which enables > `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are > defined in sandbox build. > `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround. > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > --- > Changes in v2 > - Initial patch. > > include/u-boot/md5.h | 17 ++++++++++++----- > include/u-boot/sha1.h | 21 ++++++++++++++++++++- > include/u-boot/sha256.h | 20 ++++++++++++++++++++ > include/u-boot/sha512.h | 22 +++++++++++++++++++--- > lib/Makefile | 6 +++++- > 5 files changed, 76 insertions(+), 10 deletions(-) > > diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h > index d61364c0ae3..3cfd33a8e56 100644 > --- a/include/u-boot/md5.h > +++ b/include/u-boot/md5.h > @@ -6,22 +6,29 @@ > #ifndef _MD5_H > #define _MD5_H > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +#include <external/mbedtls/include/mbedtls/md5.h> > +#endif > #include "compiler.h" > > #define MD5_SUM_LEN 16 > > -struct MD5Context { > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +typedef mbedtls_md5_context MD5Context; > +#else > +typedef struct MD5Context { > __u32 buf[4]; > __u32 bits[2]; > union { > unsigned char in[64]; > __u32 in32[16]; > }; > -}; > +} MD5Context; > +#endif > > -void MD5Init(struct MD5Context *ctx); > -void MD5Update(struct MD5Context *ctx, unsigned char const *buf, unsigned len); > -void MD5Final(unsigned char digest[16], struct MD5Context *ctx); > +void MD5Init(MD5Context *ctx); > +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); > +void MD5Final(unsigned char digest[16], MD5Context *ctx); > > /* > * Calculate and store in 'output' the MD5 digest of 'len' bytes at > diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h > index 09fee594d26..ee46fe947a0 100644 > --- a/include/u-boot/sha1.h > +++ b/include/u-boot/sha1.h > @@ -14,6 +14,21 @@ > #ifndef _SHA1_H > #define _SHA1_H > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +/* > + * FIXME: > + * MbedTLS define the members of "mbedtls_sha256_context" as private, > + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. > + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external > + * access. > + * Directly including <external/mbedtls/library/common.h> is not allowed, > + * since this will include <malloc.h> and break the sandbox test. > + */ > +#define MBEDTLS_ALLOW_PRIVATE_ACCESS > + > +#include <external/mbedtls/include/mbedtls/sha1.h> > +#endif > + > #ifdef __cplusplus > extern "C" { > #endif > @@ -24,6 +39,9 @@ extern "C" { > > extern const uint8_t sha1_der_prefix[]; > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +typedef mbedtls_sha1_context sha1_context; > +#else > /** > * \brief SHA-1 context structure > */ > @@ -34,13 +52,14 @@ typedef struct > unsigned char buffer[64]; /*!< data block being processed */ > } > sha1_context; > +#endif > > /** > * \brief SHA-1 context setup > * > * \param ctx SHA-1 context to be initialized > */ > -void sha1_starts( sha1_context *ctx ); > +void sha1_starts(sha1_context *ctx); > > /** > * \brief SHA-1 process buffer > diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h > index 9aa1251789a..e2b7fdd41c8 100644 > --- a/include/u-boot/sha256.h > +++ b/include/u-boot/sha256.h > @@ -1,6 +1,22 @@ > #ifndef _SHA256_H > #define _SHA256_H > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +/* > + * FIXME: > + * MbedTLS define the members of "mbedtls_sha256_context" as private, > + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. 'be able to access.' Isn't the MBEDTLS_ALLOW_PRIVATE_ACCESS considered deprecated? I'd prefer if we fix this properly. Thanks /Ilias > + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external > + * access. > + * Directly including <external/mbedtls/library/common.h> is not allowed, > + * since this will include <malloc.h> and break the sandbox test. > + */ > +#define MBEDTLS_ALLOW_PRIVATE_ACCESS > + > +#include <external/mbedtls/include/mbedtls/sha256.h> > +#endif > + > +#define SHA224_SUM_LEN 28 > #define SHA256_SUM_LEN 32 > #define SHA256_DER_LEN 19 > > @@ -9,11 +25,15 @@ extern const uint8_t sha256_der_prefix[]; > /* Reset watchdog each time we process this many bytes */ > #define CHUNKSZ_SHA256 (64 * 1024) > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +typedef mbedtls_sha256_context sha256_context; > +#else > typedef struct { > uint32_t total[2]; > uint32_t state[8]; > uint8_t buffer[64]; > } sha256_context; > +#endif > > void sha256_starts(sha256_context * ctx); > void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); > diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h > index 516729d7750..a0c0de89d60 100644 > --- a/include/u-boot/sha512.h > +++ b/include/u-boot/sha512.h > @@ -1,6 +1,10 @@ > #ifndef _SHA512_H > #define _SHA512_H > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +#include <external/mbedtls/include/mbedtls/sha512.h> > +#endif > + > #define SHA384_SUM_LEN 48 > #define SHA384_DER_LEN 19 > #define SHA512_SUM_LEN 64 > @@ -10,11 +14,16 @@ > #define CHUNKSZ_SHA384 (16 * 1024) > #define CHUNKSZ_SHA512 (16 * 1024) > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +typedef mbedtls_sha512_context sha384_context; > +typedef mbedtls_sha512_context sha512_context; > +#else > typedef struct { > uint64_t state[SHA512_SUM_LEN / 8]; > uint64_t count[2]; > uint8_t buf[SHA512_BLOCK_SIZE]; > } sha512_context; > +#endif > > extern const uint8_t sha512_der_prefix[]; > > @@ -27,12 +36,19 @@ void sha512_csum_wd(const unsigned char *input, unsigned int ilen, > > extern const uint8_t sha384_der_prefix[]; > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > +void sha384_starts(sha512_context *ctx); > +void > +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); > +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]); > +void sha384_csum_wd(const unsigned char *input, unsigned int length, > + unsigned char *output, unsigned int chunk_sz); > +#else > void sha384_starts(sha512_context * ctx); > void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); > void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]); > > void sha384_csum_wd(const unsigned char *input, unsigned int ilen, > - unsigned char *output, unsigned int chunk_sz); > - > - > + unsigned char *output, unsigned int chunk_sz); > +#endif > #endif /* _SHA512_H */ > diff --git a/lib/Makefile b/lib/Makefile > index a4600b09f49..3534b3301ae 100644 > --- a/lib/Makefile > +++ b/lib/Makefile > @@ -69,14 +69,18 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o > obj-y += crypto/ > > obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ > -obj-$(CONFIG_$(SPL_)MD5) += md5.o > obj-$(CONFIG_ECDSA) += ecdsa/ > obj-$(CONFIG_$(SPL_)RSA) += rsa/ > obj-$(CONFIG_HASH) += hash-checksum.o > obj-$(CONFIG_BLAKE2) += blake2/blake2b.o > + > +ifneq ($(CONFIG_MBEDTLS_LIB_CRYPTO), y) > +obj-$(CONFIG_$(SPL_)MD5) += md5.o > obj-$(CONFIG_$(SPL_)SHA1) += sha1.o > obj-$(CONFIG_$(SPL_)SHA256) += sha256.o > obj-$(CONFIG_$(SPL_)SHA512) += sha512.o > +endif > + > obj-$(CONFIG_CRYPT_PW) += crypt/ > obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o > > -- > 2.25.1 >
Hi Ilias, On Wed, 8 May 2024 at 06:30, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote: > On Tue, 7 May 2024 at 20:54, Raymond Mao <raymond.mao@linaro.org> wrote: > > > > Adapt digest header files to support both original libs and MbedTLS > > by switching on/off MBEDTLS_LIB_CRYPTO > > > > FIXME: > > `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since > > including <linux/kconfig.h> causes undefined reference on schedule() > > with sandbox build. > > As <linux/kconfig.h> includes <generated/autoconf.h> which enables > > `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are > > defined in sandbox build. > > `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround. > > > > Signed-off-by: Raymond Mao <raymond.mao@linaro.org> > > --- > > Changes in v2 > > - Initial patch. > > > > include/u-boot/md5.h | 17 ++++++++++++----- > > include/u-boot/sha1.h | 21 ++++++++++++++++++++- > > include/u-boot/sha256.h | 20 ++++++++++++++++++++ > > include/u-boot/sha512.h | 22 +++++++++++++++++++--- > > lib/Makefile | 6 +++++- > > 5 files changed, 76 insertions(+), 10 deletions(-) > > > [snip] > > diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h > > index 9aa1251789a..e2b7fdd41c8 100644 > > --- a/include/u-boot/sha256.h > > +++ b/include/u-boot/sha256.h > > @@ -1,6 +1,22 @@ > > #ifndef _SHA256_H > > #define _SHA256_H > > > > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) > > +/* > > + * FIXME: > > + * MbedTLS define the members of "mbedtls_sha256_context" as private, > > + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. > > 'be able to access.' > > Isn't the MBEDTLS_ALLOW_PRIVATE_ACCESS considered deprecated? > I'd prefer if we fix this properly. > > If MBEDTLS_ALLOW_PRIVATE_ACCESS is deprecated, that is another issue other than the one I marked FIXME here. Once MBEDTLS_ALLOW_PRIVATE_ACCESS is deprecated, all callers are not able to access the private members (e.g. 'hash->state'). Currently only arm drivers are using 'hash->state', but I don't have the background context about this - why we cannot use the normal hash functions without knowing the 'state' like other arches. Regards, Raymond
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index d61364c0ae3..3cfd33a8e56 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -6,22 +6,29 @@ #ifndef _MD5_H #define _MD5_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include <external/mbedtls/include/mbedtls/md5.h> +#endif #include "compiler.h" #define MD5_SUM_LEN 16 -struct MD5Context { +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_md5_context MD5Context; +#else +typedef struct MD5Context { __u32 buf[4]; __u32 bits[2]; union { unsigned char in[64]; __u32 in32[16]; }; -}; +} MD5Context; +#endif -void MD5Init(struct MD5Context *ctx); -void MD5Update(struct MD5Context *ctx, unsigned char const *buf, unsigned len); -void MD5Final(unsigned char digest[16], struct MD5Context *ctx); +void MD5Init(MD5Context *ctx); +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); +void MD5Final(unsigned char digest[16], MD5Context *ctx); /* * Calculate and store in 'output' the MD5 digest of 'len' bytes at diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index 09fee594d26..ee46fe947a0 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -14,6 +14,21 @@ #ifndef _SHA1_H #define _SHA1_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including <external/mbedtls/library/common.h> is not allowed, + * since this will include <malloc.h> and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include <external/mbedtls/include/mbedtls/sha1.h> +#endif + #ifdef __cplusplus extern "C" { #endif @@ -24,6 +39,9 @@ extern "C" { extern const uint8_t sha1_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha1_context sha1_context; +#else /** * \brief SHA-1 context structure */ @@ -34,13 +52,14 @@ typedef struct unsigned char buffer[64]; /*!< data block being processed */ } sha1_context; +#endif /** * \brief SHA-1 context setup * * \param ctx SHA-1 context to be initialized */ -void sha1_starts( sha1_context *ctx ); +void sha1_starts(sha1_context *ctx); /** * \brief SHA-1 process buffer diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index 9aa1251789a..e2b7fdd41c8 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -1,6 +1,22 @@ #ifndef _SHA256_H #define _SHA256_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including <external/mbedtls/library/common.h> is not allowed, + * since this will include <malloc.h> and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include <external/mbedtls/include/mbedtls/sha256.h> +#endif + +#define SHA224_SUM_LEN 28 #define SHA256_SUM_LEN 32 #define SHA256_DER_LEN 19 @@ -9,11 +25,15 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha256_context sha256_context; +#else typedef struct { uint32_t total[2]; uint32_t state[8]; uint8_t buffer[64]; } sha256_context; +#endif void sha256_starts(sha256_context * ctx); void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h index 516729d7750..a0c0de89d60 100644 --- a/include/u-boot/sha512.h +++ b/include/u-boot/sha512.h @@ -1,6 +1,10 @@ #ifndef _SHA512_H #define _SHA512_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include <external/mbedtls/include/mbedtls/sha512.h> +#endif + #define SHA384_SUM_LEN 48 #define SHA384_DER_LEN 19 #define SHA512_SUM_LEN 64 @@ -10,11 +14,16 @@ #define CHUNKSZ_SHA384 (16 * 1024) #define CHUNKSZ_SHA512 (16 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha512_context sha384_context; +typedef mbedtls_sha512_context sha512_context; +#else typedef struct { uint64_t state[SHA512_SUM_LEN / 8]; uint64_t count[2]; uint8_t buf[SHA512_BLOCK_SIZE]; } sha512_context; +#endif extern const uint8_t sha512_der_prefix[]; @@ -27,12 +36,19 @@ void sha512_csum_wd(const unsigned char *input, unsigned int ilen, extern const uint8_t sha384_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +void sha384_starts(sha512_context *ctx); +void +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]); +void sha384_csum_wd(const unsigned char *input, unsigned int length, + unsigned char *output, unsigned int chunk_sz); +#else void sha384_starts(sha512_context * ctx); void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]); void sha384_csum_wd(const unsigned char *input, unsigned int ilen, - unsigned char *output, unsigned int chunk_sz); - - + unsigned char *output, unsigned int chunk_sz); +#endif #endif /* _SHA512_H */ diff --git a/lib/Makefile b/lib/Makefile index a4600b09f49..3534b3301ae 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -69,14 +69,18 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o obj-y += crypto/ obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ -obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_BLAKE2) += blake2/blake2b.o + +ifneq ($(CONFIG_MBEDTLS_LIB_CRYPTO), y) +obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_$(SPL_)SHA1) += sha1.o obj-$(CONFIG_$(SPL_)SHA256) += sha256.o obj-$(CONFIG_$(SPL_)SHA512) += sha512.o +endif + obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
Adapt digest header files to support both original libs and MbedTLS by switching on/off MBEDTLS_LIB_CRYPTO FIXME: `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since including <linux/kconfig.h> causes undefined reference on schedule() with sandbox build. As <linux/kconfig.h> includes <generated/autoconf.h> which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are defined in sandbox build. `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround. Signed-off-by: Raymond Mao <raymond.mao@linaro.org> --- Changes in v2 - Initial patch. include/u-boot/md5.h | 17 ++++++++++++----- include/u-boot/sha1.h | 21 ++++++++++++++++++++- include/u-boot/sha256.h | 20 ++++++++++++++++++++ include/u-boot/sha512.h | 22 +++++++++++++++++++--- lib/Makefile | 6 +++++- 5 files changed, 76 insertions(+), 10 deletions(-)