From patchwork Tue Jul 2 18:22:37 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1955550
X-Patchwork-Delegate: trini@ti.com
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Ilias Apalodimas, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Heinrich Schuchardt, Alper Nebi Yasak, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Bin Meng, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 01/29] CI: Exclude MbedTLS subtree for CONFIG checks
Date: Tue, 2 Jul 2024 11:22:37 -0700
Message-Id: <20240702182325.2904421-2-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Since MbedTLS is an external repo with its own coding style, exclude it from Azure and gitlab CI CONFIG checks.

Signed-off-by: Raymond Mao
Reviewed-by: Tom Rini
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- None.

 .azure-pipelines.yml | 3 ++-
 .gitlab-ci.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 27f69583c65..c8052771fa8 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -65,7 +65,8 @@ stages: # have no matches. - script: git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 - job: docs diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 165f765a833..a8f7f1940f3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -156,7 +156,8 @@ check for new CONFIG symbols outside Kconfig: # have no matches. - git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 # build documentation
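
Review bot: In the .azure-pipelines.yml hunk, the added `:^lib/mbedtls/mbedtls_def_config.h` exclusion is not covered by the rationale in the commit message. That file is not part of the external MbedTLS subtree; it is added under lib/mbedtls/ by patch 03/29 of this series, and as posted there it only defines MBEDTLS_* macros behind `#if CONFIG_IS_ENABLED(...)`, which the `^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_` pattern does not match. Keeping the exclusion means a later `#define CONFIG_...` in a U-Boot-owned header would pass this check unnoticed, so either drop that pathspec and keep only the subtree exclusion, or say in the commit message why it is needed.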
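
Review bot: In the .gitlab-ci.yml hunk, `:^lib/mbedtls/external` is written without a trailing slash, while the other excluded directories on the same command (`:^doc/`, `:^tools/`, `:^dts/upstream/`) all carry one. Use `:^lib/mbedtls/external/` here and in the Azure pipeline so the list reads consistently and the two copies of the command stay identical.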
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Eddie James, Oleksandr Suvorov
Subject: [PATCH v4 02/29] mbedtls: Add script to update MbedTLS subtree
Date: Tue, 2 Jul 2024 11:22:38 -0700
Message-Id: <20240702182325.2904421-3-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

lib/mbedtls/update-mbedtls-subtree.sh is a wrapper of git subtree commands.
Usage from U-Boot top directory, run:
$ ./lib/mbedtls/update-mbedtls-subtree.sh pull
$ ./lib/mbedtls/update-mbedtls-subtree.sh pick

Signed-off-by: Raymond Mao
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- Minor fix and move the script into tools dir.

 tools/update-mbedtls-subtree.sh | 47 +++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100755 tools/update-mbedtls-subtree.sh

diff --git a/tools/update-mbedtls-subtree.sh b/tools/update-mbedtls-subtree.sh new file mode 100755 index 00000000000..0a98a4d6e82 --- /dev/null +++ b/tools/update-mbedtls-subtree.sh 
@@ -0,0 +1,47 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# +# Copyright 2024 Linaro Ltd. +# +# Usage: from the top level U-Boot source tree, run: +# $ ./tools/update-mbedtls-subtree.sh pull +# $ ./tools/update-mbedtls-subtree.sh pick +# +# The script will pull changes from MbedTLS repo into U-Boot +# as a subtree located as /lib/mbedtls/external/mbedtls sub-directory. +# It will automatically create a squash/merge commit listing the commits +# imported. + +set -e + +merge_commit_msg=$(cat << EOF +Subtree merge tag '$2' of MbedTLS repo [1] into lib/mbedtls/external/mbedtls + +[1] https://github.com/Mbed-TLS/mbedtls.git +EOF +) + +remote_add_and_fetch() { + if [ -z "$(git remote get-url mbedtls_upstream 2>/dev/null)" ]; then + echo "Warning: Script automatically adds new git remote via:" + echo " git remote add mbedtls_upstream \\" + echo " https://github.com/Mbed-TLS/mbedtls.git" + git remote add mbedtls_upstream \ + https://github.com/Mbed-TLS/mbedtls.git + fi + git fetch mbedtls_upstream master +} + +if [ "$1" = 'pull' ]; then + remote_add_and_fetch + git subtree pull --prefix lib/mbedtls/external/mbedtls mbedtls_upstream \ + "$2" --squash -m "${merge_commit_msg}" +elif [ "$1" = 'pick' ]; then + remote_add_and_fetch + git cherry-pick -x --strategy=subtree \ + -Xsubtree=lib/mbedtls/external/mbedtls/ "$2" +else + echo "usage: $0 " + echo " pull or pick" + echo " release tag [pull] or commit id [pick]" +fi
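
Review bot: `$2` is never checked before it is used in the `pull` and `pick` branches of tools/update-mbedtls-subtree.sh, so running the script with `pull` and no tag passes an empty ref to `git subtree pull` and builds a merge message that reads "Subtree merge tag ''". Add a guard such as `[ -n "$2" ]` ahead of both branches and print the usage text when it fails. The final `else` branch prints the usage text but then falls off the end with exit status 0, so a caller cannot tell a bad invocation from a successful import; end it with `exit 1`. `remote_add_and_fetch` fetches only `master`, which does not guarantee that a commit id given to `pick` is available locally. The merge message records only the tag name; since an upstream tag can be moved, also recording the commit id it resolved to would make each import auditable later. The commit message still gives the path as lib/mbedtls/update-mbedtls-subtree.sh, while the file is created under tools/.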
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Alper Nebi Yasak, Bin Meng, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 03/29] mbedtls: add mbedtls into the build system
Date: Tue, 2 Jul 2024 11:22:39 -0700
Message-Id: <20240702182325.2904421-4-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Port mbedtls with adapted libc header files.
Add mbedtls default config header file.
Optimize mbedtls default config by disabling unused features to reduce the target size.
Add mbedtls kbuild makefile.
Add Kconfig skeleton and config submenu entry for selecting crypto libraries between mbedtls and legacy ones.

Subsequent patches will separate those Kconfigs into pairs of _LEGACY and _MBEDTLS for controlling the implementations of legacy crypto libraries and MbedTLS ones respectively.

The motivation of moving and adapting *INT* macros from kernel.h to limits.h is to fulfill the MbedTLS building requirement. The conditional compilation statements in MbedTLS expect the *INT* macros as constant expressions, thus expressions like `((int)(~0U >> 1))` will not work.

Prerequisite
------------

This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via:

$ git subtree add --prefix lib/mbedtls/external/mbedtls \
      https://github.com/Mbed-TLS/mbedtls.git \
      v3.6.0 --squash

Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually:

$ git add --renormalize .
$ git commit

Signed-off-by: Raymond Mao
---
Changes in v2
- Disabled unused MbedTLS features to optimize the target size.
Changes in v3
- Removed changes in stdio.h.
Changes in v4
- Move limits.h as a common header file that is included by kernel.h.
- Refactor the Kconfig to support legacy and MbedTLS options for each algorithm.
- Refactor MbedTLS makefile and default config file to remove unused config options and objects.
- removed the unused CONFIG_MBEDTLS_LIB_TLS.

 include/limits.h | 29 ++++++++++++++
 include/linux/kernel.h | 13 +-----
 include/stdlib.h | 1 +
 lib/Kconfig | 4 ++
 lib/Makefile | 2 +
 lib/mbedtls/Kconfig | 47 ++++++++++++++++++++++
 lib/mbedtls/Makefile | 49 +++++++++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 69 ++++++++++++++++++++++++++++++++
 lib/mbedtls/port/assert.h | 12 ++++++
 9 files changed, 214 insertions(+), 12 deletions(-)
 create mode 100644 include/limits.h
 create mode 100644 lib/mbedtls/Kconfig
 create mode 100644 lib/mbedtls/Makefile
 create mode 100644 lib/mbedtls/mbedtls_def_config.h
 create mode 100644 lib/mbedtls/port/assert.h

diff --git a/include/limits.h b/include/limits.h new file mode 100644 index 00000000000..cc691d15650 --- /dev/null +++ b/include/limits.h 
@@ -0,0 +1,29 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2023 Linaro Limited + * Author: Raymond Mao + */ + +#ifndef _LIMITS_H +#define _LIMITS_H + +#define INT_MAX 0x7fffffff +#define UINT_MAX 0xffffffffUL +#define CHAR_BIT 8 +#define UINT32_MAX 0xffffffffUL +#define UINT64_MAX 0xffffffffffffffffUL + +#ifdef CONFIG_64BIT + #define UINTPTR_MAX UINT64_MAX +#else + #define UINTPTR_MAX UINT32_MAX +#endif + +#ifndef SIZE_MAX +#define SIZE_MAX UINTPTR_MAX +#endif +#ifndef SSIZE_MAX +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) +#endif + +#endif /* _LIMITS_H */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 5cd6c9dc821..2cb2ceaf84b 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -3,25 +3,18 @@ #include #include /* for printf/pr_* utilities */ +#include #define USHRT_MAX ((u16)(~0U)) #define SHRT_MAX ((s16)(USHRT_MAX>>1)) #define SHRT_MIN ((s16)(-SHRT_MAX - 1)) -#define INT_MAX ((int)(~0U>>1)) #define INT_MIN (-INT_MAX - 1) -#define UINT_MAX (~0U) #define LONG_MAX ((long)(~0UL>>1)) #define LONG_MIN (-LONG_MAX - 1) #define ULONG_MAX (~0UL) #define LLONG_MAX ((long long)(~0ULL>>1)) #define LLONG_MIN (-LLONG_MAX - 1) #define ULLONG_MAX (~0ULL) -#ifndef SIZE_MAX -#define SIZE_MAX (~(size_t)0) -#endif -#ifndef SSIZE_MAX -#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) -#endif #define U8_MAX ((u8)~0U) #define S8_MAX ((s8)(U8_MAX>>1)) @@ -36,10 +29,6 @@ #define S64_MAX ((s64)(U64_MAX>>1)) #define S64_MIN ((s64)(-S64_MAX - 1)) -/* Aliases defined by stdint.h */ -#define UINT32_MAX U32_MAX -#define UINT64_MAX U64_MAX - #define INT32_MAX S32_MAX #define STACK_MAGIC 0xdeadbeef diff --git a/include/stdlib.h b/include/stdlib.h index 9c175d4d74c..dedfd52a144 100644 --- a/include/stdlib.h +++ b/include/stdlib.h @@ -7,5 +7,6 @@ #define __STDLIB_H_ #include +#include #endif /* __STDLIB_H_ */ diff --git a/lib/Kconfig b/lib/Kconfig index 189e6eb31aa..ff89af6be74 100644 --- a/lib/Kconfig +++ b/lib/Kconfig 
@@ -418,6 +418,10 @@ config CIRCBUF source "lib/dhry/Kconfig" +menu "Alternative crypto libraries" +source lib/mbedtls/Kconfig +endmenu + menu "Security support" config AES diff --git a/lib/Makefile b/lib/Makefile index 2a76acf100d..a4600b09f49 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -94,6 +94,8 @@ obj-$(CONFIG_LIBAVB) += libavb/ obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/ obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/ + ifdef CONFIG_SPL_BUILD obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig new file mode 100644 index 00000000000..3e9057f1acf --- /dev/null +++ b/lib/mbedtls/Kconfig @@ -0,0 +1,47 @@ +choice + prompt "Select crypto libraries" + default LEGACY_CRYPTO + help + Select crypto libraries. + LEGACY_CRYPTO for legacy crypto libraries, + MBEDTLS_LIB for MbedTLS libraries. + +config LEGACY_CRYPTO + bool "legacy crypto libraries" + select LEGACY_CRYPTO_BASIC + select LEGACY_CRYPTO_CERT + +config MBEDTLS_LIB + bool "MbedTLS libraries" + select MBEDTLS_LIB_CRYPTO + select MBEDTLS_LIB_X509 +endchoice + +if LEGACY_CRYPTO + +config LEGACY_CRYPTO_BASIC + bool "legacy basic crypto libraries" + help + Enable legacy basic crypto libraries. + +config LEGACY_CRYPTO_CERT + bool "legacy certificate libraries" + help + Enable legacy certificate libraries. + +endif # LEGACY_CRYPTO + +if MBEDTLS_LIB + +config MBEDTLS_LIB_CRYPTO + bool "MbedTLS crypto libraries" + help + Enable MbedTLS crypto libraries. + + +config MBEDTLS_LIB_X509 + bool "MbedTLS certificate libraries" + help + Enable MbedTLS certificate libraries. + +endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile new file mode 100644 index 00000000000..803ea0b62a0 --- /dev/null +++ b/lib/mbedtls/Makefile 
@@ -0,0 +1,49 @@ +# SPDX-License-Identifier: GPL-2.0+ +# +# Copyright (c) 2024 Linaro Limited +# Author: Raymond Mao + +MBEDTLS_LIB_DIR = external/mbedtls/library + +# MbedTLS default config file +ccflags-y += "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" + +ccflags-y += \ + -I$(src)/port \ + -I$(src)/external/mbedtls/include \ + -I$(src)/external/mbedtls/library + +# MbedTLS crypto library +obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o +mbedtls_lib_crypto-y += \ + $(MBEDTLS_LIB_DIR)/platform_util.o \ + $(MBEDTLS_LIB_DIR)/constant_time.o \ + $(MBEDTLS_LIB_DIR)/md.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5) += $(MBEDTLS_LIB_DIR)/md5.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1) += $(MBEDTLS_LIB_DIR)/sha1.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256) += \ + $(MBEDTLS_LIB_DIR)/sha256.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512) += \ + $(MBEDTLS_LIB_DIR)/sha512.o + +# MbedTLS X509 library +obj-$(CONFIG_MBEDTLS_LIB_X509) += mbedtls_lib_x509.o +mbedtls_lib_x509-y += $(MBEDTLS_LIB_DIR)/x509.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ + $(MBEDTLS_LIB_DIR)/asn1parse.o \ + $(MBEDTLS_LIB_DIR)/asn1write.o \ + $(MBEDTLS_LIB_DIR)/oid.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ + $(MBEDTLS_LIB_DIR)/bignum.o \ + $(MBEDTLS_LIB_DIR)/bignum_core.o \ + $(MBEDTLS_LIB_DIR)/rsa.o \ + $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ + $(MBEDTLS_LIB_DIR)/pk.o \ + $(MBEDTLS_LIB_DIR)/pk_wrap.o \ + $(MBEDTLS_LIB_DIR)/pkparse.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \ + $(MBEDTLS_LIB_DIR)/x509_crl.o \ + $(MBEDTLS_LIB_DIR)/x509_crt.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ + $(MBEDTLS_LIB_DIR)/pkcs7.o diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h new file mode 100644 index 00000000000..38de6b0b9af --- /dev/null +++ b/lib/mbedtls/mbedtls_def_config.h 
@@ -0,0 +1,69 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * MbedTLS config file + * + * Derived from the MbedTLS internal config file, + * for more information about each build option, + * please refer to: + * external/mbedtls/include/mbedtls/mbedtls_config.h + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) + +#define MBEDTLS_MD_C + +#if CONFIG_IS_ENABLED(MD5) +#define MBEDTLS_MD5_C +#endif + +#if CONFIG_IS_ENABLED(SHA1) +#define MBEDTLS_SHA1_C +#endif + +#if CONFIG_IS_ENABLED(SHA256) +#define MBEDTLS_SHA256_C +#endif + +#if CONFIG_IS_ENABLED(SHA384) +#define MBEDTLS_SHA384_C +#endif + +#if CONFIG_IS_ENABLED(SHA512) +#define MBEDTLS_SHA512_C +#endif + +#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */ + +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + +#if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER) +#define MBEDTLS_PKCS1_V15 +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C +#endif + +#if CONFIG_IS_ENABLED(ASYMMETRIC_PUBLIC_KEY_SUBTYPE) +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#endif + +#if CONFIG_IS_ENABLED(RSA_PUBLIC_KEY_PARSER) +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_RSA_C +#endif + +#if CONFIG_IS_ENABLED(PKCS7_MESSAGE_PARSER) +#define MBEDTLS_PKCS7_C +#endif + +#if CONFIG_IS_ENABLED(ASN1_DECODER) +#define MBEDTLS_OID_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#endif + +#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ diff --git a/lib/mbedtls/port/assert.h b/lib/mbedtls/port/assert.h new file mode 100644 index 00000000000..490701aa9d0 --- /dev/null +++ b/lib/mbedtls/port/assert.h 
@@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Dummy file to allow mbedtls linked with U-Boot to include assert.h + * + * Copyright (c) 2023 Linaro Limited + * Author: Raymond Mao + */ + +#ifndef _MBEDTLS_ASSERT_H +#define _MBEDTLS_ASSERT_H + +#endif /* _MBEDTLS_ASSERT_H */
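
Review bot: In include/limits.h, `#define UINT_MAX 0xffffffffUL` gives UINT_MAX the type unsigned long, where the definition it replaces in kernel.h, `(~0U)`, was unsigned int. On 64-bit builds that changes the width of every expression built on it, for example `~UINT_MAX`, and the format specifier it needs. `0xffffffffU` is just as usable in `#if` and keeps the type. `UINT64_MAX 0xffffffffffffffffUL` would read more clearly with a `ULL` suffix for targets where long is 32 bits. SIZE_MAX also changes from `(~(size_t)0)` to a constant that is no longer guaranteed to have type size_t, and SSIZE_MAX still contains a cast, so it remains unusable in `#if`; a short comment on which macros are meant to be preprocessor-safe would help.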
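
Review bot: In the second include/linux/kernel.h hunk, UINT32_MAX and UINT64_MAX move out but `#define INT32_MAX S32_MAX` stays behind and loses its "Aliases defined by stdint.h" comment. The S*_MAX macros visible in this hunk are cast-based (`#define S64_MAX ((s64)(U64_MAX>>1))`), so if S32_MAX follows the same pattern INT32_MAX is still not a constant the preprocessor can evaluate, which is the reason the commit message gives for the move. Either define INT32_MAX in limits.h as a plain constant alongside the unsigned ones, or keep the comment and note why it is left here.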
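
Review bot: In the lib/Kconfig hunk, the added `source lib/mbedtls/Kconfig` is unquoted, unlike the `source "lib/dhry/Kconfig"` line directly above it in the same hunk; quote the path to match. The menu title "Alternative crypto libraries" also undersells its content, since the choice inside it defaults to LEGACY_CRYPTO and controls the legacy options as well.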
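
Review bot: In lib/mbedtls/Kconfig, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 (and likewise LEGACY_CRYPTO_BASIC and LEGACY_CRYPTO_CERT) are declared with a prompt but are also unconditionally `select`ed by the only choice entry that makes them visible, so the prompt is shown and can never be switched off. Either drop the `select` lines and give the sub-options `default y`, or drop the prompt strings so they become hidden symbols. The help texts only restate the symbol names; say what each option actually builds. There is also a stray double blank line before `config MBEDTLS_LIB_X509`.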
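
Review bot: In lib/mbedtls/Makefile, the two library objects are keyed on `CONFIG_MBEDTLS_LIB_CRYPTO` and `CONFIG_MBEDTLS_LIB_X509`, which have no SPL variant, while their members are keyed on `CONFIG_$(SPL_)...` and mbedtls_def_config.h tests `CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)`. In an SPL build CONFIG_IS_ENABLED() looks for CONFIG_SPL_MBEDTLS_LIB_CRYPTO, which the Kconfig in this patch does not define, and lib/Makefile adds `mbedtls/` outside the `ifdef CONFIG_SPL_BUILD` block, so the sources would be compiled for SPL with every MBEDTLS_*_C feature macro left undefined. Either add SPL_MBEDTLS_LIB* symbols and use `CONFIG_$(SPL_)MBEDTLS_LIB_CRYPTO` here, or test `IS_ENABLED(CONFIG_MBEDTLS_LIB_CRYPTO)` in the config header, so both sides agree.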
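
Review bot: In lib/mbedtls/mbedtls_def_config.h, `MBEDTLS_PKCS1_V15` is defined under `CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)` although it is an RSA padding option, and `MBEDTLS_RSA_C` is only defined further down under `CONFIG_IS_ENABLED(RSA_PUBLIC_KEY_PARSER)`. A configuration with the certificate parser on and the RSA key parser off would then request PKCS#1 v1.5 without RSA. Move the define into the RSA_PUBLIC_KEY_PARSER block next to `MBEDTLS_RSA_C`, or document the Kconfig dependency that rules that combination out.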
From: Raymond Mao
To: u-boot@lists.denx.de
Subject: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
Date: Tue, 2 Jul 2024 11:22:40 -0700
Message-Id: <20240702182325.2904421-5-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>

Adapt digest header files to support both original libs and MbedTLS by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce _LEGACY kconfig for legacy hash implementations.

FIXME: `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since including causes undefined reference on schedule() with sandbox build. As includes which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are defined in sandbox build. `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround.

Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - Remove the changes that were done in previous clean-up patch set. Changes in v4 - Introduce _LEGACY kconfig for legacy hash implementations. - Minor fix of the include directories. include/u-boot/md5.h | 7 +++ include/u-boot/sha1.h | 21 ++++++++- include/u-boot/sha256.h | 20 +++++++++ include/u-boot/sha512.h | 22 ++++++++-- lib/Makefile | 10 +++-- lib/mbedtls/Kconfig | 96 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 168 insertions(+), 8 deletions(-) diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index c465925ea8d..69898fcbe49 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -6,10 +6,16 @@ #ifndef _MD5_H #define _MD5_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif #include "compiler.h" #define MD5_SUM_LEN 16 +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_md5_context MD5Context; +#else typedef struct MD5Context { __u32 buf[4]; __u32 bits[2]; @@ -18,6 +24,7 @@ typedef struct MD5Context { __u32 in32[16]; }; } MD5Context; +#endif void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index c1e9f67068d..ab88134fb98 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -16,6 +16,21 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + #ifdef __cplusplus extern "C" { #endif 
@@ -26,6 +41,9 @@ extern "C" { extern const uint8_t sha1_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha1_context sha1_context; +#else /** * \brief SHA-1 context structure */ @@ -36,13 +54,14 @@ typedef struct unsigned char buffer[64]; /*!< data block being processed */ } sha1_context; +#endif /** * \brief SHA-1 context setup * * \param ctx SHA-1 context to be initialized */ -void sha1_starts( sha1_context *ctx ); +void sha1_starts(sha1_context *ctx); /** * \brief SHA-1 process buffer diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index a4fe176c0b4..b58d5b58d39 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -3,6 +3,22 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + +#define SHA224_SUM_LEN 28 #define SHA256_SUM_LEN 32 #define SHA256_DER_LEN 19 @@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha256_context sha256_context; +#else typedef struct { uint32_t total[2]; uint32_t state[8]; uint8_t buffer[64]; } sha256_context; +#endif void sha256_starts(sha256_context * ctx); void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h index 90bd96a3f8c..2b5a21a7c70 100644 --- a/include/u-boot/sha512.h +++ b/include/u-boot/sha512.h 
@@ -3,6 +3,10 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif + #define SHA384_SUM_LEN 48 #define SHA384_DER_LEN 19 #define SHA512_SUM_LEN 64 @@ -12,11 +16,16 @@ #define CHUNKSZ_SHA384 (16 * 1024) #define CHUNKSZ_SHA512 (16 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha512_context sha384_context; +typedef mbedtls_sha512_context sha512_context; +#else typedef struct { uint64_t state[SHA512_SUM_LEN / 8]; uint64_t count[2]; uint8_t buf[SHA512_BLOCK_SIZE]; } sha512_context; +#endif extern const uint8_t sha512_der_prefix[]; @@ -29,12 +38,19 @@ void sha512_csum_wd(const unsigned char *input, unsigned int ilen, extern const uint8_t sha384_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +void sha384_starts(sha512_context *ctx); +void +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]); +void sha384_csum_wd(const unsigned char *input, unsigned int length, + unsigned char *output, unsigned int chunk_sz); +#else void sha384_starts(sha512_context * ctx); void sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length); void sha384_finish(sha512_context * ctx, uint8_t digest[SHA384_SUM_LEN]); void sha384_csum_wd(const unsigned char *input, unsigned int ilen, - unsigned char *output, unsigned int chunk_sz); - - + unsigned char *output, unsigned int chunk_sz); +#endif #endif /* _SHA512_H */ diff --git a/lib/Makefile b/lib/Makefile index a4600b09f49..f76af77a969 100644 --- a/lib/Makefile +++ b/lib/Makefile 
@@ -69,14 +69,16 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o obj-y += crypto/ obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ -obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_BLAKE2) += blake2/blake2b.o -obj-$(CONFIG_$(SPL_)SHA1) += sha1.o -obj-$(CONFIG_$(SPL_)SHA256) += sha256.o -obj-$(CONFIG_$(SPL_)SHA512) += sha512.o + +obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o +obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o +obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o +obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o + obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 3e9057f1acf..6662a9d20f1 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig 
@@ -21,9 +21,105 @@ if LEGACY_CRYPTO config LEGACY_CRYPTO_BASIC bool "legacy basic crypto libraries" + select MD5_LEGACY if MD5 + select SHA1_LEGACY if SHA1 + select SHA256_LEGACY if SHA256 + select SHA512_LEGACY if SHA512 + select SHA384_LEGACY if SHA384 + select SPL_MD5_LEGACY if MD5 && SPL + select SPL_SHA1_LEGACY if SHA1 && SPL + select SPL_SHA256_LEGACY if SHA256 && SPL + select SPL_SHA512_LEGACY if SHA512 && SPL + select SPL_SHA384_LEGACY if SHA384 && SPL help Enable legacy basic crypto libraries. +if LEGACY_CRYPTO_BASIC + +config SHA1_LEGACY + bool "Enable SHA1 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA1 + help + This option enables support of hashing using SHA1 algorithm + with legacy crypto library. + +config SHA256_LEGACY + bool "Enable SHA256 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA256 + help + This option enables support of hashing using SHA256 algorithm + with legacy crypto library. + +config SHA512_LEGACY + bool "Enable SHA512 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA512 + default y if TI_SECURE_DEVICE && FIT_SIGNATURE + help + This option enables support of hashing using SHA512 algorithm + with legacy crypto library. + +config SHA384_LEGACY + bool "Enable SHA384 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA384 + select SHA512_LEGACY + help + This option enables support of hashing using SHA384 algorithm + with legacy crypto library. + +config MD5_LEGACY + bool "Enable MD5 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && MD5 + help + This option enables support of hashing using MD5 algorithm + with legacy crypto library. 
+ +if SPL + +config SPL_SHA1_LEGACY + bool "Enable SHA1 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1 + default y if SHA1 && LEGACY_CRYPTO_BASIC + help + This option enables support of hashing using SHA1 algorithm + with legacy crypto library. + +config SPL_SHA256_LEGACY + bool "Enable SHA256 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256 + default y if SHA256 && LEGACY_CRYPTO_BASIC + help + This option enables support of hashing using SHA256 algorithm + with legacy crypto library. + +config SPL_SHA512_LEGACY + bool "Enable SHA512 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512 + default y if SHA512 && LEGACY_CRYPTO_BASIC + help + This option enables support of hashing using SHA512 algorithm + with legacy crypto library. + +config SPL_SHA384_LEGACY + bool "Enable SHA384 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384 + default y if SHA384 && LEGACY_CRYPTO_BASIC + select SPL_SHA512 + help + This option enables support of hashing using SHA384 algorithm + with legacy crypto library. + +config SPL_MD5_LEGACY + bool "Enable MD5 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_MD5 + default y if MD5 && LEGACY_CRYPTO_BASIC + help + This option enables support of hashing using MD5 algorithm + with legacy crypto library. 
+ +endif # SPL + +endif # LEGACY_CRYPTO_BASIC + config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" help
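Review bot: In the first include/u-boot/sha1.h hunk (@@ -16,6 +16,21 @@), MBEDTLS_ALLOW_PRIVATE_ACCESS is defined in a header that the rest of the tree includes, so every includer gains access to the private members of MbedTLS contexts, not only arch/arm/cpu/armv8/sha1_ce_glue, which the FIXME names as the one user that needs "state". Suggest defining the macro in the glue file before it includes this header, so the exposure stays limited to the code that needs it. The FIXME text in sha1.h also refers to "mbedtls_sha256_context", which looks copied from the sha256.h hunk and should name mbedtls_sha1_context. The same scoping point applies to the include/u-boot/sha256.h hunk (@@ -3,6 +3,22 @@), which additionally adds SHA224_SUM_LEN without a mention in the commit message.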
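Review bot: In include/u-boot/sha512.h (@@ -29,12 +38,19 @@), the #if/#else around the sha384_* prototypes declares the same four functions with the same types in both branches; only whitespace and one parameter name ("length" versus "ilen") differ, so the conditional can be dropped and one set of prototypes kept. In the @@ -12,11 +16,16 @@ hunk of the same file, "typedef mbedtls_sha512_context sha384_context;" exists only in the MbedTLS branch and the sha384_* prototypes still take sha512_context in both branches; either add the matching typedef to the legacy branch and use it, or drop it.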
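Review bot: In lib/mbedtls/Kconfig (@@ -21,9 +21,105 @@), the SPL selects on LEGACY_CRYPTO_BASIC are keyed on the non-SPL symbols, for example "select SPL_MD5_LEGACY if MD5 && SPL", while SPL_MD5_LEGACY itself has "depends on LEGACY_CRYPTO_BASIC && SPL_MD5". Because select does not honour the target's dependencies, a board with MD5=y and SPL_MD5=n gets SPL_MD5_LEGACY forced on, and the new "obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o" line in lib/Makefile then builds md5.o into SPL. Suggest "select SPL_MD5_LEGACY if SPL_MD5" and the same for the SHA options. Two smaller points: SPL_SHA384_LEGACY selects SPL_SHA512 whereas SHA384_LEGACY selects SHA512_LEGACY, and the "depends on LEGACY_CRYPTO_BASIC" in each entry repeats the enclosing "if LEGACY_CRYPTO_BASIC".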
From: Raymond Mao
To: u-boot@lists.denx.de
Subject: [PATCH v4 05/29] md5: Remove md5 non-watchdog API
Date: Tue, 2 Jul 2024 11:22:41 -0700
Message-Id: <20240702182325.2904421-6-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>

We don't need an API specially for non-watchdog since md5_wd supports it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x10000 as default chunk size for MD5.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
Reviewed-by: Michal Simek
---
Changes in v3
- Initial patch.
Changes in v4
- Update commit message.

 board/friendlyarm/nanopi2/board.c | 3 ++-
 board/intel/edison/edison.c | 3 ++-
 board/xilinx/zynq/bootimg.c | 2 +-
 include/u-boot/md5.h | 7 +------
 lib/md5.c | 15 ---------------
 5 files changed, 6 insertions(+), 24 deletions(-)

diff --git a/board/friendlyarm/nanopi2/board.c b/board/friendlyarm/nanopi2/board.c index c8cbc5a15fa..2d764e8eef3 100644 --- a/board/friendlyarm/nanopi2/board.c +++ b/board/friendlyarm/nanopi2/board.c
@@ -263,7 +263,8 @@ static void make_ether_addr(u8 *addr) hash[6] = readl(PHY_BASEADDR_ECID + 0x08); hash[7] = readl(PHY_BASEADDR_ECID + 0x0c); - md5((unsigned char *)&hash[4], 64, (unsigned char *)hash); + md5_wd((unsigned char *)&hash[4], 64, (unsigned char *)hash, + MD5_DEF_CHUNK_SZ); hash[0] ^= hash[2]; hash[1] ^= hash[3]; diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c index 911ffda2fc7..27fda3fc1d2 100644 --- a/board/intel/edison/edison.c +++ b/board/intel/edison/edison.c @@ -32,7 +32,8 @@ static void assign_serial(void) if (!mmc) return; - md5((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn); + md5_wd((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn, + MD5_DEF_CHUNK_SZ); snprintf(usb0addr, sizeof(usb0addr), "02:00:86:%02x:%02x:%02x", ssn[13], ssn[14], ssn[15]); diff --git a/board/xilinx/zynq/bootimg.c b/board/xilinx/zynq/bootimg.c index 79bec3a4cfb..9eb0735f55d 100644 --- a/board/xilinx/zynq/bootimg.c +++ b/board/xilinx/zynq/bootimg.c @@ -135,7 +135,7 @@ int zynq_validate_partition(u32 start_addr, u32 len, u32 chksum_off) memcpy(&checksum[0], (u32 *)chksum_off, MD5_CHECKSUM_SIZE); - md5_wd((u8 *)start_addr, len, &calchecksum[0], 0x10000); + md5_wd((u8 *)start_addr, len, &calchecksum[0], MD5_DEF_CHUNK_SZ); if (!memcmp(checksum, calchecksum, MD5_CHECKSUM_SIZE)) return 0; diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index 69898fcbe49..c98b1a58088 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -12,6 +12,7 @@ #include "compiler.h" #define MD5_SUM_LEN 16 +#define MD5_DEF_CHUNK_SZ 0x10000 #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) typedef mbedtls_md5_context MD5Context; 
@@ -30,12 +31,6 @@ void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); void MD5Final(unsigned char digest[16], MD5Context *ctx); -/* - * Calculate and store in 'output' the MD5 digest of 'len' bytes at - * 'input'. 'output' must have enough space to hold 16 bytes. - */ -void md5 (unsigned char *input, int len, unsigned char output[16]); - /* * Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'. * 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the diff --git a/lib/md5.c b/lib/md5.c index 34343cf8e23..2d8977b2e85 100644 --- a/lib/md5.c +++ b/lib/md5.c 
@@ -262,21 +262,6 @@ MD5Transform(__u32 buf[4], __u32 const in[16]) buf[3] += d; } -/* - * Calculate and store in 'output' the MD5 digest of 'len' bytes at - * 'input'. 'output' must have enough space to hold 16 bytes. - */ -void -md5 (unsigned char *input, int len, unsigned char output[16]) -{ - MD5Context context; - - MD5Init(&context); - MD5Update(&context, input, len); - MD5Final(output, &context); -} - - /* * Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'. * 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the
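Review bot: MD5_DEF_CHUNK_SZ in include/u-boot/md5.h (@@ -12,6 +12,7 @@) is added without a comment saying what the value means. A one-line comment that it is the number of bytes processed between watchdog triggers would help, in the style of the existing "Reset watchdog each time we process this many bytes" comment above CHUNKSZ_SHA256 in sha256.h; the name could also follow that CHUNKSZ_ pattern so the hash headers stay consistent.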
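Review bot: With md5() removed, the comment left as context in include/u-boot/md5.h (@@ -30,12 +31,6 @@) and lib/md5.c (@@ -262,21 +262,6 @@) becomes the only description of the one-shot digest API, and its visible text, "If 'chunk' Trigger the", does not read as a sentence. Suggest fixing that wording in this patch and noting there that callers with no particular watchdog requirement pass MD5_DEF_CHUNK_SZ, as the three converted board files now do.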
From: Raymond Mao
To: u-boot@lists.denx.de
Subject: [PATCH v4 06/29] sha1: Remove sha1 non-watchdog API
Date: Tue, 2 Jul 2024 11:22:42 -0700
Message-Id: <20240702182325.2904421-7-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>

We don't need an API specially for non-watchdog since sha1_csum_wd supports it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x10000 as default chunk size for SHA1.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.

 board/gdsys/a38x/hre.c | 2 +-
 include/u-boot/sha1.h | 12 ++----------
 lib/sha1.c | 13 -------------
 lib/tpm-v1.c | 2 +-
 4 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c index f303793b63b..06856ea36d3 100644 --- a/board/gdsys/a38x/hre.c +++ b/board/gdsys/a38x/hre.c
@@ -166,7 +166,7 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20], return -1; if (err) continue; - sha1_csum(buf, buf_len, digest); + sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ); if (!memcmp(digest, pubkey_digest, 20)) { *handle = key_handles[i]; return 0; diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index ab88134fb98..36c3db15e22 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -39,6 +39,8 @@ extern "C" { #define SHA1_SUM_LEN 20 #define SHA1_DER_LEN 15 +#define SHA1_DEF_CHUNK_SZ 0x10000 + extern const uint8_t sha1_der_prefix[]; #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) @@ -81,16 +83,6 @@ void sha1_update(sha1_context *ctx, const unsigned char *input, */ void sha1_finish( sha1_context *ctx, unsigned char output[20] ); -/** - * \brief Output = SHA-1( input buffer ) - * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-1 checksum result - */ -void sha1_csum(const unsigned char *input, unsigned int ilen, - unsigned char *output); - /** * \brief Output = SHA-1( input buffer ), with watchdog triggering * diff --git a/lib/sha1.c b/lib/sha1.c index 7ef536f4b5d..81412283b49 100644 --- a/lib/sha1.c +++ b/lib/sha1.c @@ -304,19 +304,6 @@ void sha1_finish (sha1_context * ctx, unsigned char output[20]) PUT_UINT32_BE (ctx->state[4], output, 16); } -/* - * Output = SHA-1( input buffer ) - */ -void sha1_csum(const unsigned char *input, unsigned int ilen, - unsigned char *output) -{ - sha1_context ctx; - - sha1_starts (&ctx); - sha1_update (&ctx, input, ilen); - sha1_finish (&ctx, output); -} - /* * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' * bytes of input processed. diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c index e66023da5e6..a6727c575fd 100644 --- a/lib/tpm-v1.c +++ b/lib/tpm-v1.c 
@@ -871,7 +871,7 @@ u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20], return -1; if (err) continue; - sha1_csum(buf, buf_len, digest); + sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ); if (!memcmp(digest, pubkey_digest, 20)) { *handle = key_handles[i]; return 0;
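Review bot: SHA1_DEF_CHUNK_SZ in include/u-boot/sha1.h (@@ -39,6 +39,8 @@) carries no comment and has the same value as the MD5_DEF_CHUNK_SZ added in the previous patch. Suggest documenting it as the watchdog trigger interval in bytes, and consider one shared default instead of a per-algorithm copy of 0x10000, so a later change to the interval cannot leave the two hashes out of step.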
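Review bot: In lib/tpm-v1.c (@@ -871,7 +871,7 @@) and the matching board/gdsys/a38x/hre.c hunk (@@ -166,7 +166,7 @@), the converted call sits directly above "memcmp(digest, pubkey_digest, 20)". Since these lines are being touched for the SHA1 API change, replacing the literal 20 with SHA1_SUM_LEN, which sha1.h already defines, would keep the compared length tied to the digest size in one place.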
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Ilias Apalodimas , Leo Yu-Chi Liang , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Ilya Lukin <4.shket@gmail.com>, Sergei Antonov , Igor Opaniuk , Heinrich Schuchardt , Alper Nebi Yasak , Abdellatif El Khlifi , AKASHI Takahiro , Alexander Gendin , Bin Meng , =?utf-8?q?Vincent_Stehl=C3=A9?= , Eddie James , Oleksandr Suvorov Subject: [PATCH v4 07/29] mbedtls: add digest shim layer for MbedTLS Date: Tue, 2 Jul 2024 11:22:43 -0700 Message-Id: <20240702182325.2904421-8-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Implement digest shim layer on top of MbedTLS crypto library. Introduce _MBEDTLS kconfig for MbedTLS crypto implementations. 
Signed-off-by: Raymond Mao --- Changes in v2 - Split the shim layer into separated files and use the original head files instead of creating new ones. Changes in v3 - Refactored sha1_hmac and removed non-watchdog md5 function. Changes in v4 - Refactored hash _wd functions. - Introduce _MBEDTLS kconfig for MbedTLS crypto implementations. include/u-boot/sha1.h | 4 ++ lib/mbedtls/Kconfig | 95 +++++++++++++++++++++++++++++++++++++++++ lib/mbedtls/Makefile | 15 +++++-- lib/mbedtls/md5.c | 57 +++++++++++++++++++++++++ lib/mbedtls/sha1.c | 99 +++++++++++++++++++++++++++++++++++++++++++ lib/mbedtls/sha256.c | 62 +++++++++++++++++++++++++++ lib/mbedtls/sha512.c | 93 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 421 insertions(+), 4 deletions(-) create mode 100644 lib/mbedtls/md5.c create mode 100644 lib/mbedtls/sha1.c create mode 100644 lib/mbedtls/sha256.c create mode 100644 lib/mbedtls/sha512.c diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index 36c3db15e22..2fca7f1be16 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -41,6 +41,10 @@ extern "C" { #define SHA1_DEF_CHUNK_SZ 0x10000 +#define K_IPAD_VAL 0x36 +#define K_OPAD_VAL 0x5C +#define K_PAD_LEN 64 + extern const uint8_t sha1_der_prefix[]; #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 6662a9d20f1..0cdf0135667 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig 
@@ -131,9 +131,104 @@ if MBEDTLS_LIB config MBEDTLS_LIB_CRYPTO bool "MbedTLS crypto libraries" + select MD5_MBEDTLS if MD5 + select SHA1_MBEDTLS if SHA1 + select SHA256_MBEDTLS if SHA256 + select SHA512_MBEDTLS if SHA512 + select SHA384_MBEDTLS if SHA384 + select SPL_MD5_MBEDTLS if MD5 && SPL + select SPL_SHA1_MBEDTLS if SHA1 && SPL + select SPL_SHA256_MBEDTLS if SHA256 && SPL + select SPL_SHA512_MBEDTLS if SHA512 && SPL + select SPL_SHA384_MBEDTLS if SHA384 && SPL help Enable MbedTLS crypto libraries. +if MBEDTLS_LIB_CRYPTO + +config SHA1_MBEDTLS + bool "Enable SHA1 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA1 + help + This option enables support of hashing using SHA1 algorithm + with MbedTLS crypto library. + +config SHA256_MBEDTLS + bool "Enable SHA256 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA256 + help + This option enables support of hashing using SHA256 algorithm + with MbedTLS crypto library. + +config SHA512_MBEDTLS + bool "Enable SHA512 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA512 + default y if TI_SECURE_DEVICE && FIT_SIGNATURE + help + This option enables support of hashing using SHA512 algorithm + with MbedTLS crypto library. + +config SHA384_MBEDTLS + bool "Enable SHA384 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA384 + select SHA512_MBEDTLS + help + This option enables support of hashing using SHA384 algorithm + with MbedTLS crypto library. + +config MD5_MBEDTLS + bool "Enable MD5 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && MD5 + help + This option enables support of hashing using MD5 algorithm + with MbedTLS crypto library. 
+ +if SPL + +config SPL_SHA1_MBEDTLS + bool "Enable SHA1 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA1 + default y if SHA1 && MBEDTLS_LIB_CRYPTO + help + This option enables support of hashing using SHA1 algorithm + with MbedTLS crypto library. + +config SPL_SHA256_MBEDTLS + bool "Enable SHA256 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA256 + default y if SHA256 && MBEDTLS_LIB_CRYPTO + help + This option enables support of hashing using SHA256 algorithm + with MbedTLS crypto library. + +config SPL_SHA512_MBEDTLS + bool "Enable SHA512 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA512 + default y if SHA512 && MBEDTLS_LIB_CRYPTO + help + This option enables support of hashing using SHA512 algorithm + with MbedTLS crypto library. + +config SPL_SHA384_MBEDTLS + bool "Enable SHA384 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA384 + default y if SHA384 && MBEDTLS_LIB_CRYPTO + select SPL_SHA512 + help + This option enables support of hashing using SHA384 algorithm + with MbedTLS crypto library. + +config SPL_MD5_MBEDTLS + bool "Enable MD5 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_MD5 + default y if MD5 && MBEDTLS_LIB_CRYPTO + help + This option enables support of hashing using MD5 algorithm + with MbedTLS crypto library. + +endif # SPL + +endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 803ea0b62a0..32a98b7f4ca 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -13,17 +13,24 @@ ccflags-y += \ -I$(src)/external/mbedtls/include \ -I$(src)/external/mbedtls/library +# shim layer for hash +obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += hash_mbedtls.o +hash_mbedtls-$(CONFIG_$(SPL_)MD5_MBEDTLS) += md5.o +hash_mbedtls-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o +hash_mbedtls-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o +hash_mbedtls-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o + # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y += \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \ $(MBEDTLS_LIB_DIR)/md.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5) += $(MBEDTLS_LIB_DIR)/md5.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1) += $(MBEDTLS_LIB_DIR)/sha1.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256) += \ +mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/sha256.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512) += \ +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/sha512.o # MbedTLS X509 library diff --git a/lib/mbedtls/md5.c b/lib/mbedtls/md5.c new file mode 100644 index 00000000000..04388fce249 --- /dev/null +++ b/lib/mbedtls/md5.c 
@@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#include "compiler.h" + +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include + +void MD5Init(MD5Context *ctx) +{ + mbedtls_md5_init(ctx); + mbedtls_md5_starts(ctx); +} + +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len) +{ + mbedtls_md5_update(ctx, buf, len); +} + +void MD5Final(unsigned char digest[16], MD5Context *ctx) +{ + mbedtls_md5_finish(ctx, digest); + mbedtls_md5_free(ctx); +} + +void md5_wd(const unsigned char *input, unsigned int len, + unsigned char output[16], unsigned int chunk_sz) +{ + MD5Context context; + + MD5Init(&context); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + len; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + MD5Update(&context, curr, chunk); + curr += chunk; + schedule(); + } + } else { + MD5Update(&context, input, len); + } + + MD5Final(output, &context); +} diff --git a/lib/mbedtls/sha1.c b/lib/mbedtls/sha1.c new file mode 100644 index 00000000000..2aee5037795 --- /dev/null +++ b/lib/mbedtls/sha1.c 
@@ -0,0 +1,99 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include +#include + +const u8 sha1_der_prefix[SHA1_DER_LEN] = { + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, + 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 +}; + +void sha1_starts(sha1_context *ctx) +{ + mbedtls_sha1_init(ctx); + mbedtls_sha1_starts(ctx); +} + +void sha1_update(sha1_context *ctx, const unsigned char *input, + unsigned int length) +{ + mbedtls_sha1_update(ctx, input, length); +} + +void sha1_finish(sha1_context *ctx, unsigned char output[SHA1_SUM_LEN]) +{ + mbedtls_sha1_finish(ctx, output); + mbedtls_sha1_free(ctx); +} + +void sha1_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha1_context ctx; + + sha1_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha1_update(&ctx, curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha1_update(&ctx, input, ilen); + } + + sha1_finish(&ctx, output); +} + +void sha1_hmac(const unsigned char *key, int keylen, + const unsigned char *input, unsigned int ilen, + unsigned char *output) +{ + int i; + sha1_context ctx; + unsigned char k_ipad[K_PAD_LEN]; + unsigned char k_opad[K_PAD_LEN]; + unsigned char tmpbuf[20]; + + if (keylen > K_PAD_LEN) + return; + + memset(k_ipad, K_IPAD_VAL, sizeof(k_ipad)); + memset(k_opad, K_OPAD_VAL, sizeof(k_opad)); + + for (i = 0; i < keylen; i++) { + k_ipad[i] ^= key[i]; + k_opad[i] ^= key[i]; + } + + sha1_starts(&ctx); + sha1_update(&ctx, k_ipad, sizeof(k_ipad)); + sha1_update(&ctx, input, ilen); + sha1_finish(&ctx, tmpbuf); + + sha1_starts(&ctx); + sha1_update(&ctx, 
k_opad, sizeof(k_opad)); + sha1_update(&ctx, tmpbuf, sizeof(tmpbuf)); + sha1_finish(&ctx, output); + + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memset(tmpbuf, 0, sizeof(tmpbuf)); + memset(&ctx, 0, sizeof(sha1_context)); +} diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c new file mode 100644 index 00000000000..24aa58fa674 --- /dev/null +++ b/lib/mbedtls/sha256.c @@ -0,0 +1,62 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include + +const u8 sha256_der_prefix[SHA256_DER_LEN] = { + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x04, 0x20 +}; + +void sha256_starts(sha256_context *ctx) +{ + mbedtls_sha256_init(ctx); + mbedtls_sha256_starts(ctx, 0); +} + +void +sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha256_update(ctx, input, length); +} + +void sha256_finish(sha256_context *ctx, uint8_t digest[SHA256_SUM_LEN]) +{ + mbedtls_sha256_finish(ctx, digest); + mbedtls_sha256_free(ctx); +} + +void sha256_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha256_context ctx; + + sha256_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha256_update(&ctx, curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha256_update(&ctx, input, ilen); + } + + sha256_finish(&ctx, output); +} diff --git a/lib/mbedtls/sha512.c b/lib/mbedtls/sha512.c new file mode 100644 index 00000000000..5615248cb91 --- /dev/null +++ b/lib/mbedtls/sha512.c 
@@ -0,0 +1,93 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include +#include + +const u8 sha384_der_prefix[SHA384_DER_LEN] = { + 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, + 0x00, 0x04, 0x30 +}; + +const u8 sha512_der_prefix[SHA512_DER_LEN] = { + 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, + 0x00, 0x04, 0x40 +}; + +void sha384_starts(sha512_context *ctx) +{ + mbedtls_sha512_init(ctx); + mbedtls_sha512_starts(ctx, 1); +} + +void +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha512_update(ctx, input, length); +} + +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]) +{ + mbedtls_sha512_finish(ctx, digest); + mbedtls_sha512_free(ctx); +} + +void sha384_csum_wd(const unsigned char *input, unsigned int length, + unsigned char *output, unsigned int chunk_sz) +{ + mbedtls_sha512(input, length, output, 1); +} + +void sha512_starts(sha512_context *ctx) +{ + mbedtls_sha512_init(ctx); + mbedtls_sha512_starts(ctx, 0); +} + +void +sha512_update(sha512_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha512_update(ctx, input, length); +} + +void sha512_finish(sha512_context *ctx, uint8_t digest[SHA512_SUM_LEN]) +{ + mbedtls_sha512_finish(ctx, digest); + mbedtls_sha512_free(ctx); +} + +void sha512_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha512_context ctx; + + sha512_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha512_update(&ctx, 
curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha512_update(&ctx, input, ilen); + } + + sha512_finish(&ctx, output); +} From patchwork Tue Jul 2 18:22:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955557 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=QxWlBsI9; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBGH3kv0z1xpc for ; Wed, 3 Jul 2024 04:27:19 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 2CF6B87D33; Tue, 2 Jul 2024 20:27:17 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="QxWlBsI9"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 1847988746; Tue, 2 Jul 2024 20:27:16 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, 
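Review bot: in include/u-boot/sha1.h, K_IPAD_VAL, K_OPAD_VAL and K_PAD_LEN are added to a public header under generic, unprefixed names, although the only user in this patch is sha1_hmac() in lib/mbedtls/sha1.c. Either define them locally in that file or give them a SHA1_HMAC_ prefix so they cannot collide with other users of the header.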
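Review bot: in lib/mbedtls/Kconfig, SPL_SHA384_MBEDTLS does `select SPL_SHA512` while the non-SPL SHA384_MBEDTLS does `select SHA512_MBEDTLS`. The SHA-384 shim functions live in lib/mbedtls/sha512.c, which the Makefile only builds under CONFIG_$(SPL_)SHA512_MBEDTLS, so the SPL entry should select SPL_SHA512_MBEDTLS to guarantee the object is present. In the same file the `select SPL_*_MBEDTLS if <ALGO> && SPL` lines under MBEDTLS_LIB_CRYPTO test the non-SPL algorithm symbol, but each target depends on the SPL_<ALGO> symbol; since select ignores depends, this can force a symbol on with its dependency unmet. The `depends on MBEDTLS_LIB_CRYPTO` lines are also redundant inside `if MBEDTLS_LIB_CRYPTO`.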
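Review bot: the chunked loops in md5_wd(), sha1_csum_wd(), sha256_csum_wd() and sha512_csum_wd() never terminate when chunk_sz is 0: `chunk` is clamped to 0, `curr += chunk` makes no progress, and `while (curr < end)` spins while still calling schedule(), so the watchdog will not break the hang. `chunk` is also a signed int compared against the unsigned chunk_sz. Please make `chunk` unsigned and treat chunk_sz == 0 as "hash in one call", or reject it. The loop is copied four times and would be easier to audit as one helper. The int results of the mbedtls_*_starts/update/finish calls are discarded throughout these void wrappers; if that is intentional, a comment saying so would help.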
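Review bot: in lib/mbedtls/sha1.c, sha1_hmac() returns silently on `if (keylen > K_PAD_LEN) return;` and leaves `output` unwritten, so a caller passing a key longer than 64 bytes continues with an uninitialised MAC and, because the function is void, cannot detect it. HMAC defines this case: hash the long key with SHA-1 and use the 20-byte digest as the key. A negative keylen is not checked either; it skips the XOR loop and produces an HMAC under an all-zero key. The trailing memset() calls on k_ipad, k_opad and tmpbuf are dead stores the compiler is free to drop; mbedtls_platform_zeroize() is available here since platform_util.o is already part of mbedtls_lib_crypto-y.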
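Review bot: in lib/mbedtls/sha512.c, sha384_csum_wd() ignores its chunk_sz argument and never calls schedule(); it hashes the whole buffer with a single `mbedtls_sha512(input, length, output, 1)`. Every other _wd function in this patch chunks the input and services the watchdog when CONFIG_HW_WATCHDOG or CONFIG_WATCHDOG is enabled, so a large SHA-384 input can trip the watchdog where SHA-512 would not. Please use the same loop as sha512_csum_wd(), built on sha384_starts/update/finish.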
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Ilias Apalodimas , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Sergei Antonov , Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk , Heinrich Schuchardt , Bin Meng , Alper Nebi Yasak , AKASHI Takahiro , Abdellatif El Khlifi , Alexander Gendin , Oleksandr Suvorov , Eddie James Subject: [PATCH v4 08/29] hash: integrate hash on mbedtls Date: Tue, 2 Jul 2024 11:22:44 -0700 Message-Id: <20240702182325.2904421-9-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Integrate common/hash.c on the hash shim layer so that hash APIs from mbedtls can be leveraged by boot/image and efi_loader. Signed-off-by: Raymond Mao --- Changes in v2 - Use the original head files instead of creating new ones. Changes in v3 - Add handle checkers for malloc. Changes in v4 - None. common/hash.c | 143 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 143 insertions(+) diff --git a/common/hash.c b/common/hash.c index ac63803fed9..96caf074374 100644 --- a/common/hash.c +++ b/common/hash.c 
@@ -35,6 +35,141 @@ #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) + +static int hash_init_sha1(struct hash_algo *algo, void **ctxp) +{ + int ret; + mbedtls_sha1_context *ctx = malloc(sizeof(mbedtls_sha1_context)); + + if (!ctx) + return -ENOMEM; + + mbedtls_sha1_init(ctx); + ret = mbedtls_sha1_starts(ctx); + if (!ret) { + *ctxp = ctx; + } else { + mbedtls_sha1_free(ctx); + free(ctx); + } + + return ret; +} + +static int hash_update_sha1(struct hash_algo *algo, void *ctx, const void *buf, + unsigned int size, int is_last) +{ + return mbedtls_sha1_update((mbedtls_sha1_context *)ctx, buf, size); +} + +static int +hash_finish_sha1(struct hash_algo *algo, void *ctx, void *dest_buf, int size) +{ + int ret; + + if (size < algo->digest_size) + return -1; + + ret = mbedtls_sha1_finish((mbedtls_sha1_context *)ctx, dest_buf); + if (!ret) { + mbedtls_sha1_free((mbedtls_sha1_context *)ctx); + free(ctx); + } + + return ret; +} + +static int hash_init_sha256(struct hash_algo *algo, void **ctxp) +{ + int ret; + int is224 = algo->digest_size == SHA224_SUM_LEN ? 
1 : 0; + mbedtls_sha256_context *ctx = malloc(sizeof(mbedtls_sha256_context)); + + if (!ctx) + return -ENOMEM; + + mbedtls_sha256_init(ctx); + ret = mbedtls_sha256_starts(ctx, is224); + if (!ret) { + *ctxp = ctx; + } else { + mbedtls_sha256_free(ctx); + free(ctx); + } + + return ret; +} + +static int hash_update_sha256(struct hash_algo *algo, void *ctx, const void *buf, + uint size, int is_last) +{ + return mbedtls_sha256_update((mbedtls_sha256_context *)ctx, buf, size); +} + +static int +hash_finish_sha256(struct hash_algo *algo, void *ctx, void *dest_buf, int size) +{ + int ret; + + if (size < algo->digest_size) + return -1; + + ret = mbedtls_sha256_finish((mbedtls_sha256_context *)ctx, dest_buf); + if (!ret) { + mbedtls_sha256_free((mbedtls_sha256_context *)ctx); + free(ctx); + } + + return ret; +} + +static int hash_init_sha512(struct hash_algo *algo, void **ctxp) +{ + int ret; + int is384 = algo->digest_size == SHA384_SUM_LEN ? 1 : 0; + mbedtls_sha512_context *ctx = malloc(sizeof(mbedtls_sha512_context)); + + if (!ctx) + return -ENOMEM; + + mbedtls_sha512_init(ctx); + ret = mbedtls_sha512_starts(ctx, is384); + if (!ret) { + *ctxp = ctx; + } else { + mbedtls_sha512_free(ctx); + free(ctx); + } + + return ret; +} + +static int hash_update_sha512(struct hash_algo *algo, void *ctx, const void *buf, + uint size, int is_last) +{ + return mbedtls_sha512_update((mbedtls_sha512_context *)ctx, buf, size); +} + +static int +hash_finish_sha512(struct hash_algo *algo, void *ctx, void *dest_buf, int size) +{ + int ret; + + if (size < algo->digest_size) + return -1; + + ret = mbedtls_sha512_finish((mbedtls_sha512_context *)ctx, dest_buf); + if (!ret) { + mbedtls_sha512_free((mbedtls_sha512_context *)ctx); + free(ctx); + } + + return ret; +} + +#else /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */ + static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void **ctxp) { sha1_context *ctx = malloc(sizeof(sha1_context)); 
@@ -143,6 +278,8 @@ static int __maybe_unused hash_finish_sha512(struct hash_algo *algo, void *ctx, return 0; } +#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */ + static int hash_init_crc16_ccitt(struct hash_algo *algo, void **ctxp) { uint16_t *ctx = malloc(sizeof(uint16_t)); 
@@ -267,10 +404,16 @@ static struct hash_algo hash_algo[] = { .hash_init = hw_sha_init, .hash_update = hw_sha_update, .hash_finish = hw_sha_finish, +#else +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) + .hash_init = hash_init_sha512, + .hash_update = hash_update_sha512, + .hash_finish = hash_finish_sha512, #else .hash_init = hash_init_sha384, .hash_update = hash_update_sha384, .hash_finish = hash_finish_sha384, +#endif #endif }, #endif From patchwork Tue Jul 2 18:22:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955558 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=nHzLAlMF; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBGg6LHRz1xpc for ; Wed, 3 Jul 2024 04:27:39 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 92946887A1; Tue, 2 Jul 2024 20:27:37 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="nHzLAlMF"; 
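Review bot: in common/hash.c, hash_finish_sha1(), hash_finish_sha256() and hash_finish_sha512() leak the context on both failure paths: `if (size < algo->digest_size) return -1;` returns before any cleanup, and a non-zero result from mbedtls_*_finish() skips both mbedtls_*_free() and free(ctx). The caller has no other hook to release the context, and the unfreed buffer still holds intermediate hash state. Please run mbedtls_*_free() and free(ctx) unconditionally before returning, for example through a single exit label.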
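Review bot: the new hash_init/update/finish functions in the MBEDTLS_LIB_CRYPTO branch of common/hash.c are declared plain `static int`, while the legacy versions visible in the context lines are `static int __maybe_unused`. The three algorithm families are also defined unconditionally, regardless of which *_MBEDTLS options are enabled, so a configuration that leaves one of them out of hash_algo[] will get unused-function warnings. Please carry over __maybe_unused or guard each group with its own CONFIG_IS_ENABLED() check.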
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Igor Opaniuk, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 09/29] makefile: add mbedtls include directories
Date: Tue, 2 Jul 2024 11:22:45 -0700
Message-Id: <20240702182325.2904421-10-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Add the mbedtls include directories into the build system.

Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Remove changes for PLATFORM_CPPFLAGS.
Changes in v4
- Fix errors when building without "O=".
- Minor fix of the include directories.

 Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Makefile b/Makefile index 07d7947c8af..fd855dbd5c9 100644 --- a/Makefile +++ b/Makefile
@@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) UBOOTINCLUDE := \ -Iinclude \ $(if $(KBUILD_SRC), -I$(srctree)/include) \ + $(if $(CONFIG_MBEDTLS_LIB), \ + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ + -I$(srctree)/lib/mbedtls \ + -I$(srctree)/lib/mbedtls/port \ + -I$(srctree)/lib/mbedtls/external/mbedtls \ + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ $(if $(CONFIG_HAS_THUMB2), \ $(if $(CONFIG_CPU_V7M), \ From patchwork Tue Jul 2 18:22:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955559 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=CiUW550X; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBH63NDSz1xpc for ; Wed, 3 Jul 2024 04:28:02 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 094F987D33; Tue, 2 Jul 2024 20:28:00 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: 
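Review bot: The -DMBEDTLS_CONFIG_FILE definition sits inside UBOOTINCLUDE, which in the surrounding lines of this Makefile hunk carries only -I paths, so a preprocessor define ends up hidden in the include list; move it to a CPPFLAGS-style variable, or add a comment saying why it has to live here now that v3 dropped the PLATFORM_CPPFLAGS change. The new block is keyed on CONFIG_MBEDTLS_LIB alone while the entry right after it uses CONFIG_$(SPL_)SYS_THUMB_BUILD, so please state whether SPL builds are meant to pick up the MbedTLS headers and config file as well. Having both lib/mbedtls/external/mbedtls and lib/mbedtls/external/mbedtls/include on the search path also deserves a one-line comment on which #include form each directory serves.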
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Igor Opaniuk, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 10/29] mbedtls/external: support Microsoft Authentication Code
Date: Tue, 2 Jul 2024 11:22:46 -0700
Message-Id: <20240702182325.2904421-11-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Populate Microsoft Authentication Code from the content data
into PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs for describing objects used for Microsoft Authentication Code.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.

 .../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++
 .../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++
 lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++----
 3 files changed, 90 insertions(+), 10 deletions(-)

diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index fdc25ebf885..2ee982808fa 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -352,6 +352,36 @@ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */ +/* + * MicroSoft Authenticate Code OIDs + */ +#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */ +#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */ +/* + * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)} + */ +#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x04" +/* + * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)} + */ +#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)} + */ +#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)} + */ +#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0f" + /* * EC key algorithms from RFC 5480 */ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index e9b482208e6..9e29b74af70 100644 
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data { } mbedtls_pkcs7_signed_data; +/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */ +typedef struct mbedtls_pkcs7_conten_data { + int data_type; /* Type of Data */ + size_t data_len; /* Length of Data */ + size_t data_hdrlen; /* Length of Data ASN.1 header */ + void *data; /* Content Data */ +} +mbedtls_pkcs7_conten_data; + /** * Structure holding PKCS #7 structure, only signed data for now */ typedef struct mbedtls_pkcs7 { mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); + mbedtls_pkcs7_conten_data content_data; } mbedtls_pkcs7; diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 3aac662ba69..0c2436b56b7 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -29,6 +29,13 @@ #include #endif +enum OID { + /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */ + MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */ + /* Microsoft Authenticode & Software Publishing */ + MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */ +}; + /** * Initializes the mbedtls_pkcs7 structure. */ @@ -449,7 +456,7 @@ cleanup: * signerInfos SignerInfos } */ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, - mbedtls_pkcs7_signed_data *signed_data) + mbedtls_pkcs7 *pkcs7) { unsigned char *p = buf; unsigned char *end = buf + buflen; @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; + mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data; ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 
@@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, if (ret != 0) { return ret; } - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + + /* + * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for + * U-Boot Secure Boot + */ + if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_DATA; + } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, + &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA; + } else { return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; } if (p != end_content_info) { + unsigned char *tmp_p = p; + /* Determine if valid content is present */ ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CONTEXT_SPECIFIC); + if (ret != 0 || p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); + } + + /* + * U-Boot Secure Boot needs to calculate the digest of MicroSoft + * Authentication Code during verifying an EFI image. + * Thus we need to save the context of Content Data. 
+ */ + pkcs7->content_data.data_hdrlen = p - tmp_p; + /* Parse the content data from a sequence */ + ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); + /* TODO: Other Content Data formats are not supported at the moment */ + return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + } else if (p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); } + + pkcs7->content_data.data = p; + pkcs7->content_data.data_len = len; + p += len; - if (p != end_content_info) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); - } - /* Valid content is present - this is not supported */ - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } /* Look for certificates, there may or may not be any */ 
@@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } try_data: - ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data); + ret = pkcs7_get_signed_data(p, len, pkcs7); if (ret != 0) { goto out; } From patchwork Tue Jul 2 18:22:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955560 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=mdLYOwxh; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBHX6HpQz1xpc for ; Wed, 3 Jul 2024 04:28:24 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 7CBBA887B2; Tue, 2 Jul 2024 20:28:22 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="mdLYOwxh"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id B8232887B2; Tue, 2 Jul 2024 20:28:21 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on 
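Review bot: In the oid.h hunk, MBEDTLS_OID_MICROSOFT_SPOPUSINFO ends in "\x02\x01\x0b", the same bytes as MBEDTLS_OID_MICROSOFT_STATETYPE, while its own comment gives 1.3.6.1.4.1.311.2.1.12; the last byte has to be \x0c for arc 12, otherwise any lookup for msSpOpusInfo matches msStatementType instead. While there, the comment on MBEDTLS_OID_PRIVATE_ENTERPRISE never closes its brace, and the new comments use plain /* */ where the neighbouring PKCS12 defines use /**< ... */.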
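Review bot: In the pkcs7.h hunk, the new type is spelled mbedtls_pkcs7_conten_data (missing "t"), and since it lands in a public header the name is hard to change later, so fix it before merge. The content_data member is also added to mbedtls_pkcs7 without MBEDTLS_PRIVATE() although raw and signed_data right above it use it; either wrap it or document it as public API. The field comments should say that data is a pointer into the parsed DER rather than an owned copy, and how long it stays valid, because pkcs7.c assigns it straight from the parse cursor.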
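Review bot: In the first pkcs7.c hunk, enum OID is private to pkcs7.c, yet its values 13 and 24 are what gets stored in the public data_type field, so a caller that includes only pkcs7.h has nothing to compare data_type against. Move the enum next to the struct in pkcs7.h, give it a PKCS7-specific name so MBEDTLS_OID_DATA and MBEDTLS_OID_MS_INDIRECTDATA do not read like the string macros in oid.h, and add a comment on where the numbers 13 and 24 come from.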
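Review bot: In the pkcs7_get_signed_data content hunk, every failure of the second mbedtls_asn1_get_tag() call (the one expecting CONSTRUCTED | SEQUENCE) is reported as MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE, so truncated or otherwise malformed content is indistinguishable from a well-formed but unsupported content type. Return FEATURE_UNAVAILABLE only for MBEDTLS_ERR_ASN1_UNEXPECTED_TAG and map the other codes through MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret) as the first check does. In the following else-if branch ret is already 0, so the MBEDTLS_ERROR_ADD there adds nothing and a plain MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO would be clearer.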
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Eddie James, Oleksandr Suvorov
Subject: [PATCH v4 11/29] mbedtls/external: support PKCS9 Authenticate Attributes
Date: Tue, 2 Jul 2024 11:22:47 -0700
Message-Id: <20240702182325.2904421-12-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Populate PKCS9 Authenticate Attributes from signer info if they exist
in a PKCS7 message.
Add OIDs for describing objects used for Authenticate Attributes.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.

 .../external/mbedtls/include/mbedtls/oid.h | 5 +++++
 .../external/mbedtls/include/mbedtls/pkcs7.h | 11 +++++++++++
 lib/mbedtls/external/mbedtls/library/pkcs7.c | 19 ++++++++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index 2ee982808fa..43cef99f1e3 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h @@ -238,6 +238,11 @@ #define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" #define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */ +#define MBEDTLS_OID_PKCS9_CONTENTTYPE MBEDTLS_OID_PKCS9 "\x03" /**< contentType AttributeType ::= { pkcs-9 3 } */ +#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**< messageDigest AttributeType ::= { pkcs-9 4 } */ +#define MBEDTLS_OID_PKCS9_SIGNINGTIME MBEDTLS_OID_PKCS9 "\x05" /**< signingTime AttributeType ::= { pkcs-9 5 } */ +#define MBEDTLS_OID_PKCS9_SMIMECAP MBEDTLS_OID_PKCS9 "\x0f" /**< smimeCapabilites AttributeType ::= { pkcs-9 15 } */ +#define MBEDTLS_OID_PKCS9_SMIMEAA MBEDTLS_OID_PKCS9 "\x10\x02\x0b" /**< smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */ /* RFC 4055 */ #define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index 9e29b74af70..a88a5e858fc 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h @@ -102,6 +102,16 @@ typedef enum { } mbedtls_pkcs7_type; +/* + * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot + * Secure Boot + */ +typedef struct mbedtls_pkcs7_authattrs { + size_t data_len; + void *data; +} +mbedtls_pkcs7_authattrs; + /** * Structure holding PKCS #7 signer info */ 
@@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info { mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + mbedtls_pkcs7_authattrs authattrs; struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); } mbedtls_pkcs7_signer_info; diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 0c2436b56b7..da73fb341d6 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, unsigned char *end_signer, *end_issuer_and_sn; int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; + unsigned char *tmp_p; asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 
@@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, goto out; } - /* Assume authenticatedAttributes is nonexistent */ + /* Save authenticatedAttributes if present */ + if (*p < end_signer && + **p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0)) { + tmp_p = *p; + + ret = mbedtls_asn1_get_tag(p, end_signer, &len, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0); + if (ret != 0) { + goto out; + } + + signer->authattrs.data = tmp_p; + signer->authattrs.data_len = len + *p - tmp_p; + *p += len; + } + ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier); if (ret != 0) { goto out; From patchwork Tue Jul 2 18:22:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955561 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=y3AuA/os; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBHy32Y0z1xpc for ; Wed, 3 Jul 2024 04:28:46 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id F1C6387D33; Tue, 2 Jul 2024 20:28:43 +0200 (CEST) Authentication-Results: 
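Review bot: In the oid.h hunk, the doc comment on MBEDTLS_OID_PKCS9_SMIMEAA is a copy of the one on MBEDTLS_OID_PKCS9_SMIMECAP ("smimeCapabilites AttributeType"), so the two defines claim to be the same attribute while encoding { pkcs-9 15 } and { pkcs-9 16 2 11 }. Give SMIMEAA its own attribute name in the comment and fix the "smimeCapabilites" spelling on both lines.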
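Review bot: In the pkcs7.h hunks, mbedtls_pkcs7_authattrs has no per-field documentation and the authattrs member is added to mbedtls_pkcs7_signer_info without MBEDTLS_PRIVATE(), unlike every other member of that struct shown here. Document that data_len covers the tag and length bytes as well as the attribute body (pkcs7.c sets it to len + *p - tmp_p) and that data points into the parsed buffer, and decide explicitly whether the member is public.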
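Review bot: In the pkcs7_get_signer_info hunk, the saved span starts at tmp_p, that is at the IMPLICIT [0] tag byte, but the digest a verifier has to compute over authenticated attributes uses the EXPLICIT SET OF tag in place of [0] (RFC 5652 section 5.4). A caller that hashes authattrs.data as stored will get the wrong digest, so say in the comment that the first byte must be replaced by the SET tag before hashing, or store the span in the form to be hashed. The attribute body is also skipped with *p += len without being parsed, so the comment should state that checking the contentType and messageDigest attributes is left to the consumer.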
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Oleksandr Suvorov
Subject: [PATCH v4 12/29] mbedtls/external: support decoding multiple signer's cert
Date: Tue, 2 Jul 2024 11:22:48 -0700
Message-Id: <20240702182325.2904421-13-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Support decoding multiple signer's cert in the signed data within
a PKCS7 message.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.

 lib/mbedtls/external/mbedtls/library/pkcs7.c | 75 ++++++++++++--------
 1 file changed, 47 insertions(+), 28 deletions(-)

diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index da73fb341d6..01105227d7a 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -61,6 +61,36 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end, return ret; } +/** + * Get and decode one cert from a sequence. + * Return 0 for success, + * Return negative error code for failure. + **/ +static int pkcs7_get_one_cert(unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + unsigned char *start = *p; + unsigned char *end_cert; + + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + } + + end_cert = *p + len; + + if ((ret = mbedtls_x509_crt_parse_der(certs, start, end_cert - start)) < 0) { + return MBEDTLS_ERR_PKCS7_INVALID_CERT; + } + + *p = end_cert; + + return 0; +} + /** * version Version * Version ::= INTEGER @@ -178,11 +208,12 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, mbedtls_x509_crt *certs) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len1 = 0; - size_t len2 = 0; - unsigned char *end_set, *end_cert, *start; + size_t len = 0; + unsigned char *end_set; + int num_of_certs = 0; - ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + /* Get the set of certs */ + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { return 0; 
@@ -190,38 +221,26 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, if (ret != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); } - start = *p; - end_set = *p + len1; + end_set = *p + len; - ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE); + ret = pkcs7_get_one_cert(p, end_set, certs); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + return ret; } - end_cert = *p + len2; + num_of_certs++; - /* - * This is to verify that there is only one signer certificate. It seems it is - * not easy to differentiate between the chain vs different signer's certificate. - * So, we support only the root certificate and the single signer. - * The behaviour would be improved with addition of multiple signer support. - */ - if (end_cert != end_set) { - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; - } - - if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) { - return MBEDTLS_ERR_PKCS7_INVALID_CERT; + while (*p != end_set) { + ret = pkcs7_get_one_cert(p, end_set, certs); + if (ret != 0) { + return ret; + } + num_of_certs++; } - *p = end_cert; + *p = end_set; - /* - * Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. 
- */ - return 1; + return num_of_certs; } /**
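Review bot: In pkcs7_get_one_cert() (first hunk), the mbedtls_x509_crt_parse_der() failure path returns a bare MBEDTLS_ERR_PKCS7_INVALID_CERT and drops ret, while the tag failure just above it keeps the low-level code through MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret). Since this helper now runs once per certificate in the set, using MBEDTLS_ERROR_ADD on both paths would let a caller see why a particular certificate was rejected. The doc comment should also say that the parsed certificate is appended to the certs chain, and what state *p and that chain are left in when the function fails after earlier certificates were already added.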
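Review bot: The loop added to pkcs7_get_certificates() (third hunk) stops on *p != end_set, which is only correct as long as pkcs7_get_one_cert() can never move *p beyond end_set; writing the condition as *p < end_set states the bound directly, and the trailing *p = end_set; then does real work instead of being redundant. The first call sits outside the loop, so an empty certificate set still fails with an invalid-cert error; if that is intended, a one-line comment should say so. The removed comment explained why only a single signer certificate was accepted, but nothing replaces it to tell the caller what it may assume about the certificates it now receives (ordering, chain versus independent signers). The return value also changes from 1 to a count, so the function's header comment and any caller that compared the result with 1 need to be updated in the same patch.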
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 13/29] mbedtls/external: update MbedTLS PKCS7 test suites
Date: Tue, 2 Jul 2024 11:22:49 -0700
Message-Id: <20240702182325.2904421-14-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Update the PKCS7 test suites for multiple certs.

The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.

 .../external/mbedtls/tests/suites/test_suite_pkcs7.data | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data index d3b83cdf0aa..2dd1c56109f 100644 --- a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data
+++ b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data 
@@ -14,9 +14,9 @@ PKCS7 Signed Data Parse with zero signers depends_on:MBEDTLS_MD_CAN_SHA256 pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA -PKCS7 Signed Data Parse Fail with multiple certs #4 +PKCS7 Signed Data Parse Pass with multiple certs #4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with corrupted cert #5.0 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
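Review bot: Case #4 is the only test touched, flipped from an expected MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE to MBEDTLS_PKCS7_SIGNED_DATA, so the suite gains a positive multi-certificate case but no negative case for the new per-certificate loop. Please add at least one case where a certificate after the first in the set is truncated or corrupted, and one where bytes trail the last certificate inside the set, so the error paths that only exist with more than one certificate are exercised and not just the path the existing corrupted-cert cases reach.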
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Oleksandr Suvorov
Subject: [PATCH v4 14/29] public_key: move common functions to public key helper
Date: Tue, 2 Jul 2024 11:22:50 -0700
Message-Id: <20240702182325.2904421-15-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Move public_key_free and public_key_signature_free as helper functions that can be shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.

 lib/crypto/Makefile | 4 +++-
 lib/crypto/public_key.c | 31 -------------------------
 lib/crypto/public_key_helper.c | 42 ++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 32 deletions(-)
 create mode 100644 lib/crypto/public_key_helper.c

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bec1bc95a65..4ad1849040d 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile
@@ -7,7 +7,9 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ + public_key_helper.o \ + public_key.o # # RSA public key parser diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index 6efe951c057..408742907f1 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -51,38 +51,7 @@ static void public_key_describe(const struct key *asymmetric_key, } #endif -/* - * Destroy a public key algorithm key. - */ -void public_key_free(struct public_key *key) -{ - if (key) { - kfree(key->key); - kfree(key->params); - kfree(key); - } -} -EXPORT_SYMBOL_GPL(public_key_free); - #ifdef __UBOOT__ -/* - * from /crypto/asymmetric_keys/signature.c - * - * Destroy a public key signature. - */ -void public_key_signature_free(struct public_key_signature *sig) -{ - int i; - - if (sig) { - for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++) - free(sig->auth_ids[i]); - free(sig->s); - free(sig->digest); - free(sig); - } -} -EXPORT_SYMBOL_GPL(public_key_signature_free); /** * public_key_verify_signature - Verify a signature using a public key. diff --git a/lib/crypto/public_key_helper.c b/lib/crypto/public_key_helper.c new file mode 100644 index 00000000000..4cb21edddf3 --- /dev/null +++ b/lib/crypto/public_key_helper.c 
@@ -0,0 +1,42 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 helper functions + * + * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#include +#include + +/* + * Destroy a public key algorithm key. + */ +void public_key_free(struct public_key *key) +{ + if (key) { + kfree(key->key); + kfree(key->params); + kfree(key); + } +} + +/* + * from /crypto/asymmetric_keys/signature.c + * + * Destroy a public key signature. + */ +void public_key_signature_free(struct public_key_signature *sig) +{ + int i; + + if (sig) { + for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++) + kfree(sig->auth_ids[i]); + kfree(sig->s); + kfree(sig->digest); + kfree(sig); + } +}
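Review bot: In the public_key.c hunk, public_key_signature_free() was built only inside the #ifdef __UBOOT__ block and both removed functions carried EXPORT_SYMBOL_GPL(); the copies added in public_key_helper.c are unconditional and have no export. If dropping the guard and the exports is intentional, the commit message should say so, because it currently describes the change as a plain move.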
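Review bot: The file header of the new public_key_helper.c says "X509 helper functions", which does not match its contents and should read as the public key helpers. In public_key_signature_free() the removed code released sig->auth_ids[i], sig->s, sig->digest and sig with free(), while the new file calls kfree() on all four; for code that frees key and signature material, a commit described as a move should either keep the calls as they were or state the switch and why the two are interchangeable in this build.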
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Vincent Stehlé, Manorit Chawdhry, Oleksandr Suvorov
Subject: [PATCH v4 15/29] x509: move common functions to x509 helper
Date: Tue, 2 Jul 2024 11:22:51 -0700
Message-Id: <20240702182325.2904421-16-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Move x509_check_for_self_signed as a common helper function that can be shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.

 lib/crypto/Makefile | 1 +
 lib/crypto/x509_helper.c | 67 ++++++++++++++++++++++++++++++++++++
 lib/crypto/x509_public_key.c | 56 +-----------------------------
 3 files changed, 69 insertions(+), 55 deletions(-)
 create mode 100644 lib/crypto/x509_helper.c

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 4ad1849040d..946cc3a7b59 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile
@@ -37,6 +37,7 @@ x509_key_parser-y := \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ + x509_helper.o \ x509_public_key.o $(obj)/x509_cert_parser.o: \ diff --git a/lib/crypto/x509_helper.c b/lib/crypto/x509_helper.c new file mode 100644 index 00000000000..d0c80907ec3 --- /dev/null +++ b/lib/crypto/x509_helper.c @@ -0,0 +1,67 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 helper functions + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#include +#include +#include + +/* + * Check for self-signedness in an X.509 cert and if found, check the signature + * immediately if we can. + */ +int x509_check_for_self_signed(struct x509_certificate *cert) +{ + int ret = 0; + + if (cert->raw_subject_size != cert->raw_issuer_size || + memcmp(cert->raw_subject, cert->raw_issuer, + cert->raw_issuer_size)) + goto not_self_signed; + + if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) { + /* + * If the AKID is present it may have one or two parts. If + * both are supplied, both must match. + */ + bool a = asymmetric_key_id_same(cert->skid, + cert->sig->auth_ids[1]); + bool b = asymmetric_key_id_same(cert->id, + cert->sig->auth_ids[0]); + + if (!a && !b) + goto not_self_signed; + + ret = -EKEYREJECTED; + if (((a && !b) || (b && !a)) && + cert->sig->auth_ids[0] && cert->sig->auth_ids[1]) + goto out; + } + + ret = -EKEYREJECTED; + if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo)) + goto out; + + ret = public_key_verify_signature(cert->pub, cert->sig); + if (ret == -ENOPKG) { + cert->unsupported_sig = true; + goto not_self_signed; + } + if (ret < 0) + goto out; + + pr_devel("Cert Self-signature verified"); + cert->self_signed = true; + +out: + return ret; + +not_self_signed: + return 0; +} diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index a10145a7cdc..4ba13c1adc3 100644 
--- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c 
@@ -139,61 +139,7 @@ error: return ret; } -/* - * Check for self-signedness in an X.509 cert and if found, check the signature - * immediately if we can. - */ -int x509_check_for_self_signed(struct x509_certificate *cert) -{ - int ret = 0; - - pr_devel("==>%s()\n", __func__); - - if (cert->raw_subject_size != cert->raw_issuer_size || - memcmp(cert->raw_subject, cert->raw_issuer, - cert->raw_issuer_size) != 0) - goto not_self_signed; - - if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) { - /* If the AKID is present it may have one or two parts. If - * both are supplied, both must match. - */ - bool a = asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]); - bool b = asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0]); - - if (!a && !b) - goto not_self_signed; - - ret = -EKEYREJECTED; - if (((a && !b) || (b && !a)) && - cert->sig->auth_ids[0] && cert->sig->auth_ids[1]) - goto out; - } - - ret = -EKEYREJECTED; - if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0) - goto out; - - ret = public_key_verify_signature(cert->pub, cert->sig); - if (ret < 0) { - if (ret == -ENOPKG) { - cert->unsupported_sig = true; - ret = 0; - } - goto out; - } - - pr_devel("Cert Self-signature verified"); - cert->self_signed = true; - -out: - pr_devel("<==%s() = %d\n", __func__, ret); - return ret; - -not_self_signed: - pr_devel("<==%s() = 0 [not]\n", __func__); - return 0; -} +#endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ #ifndef __UBOOT__ /*
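Review bot: x509_check_for_self_signed() as added in x509_helper.c is not a verbatim copy of the function removed from x509_public_key.c: the pr_devel() entry and exit traces are gone, and the -ENOPKG case now jumps to not_self_signed where the old code set ret = 0 and went to out. Both forms return 0 with cert->unsupported_sig set and cert->self_signed left clear, so the result is the same, but a signature check is much easier to review when a move is byte-for-byte. Either keep the body unchanged or list these edits in the commit message.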
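Review bot: The #endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ added at the end of the x509_public_key.c hunk has no matching #if anywhere in this patch, and the diffstat shows a single insertion for that file. Unless the opening conditional is already present in the tree at this point, the file will not compile at this commit, which breaks bisection; the #endif belongs in the patch that introduces the corresponding #if.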
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Igor Opaniuk, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 16/29] pkcs7: move common functions to PKCS7 helper
Date: Tue, 2 Jul 2024 11:22:52 -0700
Message-Id: <20240702182325.2904421-17-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Move pkcs7_get_content_data as a helper function that can be shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.

lib/crypto/Makefile | 1 + lib/crypto/pkcs7_helper.c | 40 +++++++++++++++++++++++++++++++++++++++ lib/crypto/pkcs7_parser.c | 28 --------------------------- 3 files changed, 41 insertions(+), 28 deletions(-) create mode 100644 lib/crypto/pkcs7_helper.c diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 946cc3a7b59..16059088f26 100644
--- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -53,6 +53,7 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o pkcs7_message-y := \ pkcs7.asn1.o \ + pkcs7_helper.o \ pkcs7_parser.o obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o diff --git a/lib/crypto/pkcs7_helper.c b/lib/crypto/pkcs7_helper.c new file mode 100644 index 00000000000..6c8dcd1a935 --- /dev/null +++ b/lib/crypto/pkcs7_helper.c @@ -0,0 +1,40 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * PKCS7 helper functions + * + * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#include +#include +#include + +/** + * pkcs7_get_content_data - Get access to the PKCS#7 content + * @pkcs7: The preparsed PKCS#7 message to access + * @_data: Place to return a pointer to the data + * @_data_len: Place to return the data length + * @_headerlen: Size of ASN.1 header not included in _data + * + * Get access to the data content of the PKCS#7 message. The size of the + * header of the ASN.1 object that contains it is also provided and can be used + * to adjust *_data and *_data_len to get the entire object. + * + * Returns -ENODATA if the data object was missing from the message. + */ +int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, + const void **_data, size_t *_data_len, + size_t *_headerlen) +{ + if (!pkcs7->data) + return -ENODATA; + + *_data = pkcs7->data; + *_data_len = pkcs7->data_len; + if (_headerlen) + *_headerlen = pkcs7->data_hdrlen; + return 0; +} diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c index d5efa828d6a..c849dc0d92d 100644 --- a/lib/crypto/pkcs7_parser.c +++ b/lib/crypto/pkcs7_parser.c 
@@ -182,34 +182,6 @@ out_no_ctx: } EXPORT_SYMBOL_GPL(pkcs7_parse_message); -/** - * pkcs7_get_content_data - Get access to the PKCS#7 content - * @pkcs7: The preparsed PKCS#7 message to access - * @_data: Place to return a pointer to the data - * @_data_len: Place to return the data length - * @_headerlen: Size of ASN.1 header not included in _data - * - * Get access to the data content of the PKCS#7 message. The size of the - * header of the ASN.1 object that contains it is also provided and can be used - * to adjust *_data and *_data_len to get the entire object. - * - * Returns -ENODATA if the data object was missing from the message. - */ -int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, - const void **_data, size_t *_data_len, - size_t *_headerlen) -{ - if (!pkcs7->data) - return -ENODATA; - - *_data = pkcs7->data; - *_data_len = pkcs7->data_len; - if (_headerlen) - *_headerlen = pkcs7->data_hdrlen; - return 0; -} -EXPORT_SYMBOL_GPL(pkcs7_get_content_data); - /* * Note an OID when we find one for later processing when we know how * to interpret it. 
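Review bot: in the new lib/crypto/pkcs7_helper.c, pkcs7_get_content_data() dereferences pkcs7, _data and _data_len unconditionally, while _headerlen alone is treated as optional ("if (_headerlen)"). Now that this is a helper meant to be called from both the legacy and the MbedTLS code, either add an early "if (!pkcs7 || !_data || !_data_len) return -EINVAL;" or state in the kernel-doc that only @_headerlen may be NULL.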
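Review bot: the removal in lib/crypto/pkcs7_parser.c also drops the EXPORT_SYMBOL_GPL(pkcs7_get_content_data) line, and the new pkcs7_helper.c does not carry it over, so this is not a pure move. If the export is dropped on purpose, say so in the commit message; otherwise add the line after the function in the helper.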
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Manorit Chawdhry, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 17/29] mbedtls: add public key porting layer
Date: Tue, 2 Jul 2024 11:22:53 -0700
Message-Id: <20240702182325.2904421-18-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Add porting layer for public key on top of MbedTLS X509 library. Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively.
- Move common functions to helper.

lib/mbedtls/Kconfig | 50 ++++++++++++++++++++++++ lib/mbedtls/Makefile | 7 +++- lib/mbedtls/public_key.c | 82 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/public_key.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 0cdf0135667..6f29b0c81a2 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -122,9 +122,35 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help Enable legacy certificate libraries. +if LEGACY_CRYPTO_CERT + +config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY + bool "Asymmetric public key crypto with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY + bool "Asymmetric public key crypto with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # LEGACY_CRYPTO_CERT + endif # LEGACY_CRYPTO if MBEDTLS_LIB 
@@ -232,7 +258,31 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help Enable MbedTLS certificate libraries. +if MBEDTLS_LIB_X509 + +config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library" + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # MBEDTLS_LIB_X509 + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 32a98b7f4ca..f06d0704502 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -20,6 +20,11 @@ hash_mbedtls-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o hash_mbedtls-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o hash_mbedtls-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o +# x509 libraries +obj-$(CONFIG_MBEDTLS_LIB_X509) += x509_mbedtls.o +x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ + public_key.o + # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y += \ @@ -45,7 +50,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pk.o \ $(MBEDTLS_LIB_DIR)/pk_wrap.o \ $(MBEDTLS_LIB_DIR)/pkparse.o 
diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c new file mode 100644 index 00000000000..076a61862cb --- /dev/null +++ b/lib/mbedtls/public_key.c 
@@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Public key helper functions using MbedTLS X509 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include + +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + mbedtls_md_type_t mb_hash_algo; + mbedtls_pk_context pk_ctx; + int ret; + + if (!pkey || !sig || pkey->key_is_private) + return -EINVAL; + + /* + * ECRDSA (Elliptic Curve RedDSA) from Red Hat is not supported by + * MbedTLS + */ + if (strcmp(pkey->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); + return -EINVAL; + } + + /* + * Can be pkcs1 or raw, but pkcs1 is expected. + * This is just for argument checking, not necessarily passed to MbedTLS, + * For RSA signatures, MbedTLS typically supports the PKCS#1 v1.5 + * (aka. pkcs1) encoding by default. + * The library internally handles the details of decoding and verifying + * the signature according to the expected encoding for the specified algorithm. 
+ */ + if (strcmp(sig->encoding, "pkcs1")) { + pr_err("Encoding %s is not supported, only supports pkcs1\n", + sig->encoding); + return -EINVAL; + } + + if (!strcmp(sig->hash_algo, "sha1")) + mb_hash_algo = MBEDTLS_MD_SHA1; + else if (!strcmp(sig->hash_algo, "sha224")) + mb_hash_algo = MBEDTLS_MD_SHA224; + else if (!strcmp(sig->hash_algo, "sha256")) + mb_hash_algo = MBEDTLS_MD_SHA256; + else if (!strcmp(sig->hash_algo, "sha384")) + mb_hash_algo = MBEDTLS_MD_SHA384; + else if (!strcmp(sig->hash_algo, "sha512")) + mb_hash_algo = MBEDTLS_MD_SHA512; + else /* Unknown or unsupported hash algorithm */ + return -EINVAL; + /* Initialize the mbedtls_pk_context with RSA key type */ + mbedtls_pk_init(&pk_ctx); + + /* Parse the DER-encoded public key */ + ret = mbedtls_pk_parse_public_key(&pk_ctx, pkey->key, pkey->keylen); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto err_key; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk_ctx) != MBEDTLS_PK_RSA) { + pr_err("Only RSA keys are supported\n"); + ret = -EKEYREJECTED; + goto err_key; + } + + /* Verify the hash */ + ret = mbedtls_pk_verify(&pk_ctx, mb_hash_algo, sig->digest, + sig->digest_size, sig->s, sig->s_size); + +err_key: + mbedtls_pk_free(&pk_ctx); + return ret; +}
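Review bot: in the LEGACY_CRYPTO_CERT hunk of lib/mbedtls/Kconfig, the select of SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY is conditioned on "ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL", but the symbol itself depends on SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE. A select does not honour "depends on", so a configuration with the non-SPL option set and the SPL one unset gets the SPL legacy symbol forced on with an unmet dependency. Condition the select on SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE instead. The "depends on LEGACY_CRYPTO_CERT" inside the "if LEGACY_CRYPTO_CERT" block is redundant and can be dropped.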
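Review bot: in the MBEDTLS_LIB_X509 hunk of lib/mbedtls/Kconfig, ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS and SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS have a prompt but no "depends on" line, unlike the _LEGACY entries, which depend on ASYMMETRIC_PUBLIC_KEY_SUBTYPE and SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE. As written they can be enabled by hand without the base option. Add the matching "depends on" lines, and condition the SPL select on SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE rather than on "ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL".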
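Review bot: in public_key_verify_signature() in lib/mbedtls/public_key.c, the algorithm check tests pkey->pkey_algo but the error message prints sig->pkey_algo, and pkey->pkey_algo, sig->encoding and sig->hash_algo all go into strcmp() without a NULL check. Reject NULL strings with an error before the comparisons and print the field that was actually tested. Separately, the result of mbedtls_pk_verify() is returned as is, so a failed verification hands the caller an MbedTLS error code while the parse failure path just above is mapped to -EINVAL; map the verification failure to an errno value as well (for example -EKEYREJECTED, already used in this function) so callers see one error space.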
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Sergei Antonov, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Oleksandr Suvorov
Subject: [PATCH v4 18/29] lib/crypto: Adapt public_key header with MbedTLS
Date: Tue, 2 Jul 2024 11:22:54 -0700
Message-Id: <20240702182325.2904421-19-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Previous patch has introduced MbedTLS porting layer for public key, here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
- Minor fix of the include directories.

include/crypto/public_key.h | 6 ++++++ lib/crypto/Makefile | 5 ++--- lib/crypto/asymmetric_type.c | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fcc348..25cfb68adce 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h
@@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #else #include #endif diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 16059088f26..228ae443a27 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,9 +7,8 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ - public_key_helper.o \ - public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY) += public_key.o # # RSA public key parser diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15ef97..95b82cd8e84 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include #include #endif -#include #ifdef __UBOOT__ #include #include 
@@ -26,6 +25,7 @@ #include #include #endif +#include #ifdef __UBOOT__ #include #else
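Review bot: the new guard in include/crypto/public_key.h uses CONFIG_IS_ENABLED(MBEDTLS_LIB_X509), which in an SPL build tests the SPL_ variant of the symbol, while lib/mbedtls/Makefile builds the objects on obj-$(CONFIG_MBEDTLS_LIB_X509) without the $(SPL_) prefix. If there is no SPL_MBEDTLS_LIB_X509 symbol, the MbedTLS headers are not pulled in for SPL even though the MbedTLS public_key.o can be built there. Use IS_ENABLED(CONFIG_MBEDTLS_LIB_X509) here, or add the SPL symbol and use $(SPL_) in the Makefile.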
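Review bot: in the lib/crypto/Makefile hunk, public_key.o moves under ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY while public_key_helper.o stays under ASYMMETRIC_PUBLIC_KEY_SUBTYPE, so a configuration that sets the base option but neither the _LEGACY nor the _MBEDTLS symbol builds the helper with no backend public_key.o behind it. Unless Kconfig already guarantees that one backend is always selected, make that explicit (a dependency on the base option, or a choice between the two backends) so the gap is caught at configuration time rather than as an undefined reference at link time.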
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Alper Nebi Yasak, Bin Meng, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Oleksandr Suvorov
Subject: [PATCH v4 19/29] mbedtls: add X509 cert parser porting layer
Date: Tue, 2 Jul 2024 11:22:55 -0700
Message-Id: <20240702182325.2904421-20-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Add porting layer for X509 cert parser on top of MbedTLS X509 library. Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy and MbedTLS implementations respectively.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy and MbedTLS implementations respectively.
- Move common functions to helper.

lib/mbedtls/Kconfig | 18 ++ lib/mbedtls/Makefile | 4 +- lib/mbedtls/x509_cert_parser.c | 446 +++++++++++++++++++++++++++++++++ 3 files changed, 467 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/x509_cert_parser.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 6f29b0c81a2..c62a556a39a 100644 --- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig @@ -124,6 +124,7 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -138,6 +139,14 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config X509_CERTIFICATE_PARSER_LEGACY + bool "X.509 certificate parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for X509 certificate + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY @@ -260,6 +269,7 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -273,6 +283,14 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config X509_CERTIFICATE_PARSER_MBEDTLS + bool "X.509 certificate parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for X509 certificate + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index f06d0704502..75d6a2cca07 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -24,6 +24,8 @@ hash_mbedtls-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o obj-$(CONFIG_MBEDTLS_LIB_X509) += x509_mbedtls.o x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ public_key.o +x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ + x509_cert_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o @@ -54,7 +56,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pk.o \ $(MBEDTLS_LIB_DIR)/pk_wrap.o \ $(MBEDTLS_LIB_DIR)/pkparse.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crl.o \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c new file mode 100644 index 00000000000..0323dea3152 --- /dev/null +++ b/lib/mbedtls/x509_cert_parser.c 
@@ -0,0 +1,446 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 cert parser using MbedTLS X509 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include + +static void x509_free_mbedtls_ctx(struct x509_cert_mbedtls_ctx *ctx) +{ + if (!ctx) + return; + + kfree(ctx->tbs); + kfree(ctx->raw_serial); + kfree(ctx->raw_issuer); + kfree(ctx->raw_subject); + kfree(ctx->raw_skid); + kfree(ctx); +} + +static int x509_set_cert_flags(struct x509_certificate *cert) +{ + struct public_key_signature *sig = cert->sig; + + if (!sig || !cert->pub) { + pr_err("Signature or public key is not initialized\n"); + return -ENOPKG; + } + + if (!cert->pub->pkey_algo) + cert->unsupported_key = true; + + if (!sig->pkey_algo) + cert->unsupported_sig = true; + + if (!sig->hash_algo) + cert->unsupported_sig = true; + + /* TODO: is_hash_blacklisted()? */ + + /* Detect self-signed certificates and set self_signed flag */ + return x509_check_for_self_signed(cert); +} + +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time) +{ + unsigned int year, mon, day, hour, min, sec; + + /* Adjust for year since 1900 */ + year = x509_time->year - 1900; + /* Adjust for 0-based month */ + mon = x509_time->mon - 1; + day = x509_time->day; + hour = x509_time->hour; + min = x509_time->min; + sec = x509_time->sec; + + return (time64_t)mktime64(year, mon, day, hour, min, sec); +} + +static char *x509_populate_dn_name_string(const mbedtls_x509_name *name) +{ + size_t len = 256; + size_t wb; + char *name_str; + + do { + name_str = kzalloc(len, GFP_KERNEL); + if (!name_str) + return NULL; + + wb = mbedtls_x509_dn_gets(name_str, len, name); + if (wb < 0) { + pr_err("Get DN string failed, ret:-0x%04x\n", + (unsigned int)-wb); + kfree(name_str); + len = len * 2; /* Try with a bigger buffer */ + } + } while (wb < 0); + + name_str[wb] = '\0'; /* add the terminator */ + + return name_str; +} + +static int x509_populate_signature_params(const mbedtls_x509_crt 
*cert, + struct public_key_signature **sig) +{ + struct public_key_signature *s; + struct image_region region; + size_t akid_len; + unsigned char *akid_data; + int ret; + + /* Check if signed data exist */ + if (!cert->tbs.p || !cert->tbs.len) + return -EINVAL; + + region.data = cert->tbs.p; + region.size = cert->tbs.len; + + s = kzalloc(sizeof(*s), GFP_KERNEL); + if (!s) + return -ENOMEM; + + /* + * Get the public key algorithm. + * Note: ECRDSA (Elliptic Curve RedDSA) from Red Hat is not supported by + * MbedTLS. + */ + switch (cert->sig_pk) { + case MBEDTLS_PK_RSA: + s->pkey_algo = "rsa"; + break; + default: + ret = -EINVAL; + goto error_sig; + } + + /* Get the hash algorithm */ + switch (cert->sig_md) { + case MBEDTLS_MD_SHA1: + s->hash_algo = "sha1"; + s->digest_size = SHA1_SUM_LEN; + break; + case MBEDTLS_MD_SHA256: + s->hash_algo = "sha256"; + s->digest_size = SHA256_SUM_LEN; + break; + case MBEDTLS_MD_SHA384: + s->hash_algo = "sha384"; + s->digest_size = SHA384_SUM_LEN; + break; + case MBEDTLS_MD_SHA512: + s->hash_algo = "sha512"; + s->digest_size = SHA512_SUM_LEN; + break; + /* Unsupported algo */ + case MBEDTLS_MD_MD5: + case MBEDTLS_MD_SHA224: + default: + ret = -EINVAL; + goto error_sig; + } + + /* + * Optional attributes: + * auth_ids holds AuthorityKeyIdentifier (information of issuer), + * aka akid, which is used to match with a cert's id or skid to + * indicate that is the issuer when we lookup a cert chain. + * + * auth_ids[0]: + * [PKCS#7 or CMS ver 1] - generated from "Issuer + Serial number" + * [CMS ver 3] - generated from skid (subjectKeyId) + * auth_ids[1]: generated from skid (subjectKeyId) + * + * Assume that we are using PKCS#7 (msg->version=1), + * not CMS ver 3 (msg->version=3). 
+ */ + akid_len = cert->authority_key_id.authorityCertSerialNumber.len; + akid_data = cert->authority_key_id.authorityCertSerialNumber.p; + + /* Check if serial number exists */ + if (akid_len && akid_data) { + s->auth_ids[0] = asymmetric_key_generate_id(akid_data, + akid_len, + cert->issuer_raw.p, + cert->issuer_raw.len); + if (!s->auth_ids[0]) { + ret = -ENOMEM; + goto error_sig; + } + } + + akid_len = cert->authority_key_id.keyIdentifier.len; + akid_data = cert->authority_key_id.keyIdentifier.p; + + /* Check if subjectKeyId exists */ + if (akid_len && akid_data) { + s->auth_ids[1] = asymmetric_key_generate_id(akid_data, + akid_len, + "", 0); + if (!s->auth_ids[1]) { + ret = -ENOMEM; + goto error_sig; + } + } + + /* + * Encoding can be pkcs1 or raw, but only pkcs1 is supported. + * Set the encoding explicitly to pkcs1. + */ + s->encoding = "pkcs1"; + + /* Copy the signature data */ + s->s = kmemdup(cert->sig.p, cert->sig.len, GFP_KERNEL); + if (!s->s) { + ret = -ENOMEM; + goto error_sig; + } + s->s_size = cert->sig.len; + + /* Calculate the digest of signed data (tbs) */ + s->digest = kzalloc(s->digest_size, GFP_KERNEL); + if (!s->digest) { + ret = -ENOMEM; + goto error_sig; + } + + ret = hash_calculate(s->hash_algo, ®ion, 1, s->digest); + if (!ret) + *sig = s; + + return ret; + +error_sig: + public_key_signature_free(s); + return ret; +} + +static int x509_save_mbedtls_ctx(const mbedtls_x509_crt *cert, + struct x509_cert_mbedtls_ctx **pctx) +{ + struct x509_cert_mbedtls_ctx *ctx; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return -ENOMEM; + + /* Signed data (tbs - The part that is To Be Signed)*/ + ctx->tbs = kmemdup(cert->tbs.p, cert->tbs.len, + GFP_KERNEL); + if (!ctx->tbs) + goto error_ctx; + + /* Raw serial number */ + ctx->raw_serial = kmemdup(cert->serial.p, + cert->serial.len, GFP_KERNEL); + if (!ctx->raw_serial) + goto error_ctx; + + /* Raw issuer */ + ctx->raw_issuer = kmemdup(cert->issuer_raw.p, + cert->issuer_raw.len, GFP_KERNEL); + if 
(!ctx->raw_issuer) + goto error_ctx; + + /* Raw subject */ + ctx->raw_subject = kmemdup(cert->subject_raw.p, + cert->subject_raw.len, GFP_KERNEL); + if (!ctx->raw_subject) + goto error_ctx; + + /* Raw subjectKeyId */ + ctx->raw_skid = kmemdup(cert->subject_key_id.p, + cert->subject_key_id.len, GFP_KERNEL); + if (!ctx->raw_skid) + goto error_ctx; + + *pctx = ctx; + + return 0; + +error_ctx: + x509_free_mbedtls_ctx(ctx); + return -ENOMEM; +} + +/* + * Free an X.509 certificate + */ +void x509_free_certificate(struct x509_certificate *cert) +{ + if (cert) { + public_key_free(cert->pub); + public_key_signature_free(cert->sig); + kfree(cert->issuer); + kfree(cert->subject); + kfree(cert->id); + kfree(cert->skid); + x509_free_mbedtls_ctx(cert->mbedtls_ctx); + kfree(cert); + } +} + +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key) +{ + struct public_key *pk; + + pk = kzalloc(sizeof(*pk), GFP_KERNEL); + if (!pk) + return -ENOMEM; + + pk->key = kzalloc(cert->pk_raw.len, GFP_KERNEL); + if (!pk->key) { + kfree(pk); + return -ENOMEM; + } + memcpy(pk->key, cert->pk_raw.p, cert->pk_raw.len); + pk->keylen = cert->pk_raw.len; + + /* + * For ECC keys, params field might include information about the curve used, + * the generator point, or other algorithm-specific parameters. + * For RSA keys, it's common for the params field to be NULL. + * FIXME: Assume that we just support RSA keys with id_type X509. 
+ */ + pk->params = NULL; + pk->paramlen = 0; + + pk->key_is_private = false; + pk->id_type = "X509"; + pk->pkey_algo = "rsa"; + pk->algo = OID_rsaEncryption; + + *pub_key = pk; + + return 0; +} + +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, + struct x509_certificate **pcert) +{ + struct x509_certificate *cert; + struct asymmetric_key_id *kid; + struct asymmetric_key_id *skid; + int ret; + + cert = kzalloc(sizeof(*cert), GFP_KERNEL); + if (!cert) + return -ENOMEM; + + /* Public key details */ + ret = x509_populate_pubkey(mbedtls_cert, &cert->pub); + if (ret) + goto error_cert_pop; + + /* Signature parameters */ + ret = x509_populate_signature_params(mbedtls_cert, &cert->sig); + if (ret) + goto error_cert_pop; + + ret = -ENOMEM; + + /* Name of certificate issuer */ + cert->issuer = x509_populate_dn_name_string(&mbedtls_cert->issuer); + if (!cert->issuer) + goto error_cert_pop; + + /* Name of certificate subject */ + cert->subject = x509_populate_dn_name_string(&mbedtls_cert->subject); + if (!cert->subject) + goto error_cert_pop; + + /* Certificate validity */ + cert->valid_from = x509_get_timestamp(&mbedtls_cert->valid_from); + cert->valid_to = x509_get_timestamp(&mbedtls_cert->valid_to); + + /* Save mbedtls context we need */ + ret = x509_save_mbedtls_ctx(mbedtls_cert, &cert->mbedtls_ctx); + if (ret) + goto error_cert_pop; + + /* Signed data (tbs - The part that is To Be Signed)*/ + cert->tbs = cert->mbedtls_ctx->tbs; + cert->tbs_size = mbedtls_cert->tbs.len; + + /* Raw serial number */ + cert->raw_serial = cert->mbedtls_ctx->raw_serial; + cert->raw_serial_size = mbedtls_cert->serial.len; + + /* Raw issuer */ + cert->raw_issuer = cert->mbedtls_ctx->raw_issuer; + cert->raw_issuer_size = mbedtls_cert->issuer_raw.len; + + /* Raw subject */ + cert->raw_subject = cert->mbedtls_ctx->raw_subject; + cert->raw_subject_size = mbedtls_cert->subject_raw.len; + + /* Raw subjectKeyId */ + cert->raw_skid = cert->mbedtls_ctx->raw_skid; + cert->raw_skid_size = 
mbedtls_cert->subject_key_id.len; + + /* Generate cert issuer + serial number key ID */ + kid = asymmetric_key_generate_id(cert->raw_serial, + cert->raw_serial_size, + cert->raw_issuer, + cert->raw_issuer_size); + if (IS_ERR(kid)) { + ret = PTR_ERR(kid); + goto error_cert_pop; + } + cert->id = kid; + + /* Generate subject + subjectKeyId */ + skid = asymmetric_key_generate_id(cert->raw_skid, cert->raw_skid_size, "", 0); + if (IS_ERR(skid)) { + ret = PTR_ERR(skid); + goto error_cert_pop; + } + cert->skid = skid; + + /* + * Set the certificate flags: + * self_signed, unsupported_key, unsupported_sig, blacklisted + */ + ret = x509_set_cert_flags(cert); + if (!ret) { + *pcert = cert; + return 0; + } + +error_cert_pop: + x509_free_certificate(cert); + return ret; +} + +struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) +{ + mbedtls_x509_crt mbedtls_cert; + struct x509_certificate *cert = NULL; + long ret; + + /* Parse DER encoded certificate */ + mbedtls_x509_crt_init(&mbedtls_cert); + ret = mbedtls_x509_crt_parse_der(&mbedtls_cert, data, datalen); + if (ret) + goto clean_up_ctx; + + /* Populate x509_certificate from mbedtls_x509_crt */ + ret = x509_populate_cert(&mbedtls_cert, &cert); + if (ret) + goto clean_up_ctx; + +clean_up_ctx: + mbedtls_x509_crt_free(&mbedtls_cert); + if (!ret) + return cert; + + return ERR_PTR(ret); +}
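Review bot: In the lib/mbedtls/Makefile hunk, the new x509_mbedtls line is keyed on CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS, but the Kconfig hunks in this patch add only X509_CERTIFICATE_PARSER_MBEDTLS and no SPL_ counterpart, so in an SPL build the expression expands to a symbol this patch never defines and x509_cert_parser.o is not selected. The same applies to the mbedtls_lib_x509 line that was switched from X509_CERTIFICATE_PARSER to X509_CERTIFICATE_PARSER_MBEDTLS. Please either add the SPL_ symbols next to the existing SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS entry or state in the commit message that the parser is intentionally not available in SPL.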
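Review bot: In x509_populate_dn_name_string() (lib/mbedtls/x509_cert_parser.c), wb is declared size_t, so both "wb < 0" tests are always false: when mbedtls_x509_dn_gets(), which returns int, reports an error, the retry with a bigger buffer never runs and name_str[wb] = '\0' writes far outside the 256-byte allocation. Declare wb as int, retry only on MBEDTLS_ERR_X509_BUFFER_TOO_SMALL, and return NULL on any other error instead of doubling the buffer. Two further points in the same file: x509_populate_signature_params() tests the result of asymmetric_key_generate_id() with "!s->auth_ids[0]" while x509_populate_cert() tests the same function with IS_ERR(), so one of the two checks is wrong and an error pointer can end up stored in auth_ids and later handed to public_key_signature_free(); and x509_cert_parse() passes the MbedTLS return value of mbedtls_x509_crt_parse_der() straight to ERR_PTR(), where a code outside the errno range is not recognised by IS_ERR() in the caller, so translate it to an errno such as -EINVAL before returning.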
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Sergei Antonov, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Oleksandr Suvorov
Subject: [PATCH v4 20/29] lib/crypto: Adapt x509_cert_parser to MbedTLS
Date: Tue, 2 Jul 2024 11:22:56 -0700
Message-Id: <20240702182325.2904421-21-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Previous patch has introduced MbedTLS porting layer for x509 cert parser, here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. - Add function comments for the new APIs. - Update the dependence of ASYMMETRIC_KEY_TYPE. - Minor fix of the include directories. include/crypto/x509_parser.h | 56 ++++++++++++++++++++++++++++++++++++ lib/crypto/Kconfig | 2 +- lib/crypto/Makefile | 4 +-- lib/crypto/x509_public_key.c | 2 ++ 4 files changed, 61 insertions(+), 3 deletions(-) diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h index 4cbdc1d6612..3f917da5430 100644 --- a/include/crypto/x509_parser.h +++ b/include/crypto/x509_parser.h @@ -11,8 +11,36 @@ #include #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#endif +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +/* Backup of part of the parsing context */ +struct x509_cert_mbedtls_ctx { + void *tbs; /* Signed data */ + void *raw_serial; /* Raw serial number in ASN.1 */ + void *raw_issuer; /* Raw issuer name in ASN.1 */ + void *raw_subject; /* Raw subject name in ASN.1 */ + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ +}; +#endif + +/* + * MbedTLS integration Notes: + * + * Fields we don't need to populate from MbedTLS: + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, + * not needed for MbedTLS. + * 'signer' and 'seen' are used internally by pkcs7_verify. + * 'verified' is not inuse. + */ struct x509_certificate { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct x509_cert_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *next; struct x509_certificate *signer; /* Certificate that signed this one */ struct public_key *pub; /* Public key details */ 
@@ -48,6 +76,32 @@ struct x509_certificate { * x509_cert_parser.c */ extern void x509_free_certificate(struct x509_certificate *cert); +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +/** + * x509_populate_pubkey() - Populate public key from MbedTLS context + * + * @cert: Pointer to MbedTLS X509 cert + * @pub_key: Pointer to the populated public key handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key); +/** + * x509_populate_cert() - Populate X509 cert from MbedTLS context + * + * @mbedtls_cert: Pointer to MbedTLS X509 cert + * @pcert: Pointer to the populated X509 cert handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, + struct x509_certificate **pcert); +/** + * x509_get_timestamp() - Translate timestamp from MbedTLS context + * + * @x509_time: Pointer to MbedTLS time + * Return: Time in time64_t format + */ +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time); +#endif extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); extern int x509_decode_time(time64_t *_t, size_t hdrlen, unsigned char tag, @@ -56,6 +110,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, /* * x509_public_key.c */ +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) extern int x509_get_sig_params(struct x509_certificate *cert); +#endif extern int x509_check_for_self_signed(struct x509_certificate *cert); #endif /* _X509_PARSER_H */ diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 6e0656ad1c5..6106190677e 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -1,6 +1,6 @@ menuconfig ASYMMETRIC_KEY_TYPE bool "Asymmetric (public-key cryptographic) key Support" - depends on FIT_SIGNATURE + depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509 help This option provides support for a key type that holds the data for the asymmetric keys used for public key cryptographic operations such 
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 228ae443a27..7f5f04d582c 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -32,11 +32,11 @@ endif # X.509 Certificate handling # obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o -x509_key_parser-y := \ +x509_key_parser-y := x509_helper.o +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ - x509_helper.o \ x509_public_key.o $(obj)/x509_cert_parser.o: \ diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index 4ba13c1adc3..310edbd21be 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c 
@@ -30,6 +30,8 @@ #include "x509_parser.h" #endif +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + /* * Set up the signature parameters in an X.509 certificate. This involves * digesting the signed data and extracting the signature.
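Review bot: In the first include/crypto/x509_parser.h hunk, struct x509_cert_mbedtls_ctx is documented only as "Backup of part of the parsing context", but the porting layer in the previous patch points cert->tbs, raw_serial, raw_issuer, raw_subject and raw_skid at these same buffers and frees them once through mbedtls_ctx in x509_free_certificate(). Please state above the struct that mbedtls_ctx owns the buffers and that the matching x509_certificate fields are aliases that must not be freed on their own, so a later kfree(cert->tbs) does not turn into a double free. In the integration notes, "inuse" should read "in use".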
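Review bot: In the second include/crypto/x509_parser.h hunk, x509_populate_pubkey() and x509_populate_cert() take a non-const mbedtls_x509_crt pointer although the implementation in the previous patch only reads from it; making the parameter const, as x509_get_timestamp() already does for its argument, documents that the MbedTLS context is not modified. The kernel-doc should also say that *pub_key and *pcert are allocated by the callee and who frees them, and "succcess" is misspelled in both Return lines.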
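Review bot: In the lib/crypto/Kconfig hunk, replacing "depends on FIT_SIGNATURE" with "depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509" removes the FIT_SIGNATURE dependency of ASYMMETRIC_KEY_TYPE altogether, while the commit message only speaks of adjusting the header and makefiles. Please explain in the commit message why the dependency can go, since the note under the "---" line does not end up in the history.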
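Review bot: The lib/crypto/x509_public_key.c hunk opens "#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)" in front of the signature-parameter code, but the diffstat counts only two added lines for this file and both are in this hunk, so the matching #endif is not added by this patch. Please say where the closing #endif comes from or add it here, with a trailing comment naming the condition, so the file is balanced at this commit. The guard also tests MBEDTLS_LIB_X509 while the lib/crypto/Makefile hunk builds x509_public_key.o only under X509_CERTIFICATE_PARSER_LEGACY; using one symbol for both decisions would make it clear which configurations compile x509_get_sig_params().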
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Sergei Antonov, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Manorit Chawdhry, Oleksandr Suvorov
Subject: [PATCH v4 21/29] mbedtls: add PKCS7 parser porting layer
Date: Tue, 2 Jul 2024 11:22:57 -0700
Message-Id: <20240702182325.2904421-22-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library.
Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and MbedTLS implementations respectively.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
- Fix EFI Capsule CI test failures.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and MbedTLS implementations respectively.
- Move common functions to helper.
- Fix an unnecessary pointer casting.

lib/mbedtls/Kconfig | 18 ++
lib/mbedtls/Makefile | 3 +-
lib/mbedtls/pkcs7_parser.c | 506 +++++++++++++++++++++++++++++++++++++
3 files changed, 526 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/pkcs7_parser.c

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index c62a556a39a..8c5b617bb48 100644
--- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -125,6 +125,7 @@ config LEGACY_CRYPTO_CERT select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -147,6 +148,14 @@ config X509_CERTIFICATE_PARSER_LEGACY This option chooses legacy certificate library for X509 certificate parser. +config PKCS7_MESSAGE_PARSER_LEGACY + bool "PKCS#7 message parser with legacy certificate library" + depends on X509_CERTIFICATE_PARSER_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for PKCS7 message + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY @@ -270,6 +279,7 @@ config MBEDTLS_LIB_X509 select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -291,6 +301,14 @@ config X509_CERTIFICATE_PARSER_MBEDTLS This option chooses MbedTLS certificate library for X509 certificate parser. +config PKCS7_MESSAGE_PARSER_MBEDTLS + bool "PKCS#7 message parser with MbedTLS certificate library" + depends on X509_CERTIFICATE_PARSER_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for PKCS7 message + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 75d6a2cca07..7b40ff0c467 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -26,6 +26,7 @@ x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ public_key.o x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o +x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o @@ -59,5 +60,5 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crl.o \ $(MBEDTLS_LIB_DIR)/x509_crt.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c new file mode 100644 index 00000000000..69ca784858e --- /dev/null +++ b/lib/mbedtls/pkcs7_parser.c 
@@ -0,0 +1,506 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * PKCS#7 parser using MbedTLS PKCS#7 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include +#include + +static void pkcs7_free_mbedtls_ctx(struct pkcs7_mbedtls_ctx *ctx) +{ + if (ctx) { + kfree(ctx->content_data); + kfree(ctx); + } +} + +static void pkcs7_free_sinfo_mbedtls_ctx(struct pkcs7_sinfo_mbedtls_ctx *ctx) +{ + if (ctx) { + kfree(ctx->authattrs_data); + kfree(ctx->content_data_digest); + kfree(ctx); + } +} + +/* + * Parse Authenticate Attributes + * TODO: Shall we consider to integrate decoding of authenticate attribute into + * MbedTLS library? + * + * There are two kinds of structure for the Authenticate Attributes being used + * in U-Boot. + * + * Type 1 - contains in a PE/COFF EFI image: + * + * [C.P.0] { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType) + * U.P.SET { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.4 (OID_msIndirectData) + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.5 (OID_signingTime) + * U.P.SET { + * U.P.UTCTime '' + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.4 (OID_messageDigest) + * U.P.SET { + * U.P.OCTETSTRING + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.15 (OID_smimeCapabilites) + * U.P.SET { + * U.P.SEQUENCE { + * <...> + * } + * } + * } + * } + * + * Type 2 - contains in an EFI Capsule: + * + * [C.P.0] { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType) + * U.P.SET { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.7.1 (OID_data) + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.5 (OID_signingTime) + * U.P.SET { + * U.P.UTCTime '' + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.4 (OID_messageDigest) + * U.P.SET { + * U.P.OCTETSTRING + * } + * } + *} + * + * Note: + * They have different Content Type 
(OID_msIndirectData or OID_data). + * OID_smimeCapabilites only exists in a PE/COFF EFI image. + */ +static int authattrs_parse(struct pkcs7_message *msg, void *aa, size_t aa_len, + struct pkcs7_signed_info *sinfo) +{ + unsigned char *p = aa; + unsigned char *end = (unsigned char *)aa + aa_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED); + if (ret) + return ret; + + while (!mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)) { + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_CONTENTTYPE, inner_p, len)) { + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* + * We should only support 1.2.840.113549.1.7.1 (OID_data) + * for PKCS7 DATA that is used in EFI Capsule and + * 1.3.6.1.4.1.311.2.1.4 (OID_msIndirectData) for + * MicroSoft Authentication Code that is used in EFI + * Secure Boot. 
+ */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, + inner_p, len) && + MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, + inner_p, len)) + return -EINVAL; + + if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_MESSAGEDIGEST, inner_p, + len)) { + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + sinfo->msgdigest = inner_p; + sinfo->msgdigest_len = len; + + if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_SIGNINGTIME, inner_p, + len)) { + mbedtls_x509_time st; + + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_x509_get_time(&inner_p, p + seq_len, &st); + if (ret) + return ret; + sinfo->signing_time = x509_get_timestamp(&st); + + if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_SMIMECAP, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set)) + return -EINVAL; + + if (msg->data_type != OID_msIndirectData && + msg->data_type != OID_data) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_SPOPUSINFO, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_STATETYPE, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set)) + return -EINVAL; + } + + p += seq_len; + } + + if (ret && ret != MBEDTLS_ERR_ASN1_OUT_OF_DATA) + return ret; + + msg->have_authattrs = true; + + /* + * Skip the leading tag 
byte (MBEDTLS_ASN1_CONTEXT_SPECIFIC | + * MBEDTLS_ASN1_CONSTRUCTED) to satisfy pkcs7_digest() when calculating + * the digest of authattrs. + */ + sinfo->authattrs = aa + 1; + sinfo->authattrs_len = aa_len - 1; + + return 0; +} + +static int x509_populate_content_data(struct pkcs7_message *msg, + mbedtls_pkcs7 *pkcs7_ctx) +{ + struct pkcs7_mbedtls_ctx *mctx; + + if (!pkcs7_ctx->content_data.data || + !pkcs7_ctx->content_data.data_len) + return 0; + + mctx = kzalloc(sizeof(*mctx), GFP_KERNEL); + if (!mctx) + return -ENOMEM; + + mctx->content_data = kmemdup(pkcs7_ctx->content_data.data, + pkcs7_ctx->content_data.data_len, + GFP_KERNEL); + if (!mctx->content_data) { + pkcs7_free_mbedtls_ctx(mctx); + return -ENOMEM; + } + + msg->data = mctx->content_data; + msg->data_len = pkcs7_ctx->content_data.data_len; + msg->data_hdrlen = pkcs7_ctx->content_data.data_hdrlen; + msg->data_type = pkcs7_ctx->content_data.data_type; + + msg->mbedtls_ctx = mctx; + return 0; +} + +static int x509_populate_sinfo(struct pkcs7_message *msg, + mbedtls_pkcs7_signer_info *mb_sinfo, + struct pkcs7_signed_info **sinfo) +{ + struct pkcs7_signed_info *signed_info; + struct public_key_signature *s; + mbedtls_md_type_t md_alg; + struct pkcs7_sinfo_mbedtls_ctx *mctx; + int ret; + + signed_info = kzalloc(sizeof(*signed_info), GFP_KERNEL); + if (!signed_info) + return -ENOMEM; + + s = kzalloc(sizeof(*s), GFP_KERNEL); + if (!s) { + ret = -ENOMEM; + goto out_no_sig; + } + + mctx = kzalloc(sizeof(*mctx), GFP_KERNEL); + if (!mctx) { + ret = -ENOMEM; + goto out_no_mctx; + } + + /* + * Hash algorithm: + * + * alg_identifier = digestAlgorithm (DigestAlgorithmIdentifier) + * MbedTLS internally checks this field to ensure + * it is the same as digest_alg_identifiers. + * sig_alg_identifier = digestEncryptionAlgorithm + * (DigestEncryptionAlgorithmIdentifier) + * MbedTLS just saves this field without any actions. + * See function pkcs7_get_signer_info() for reference. 
+ * + * Public key algorithm: + * No information related to public key algorithm under MbedTLS signer + * info. Assume that we are using RSA. + */ + ret = mbedtls_oid_get_md_alg(&mb_sinfo->alg_identifier, &md_alg); + if (ret) + goto out_err_sinfo; + s->pkey_algo = "rsa"; + + /* Translate the hash algorithm */ + switch (md_alg) { + case MBEDTLS_MD_SHA1: + s->hash_algo = "sha1"; + s->digest_size = SHA1_SUM_LEN; + break; + case MBEDTLS_MD_SHA256: + s->hash_algo = "sha256"; + s->digest_size = SHA256_SUM_LEN; + break; + case MBEDTLS_MD_SHA384: + s->hash_algo = "sha384"; + s->digest_size = SHA384_SUM_LEN; + break; + case MBEDTLS_MD_SHA512: + s->hash_algo = "sha512"; + s->digest_size = SHA512_SUM_LEN; + break; + /* Unsupported algo */ + case MBEDTLS_MD_MD5: + case MBEDTLS_MD_SHA224: + default: + ret = -EINVAL; + goto out_err_sinfo; + } + + /* + * auth_ids holds AuthorityKeyIdentifier, aka akid + * auth_ids[0]: + * [PKCS#7 or CMS ver 1] - generated from "Issuer + Serial number" + * [CMS ver 3] - generated from skid (subjectKeyId) + * auth_ids[1]: generated from skid (subjectKeyId) + * + * Assume that we are using PKCS#7 (msg->version=1), + * not CMS ver 3 (msg->version=3). + */ + s->auth_ids[0] = asymmetric_key_generate_id(mb_sinfo->serial.p, + mb_sinfo->serial.len, + mb_sinfo->issuer_raw.p, + mb_sinfo->issuer_raw.len); + if (!s->auth_ids[0]) { + ret = -ENOMEM; + goto out_err_sinfo; + } + + /* skip s->auth_ids[1], no subjectKeyId in MbedTLS signer info ctx */ + + /* + * Encoding can be pkcs1 or raw, but only pkcs1 is supported. + * Set the encoding explicitly to pkcs1. 
+ */ + s->encoding = "pkcs1"; + + /* Copy the signature data */ + s->s = kmemdup(mb_sinfo->sig.p, mb_sinfo->sig.len, GFP_KERNEL); + if (!s->s) { + ret = -ENOMEM; + goto out_err_sinfo; + } + s->s_size = mb_sinfo->sig.len; + signed_info->sig = s; + + /* Save the Authenticate Attributes data if exists */ + if (!mb_sinfo->authattrs.data || !mb_sinfo->authattrs.data_len) + goto no_authattrs; + + mctx->authattrs_data = kmemdup(mb_sinfo->authattrs.data, + mb_sinfo->authattrs.data_len, + GFP_KERNEL); + if (!mctx->authattrs_data) { + ret = -ENOMEM; + goto out_err_sinfo; + } + signed_info->mbedtls_ctx = mctx; + + /* If authattrs exists, decode it and parse msgdigest from it */ + ret = authattrs_parse(msg, mctx->authattrs_data, + mb_sinfo->authattrs.data_len, + signed_info); + if (ret) + goto out_err_sinfo; + +no_authattrs: + *sinfo = signed_info; + return 0; + +out_err_sinfo: + pkcs7_free_sinfo_mbedtls_ctx(mctx); +out_no_mctx: + public_key_signature_free(s); +out_no_sig: + kfree(signed_info); + return ret; +} + +/* + * Free a signed information block. 
+ */ +static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo) +{ + if (sinfo) { + public_key_signature_free(sinfo->sig); + pkcs7_free_sinfo_mbedtls_ctx(sinfo->mbedtls_ctx); + kfree(sinfo); + } +} + +/** + * pkcs7_free_message - Free a PKCS#7 message + * @pkcs7: The PKCS#7 message to free + */ +void pkcs7_free_message(struct pkcs7_message *pkcs7) +{ + struct x509_certificate *cert; + struct pkcs7_signed_info *sinfo; + + if (pkcs7) { + while (pkcs7->certs) { + cert = pkcs7->certs; + pkcs7->certs = cert->next; + x509_free_certificate(cert); + } + while (pkcs7->crl) { + cert = pkcs7->crl; + pkcs7->crl = cert->next; + x509_free_certificate(cert); + } + while (pkcs7->signed_infos) { + sinfo = pkcs7->signed_infos; + pkcs7->signed_infos = sinfo->next; + pkcs7_free_signed_info(sinfo); + } + pkcs7_free_mbedtls_ctx(pkcs7->mbedtls_ctx); + kfree(pkcs7); + } +} + +struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen) +{ + int i; + int ret; + mbedtls_pkcs7 pkcs7_ctx; + mbedtls_pkcs7_signer_info *mb_sinfos; + mbedtls_x509_crt *mb_certs; + struct pkcs7_message *msg; + struct x509_certificate **cert; + struct pkcs7_signed_info **sinfos; + + msg = kzalloc(sizeof(*msg), GFP_KERNEL); + if (!msg) { + ret = -ENOMEM; + goto out_no_msg; + } + + /* Parse the DER encoded PKCS#7 message using MbedTLS */ + mbedtls_pkcs7_init(&pkcs7_ctx); + ret = mbedtls_pkcs7_parse_der(&pkcs7_ctx, data, datalen); + /* Check if it is a PKCS#7 message with signed data */ + if (ret != MBEDTLS_PKCS7_SIGNED_DATA) + goto parse_fail; + + /* Assume that we are using PKCS#7, not CMS ver 3 */ + msg->version = 1; /* 1 for [PKCS#7 or CMS ver 1] */ + + /* Populate the certs to msg->certs */ + for (i = 0, cert = &msg->certs, mb_certs = &pkcs7_ctx.signed_data.certs; + i < pkcs7_ctx.signed_data.no_of_certs && mb_certs; + i++, cert = &(*cert)->next, mb_certs = mb_certs->next) { + ret = x509_populate_cert(mb_certs, cert); + if (ret) + goto parse_fail; + + (*cert)->index = i + 1; + } + + /* + * 
Skip populating crl, that is not currently in-use. + */ + + /* Populate content data */ + ret = x509_populate_content_data(msg, &pkcs7_ctx); + if (ret) + goto parse_fail; + + /* Populate signed info to msg->signed_infos */ + for (i = 0, sinfos = &msg->signed_infos, + mb_sinfos = &pkcs7_ctx.signed_data.signers; + i < pkcs7_ctx.signed_data.no_of_signers && mb_sinfos; + i++, sinfos = &(*sinfos)->next, mb_sinfos = mb_sinfos->next) { + ret = x509_populate_sinfo(msg, mb_sinfos, sinfos); + if (ret) + goto parse_fail; + + (*sinfos)->index = i + 1; + } + + mbedtls_pkcs7_free(&pkcs7_ctx); + return msg; + +parse_fail: + mbedtls_pkcs7_free(&pkcs7_ctx); + pkcs7_free_message(msg); +out_no_msg: + msg = ERR_PTR(ret); + return msg; +} From patchwork Tue Jul 2 18:22:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955571 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=dSYU4BiT; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBNX64Y5z1xqb for ; Wed, 3 Jul 2024 04:32:44 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 826FE887E3; Tue, 2 Jul 2024 20:32:42 +0200 (CEST) Authentication-Results: 
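Review bot: in authattrs_parse(), the result of the mbedtls_asn1_get_tag() call in the while condition is never stored, so ret is always 0 when the loop exits and the following 'if (ret && ret != MBEDTLS_ERR_ASN1_OUT_OF_DATA)' check can never fire; an unexpected tag or a bad length after the last attribute ends the loop and the function still returns 0. Assign the call's result to ret in the loop condition so that only MBEDTLS_ERR_ASN1_OUT_OF_DATA counts as a clean end, and consider checking that sinfo_has_content_type and sinfo_has_message_digest are both set before 'msg->have_authattrs = true'. In x509_populate_sinfo(), mctx is stored in signed_info->mbedtls_ctx only after the authattrs kmemdup(), so the 'goto no_authattrs' path returns 0 with mctx neither attached nor freed; attach it right after allocation, or allocate it only when authattrs are present. In pkcs7_parse_message(), ret at parse_fail can be an MbedTLS return value rather than an errno and goes straight into ERR_PTR(); translating it to an errno first keeps IS_ERR() checks in callers reliable.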
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Ilias Apalodimas , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Ilya Lukin <4.shket@gmail.com>, Sergei Antonov , Igor Opaniuk , Heinrich Schuchardt , Bin Meng , Alper Nebi Yasak , Abdellatif El Khlifi , AKASHI Takahiro , Alexander Gendin , =?utf-8?q?Vincent_Stehl=C3=A9?= , Oleksandr Suvorov Subject: [PATCH v4 22/29] lib/crypto: Adapt PKCS7 parser to MbedTLS Date: Tue, 2 Jul 2024 11:22:58 -0700 Message-Id: <20240702182325.2904421-23-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Previous patch has introduced MbedTLS porting layer for PKCS7 parser, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. - Minor fix of the include directories. include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++ lib/crypto/Makefile | 7 +++-- 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 2c45cce5234..469c2711fa6 100644 --- a/include/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h 
@@ -11,6 +11,12 @@ #include #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #include #define kenter(FMT, ...) \ 
@@ -18,7 +24,54 @@ #define kleave(FMT, ...) \ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) +/* Backup the parsed MedTLS context that we need */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +struct pkcs7_mbedtls_ctx { + void *content_data; +}; + +struct pkcs7_sinfo_mbedtls_ctx { + void *authattrs_data; + void *content_data_digest; +}; +#endif + +/* + * MbedTLS integration Notes: + * + * MbedTLS PKCS#7 library does not originally support parsing MicroSoft + * Authentication Code which is used for verifying the PE image digest. + * + * 1. Authenticated Attributes (authenticatedAttributes) + * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes + * fields not exist. + * See MbedTLS function 'pkcs7_get_signer_info' for details. + * + * 2. MicroSoft Authentication Code (mscode) + * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1 + * (MBEDTLS_OID_PKCS7_DATA, aka OID_data). + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka + * OID_msIndirectData) is not supported. + * See MbedTLS function 'pkcs7_get_content_info_type' for details. + * + * But the EFI loader assumes that a PKCS#7 message with an EFI image always + * contains MicroSoft Authentication Code as Content Data (msg->data is NOT + * NULL), see function 'efi_signature_verify'. + * + * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch" + * is to support both above features by parsing the Content Data and + * Authenticate Attributes from a given PKCS#7 message. + * + * Other fields we don't need to populate from MbedTLS, which are used + * internally by pkcs7_verify: + * 'signer', 'unsupported_crypto', 'blacklisted' + * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of + * Content Data or Authenticate Attributes. 
+ */ struct pkcs7_signed_info { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx; +#endif struct pkcs7_signed_info *next; struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ unsigned index; @@ -55,6 +108,9 @@ struct pkcs7_signed_info { }; struct pkcs7_message { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *certs; /* Certificate list */ struct x509_certificate *crl; /* Revocation list */ struct pkcs7_signed_info *signed_infos; diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 7f5f04d582c..428dcba0a6b 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile 
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h # PKCS#7 message handling # obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o -pkcs7_message-y := \ +pkcs7_message-y := pkcs7_helper.o +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ pkcs7.asn1.o \ - pkcs7_helper.o \ pkcs7_parser.o -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h +obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o + # # Signed PE binary-wrapped key handling # From patchwork Tue Jul 2 18:22:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955572 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=T/FW/9sy; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBNy5zRMz1xqb for ; Wed, 3 Jul 2024 04:33:06 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 5AAEF88651; Tue, 2 Jul 2024 20:33:04 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org 
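Review bot: struct pkcs7_mbedtls_ctx, struct pkcs7_sinfo_mbedtls_ctx and the mbedtls_ctx members are only introduced by this header change, yet lib/mbedtls/pkcs7_parser.c added by the previous patch already uses them, so that commit looks unbuildable on its own when PKCS7_MESSAGE_PARSER_MBEDTLS is enabled; fold these definitions into the patch that adds the parser, or put this patch first, to keep the series bisectable. In the comment above the structs, 'MedTLS' should read 'MbedTLS', and content_data_digest is freed in pkcs7_free_sinfo_mbedtls_ctx() but never assigned in the parser shown, so either drop it or document who sets it.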
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Ilias Apalodimas , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Sergei Antonov , Igor Opaniuk , Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt , Bin Meng , Alper Nebi Yasak , Abdellatif El Khlifi , AKASHI Takahiro , Alexander Gendin , Eddie James , Oleksandr Suvorov Subject: [PATCH v4 23/29] mbedtls: add MSCode parser porting layer Date: Tue, 2 Jul 2024 11:22:59 -0700 Message-Id: <20240702182325.2904421-24-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Add porting layer for MSCode on top of MbedTLS ASN1 library. Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and MbedTLS implementations respectively. - Fix a few code style. lib/mbedtls/Kconfig | 17 +++++ lib/mbedtls/Makefile | 1 + lib/mbedtls/mscode_parser.c | 123 ++++++++++++++++++++++++++++++++++++ 3 files changed, 141 insertions(+) create mode 100644 lib/mbedtls/mscode_parser.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 8c5b617bb48..d8a8f87e031 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig 
@@ -126,6 +126,7 @@ config LEGACY_CRYPTO_CERT ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -156,6 +157,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY This option chooses legacy certificate library for PKCS7 message parser. +config MSCODE_PARSER_LEGACY + bool "MS authenticode parser with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY @@ -280,6 +289,7 @@ config MBEDTLS_LIB_X509 ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL help @@ -309,6 +319,13 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS This option chooses MbedTLS certificate library for PKCS7 message parser. +config MSCODE_PARSER_MBEDTLS + bool "MS authenticode parser with MbedTLS certificate library" + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 7b40ff0c467..ac7c487449d 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -27,6 +27,7 @@ x509_mbedtls-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS) += \ x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o +x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c new file mode 100644 index 00000000000..c3805c6503c --- /dev/null +++ b/lib/mbedtls/mscode_parser.c 
@@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * MSCode parser using MbedTLS ASN1 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include + +/* + * Parse a Microsoft Individual Code Signing blob + * + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID) + * U.P.SEQUENCE { + * U.P.BITSTRING NaN : 0 unused bit(s); + * [C.P.0] { + * [C.P.2] { + * [C.P.0] + * } + * } + * } + * } + * U.P.SEQUENCE { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER + * U.P.NULL + * } + * U.P.OCTETSTRING + * } + * + * @ctx: PE file context. + * @content_data: content data pointer. + * @data_len: content data length. + * @asn1hdrlen: ASN1 header length. + */ +int mscode_parse(void *ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen) +{ + struct pefile_context *_ctx = ctx; + unsigned char *p = (unsigned char *)content_data; + unsigned char *end = (unsigned char *)content_data + data_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, + len)) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + + /* + * Check if the inner sequence contains a supported hash + * algorithm OID + */ + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + 
return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len)) + _ctx->digest_algo = "md5"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, + len)) + _ctx->digest_algo = "sha1"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, + len)) + _ctx->digest_algo = "sha224"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, + len)) + _ctx->digest_algo = "sha256"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, + len)) + _ctx->digest_algo = "sha384"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, + len)) + _ctx->digest_algo = "sha512"; + + if (!_ctx->digest_algo) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + _ctx->digest = p; + _ctx->digest_len = len; + + return 0; +} From patchwork Tue Jul 2 18:23:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955573 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=efJ9+Xeg; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4WDBPN1nNqz1xqb for ; Wed, 
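Review bot: in lib/mbedtls/Kconfig, MSCODE_PARSER_MBEDTLS is a prompted bool with no 'depends on', whereas MSCODE_PARSER_LEGACY added in the same patch depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER; add the matching 'depends on MBEDTLS_LIB_X509 && MSCODE_PARSER' so the option cannot be enabled without the library that mscode_parser.c is built against.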
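Review bot: in mscode_parse(), an unrecognised digest OID is only caught by 'if (!_ctx->digest_algo)', which works only when the caller passes in a context whose digest_algo is already NULL; end the if/else-if chain with an explicit 'else return -EINVAL;' so the result does not depend on the caller's initialisation. The chain also accepts md5 and sha224, which x509_populate_sinfo() in this series rejects as unsupported, so state whether that difference is intended. The asn1hdrlen parameter is documented but never used in the body; mark it unused or say in the comment that it is kept for interface compatibility.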
3 Jul 2024 04:33:28 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id CF185887E3; Tue, 2 Jul 2024 20:33:25 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="efJ9+Xeg"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 6DE6A887EB; Tue, 2 Jul 2024 20:33:24 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 4ACDC87D74 for ; Tue, 2 Jul 2024 20:33:22 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=raymond.mao@linaro.org Received: by mail-qt1-x82d.google.com with SMTP id d75a77b69052e-4464b843e37so22796971cf.0 for ; Tue, 02 Jul 2024 11:33:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1719945201; x=1720550001; darn=lists.denx.de; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=27tw/fHfcKg1GSDpQTqme+GGGSVk/OfU2XJenDJbcVs=; b=efJ9+XeghwnktBqFlYhZVxh/EapNO9d6gIdITDB7y4/V1d7LCwKgZXVk5LeW59CNZ8 zDRdZmV2pIdh1NkpmPOgiFb0xjMBNiiR6H3K1w4JbMwwS8XM8xUPOiJZ6erVoZ2eQpH5 
LsU+1lOSycvph9Yh4Vw25Goplq+GuZ5MegjdThGy5kLYt+isaY+7MHoBRY6Mffr/82tM xwCKWokvGYvynrjk771b/02XJV3rD0H6yG4CtfPx/CHl04v1OcwgUF9N4DBJZ3sn6gyT qJqViPhnKAjxfp0XXOpWfmRBawY52lqOuZrXLnNpbZKZTZZIPdSj47JR8y9uAptdU5hX OyOA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719945201; x=1720550001; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=27tw/fHfcKg1GSDpQTqme+GGGSVk/OfU2XJenDJbcVs=; b=mAERKLweLphciw4xX8o5XOEidb7yGnGNsyVRUfL6tiNVjoOzPaH9B0hQGFRNR9fyUD FQNNMYc9QoLDOIyxR9kc/o9x/UcsY+DKm7oJLRAAD2F5ecgzZXiD5OiaiHconD2d2u6v vXKi2AjGVeYICUf1mp26rRJyYOdTYIRaG631Ci98rdISDrr3JwwwM7L5PFxjb1nQPaNS Pkk1Opa0KkSRTAbnzhd5/7bYcvoSJ7hPncNZ39J6DvNds7gh2YwHxrmQkDwNbljieViT 5XlvOehP4JN8x5ywep1dia3PKhY76XRW2FdHgf+vPxI1RJU3vAnV57iw5B3o1unbeC1B jubg== X-Gm-Message-State: AOJu0YzydiYyhSjix3uQb1GqOxF5NKn0TBgQLod/O22NhVXfzlWUpJay 7GZSS3kjRWPbklATDdKCKIiUghH3geYc0OarYJ5qae5wQSncopqjQUJlgNqAqGtbzWnvf+TFFRe 7 X-Google-Smtp-Source: AGHT+IG9bN0w/yS+wmTFpmClFyRiuZTaofsJ2YC5YzAjwPrPFe3punbvYUDIlOIhdiQrjfLEcjBYKw== X-Received: by 2002:a05:622a:4f:b0:446:5c9b:4e00 with SMTP id d75a77b69052e-44662c99c3amr98596101cf.8.1719945200670; Tue, 02 Jul 2024 11:33:20 -0700 (PDT) Received: from ubuntu.localdomain (pool-174-114-184-37.cpe.net.cable.rogers.com. [174.114.184.37]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-446514b613dsm43316351cf.84.2024.07.02.11.33.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jul 2024 11:33:20 -0700 (PDT) 
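Review bot: The unsupported-digest case in the OID chain is caught only by the later `if (!_ctx->digest_algo)` test, which is correct only when the caller hands in a context whose digest_algo is still NULL; a reused or uninitialised context would let an unknown OID pass with a stale algorithm name. End the chain with an explicit `else return -EINVAL;`, or clear `_ctx->digest_algo` before the chain. Separately, after the OCTET STRING is read nothing checks that `p + len == end`, so bytes trailing the digest are accepted silently; a strict parser for signed content should reject them. md5 and sha1 are still mapped here, so whether they are acceptable has to be enforced by whatever verification policy consumes digest_algo.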
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Igor Opaniuk, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Bin Meng, Alper Nebi Yasak, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 24/29] lib/crypto: Adapt mscode_parser to MbedTLS
Date: Tue, 2 Jul 2024 11:23:00 -0700
Message-Id: <20240702182325.2904421-25-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Previous patch has introduced MbedTLS porting layer for mscode parser,
here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
- Minor fix of the include directories.

include/crypto/mscode.h | 4 ++++
lib/crypto/Makefile | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h index 551058b96e6..678e69001b9 100644 --- a/include/crypto/mscode.h +++ b/include/crypto/mscode.h
@@ -9,6 +9,10 @@ #ifndef __UBOOT__ #include #endif +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#endif struct pefile_context { #ifndef __UBOOT__ diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 428dcba0a6b..9bbd8b48d77 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile 
@@ -63,7 +63,7 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o # # Signed PE binary-wrapped key handling # -obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o +obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o mscode-y := \ mscode_parser.o \
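Review bot: The new include block in include/crypto/mscode.h is guarded by `CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)`, while the Makefile half of this patch selects the object through `CONFIG_$(SPL_)MSCODE_PARSER_LEGACY`. In an SPL build CONFIG_IS_ENABLED() tests the SPL_-prefixed symbol, and no SPL_MBEDTLS_LIB_X509 appears in the Kconfig hunks shown in this series, so please confirm the headers are still pulled in there, or key the guard on the MSCODE_PARSER_MBEDTLS option (or plain `IS_ENABLED(CONFIG_MBEDTLS_LIB_X509)`) so that header and object selection cannot diverge.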
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Heinrich Schuchardt, Alper Nebi Yasak, AKASHI Takahiro, Abdellatif El Khlifi, Alexander Gendin, Bin Meng, Manorit Chawdhry, Vincent Stehlé, Oleksandr Suvorov
Subject: [PATCH v4 25/29] mbedtls: add RSA helper layer on MbedTLS
Date: Tue, 2 Jul 2024 11:23:01 -0700
Message-Id: <20240702182325.2904421-26-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Add RSA helper layer on top of MbedTLS PK and RSA library.
Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and
MbedTLS implementations respectively.

Signed-off-by: Raymond Mao
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and
  MbedTLS implementations respectively.
- Remove unnecessary type casting.
- Minor fix of the include directories.

lib/mbedtls/Kconfig | 36 +++++++++++++++
lib/mbedtls/Makefile | 3 +-
lib/mbedtls/rsa_helper.c | 95 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 133 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/rsa_helper.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index d8a8f87e031..87c500d6ca9 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -124,11 +124,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER && SPL help Enable legacy certificate libraries. @@ -141,6 +143,14 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY @@ -174,6 +184,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT 
@@ -287,11 +305,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER && SPL help Enable MbedTLS certificate libraries. @@ -303,6 +323,14 @@ config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS @@ -334,6 +362,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index ac7c487449d..9c6991f8783 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -28,6 +28,7 @@ x509_mbedtls-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o x509_mbedtls-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o x509_mbedtls-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o +x509_mbedtls-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o @@ -49,7 +50,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ $(MBEDTLS_LIB_DIR)/asn1parse.o \ $(MBEDTLS_LIB_DIR)/asn1write.o \ $(MBEDTLS_LIB_DIR)/oid.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/bignum.o \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ diff --git a/lib/mbedtls/rsa_helper.c b/lib/mbedtls/rsa_helper.c new file mode 100644 index 00000000000..3d94eee9954 --- /dev/null +++ b/lib/mbedtls/rsa_helper.c 
@@ -0,0 +1,95 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * RSA helper functions using MbedTLS + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include +#include +#include + +/** + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the + * provided struct rsa_key, pointers to the raw key as is, + * so that the caller can copy it or MPI parse it, etc. + * + * @rsa_key: struct rsa_key key representation + * @key: key in BER format + * @key_len: length of key + * + * Return: 0 on success or error code in case of error + */ +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key, + unsigned int key_len) +{ + int ret = 0; + mbedtls_pk_context pk; + mbedtls_rsa_context *rsa; + + mbedtls_pk_init(&pk); + + ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char *)key, + key_len); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) { + pr_err("Non-RSA keys are not supported\n"); + ret = -EKEYREJECTED; + goto clean_pubkey; + } + + /* Get RSA key context */ + rsa = mbedtls_pk_rsa(pk); + if (!rsa) { + pr_err("Failed to get RSA key context, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Parse modulus (n) */ + rsa_key->n_sz = mbedtls_mpi_size(&rsa->N); + rsa_key->n = kzalloc(rsa_key->n_sz, GFP_KERNEL); + if (!rsa_key->n) { + ret = -ENOMEM; + goto clean_pubkey; + } + ret = mbedtls_mpi_write_binary(&rsa->N, (unsigned char *)rsa_key->n, + rsa_key->n_sz); + if (ret) { + pr_err("Failed to parse modulus (n), ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_modulus; + } + + /* Parse public exponent (e) */ + rsa_key->e_sz = mbedtls_mpi_size(&rsa->E); + rsa_key->e = kzalloc(rsa_key->e_sz, GFP_KERNEL); + if (!rsa_key->e) { + ret = -ENOMEM; + goto clean_modulus; + } + ret = mbedtls_mpi_write_binary(&rsa->E, (unsigned char 
*)rsa_key->e, + rsa_key->e_sz); + if (!ret) + return 0; + + pr_err("Failed to parse public exponent (e), ret:-0x%04x\n", -ret); + ret = -EINVAL; + + kfree(rsa_key->e); +clean_modulus: + kfree(rsa_key->n); +clean_pubkey: + mbedtls_pk_free(&pk); + return ret; +}
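Review bot: The new RSA_PUBLIC_KEY_PARSER_LEGACY and RSA_PUBLIC_KEY_PARSER_MBEDTLS entries in lib/mbedtls/Kconfig (and their SPL_ variants) use `select ASN1_DECODER_LEGACY` and `select ASN1_DECODER_MBEDTLS`, but those symbols are only defined in 27/29, so at this commit the selects refer to symbols that do not exist yet. Move the ASN1 decoder patch ahead of this one, or add these selects in 27/29, so each commit in the series has a self-consistent Kconfig.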
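Review bot: In rsa_parse_pub_key() the success path returns straight from `if (!ret) return 0;` and never reaches `mbedtls_pk_free(&pk)`, so every successful parse leaks the PK context; route success through the clean_pubkey label and free n and e only on the error paths. The kernel-doc still says rsa_key receives pointers to the raw key as is, but n and e are now kzalloc() copies, so the comment should state that the caller owns them and must kfree() them, and existing callers need checking for that. On failure rsa_key->n and rsa_key->e are freed but left pointing at freed memory with n_sz and e_sz still set; reset them to NULL and 0. The `!rsa` branch prints `-ret` while ret is still 0, which logs a meaningless code.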
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Ilias Apalodimas, Leo Yu-Chi Liang, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Ilya Lukin <4.shket@gmail.com>, Igor Opaniuk, Sergei Antonov, Heinrich Schuchardt, Alper Nebi Yasak, Bin Meng, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Manorit Chawdhry, Oleksandr Suvorov
Subject: [PATCH v4 26/29] lib/crypto: Adapt rsa_helper to MbedTLS
Date: Tue, 2 Jul 2024 11:23:02 -0700
Message-Id: <20240702182325.2904421-27-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

Previous patch has introduced MbedTLS porting layer for RSA helper,
here to adjust the makefile accordingly.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.

lib/crypto/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 9bbd8b48d77..281e507743a 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile
@@ -13,7 +13,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY) += public_key.o # # RSA public key parser # -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o
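Review bot: The switch of rsa_public_key.o to `CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY` arrives one commit after 25/29 added lib/mbedtls/rsa_helper.o under RSA_PUBLIC_KEY_PARSER_MBEDTLS, so at 25/29 a configuration with RSA_PUBLIC_KEY_PARSER and the MbedTLS option enabled builds the legacy rsa_helper.o and the MbedTLS rsa_helper.o together. Fold this one-line change into 25/29 to keep the series bisectable. After this change rsa_public_key.o is built only when LEGACY_CRYPTO_CERT selects the _LEGACY symbol, so please confirm that every configuration enabling RSA_PUBLIC_KEY_PARSER has either LEGACY_CRYPTO_CERT or MBEDTLS_LIB_X509 set; otherwise no RSA public key parser is linked at all.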
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Leo Yu-Chi Liang, Ilias Apalodimas, Andrejs Cainikovs, Marek Vasut, Sean Anderson, Jesse Taube, Bryan Brattlof, "Leon M. Busch-George", Igor Opaniuk, Sergei Antonov, Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt, Alper Nebi Yasak, Abdellatif El Khlifi, AKASHI Takahiro, Alexander Gendin, Bin Meng, Eddie James, Manorit Chawdhry, Oleksandr Suvorov
Subject: [PATCH v4 27/29] asn1_decoder: add build options for ASN1 decoder
Date: Tue, 2 Jul 2024 11:23:03 -0700
Message-Id: <20240702182325.2904421-28-raymond.mao@linaro.org>
In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org>
References: <20240702182325.2904421-1-raymond.mao@linaro.org>

When building with MbedTLS, we are using MbedTLS to decode ASN1 data
for x509, pkcs7 and mscode.
Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and
MbedTLS implementations respectively.

Signed-off-by: Raymond Mao
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and
  MbedTLS implementations respectively.
- Update the commit subject.

lib/Makefile | 2 +-
lib/mbedtls/Kconfig | 28 ++++++++++++++++++++++++++++
lib/mbedtls/Makefile | 2 +-
3 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/Makefile b/lib/Makefile index f76af77a969..c3b44c3c9ae 100644 --- a/lib/Makefile +++ b/lib/Makefile
@@ -80,7 +80,7 @@ obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ -obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o +obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 87c500d6ca9..4dd2fe07a1f 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -122,12 +122,14 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASN1_DECODER_LEGACY if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER + select SPL_ASN1_DECODER_LEGACY if ASN1_DECODER && SPL select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER && SPL @@ -136,6 +138,12 @@ config LEGACY_CRYPTO_CERT if LEGACY_CRYPTO_CERT +config ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY bool "Asymmetric public key crypto with legacy certificate library" depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE 
@@ -177,6 +185,13 @@ config MSCODE_PARSER_LEGACY if SPL +config SPL_ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_LEGACY bool "Asymmetric public key crypto with legacy certificate library in SPL" depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -303,12 +318,14 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASN1_DECODER_MBEDTLS if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER + select SPL_ASN1_DECODER_MBEDTLS if ASN1_DECODER && SPL select SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE && SPL select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER && SPL @@ -317,6 +334,11 @@ config MBEDTLS_LIB_X509 if MBEDTLS_LIB_X509 +config ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library" + help + This option chooses MbedTLS certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library" help @@ -356,6 +378,12 @@ config MSCODE_PARSER_MBEDTLS if SPL +config SPL_ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library in SPL" + help + This option chooses MbedTLS certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" help diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 9c6991f8783..9b09fbcea28 100644 
--- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -46,7 +46,7 @@ mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \ # MbedTLS X509 library obj-$(CONFIG_MBEDTLS_LIB_X509) += mbedtls_lib_x509.o mbedtls_lib_x509-y += $(MBEDTLS_LIB_DIR)/x509.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/asn1parse.o \ $(MBEDTLS_LIB_DIR)/asn1write.o \ $(MBEDTLS_LIB_DIR)/oid.o
From patchwork Tue Jul 2 18:23:04 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955577 X-Patchwork-Delegate: trini@ti.com
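Review bot: In patch 27/29, the lib/Makefile hunk now builds asn1_decoder.o only when ASN1_DECODER_LEGACY is set, and that symbol depends on LEGACY_CRYPTO_CERT, so a configuration with ASN1_DECODER=y but neither LEGACY_CRYPTO_CERT nor MBEDTLS_LIB_X509 selected ends up with no ASN.1 decoder object at all. Nothing in the visible lines shows LEGACY_CRYPTO_CERT being defaulted on for existing boards. Please state in the commit message how current defconfigs that set only ASN1_DECODER keep a decoder, or make one of the two implementations the default when ASN1_DECODER is enabled, since the X.509, PKCS7 and mscode parsers named in the message all sit on top of it.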
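Review bot: In patch 27/29, lib/mbedtls/Kconfig, the two new SPL selects (select SPL_ASN1_DECODER_LEGACY if ASN1_DECODER && SPL under LEGACY_CRYPTO_CERT, and select SPL_ASN1_DECODER_MBEDTLS if ASN1_DECODER && SPL under MBEDTLS_LIB_X509) are conditioned on the non-SPL ASN1_DECODER symbol. select does not honour the target's depends on, so with ASN1_DECODER=y, SPL=y and SPL_ASN1_DECODER off, SPL_ASN1_DECODER_LEGACY is forced on against its own depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER, and the CONFIG_$(SPL_)ASN1_DECODER_LEGACY line in lib/Makefile then puts asn1_decoder.o into SPL. This follows the pattern of the neighbouring SPL_*_LEGACY selects, but the condition that matches the intent is if SPL_ASN1_DECODER.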
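Review bot: In patch 27/29, lib/mbedtls/Kconfig, the new ASN1_DECODER_MBEDTLS and SPL_ASN1_DECODER_MBEDTLS entries carry no depends on line, while the legacy pair added by the same patch has depends on LEGACY_CRYPTO_CERT && ASN1_DECODER and depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER. Both MbedTLS entries have a prompt, so they can be enabled by hand with ASN1_DECODER off, and the lib/mbedtls/Makefile hunk then pulls asn1parse.o, asn1write.o and oid.o into mbedtls_lib_x509 on that symbol alone. Suggest adding depends on ASN1_DECODER and depends on SPL_ASN1_DECODER respectively so the two implementations are gated the same way.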
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Ilias Apalodimas , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Sergei Antonov , Igor Opaniuk , Ilya Lukin <4.shket@gmail.com>, Heinrich Schuchardt , Bin Meng , Alper Nebi Yasak , Abdellatif El Khlifi , AKASHI Takahiro , Alexander Gendin , Oleksandr Suvorov Subject: [PATCH v4 28/29] test: Remove ASN1 library test Date: Tue, 2 Jul 2024 11:23:04 -0700 Message-Id: <20240702182325.2904421-29-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib, So remove it from test. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. test/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Kconfig b/test/Kconfig index e2ec0994a2e..558a9cd49b4 100644 --- a/test/Kconfig +++ b/test/Kconfig 
@@ -32,7 +32,7 @@ if UT_LIB config UT_LIB_ASN1 bool "Unit test for asn1 compiler and decoder function" - depends on SANDBOX + depends on SANDBOX && !MBEDTLS_LIB_X509 default y imply ASYMMETRIC_KEY_TYPE imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
From patchwork Tue Jul 2 18:23:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1955578 X-Patchwork-Delegate: trini@ti.com
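Review bot: In patch 28/29, the test/Kconfig hunk does not remove the test as the subject says; it makes UT_LIB_ASN1 depend on !MBEDTLS_LIB_X509, and since patch 29/29 sets CONFIG_MBEDTLS_LIB_X509=y in sandbox_defconfig, the default sandbox build stops running the ASN.1 compiler and decoder unit test with nothing in this series shown to cover the MbedTLS ASN.1 path in its place. Please reword the subject to say the test is disabled under MbedTLS, and consider expressing the real requirement as depends on SANDBOX && ASN1_DECODER_LEGACY (the symbol introduced in 27/29) rather than negating the MbedTLS option. The commit message should also say which test exercises certificate parsing once the MbedTLS decoder is the one in use.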
From: Raymond Mao To: u-boot@lists.denx.de Cc: manish.pandey2@arm.com, Raymond Mao , Tom Rini , Stefan Bosch , Mario Six , Andy Shevchenko , Michal Simek , Tuomas Tynkkynen , Simon Glass , Leo Yu-Chi Liang , Ilias Apalodimas , Andrejs Cainikovs , Marek Vasut , Sean Anderson , Jesse Taube , Bryan Brattlof , "Leon M. Busch-George" , Igor Opaniuk , Ilya Lukin <4.shket@gmail.com>, Sergei Antonov , Heinrich Schuchardt , Alper Nebi Yasak , Bin Meng , AKASHI Takahiro , Abdellatif El Khlifi , Alexander Gendin , Oleksandr Suvorov Subject: [PATCH v4 29/29] configs: enable MbedTLS as default setting Date: Tue, 2 Jul 2024 11:23:05 -0700 Message-Id: <20240702182325.2904421-30-raymond.mao@linaro.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20240702182325.2904421-1-raymond.mao@linaro.org> References: <20240702182325.2904421-1-raymond.mao@linaro.org> MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Enable MbedTLS as default setting for qemu arm64 Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - None. Changes in v4 - removed the unused CONFIG_MBEDTLS_LIB_TLS. configs/qemu_arm64_defconfig | 4 ++++ configs/sandbox_defconfig | 3 +++ 2 files changed, 7 insertions(+) diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 7e166f43908..9e2c490192c 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig @@ -67,4 +67,8 @@ CONFIG_TPM2_MMIO=y CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_PCI=y CONFIG_SEMIHOSTING=y +CONFIG_MBEDTLS_LIB=y +CONFIG_MBEDTLS_LIB_CRYPTO=y +CONFIG_MBEDTLS_LIB_X509=y CONFIG_TPM=y +CONFIG_EFI_SECURE_BOOT=y 
diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 93b52f2de5c..679bbf69936 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -343,6 +343,9 @@ CONFIG_FS_CBFS=y CONFIG_FS_CRAMFS=y CONFIG_ADDR_MAP=y CONFIG_CMD_DHRYSTONE=y +CONFIG_MBEDTLS_LIB=y +CONFIG_MBEDTLS_LIB_CRYPTO=y +CONFIG_MBEDTLS_LIB_X509=y CONFIG_ECDSA=y CONFIG_ECDSA_VERIFY=y CONFIG_TPM=y
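Review bot: In patch 29/29, the configs/qemu_arm64_defconfig hunk adds CONFIG_EFI_SECURE_BOOT=y after CONFIG_TPM=y, which the commit message ("Enable MbedTLS as default setting for qemu arm64") never mentions. Turning on UEFI secure boot is a behaviour change for this board that is separate from switching crypto libraries, so it should either be named in the message with the reason it is needed here or go into its own patch. The three CONFIG_MBEDTLS_* lines are also inserted by hand between CONFIG_SEMIHOSTING and CONFIG_TPM; please regenerate the file with savedefconfig so the ordering matches what Kconfig emits.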
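Review bot: In patch 29/29, the configs/sandbox_defconfig hunk switches sandbox to MbedTLS as well, but the subject and message only talk about qemu arm64. Sandbox is where the unit tests run, so this hunk is what makes the !MBEDTLS_LIB_X509 condition from 28/29 take effect by default. Please mention sandbox in the commit message and regenerate the defconfig with savedefconfig, since the new lines sit between CONFIG_CMD_DHRYSTONE and CONFIG_ECDSA.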