From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Ilias Apalodimas, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Leo Yu-Chi Liang, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Paul Barker, Marek Vasut, Patrice Chotard, Jonas Karlman, Kongyang Liu, Greg Malysa, Sughosh Ganu
Subject: [PATCH v8 01/27] CI: Exclude MbedTLS subtree for CONFIG checks
Date: Thu, 3 Oct 2024 14:50:14 -0700
Message-Id: <20241003215112.3103601-2-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Since MbedTLS is an external repo with its own coding style, exclude it from Azure and gitlab CI CONFIG checks.

Signed-off-by: Raymond Mao
Reviewed-by: Tom Rini
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None.

 .azure-pipelines.yml | 3 ++-
 .gitlab-ci.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 93111eb6127..b66d49a62ba 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml 
@@ -76,7 +76,8 @@ stages: # have no matches. - script: git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 - job: docs diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7d621031b85..2a52e15d0fe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -159,7 +159,8 @@ check for new CONFIG symbols outside Kconfig: # have no matches. - git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 # build documentation
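
Review bot: The second added pathspec in patch 01/27, `:^lib/mbedtls/mbedtls_def_config.h` (same line in both the .azure-pipelines.yml and .gitlab-ci.yml hunks), exempts a U-Boot-authored header from the CONFIG check, and the commit message only argues for excluding the external MbedTLS subtree. As added in 02/27 that header defines only MBEDTLS_* symbols and tests CONFIG_* with `#if`, so the grep would not match it anyway. Either drop that pathspec so a future `#define CONFIG_` in the file is still caught, or state in the commit message why the exemption is needed.
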
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Ilias Apalodimas, Heinrich Schuchardt, Leo Yu-Chi Liang, Sean Anderson, Sumit Garg, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Greg Malysa, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Caleb Connolly, Eddie James
Subject: [PATCH v8 02/27] mbedtls: add mbedtls into the build system
Date: Thu, 3 Oct 2024 14:50:15 -0700
Message-Id: <20241003215112.3103601-3-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Port mbedtls with adapted libc header files.
Add mbedtls default config header file.
Optimize mbedtls default config by disabling unused features to reduce the target size.
Add mbedtls kbuild makefile.
Add Kconfig skeleton and config submenu entry for selecting crypto libraries between mbedtls and legacy ones.
Add the mbedtls include directories into the build system.
Port u-boot hash functions as MbedTLS crypto alternatives and set it as default.

Subsequent patches will separate those Kconfigs into pairs of _LEGACY and _MBEDTLS for controlling the implementations of legacy crypto libraries and MbedTLS ones respectively.

The motivation of moving and adapting *INT* macros from kernel.h to limits.h is to fulfill the MbedTLS building requirement. The conditional compilation statements in MbedTLS expect the *INT* macros as constant expressions, thus expressions like `((int)(~0U >> 1))` will not work.

Prerequisite
------------

This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via:

    $ git subtree add --prefix lib/mbedtls/external/mbedtls \
          https://github.com/Mbed-TLS/mbedtls.git \
          v3.6.0 --squash

Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually:

    $ git add --renormalize .
    $ git commit

Signed-off-by: Raymond Mao
---
Changes in v2
- Disabled unused MbedTLS features to optimize the target size.
Changes in v3
- Removed changes in stdio.h.
Changes in v4
- Move limits.h as a common header file that is included by kernel.h.
- Refactor the Kconfig to support legacy and MbedTLS options for each algorithm.
- Refactor MbedTLS makefile and default config file to remove unused config options and objects.
Changes in v5
- Merged patch #9 of v4 into this patch.
- Removed unused config MBEDTLS_LIB_TLS.
- Refactored MbedTLS Makefile and default config file.
Changes in v6
- Fixed UINT64_MAX.
- Removed copyright statement from limits.h
Changes in v7
- Fixed CI world build failures due to config dependencies.
- Fixed values of UINT_MAX and UINT32_MAX.
Changes in v8
- Port u-boot hash functions as MbedTLS crypto alternatives and set it as default.

 Makefile | 6 +++
 include/limits.h | 25 ++++++++++
 include/linux/kernel.h | 13 +----
 include/stdlib.h | 1 +
 lib/Kconfig | 4 ++
 lib/Makefile | 2 +
 lib/mbedtls/Kconfig | 56 +++++++++++++++++++++
 lib/mbedtls/Makefile | 41 ++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 84 ++++++++++++++++++++++++++++++++
 lib/mbedtls/port/assert.h | 12 +++++
 lib/mbedtls/port/md5_alt.h | 57 ++++++++++++++++++++++
 lib/mbedtls/port/sha1_alt.h | 57 ++++++++++++++++++++++
 lib/mbedtls/port/sha256_alt.h | 64 ++++++++++++++++++++++++
 lib/mbedtls/port/sha512_alt.h | 78 +++++++++++++++++++++++++++++
 14 files changed, 488 insertions(+), 12 deletions(-)
 create mode 100644 include/limits.h
 create mode 100644 lib/mbedtls/Kconfig
 create mode 100644 lib/mbedtls/Makefile
 create mode 100644 lib/mbedtls/mbedtls_def_config.h
 create mode 100644 lib/mbedtls/port/assert.h
 create mode 100644 lib/mbedtls/port/md5_alt.h
 create mode 100644 lib/mbedtls/port/sha1_alt.h
 create mode 100644 lib/mbedtls/port/sha256_alt.h
 create mode 100644 lib/mbedtls/port/sha512_alt.h

diff --git a/Makefile b/Makefile index 525576f987d..f4659f9493a 100644 --- a/Makefile +++ b/Makefile 
@@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) UBOOTINCLUDE := \ -Iinclude \ $(if $(KBUILD_SRC), -I$(srctree)/include) \ + $(if $(CONFIG_MBEDTLS_LIB), \ + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ + -I$(srctree)/lib/mbedtls \ + -I$(srctree)/lib/mbedtls/port \ + -I$(srctree)/lib/mbedtls/external/mbedtls \ + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ $(if $(CONFIG_HAS_THUMB2), \ $(if $(CONFIG_CPU_V7M), \ diff --git a/include/limits.h b/include/limits.h new file mode 100644 index 00000000000..4700cc7a59f --- /dev/null +++ b/include/limits.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ + +#ifndef _LIMITS_H +#define _LIMITS_H + +#define INT_MAX 0x7fffffff +#define UINT_MAX 0xffffffffU +#define CHAR_BIT 8 +#define UINT32_MAX 0xffffffffU +#define UINT64_MAX 0xffffffffffffffffULL + +#ifdef CONFIG_64BIT + #define UINTPTR_MAX UINT64_MAX +#else + #define UINTPTR_MAX UINT32_MAX +#endif + +#ifndef SIZE_MAX +#define SIZE_MAX UINTPTR_MAX +#endif +#ifndef SSIZE_MAX +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) +#endif + +#endif /* _LIMITS_H */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 939465f372b..9467edd65ab 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -3,25 +3,18 @@ #include #include /* for printf/pr_* utilities */ +#include #define USHRT_MAX ((u16)(~0U)) #define SHRT_MAX ((s16)(USHRT_MAX>>1)) #define SHRT_MIN ((s16)(-SHRT_MAX - 1)) -#define INT_MAX ((int)(~0U>>1)) #define INT_MIN (-INT_MAX - 1) -#define UINT_MAX (~0U) #define LONG_MAX ((long)(~0UL>>1)) #define LONG_MIN (-LONG_MAX - 1) #define ULONG_MAX (~0UL) #define LLONG_MAX ((long long)(~0ULL>>1)) #define LLONG_MIN (-LLONG_MAX - 1) #define ULLONG_MAX (~0ULL) -#ifndef SIZE_MAX -#define SIZE_MAX (~(size_t)0) -#endif -#ifndef SSIZE_MAX -#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) -#endif #define U8_MAX ((u8)~0U) #define S8_MAX ((s8)(U8_MAX>>1)) 
@@ -36,10 +29,6 @@ #define S64_MAX ((s64)(U64_MAX>>1)) #define S64_MIN ((s64)(-S64_MAX - 1)) -/* Aliases defined by stdint.h */ -#define UINT32_MAX U32_MAX -#define UINT64_MAX U64_MAX - #define INT32_MAX S32_MAX #define STACK_MAGIC 0xdeadbeef diff --git a/include/stdlib.h b/include/stdlib.h index 9c175d4d74c..dedfd52a144 100644 --- a/include/stdlib.h +++ b/include/stdlib.h @@ -7,5 +7,6 @@ #define __STDLIB_H_ #include +#include #endif /* __STDLIB_H_ */ diff --git a/lib/Kconfig b/lib/Kconfig index 1dd4f271595..67a60160dac 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -419,6 +419,10 @@ config CIRCBUF source "lib/dhry/Kconfig" +menu "Alternative crypto libraries" +source lib/mbedtls/Kconfig +endmenu + menu "Security support" config AES diff --git a/lib/Makefile b/lib/Makefile index d300249f57c..c4950b78a29 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -96,6 +96,8 @@ obj-$(CONFIG_LIBAVB) += libavb/ obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/ obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/ + ifdef CONFIG_SPL_BUILD obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig new file mode 100644 index 00000000000..9d1a63c1ca6 --- /dev/null +++ b/lib/mbedtls/Kconfig 
@@ -0,0 +1,56 @@ +choice + prompt "Select crypto libraries" + default LEGACY_CRYPTO + help + Select crypto libraries. + LEGACY_CRYPTO for legacy crypto libraries, + MBEDTLS_LIB for MbedTLS libraries. + +config LEGACY_CRYPTO + bool "legacy crypto libraries" + select LEGACY_CRYPTO_BASIC + select LEGACY_CRYPTO_CERT + +config MBEDTLS_LIB + bool "MbedTLS libraries" + select MBEDTLS_LIB_X509 +endchoice + +if LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT + +config LEGACY_CRYPTO_BASIC + bool "legacy basic crypto libraries" + help + Enable legacy basic crypto libraries. + +config LEGACY_CRYPTO_CERT + bool "legacy certificate libraries" + help + Enable legacy certificate libraries. + +endif # LEGACY_CRYPTO + +if MBEDTLS_LIB + +config MBEDTLS_LIB_CRYPTO_ALT + bool "MbedTLS crypto alternatives" + depends on MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO + select LEGACY_CRYPTO_BASIC + default y if MBEDTLS_LIB && !MBEDTLS_LIB_CRYPTO + help + Enable MbedTLS crypto alternatives. + Mutually incompatible with MBEDTLS_LIB_CRYPTO. + +config MBEDTLS_LIB_CRYPTO + bool "MbedTLS crypto libraries" + help + Enable MbedTLS crypto libraries. + Mutually incompatible with MBEDTLS_LIB_CRYPTO_ALT. + + +config MBEDTLS_LIB_X509 + bool "MbedTLS certificate libraries" + help + Enable MbedTLS certificate libraries. + +endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile new file mode 100644 index 00000000000..0b6d6ca808f --- /dev/null +++ b/lib/mbedtls/Makefile 
@@ -0,0 +1,41 @@ +# SPDX-License-Identifier: GPL-2.0+ +# +# Copyright (c) 2024 Linaro Limited +# Author: Raymond Mao + +MBEDTLS_LIB_DIR = external/mbedtls/library + +# MbedTLS crypto library +obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o +mbedtls_lib_crypto-y := \ + $(MBEDTLS_LIB_DIR)/platform_util.o \ + $(MBEDTLS_LIB_DIR)/constant_time.o \ + $(MBEDTLS_LIB_DIR)/md.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5) += $(MBEDTLS_LIB_DIR)/md5.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1) += $(MBEDTLS_LIB_DIR)/sha1.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256) += \ + $(MBEDTLS_LIB_DIR)/sha256.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512) += \ + $(MBEDTLS_LIB_DIR)/sha512.o + +# MbedTLS X509 library +obj-$(CONFIG_MBEDTLS_LIB_X509) += mbedtls_lib_x509.o +mbedtls_lib_x509-y := $(MBEDTLS_LIB_DIR)/x509.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ + $(MBEDTLS_LIB_DIR)/asn1parse.o \ + $(MBEDTLS_LIB_DIR)/asn1write.o \ + $(MBEDTLS_LIB_DIR)/oid.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ + $(MBEDTLS_LIB_DIR)/bignum.o \ + $(MBEDTLS_LIB_DIR)/bignum_core.o \ + $(MBEDTLS_LIB_DIR)/rsa.o \ + $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ + $(MBEDTLS_LIB_DIR)/pk.o \ + $(MBEDTLS_LIB_DIR)/pk_wrap.o \ + $(MBEDTLS_LIB_DIR)/pkparse.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \ + $(MBEDTLS_LIB_DIR)/x509_crl.o \ + $(MBEDTLS_LIB_DIR)/x509_crt.o +mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ + $(MBEDTLS_LIB_DIR)/pkcs7.o diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h new file mode 100644 index 00000000000..6fba053bd7c --- /dev/null +++ b/lib/mbedtls/mbedtls_def_config.h 
@@ -0,0 +1,84 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * MbedTLS config file + * + * Derived from the MbedTLS internal config file, + * for more information about each build option, + * please refer to: + * external/mbedtls/include/mbedtls/mbedtls_config.h + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#if defined CONFIG_MBEDTLS_LIB + +#if CONFIG_IS_ENABLED(MD5) +#define MBEDTLS_MD_C +#define MBEDTLS_MD5_C +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT +#define MBEDTLS_MD5_ALT +#endif +#endif + +#if CONFIG_IS_ENABLED(SHA1) +#define MBEDTLS_MD_C +#define MBEDTLS_SHA1_C +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT +#define MBEDTLS_SHA1_ALT +#endif +#endif + +#if CONFIG_IS_ENABLED(SHA256) +#define MBEDTLS_MD_C +#define MBEDTLS_SHA256_C +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT +#define MBEDTLS_SHA256_ALT +#endif +#endif + +#if CONFIG_IS_ENABLED(SHA384) +#define MBEDTLS_MD_C +#define MBEDTLS_SHA384_C +#endif + +#if CONFIG_IS_ENABLED(SHA512) +#define MBEDTLS_MD_C +#define MBEDTLS_SHA512_C +#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT +#define MBEDTLS_SHA512_ALT +#endif +#endif + +#if defined CONFIG_MBEDTLS_LIB_X509 + +#if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER) +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRL_PARSE_C +#endif + +#if CONFIG_IS_ENABLED(ASYMMETRIC_PUBLIC_KEY_SUBTYPE) +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#endif + +#if CONFIG_IS_ENABLED(RSA_PUBLIC_KEY_PARSER) +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_RSA_C +#define MBEDTLS_PKCS1_V15 +#endif + +#if CONFIG_IS_ENABLED(PKCS7_MESSAGE_PARSER) +#define MBEDTLS_PKCS7_C +#endif + +#if CONFIG_IS_ENABLED(ASN1_DECODER) +#define MBEDTLS_OID_C +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#endif + +#endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ + +#endif /* #if defined CONFIG_MBEDTLS_LIB */ diff --git a/lib/mbedtls/port/assert.h b/lib/mbedtls/port/assert.h new file mode 100644 index 00000000000..490701aa9d0 --- /dev/null 
+++ b/lib/mbedtls/port/assert.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Dummy file to allow mbedtls linked with U-Boot to include assert.h + * + * Copyright (c) 2023 Linaro Limited + * Author: Raymond Mao + */ + +#ifndef _MBEDTLS_ASSERT_H +#define _MBEDTLS_ASSERT_H + +#endif /* _MBEDTLS_ASSERT_H */ diff --git a/lib/mbedtls/port/md5_alt.h b/lib/mbedtls/port/md5_alt.h new file mode 100644 index 00000000000..c6e8eabf68a --- /dev/null +++ b/lib/mbedtls/port/md5_alt.h @@ -0,0 +1,57 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef MD5_ALT_H +#define MD5_ALT_H + +#include +#include + +typedef MD5Context mbedtls_md5_context; + +static inline void mbedtls_md5_init(mbedtls_md5_context *ctx) +{ +} + +static inline void mbedtls_md5_free(mbedtls_md5_context *ctx) +{ +} + +static inline void +mbedtls_md5_clone(mbedtls_md5_context *dst, const mbedtls_md5_context *src) +{ + *dst = *src; +} + +static inline int mbedtls_md5_starts(mbedtls_md5_context *ctx) +{ + MD5Init(ctx); + return 0; +} + +static inline int mbedtls_md5_update(mbedtls_md5_context *ctx, + const unsigned char *input, + size_t ilen) +{ + MD5Update(ctx, input, ilen); + return 0; +} + +static inline int mbedtls_md5_finish(mbedtls_md5_context *ctx, + unsigned char output[16]) +{ + MD5Final(output, ctx); + return 0; +} + +static inline int mbedtls_md5(const unsigned char *input, + size_t ilen, + unsigned char output[16]) +{ + md5_wd(input, ilen, output, CHUNKSZ_MD5); + return 0; +} + +#endif /* md5_alt.h */ diff --git a/lib/mbedtls/port/sha1_alt.h b/lib/mbedtls/port/sha1_alt.h new file mode 100644 index 00000000000..cbfe0ddc478 --- /dev/null +++ b/lib/mbedtls/port/sha1_alt.h 
@@ -0,0 +1,57 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef SHA1_ALT_H +#define SHA1_ALT_H + +#include +#include + +typedef sha1_context mbedtls_sha1_context; + +static inline void mbedtls_sha1_init(mbedtls_sha1_context *ctx) +{ +} + +static inline void mbedtls_sha1_free(mbedtls_sha1_context *ctx) +{ +} + +static inline void mbedtls_sha1_clone(mbedtls_sha1_context *dst, + const mbedtls_sha1_context *src) +{ + *dst = *src; +} + +static inline int mbedtls_sha1_starts(mbedtls_sha1_context *ctx) +{ + sha1_starts(ctx); + return 0; +} + +static inline int mbedtls_sha1_update(mbedtls_sha1_context *ctx, + const unsigned char *input, + size_t ilen) +{ + sha1_update(ctx, input, ilen); + return 0; +} + +static inline int mbedtls_sha1_finish(mbedtls_sha1_context *ctx, + unsigned char output[20]) +{ + sha1_finish(ctx, output); + return 0; +} + +static inline int mbedtls_sha1(const unsigned char *input, + size_t ilen, + unsigned char output[20]) +{ + sha1_csum_wd(input, ilen, output, CHUNKSZ_SHA1); + return 0; +} + +#endif /* sha1_alt.h */ diff --git a/lib/mbedtls/port/sha256_alt.h b/lib/mbedtls/port/sha256_alt.h new file mode 100644 index 00000000000..80be94b0a06 --- /dev/null +++ b/lib/mbedtls/port/sha256_alt.h 
@@ -0,0 +1,64 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef SHA256_ALT_H +#define SHA256_ALT_H + +#include +#include + +typedef sha256_context mbedtls_sha256_context; + +static inline void mbedtls_sha256_init(mbedtls_sha256_context *ctx) +{ +} + +static inline void mbedtls_sha256_free(mbedtls_sha256_context *ctx) +{ +} + +static inline void mbedtls_sha256_clone(mbedtls_sha256_context *dst, + const mbedtls_sha256_context *src) +{ + *dst = *src; +} + +static inline int mbedtls_sha256_starts(mbedtls_sha256_context *ctx, int is224) +{ + if (is224) + return -EOPNOTSUPP; + + sha256_starts(ctx); + return 0; +} + +static inline int mbedtls_sha256_update(mbedtls_sha256_context *ctx, + const unsigned char *input, + size_t ilen) +{ + sha256_update(ctx, input, ilen); + return 0; +} + +static inline int mbedtls_sha256_finish(mbedtls_sha256_context *ctx, + unsigned char *output) +{ + sha256_finish(ctx, output); + return 0; +} + +static inline int mbedtls_sha256(const unsigned char *input, + size_t ilen, + unsigned char *output, + int is224) +{ + if (is224) + return -EOPNOTSUPP; + + sha256_csum_wd(input, ilen, output, CHUNKSZ_SHA256); + return 0; +} + +#endif /* sha256_alt.h */ diff --git a/lib/mbedtls/port/sha512_alt.h b/lib/mbedtls/port/sha512_alt.h new file mode 100644 index 00000000000..596f17ae4da --- /dev/null +++ b/lib/mbedtls/port/sha512_alt.h 
@@ -0,0 +1,78 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef SHA512_ALT_H +#define SHA512_ALT_H + +#include +#include + +typedef struct mbedtls_sha512_context { + sha512_context *ubctx; + bool is384; +} mbedtls_sha512_context; + +static inline void mbedtls_sha512_init(mbedtls_sha512_context *ctx) +{ +} + +static inline void mbedtls_sha512_free(mbedtls_sha512_context *ctx) +{ +} + +static inline void mbedtls_sha512_clone(mbedtls_sha512_context *dst, + const mbedtls_sha512_context *src) +{ + *dst = *src; +} + +static inline int mbedtls_sha512_starts(mbedtls_sha512_context *ctx, int is384) +{ + if (is384) + sha384_starts(ctx->ubctx); + else + sha512_starts(ctx->ubctx); + + ctx->is384 = is384; + return 0; +} + +static inline int mbedtls_sha512_update(mbedtls_sha512_context *ctx, + const unsigned char *input, + size_t ilen) +{ + if (ctx->is384) + sha384_update(ctx->ubctx, input, ilen); + else + sha512_update(ctx->ubctx, input, ilen); + + return 0; +} + +static inline int mbedtls_sha512_finish(mbedtls_sha512_context *ctx, + unsigned char *output) +{ + if (ctx->is384) + sha384_finish(ctx->ubctx, output); + else + sha512_finish(ctx->ubctx, output); + + return 0; +} + +static inline int mbedtls_sha512(const unsigned char *input, + size_t ilen, + unsigned char *output, + int is384) +{ + if (is384) + sha384_csum_wd(input, ilen, output, CHUNKSZ_SHA512); + else + sha512_csum_wd(input, ilen, output, CHUNKSZ_SHA512); + + return 0; +} + +#endif /* sha512_alt.h */ From patchwork Thu Oct 3 21:50:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992587 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org 
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Greg Malysa, Kever Yang, Kongyang Liu, Linus Walleij, Jonas Karlman, Sughosh Ganu
Subject: [PATCH v8 03/27] lib: Adapt digest header files to MbedTLS
Date: Thu, 3 Oct 2024 14:50:16 -0700
Message-Id: <20241003215112.3103601-4-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce _LEGACY kconfig for legacy hash implementations.
sha256.o should depend on SHA256 kconfig only but not
SUPPORT_EMMC_RPMB; SHA256 should be selected when SUPPORT_EMMC_RPMB
is enabled instead.

`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including causes undefined reference on schedule() with sandbox build,
as includes which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG`
but no schedule() are defined in sandbox build.
Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.

Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - Remove the changes that were done in previous clean-up patch set. Changes in v4 - Introduce _LEGACY kconfig for legacy hash implementations. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. Changes in v6 - Update commit message. - Rebased on next branch. Changes in v7 - Fixed the dependency between SUPPORT_EMMC_RPMB and SHA256. Changes in v8 - None drivers/mmc/Kconfig | 1 + include/u-boot/md5.h | 7 ++++ include/u-boot/sha1.h | 21 +++++++++- include/u-boot/sha256.h | 20 +++++++++ include/u-boot/sha512.h | 9 ++++ lib/Makefile | 11 ++--- lib/mbedtls/Kconfig | 91 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 154 insertions(+), 6 deletions(-) diff --git a/drivers/mmc/Kconfig b/drivers/mmc/Kconfig index 982e84dc3bc..5d7fd904950 100644 --- a/drivers/mmc/Kconfig +++ b/drivers/mmc/Kconfig @@ -119,6 +119,7 @@ config MMC_HW_PARTITIONING config SUPPORT_EMMC_RPMB bool "Support eMMC replay protected memory block (RPMB)" imply CMD_MMC_RPMB + select SHA256 help Enable support for reading, writing and programming the key for the Replay Protection Memory Block partition in eMMC. diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index c465925ea8d..69898fcbe49 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -6,10 +6,16 @@ #ifndef _MD5_H #define _MD5_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif #include "compiler.h" #define MD5_SUM_LEN 16 +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_md5_context MD5Context; +#else typedef struct MD5Context { __u32 buf[4]; __u32 bits[2]; @@ -18,6 +24,7 @@ typedef struct MD5Context { __u32 in32[16]; }; } MD5Context; +#endif void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index c1e9f67068d..ab88134fb98 100644 
--- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -16,6 +16,21 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + #ifdef __cplusplus extern "C" { #endif @@ -26,6 +41,9 @@ extern "C" { extern const uint8_t sha1_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha1_context sha1_context; +#else /** * \brief SHA-1 context structure */ @@ -36,13 +54,14 @@ typedef struct unsigned char buffer[64]; /*!< data block being processed */ } sha1_context; +#endif /** * \brief SHA-1 context setup * * \param ctx SHA-1 context to be initialized */ -void sha1_starts( sha1_context *ctx ); +void sha1_starts(sha1_context *ctx); /** * \brief SHA-1 process buffer diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index a4fe176c0b4..b58d5b58d39 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -3,6 +3,22 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + +#define SHA224_SUM_LEN 28 #define SHA256_SUM_LEN 32 #define SHA256_DER_LEN 19 
@@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha256_context sha256_context; +#else typedef struct { uint32_t total[2]; uint32_t state[8]; uint8_t buffer[64]; } sha256_context; +#endif void sha256_starts(sha256_context * ctx); void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h index 83c2119cd26..7e10f590a1d 100644 --- a/include/u-boot/sha512.h +++ b/include/u-boot/sha512.h @@ -3,6 +3,10 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif + #define SHA384_SUM_LEN 48 #define SHA384_DER_LEN 19 #define SHA512_SUM_LEN 64 @@ -12,11 +16,16 @@ #define CHUNKSZ_SHA384 (16 * 1024) #define CHUNKSZ_SHA512 (16 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha512_context sha384_context; +typedef mbedtls_sha512_context sha512_context; +#else typedef struct { uint64_t state[SHA512_SUM_LEN / 8]; uint64_t count[2]; uint8_t buf[SHA512_BLOCK_SIZE]; } sha512_context; +#endif extern const uint8_t sha512_der_prefix[]; diff --git a/lib/Makefile b/lib/Makefile index c4950b78a29..33755778283 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -50,7 +50,6 @@ obj-$(CONFIG_XXHASH) += xxhash.o obj-y += net_utils.o obj-$(CONFIG_PHYSMEM) += physmem.o obj-y += rc4.o -obj-$(CONFIG_SUPPORT_EMMC_RPMB) += sha256.o obj-$(CONFIG_RBTREE) += rbtree.o obj-$(CONFIG_BITREVERSE) += bitrev.o obj-y += list_sort.o 
@@ -71,14 +70,16 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o obj-y += crypto/ obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ -obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_BLAKE2) += blake2/blake2b.o -obj-$(CONFIG_$(SPL_)SHA1) += sha1.o -obj-$(CONFIG_$(SPL_)SHA256) += sha256.o -obj-$(CONFIG_$(SPL_)SHA512) += sha512.o + +obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o +obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o +obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o +obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o + obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 9d1a63c1ca6..8a7b3a30c04 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig 
@@ -20,9 +20,100 @@ if LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT config LEGACY_CRYPTO_BASIC bool "legacy basic crypto libraries" + select MD5_LEGACY if MD5 + select SHA1_LEGACY if SHA1 + select SHA256_LEGACY if SHA256 + select SHA512_LEGACY if SHA512 + select SHA384_LEGACY if SHA384 + select SPL_MD5_LEGACY if SPL_MD5 + select SPL_SHA1_LEGACY if SPL_SHA1 + select SPL_SHA256_LEGACY if SPL_SHA256 + select SPL_SHA512_LEGACY if SPL_SHA512 + select SPL_SHA384_LEGACY if SPL_SHA384 help Enable legacy basic crypto libraries. +if LEGACY_CRYPTO_BASIC + +config SHA1_LEGACY + bool "Enable SHA1 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA1 + help + This option enables support of hashing using SHA1 algorithm + with legacy crypto library. + +config SHA256_LEGACY + bool "Enable SHA256 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA256 + help + This option enables support of hashing using SHA256 algorithm + with legacy crypto library. + +config SHA512_LEGACY + bool "Enable SHA512 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA512 + default y if TI_SECURE_DEVICE && FIT_SIGNATURE + help + This option enables support of hashing using SHA512 algorithm + with legacy crypto library. + +config SHA384_LEGACY + bool "Enable SHA384 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SHA384 + select SHA512_LEGACY + help + This option enables support of hashing using SHA384 algorithm + with legacy crypto library. + +config MD5_LEGACY + bool "Enable MD5 support with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && MD5 + help + This option enables support of hashing using MD5 algorithm + with legacy crypto library. + +if SPL + +config SPL_SHA1_LEGACY + bool "Enable SHA1 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1 + help + This option enables support of hashing using SHA1 algorithm + with legacy crypto library. 
+ +config SPL_SHA256_LEGACY + bool "Enable SHA256 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256 + help + This option enables support of hashing using SHA256 algorithm + with legacy crypto library. + +config SPL_SHA512_LEGACY + bool "Enable SHA512 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512 + help + This option enables support of hashing using SHA512 algorithm + with legacy crypto library. + +config SPL_SHA384_LEGACY + bool "Enable SHA384 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384 + select SPL_SHA512_LEGACY + help + This option enables support of hashing using SHA384 algorithm + with legacy crypto library. + +config SPL_MD5_LEGACY + bool "Enable MD5 support in SPL with legacy crypto library" + depends on LEGACY_CRYPTO_BASIC && SPL_MD5 + help + This option enables support of hashing using MD5 algorithm + with legacy crypto library. + +endif # SPL + +endif # LEGACY_CRYPTO_BASIC + config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" help From patchwork Thu Oct 3 21:50:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992588 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=HwQA7fGZ; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher 
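Review bot: In include/u-boot/sha1.h the FIXME comment names "mbedtls_sha256_context" although the file and the glue it cites (sha1_ce_glue) are SHA-1; it looks copied from the sha256.h hunk and should say mbedtls_sha1_context. More importantly, MBEDTLS_ALLOW_PRIVATE_ACCESS is defined in sha1.h and sha256.h themselves, so every file that includes these headers gains access to the private context members, not only the armv8 CE glue the comment gives as the reason. Consider defining the macro only in the glue files ahead of their include of the header, so new code cannot start depending on MbedTLS internals.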
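Review bot: In include/u-boot/sha512.h the new sha384_context typedef exists only in the CONFIG_MBEDTLS_LIB_CRYPTO branch; the #else branch shown in this hunk still defines sha512_context alone. Code written against sha384_context would then build with MbedTLS and fail with the legacy library, so either add a matching typedef to the legacy branch or drop the new name from both.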
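Review bot: In lib/mbedtls/Kconfig every new *_LEGACY symbol sits inside "if LEGACY_CRYPTO_BASIC" and also says "depends on LEGACY_CRYPTO_BASIC && ...", so the first half of each depends line is redundant. Each symbol also carries a prompt although LEGACY_CRYPTO_BASIC selects it whenever the base hash is enabled, which leaves a menu entry the user cannot switch off; promptless bool symbols would match the intent. Separately, SHA384_LEGACY and SPL_SHA384_LEGACY select SHA512_LEGACY and SPL_SHA512_LEGACY, and select ignores the target's "depends on ... && SHA512", so please state whether SHA384 is guaranteed to imply SHA512. The SPL help texts are copies of the non-SPL ones and never mention SPL.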
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Michal Simek, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Leo Yu-Chi Liang, Sean Anderson, Sumit Garg, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Kongyang Liu, Oleksandr Suvorov, Jonas Karlman, Linus Walleij, Greg Malysa, Sughosh Ganu, Eddie James
Subject: [PATCH v8 04/27] md5: Remove md5 non-watchdog API
Date: Thu, 3 Oct 2024 14:50:17 -0700
Message-Id: <20241003215112.3103601-5-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

We don't need an API specially for non-watchdog since md5_wd supports
it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x10000 as default chunk size for MD5.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
Reviewed-by: Michal Simek
---
Changes in v3
- Initial patch.
Changes in v4
- Update commit message.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 board/friendlyarm/nanopi2/board.c | 3 ++-
 board/intel/edison/edison.c | 3 ++-
 board/xilinx/zynq/bootimg.c | 2 +-
 include/u-boot/md5.h | 7 +------
 lib/md5.c | 14 --------------
 5 files changed, 6 insertions(+), 23 deletions(-)

diff --git a/board/friendlyarm/nanopi2/board.c b/board/friendlyarm/nanopi2/board.c index b32dfc6b570..4dff32e10d6 100644 --- a/board/friendlyarm/nanopi2/board.c +++ b/board/friendlyarm/nanopi2/board.c @@ -264,7 +264,8 @@ static void make_ether_addr(u8 *addr) hash[6] = readl(PHY_BASEADDR_ECID + 0x08); hash[7] = readl(PHY_BASEADDR_ECID + 0x0c); - md5((unsigned char *)&hash[4], 64, (unsigned char *)hash); + md5_wd((unsigned char *)&hash[4], 64, (unsigned char *)hash, + MD5_DEF_CHUNK_SZ); hash[0] ^= hash[2]; hash[1] ^= hash[3]; diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c index 911ffda2fc7..27fda3fc1d2 100644 --- a/board/intel/edison/edison.c +++ b/board/intel/edison/edison.c @@ -32,7 +32,8 @@ static void assign_serial(void) if (!mmc) return; - md5((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn); + md5_wd((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn, + MD5_DEF_CHUNK_SZ); snprintf(usb0addr, sizeof(usb0addr), "02:00:86:%02x:%02x:%02x", ssn[13], ssn[14], ssn[15]); diff --git a/board/xilinx/zynq/bootimg.c b/board/xilinx/zynq/bootimg.c index 79bec3a4cfb..9eb0735f55d 100644 --- a/board/xilinx/zynq/bootimg.c +++ b/board/xilinx/zynq/bootimg.c @@ -135,7 +135,7 @@ int zynq_validate_partition(u32 start_addr, u32 len, u32 chksum_off) memcpy(&checksum[0], (u32 *)chksum_off, MD5_CHECKSUM_SIZE); - md5_wd((u8 *)start_addr, len, &calchecksum[0], 0x10000); + md5_wd((u8 *)start_addr, len, &calchecksum[0], MD5_DEF_CHUNK_SZ); if (!memcmp(checksum, calchecksum, MD5_CHECKSUM_SIZE)) return 0; diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index 69898fcbe49..c98b1a58088 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -12,6 +12,7 @@ #include "compiler.h" #define MD5_SUM_LEN 16 +#define MD5_DEF_CHUNK_SZ 0x10000 #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) typedef mbedtls_md5_context MD5Context; 
@@ -30,12 +31,6 @@ void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); void MD5Final(unsigned char digest[16], MD5Context *ctx); -/* - * Calculate and store in 'output' the MD5 digest of 'len' bytes at - * 'input'. 'output' must have enough space to hold 16 bytes. - */ -void md5 (unsigned char *input, int len, unsigned char output[16]); - /* * Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'. * 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the diff --git a/lib/md5.c b/lib/md5.c index 584463d55ca..2d8977b2e85 100644 --- a/lib/md5.c +++ b/lib/md5.c 
@@ -262,20 +262,6 @@ MD5Transform(__u32 buf[4], __u32 const in[16]) buf[3] += d; } -/* - * Calculate and store in 'output' the MD5 digest of 'len' bytes at - * 'input'. 'output' must have enough space to hold 16 bytes. - */ -void -md5 (unsigned char *input, int len, unsigned char output[16]) -{ - MD5Context context; - - MD5Init(&context); - MD5Update(&context, input, len); - MD5Final(output, &context); -} - /* * Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'. * 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the From patchwork Thu Oct 3 21:50:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992589 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=ooWjnZWN; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbsV1fMmz1xt7 for ; Fri, 4 Oct 2024 14:58:22 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 5B8C288FBB; Fri, 4 Oct 2024 06:57:23 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de 
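Review bot: MD5_DEF_CHUNK_SZ in include/u-boot/md5.h is added with no comment, and both its name and its notation (0x10000) differ from the existing CHUNKSZ_SHA256 (64 * 1024) in sha256.h, which is documented as the byte count between watchdog resets. Add the same one-line comment and consider a CHUNKSZ_MD5 style name so the digest headers stay uniform. With md5() gone, the md5_wd() comment kept as context in md5.h and lib/md5.c is the only description of the API, and it reads "If 'chunk' Trigger the", which is worth repairing in the same patch.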
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Leo Yu-Chi Liang, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Paul Barker, Marek Vasut, Oleksandr Suvorov, Greg Malysa, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Anand Moon
Subject: [PATCH v8 05/27] sha1: Remove sha1 non-watchdog API
Date: Thu, 3 Oct 2024 14:50:18 -0700
Message-Id: <20241003215112.3103601-6-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

We don't need an API specially for non-watchdog since sha1_csum_wd
supports it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x10000 as default chunk size for SHA1.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 board/gdsys/a38x/hre.c | 2 +-
 include/u-boot/sha1.h | 12 ++----------
 lib/sha1.c | 13 -------------
 lib/tpm-v1.c | 2 +-
 4 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c index f303793b63b..06856ea36d3 100644 --- a/board/gdsys/a38x/hre.c +++ b/board/gdsys/a38x/hre.c 
@@ -166,7 +166,7 @@ static int find_key(struct udevice *tpm, const uint8_t auth[20], return -1; if (err) continue; - sha1_csum(buf, buf_len, digest); + sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ); if (!memcmp(digest, pubkey_digest, 20)) { *handle = key_handles[i]; return 0; diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index ab88134fb98..36c3db15e22 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -39,6 +39,8 @@ extern "C" { #define SHA1_SUM_LEN 20 #define SHA1_DER_LEN 15 +#define SHA1_DEF_CHUNK_SZ 0x10000 + extern const uint8_t sha1_der_prefix[]; #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) @@ -81,16 +83,6 @@ void sha1_update(sha1_context *ctx, const unsigned char *input, */ void sha1_finish( sha1_context *ctx, unsigned char output[20] ); -/** - * \brief Output = SHA-1( input buffer ) - * - * \param input buffer holding the data - * \param ilen length of the input data - * \param output SHA-1 checksum result - */ -void sha1_csum(const unsigned char *input, unsigned int ilen, - unsigned char *output); - /** * \brief Output = SHA-1( input buffer ), with watchdog triggering * diff --git a/lib/sha1.c b/lib/sha1.c index 7ef536f4b5d..81412283b49 100644 --- a/lib/sha1.c +++ b/lib/sha1.c @@ -304,19 +304,6 @@ void sha1_finish (sha1_context * ctx, unsigned char output[20]) PUT_UINT32_BE (ctx->state[4], output, 16); } -/* - * Output = SHA-1( input buffer ) - */ -void sha1_csum(const unsigned char *input, unsigned int ilen, - unsigned char *output) -{ - sha1_context ctx; - - sha1_starts (&ctx); - sha1_update (&ctx, input, ilen); - sha1_finish (&ctx, output); -} - /* * Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz' * bytes of input processed. diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c index e66023da5e6..a6727c575fd 100644 --- a/lib/tpm-v1.c +++ b/lib/tpm-v1.c 
@@ -871,7 +871,7 @@ u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20], return -1; if (err) continue; - sha1_csum(buf, buf_len, digest); + sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ); if (!memcmp(digest, pubkey_digest, 20)) { *handle = key_handles[i]; return 0; From patchwork Thu Oct 3 21:50:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992590 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=TmlKMyoC; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbsh01fBz1xt7 for ; Fri, 4 Oct 2024 14:58:31 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B55FF88FD0; Fri, 4 Oct 2024 06:57:23 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="TmlKMyoC"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 84E9588C6D; Thu, 3 Oct 
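Review bot: In the lib/tpm-v1.c hunk, and identically in board/gdsys/a38x/hre.c, the converted call now takes a named constant while the comparison on the very next line still hard-codes the digest size as memcmp(digest, pubkey_digest, 20). SHA1_SUM_LEN is already defined in sha1.h right above the new SHA1_DEF_CHUNK_SZ; using it for the compare length in both files keeps the digest buffer size and the number of bytes compared tied to one definition.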
2024 23:54:42 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 0DDBB88CC5 for ; Thu, 3 Oct 2024 23:54:40 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=raymond.mao@linaro.org Received: by mail-qt1-x82a.google.com with SMTP id d75a77b69052e-45d8f76eca7so12033921cf.2 for ; Thu, 03 Oct 2024 14:54:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1727992479; x=1728597279; darn=lists.denx.de; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=HWiLl4nDFvUgPbRtwuRMWJhubzPUdhqV7Ki44H16J5E=; b=TmlKMyoCmRuEPqeJqLsTEYDmjUJvkT1sTFTqiPhQoR1wAujwpcFBNCMF5tQECZ1MA4 qjmIsVAKm9bWBll9XJ6VjXguL0tiZIXOfS6MC6bnKxT2WEDrSlT+4jix/4nkmlHyb8AT IUwxo2SKhYWOe6OUT4C79hwm45M8OOfOAuvwegSQJqNY6BUir4PYYosmvd+D4OoCQeIn 4v1rNa+5HjYs1jHUgZLnaa7hN0XNb8DT1Zo71B74hZMDfadRgRZlBA6pEe6waCzjlesc lJsvSKJIRfMdDVUa3/jwXpkpd7oOzI2VrD2fgYHAFo+MXcbLx/ZEcSSGEitjhYRDR5YU ddXA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727992479; x=1728597279; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HWiLl4nDFvUgPbRtwuRMWJhubzPUdhqV7Ki44H16J5E=; b=Z/nyOnzgtbE9qF7xBBIoJFZkJigGYM2RClVms/WtZ8Zpc+ZQL4ap/8x1/xUBqVLUuo 
vG6ucpmPISdmlTpg7ymMhAMM2On9+jGZ0WrkJAo7ZpNodjLvqT+Jb6t1mTjajSO7zBH2 +4JtNy4b/4a5Q02Kb6XmWSx1atRoKsgnrZJfgVq1JZS8qiVVoGlTrmd+HndRCQk/xR8y +s5mwpfp9ttFNRvO+pwjogHbL36DRsFvhaYA1LwWJgXxzH56hvl4DpBZPIWq09Jz242y KRtreRi9CgmvDgFvPwaX8vj8b4knxQChLUElzLrruT2J8qnNvPN/I7NRXxjgdkcfV6ON 4QVQ== X-Gm-Message-State: AOJu0Yy0puZKHnIGLvboo8zWP57sBtKJqh+S9SNQdn8+zeThXVD2LeV4 C0T6sBwnHvAQJCpfwStNOUkTuyU9KENWbkHJBmzCBmCxBTBzDUC5MaF8dvkLimeLTDxbBX214v1 w X-Google-Smtp-Source: AGHT+IGEtXtoNNz5XBGloyhUZ7Y+tjtMIUY/7m4+S951QtyffU02rOzBXCrfBkqNqkAkzhF+b32WCA== X-Received: by 2002:a05:622a:148c:b0:458:4ac7:866b with SMTP id d75a77b69052e-45d9bb20777mr7218241cf.45.1727992478597; Thu, 03 Oct 2024 14:54:38 -0700 (PDT) Received: from ubuntu.localdomain (pool-174-114-184-37.cpe.net.cable.rogers.com. [174.114.184.37]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45d92ddf5c4sm9001541cf.18.2024.10.03.14.54.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Oct 2024 14:54:37 -0700 (PDT) 
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Ilias Apalodimas, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Kongyang Liu, Jonas Karlman, Greg Malysa, Sughosh Ganu, Vincent Stehlé, Anand Moon
Subject: [PATCH v8 06/27] mbedtls: add digest shim layer for MbedTLS
Date: Thu, 3 Oct 2024 14:50:19 -0700
Message-Id: <20241003215112.3103601-7-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Implement digest shim layer on top of MbedTLS crypto library. Introduce _MBEDTLS kconfig for MbedTLS crypto implementations.

Signed-off-by: Raymond Mao --- Changes in v2 - Split the shim layer into separated files and use the original head files instead of creating new ones. Changes in v3 - Refactored sha1_hmac and removed non-watchdog md5 function. Changes in v4 - Refactored hash _wd functions. - Introduce _MBEDTLS kconfig for MbedTLS crypto implementations. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None include/u-boot/sha1.h | 4 ++ lib/mbedtls/Kconfig | 90 +++++++++++++++++++++++++++++++++++++++ lib/mbedtls/Makefile | 14 ++++-- lib/mbedtls/md5.c | 57 +++++++++++++++++++++++++ lib/mbedtls/sha1.c | 99 +++++++++++++++++++++++++++++++++++++++++++ lib/mbedtls/sha256.c | 62 +++++++++++++++++++++++++++ lib/mbedtls/sha512.c | 93 ++++++++++++++++++++++++++++++++++++++++ 7 files changed, 415 insertions(+), 4 deletions(-) create mode 100644 lib/mbedtls/md5.c create mode 100644 lib/mbedtls/sha1.c create mode 100644 lib/mbedtls/sha256.c create mode 100644 lib/mbedtls/sha512.c diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index 36c3db15e22..2fca7f1be16 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -41,6 +41,10 @@ extern "C" { #define SHA1_DEF_CHUNK_SZ 0x10000 +#define K_IPAD_VAL 0x36 +#define K_OPAD_VAL 0x5C +#define K_PAD_LEN 64 + extern const uint8_t sha1_der_prefix[]; #if defined(CONFIG_MBEDTLS_LIB_CRYPTO) diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 8a7b3a30c04..262abb2cec7 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig 
@@ -134,10 +134,100 @@ config MBEDTLS_LIB_CRYPTO_ALT config MBEDTLS_LIB_CRYPTO bool "MbedTLS crypto libraries" + select MD5_MBEDTLS if MD5 + select SHA1_MBEDTLS if SHA1 + select SHA256_MBEDTLS if SHA256 + select SHA512_MBEDTLS if SHA512 + select SHA384_MBEDTLS if SHA384 + select SPL_MD5_MBEDTLS if SPL_MD5 + select SPL_SHA1_MBEDTLS if SPL_SHA1 + select SPL_SHA256_MBEDTLS if SPL_SHA256 + select SPL_SHA512_MBEDTLS if SPL_SHA512 + select SPL_SHA384_MBEDTLS if SPL_SHA384 help Enable MbedTLS crypto libraries. Mutually incompatible with MBEDTLS_LIB_CRYPTO_ALT. +if MBEDTLS_LIB_CRYPTO + +config SHA1_MBEDTLS + bool "Enable SHA1 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA1 + help + This option enables support of hashing using SHA1 algorithm + with MbedTLS crypto library. + +config SHA256_MBEDTLS + bool "Enable SHA256 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA256 + help + This option enables support of hashing using SHA256 algorithm + with MbedTLS crypto library. + +config SHA512_MBEDTLS + bool "Enable SHA512 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA512 + default y if TI_SECURE_DEVICE && FIT_SIGNATURE + help + This option enables support of hashing using SHA512 algorithm + with MbedTLS crypto library. + +config SHA384_MBEDTLS + bool "Enable SHA384 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SHA384 + select SHA512_MBEDTLS + help + This option enables support of hashing using SHA384 algorithm + with MbedTLS crypto library. + +config MD5_MBEDTLS + bool "Enable MD5 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && MD5 + help + This option enables support of hashing using MD5 algorithm + with MbedTLS crypto library. 
+ +if SPL + +config SPL_SHA1_MBEDTLS + bool "Enable SHA1 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA1 + help + This option enables support of hashing using SHA1 algorithm + with MbedTLS crypto library. + +config SPL_SHA256_MBEDTLS + bool "Enable SHA256 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA256 + help + This option enables support of hashing using SHA256 algorithm + with MbedTLS crypto library. + +config SPL_SHA512_MBEDTLS + bool "Enable SHA512 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA512 + help + This option enables support of hashing using SHA512 algorithm + with MbedTLS crypto library. + +config SPL_SHA384_MBEDTLS + bool "Enable SHA384 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_SHA384 + select SPL_SHA512 + help + This option enables support of hashing using SHA384 algorithm + with MbedTLS crypto library. + +config SPL_MD5_MBEDTLS + bool "Enable MD5 support in SPL with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO && SPL_MD5 + help + This option enables support of hashing using MD5 algorithm + with MbedTLS crypto library. + +endif # SPL + +endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 0b6d6ca808f..eeb28ec1557 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -5,17 +5,23 @@ MBEDTLS_LIB_DIR = external/mbedtls/library +# shim layer for hash +obj-$(CONFIG_$(SPL_)MD5_MBEDTLS) += md5.o +obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o +obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o +obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o + # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y := \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \ $(MBEDTLS_LIB_DIR)/md.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5) += $(MBEDTLS_LIB_DIR)/md5.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1) += $(MBEDTLS_LIB_DIR)/sha1.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256) += \ +mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/sha256.o -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512) += \ +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/sha512.o # MbedTLS X509 library diff --git a/lib/mbedtls/md5.c b/lib/mbedtls/md5.c new file mode 100644 index 00000000000..04388fce249 --- /dev/null +++ b/lib/mbedtls/md5.c 
@@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#include "compiler.h" + +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include + +void MD5Init(MD5Context *ctx) +{ + mbedtls_md5_init(ctx); + mbedtls_md5_starts(ctx); +} + +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len) +{ + mbedtls_md5_update(ctx, buf, len); +} + +void MD5Final(unsigned char digest[16], MD5Context *ctx) +{ + mbedtls_md5_finish(ctx, digest); + mbedtls_md5_free(ctx); +} + +void md5_wd(const unsigned char *input, unsigned int len, + unsigned char output[16], unsigned int chunk_sz) +{ + MD5Context context; + + MD5Init(&context); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + len; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + MD5Update(&context, curr, chunk); + curr += chunk; + schedule(); + } + } else { + MD5Update(&context, input, len); + } + + MD5Final(output, &context); +} diff --git a/lib/mbedtls/sha1.c b/lib/mbedtls/sha1.c new file mode 100644 index 00000000000..2aee5037795 --- /dev/null +++ b/lib/mbedtls/sha1.c 
@@ -0,0 +1,99 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include +#include + +const u8 sha1_der_prefix[SHA1_DER_LEN] = { + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, + 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 +}; + +void sha1_starts(sha1_context *ctx) +{ + mbedtls_sha1_init(ctx); + mbedtls_sha1_starts(ctx); +} + +void sha1_update(sha1_context *ctx, const unsigned char *input, + unsigned int length) +{ + mbedtls_sha1_update(ctx, input, length); +} + +void sha1_finish(sha1_context *ctx, unsigned char output[SHA1_SUM_LEN]) +{ + mbedtls_sha1_finish(ctx, output); + mbedtls_sha1_free(ctx); +} + +void sha1_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha1_context ctx; + + sha1_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha1_update(&ctx, curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha1_update(&ctx, input, ilen); + } + + sha1_finish(&ctx, output); +} + +void sha1_hmac(const unsigned char *key, int keylen, + const unsigned char *input, unsigned int ilen, + unsigned char *output) +{ + int i; + sha1_context ctx; + unsigned char k_ipad[K_PAD_LEN]; + unsigned char k_opad[K_PAD_LEN]; + unsigned char tmpbuf[20]; + + if (keylen > K_PAD_LEN) + return; + + memset(k_ipad, K_IPAD_VAL, sizeof(k_ipad)); + memset(k_opad, K_OPAD_VAL, sizeof(k_opad)); + + for (i = 0; i < keylen; i++) { + k_ipad[i] ^= key[i]; + k_opad[i] ^= key[i]; + } + + sha1_starts(&ctx); + sha1_update(&ctx, k_ipad, sizeof(k_ipad)); + sha1_update(&ctx, input, ilen); + sha1_finish(&ctx, tmpbuf); + + sha1_starts(&ctx); + sha1_update(&ctx, 
k_opad, sizeof(k_opad)); + sha1_update(&ctx, tmpbuf, sizeof(tmpbuf)); + sha1_finish(&ctx, output); + + memset(k_ipad, 0, sizeof(k_ipad)); + memset(k_opad, 0, sizeof(k_opad)); + memset(tmpbuf, 0, sizeof(tmpbuf)); + memset(&ctx, 0, sizeof(sha1_context)); +} diff --git a/lib/mbedtls/sha256.c b/lib/mbedtls/sha256.c new file mode 100644 index 00000000000..24aa58fa674 --- /dev/null +++ b/lib/mbedtls/sha256.c @@ -0,0 +1,62 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include + +const u8 sha256_der_prefix[SHA256_DER_LEN] = { + 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, + 0x00, 0x04, 0x20 +}; + +void sha256_starts(sha256_context *ctx) +{ + mbedtls_sha256_init(ctx); + mbedtls_sha256_starts(ctx, 0); +} + +void +sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha256_update(ctx, input, length); +} + +void sha256_finish(sha256_context *ctx, uint8_t digest[SHA256_SUM_LEN]) +{ + mbedtls_sha256_finish(ctx, digest); + mbedtls_sha256_free(ctx); +} + +void sha256_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha256_context ctx; + + sha256_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha256_update(&ctx, curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha256_update(&ctx, input, ilen); + } + + sha256_finish(&ctx, output); +} diff --git a/lib/mbedtls/sha512.c b/lib/mbedtls/sha512.c new file mode 100644 index 00000000000..5615248cb91 --- /dev/null +++ b/lib/mbedtls/sha512.c 
@@ -0,0 +1,93 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Hash shim layer on MbedTLS Crypto library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ +#ifndef USE_HOSTCC +#include +#endif /* USE_HOSTCC */ +#include +#include + +const u8 sha384_der_prefix[SHA384_DER_LEN] = { + 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, + 0x00, 0x04, 0x30 +}; + +const u8 sha512_der_prefix[SHA512_DER_LEN] = { + 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, + 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, + 0x00, 0x04, 0x40 +}; + +void sha384_starts(sha512_context *ctx) +{ + mbedtls_sha512_init(ctx); + mbedtls_sha512_starts(ctx, 1); +} + +void +sha384_update(sha512_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha512_update(ctx, input, length); +} + +void sha384_finish(sha512_context *ctx, uint8_t digest[SHA384_SUM_LEN]) +{ + mbedtls_sha512_finish(ctx, digest); + mbedtls_sha512_free(ctx); +} + +void sha384_csum_wd(const unsigned char *input, unsigned int length, + unsigned char *output, unsigned int chunk_sz) +{ + mbedtls_sha512(input, length, output, 1); +} + +void sha512_starts(sha512_context *ctx) +{ + mbedtls_sha512_init(ctx); + mbedtls_sha512_starts(ctx, 0); +} + +void +sha512_update(sha512_context *ctx, const uint8_t *input, uint32_t length) +{ + mbedtls_sha512_update(ctx, input, length); +} + +void sha512_finish(sha512_context *ctx, uint8_t digest[SHA512_SUM_LEN]) +{ + mbedtls_sha512_finish(ctx, digest); + mbedtls_sha512_free(ctx); +} + +void sha512_csum_wd(const unsigned char *input, unsigned int ilen, + unsigned char *output, unsigned int chunk_sz) +{ + sha512_context ctx; + + sha512_starts(&ctx); + + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG)) { + const unsigned char *curr = input; + const unsigned char *end = input + ilen; + int chunk; + + while (curr < end) { + chunk = end - curr; + if (chunk > chunk_sz) + chunk = chunk_sz; + sha512_update(&ctx, 
curr, chunk); + curr += chunk; + schedule(); + } + } else { + sha512_update(&ctx, input, ilen); + } + + sha512_finish(&ctx, output); +}
From patchwork Thu Oct 3 21:50:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992591 X-Patchwork-Delegate: trini@ti.com
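Review bot: In lib/mbedtls/sha1.c (patch 06/27), sha1_hmac() returns silently when keylen > K_PAD_LEN, so the caller's output buffer is never written and, because the function is void, the caller cannot tell that no HMAC was computed. HMAC defines this case: a key longer than the 64-byte block is first hashed with SHA-1 and the 20-byte digest is used as the key. Either implement that or make the failure visible to the caller (at minimum, zero the output). A negative keylen also passes the check and produces an HMAC over an empty key, so the parameter should be validated or made unsigned. The memset() calls that clear k_ipad, k_opad, tmpbuf and ctx at the end are dead stores the compiler may remove; mbedtls_platform_zeroize() from platform_util.o, which the Makefile in this patch already links, is intended for this.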
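Review bot: In lib/mbedtls/sha512.c (patch 06/27), sha384_csum_wd() ignores chunk_sz and calls the one-shot mbedtls_sha512(input, length, output, 1), so unlike sha512_csum_wd(), sha256_csum_wd(), sha1_csum_wd() and md5_wd() in this patch it never calls schedule(). With CONFIG_HW_WATCHDOG or CONFIG_WATCHDOG enabled, a SHA384 digest over a large image can run past the watchdog timeout. Use the same chunked loop as sha512_csum_wd() with sha384_starts(), sha384_update() and sha384_finish().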
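Review bot: In the watchdog loop of md5_wd() in lib/mbedtls/md5.c (patch 06/27; the same loop is repeated in sha1_csum_wd(), sha256_csum_wd() and sha512_csum_wd()), chunk is a signed int compared against the unsigned chunk_sz, and a chunk_sz of 0 clamps chunk to 0, so curr never advances and the loop spins forever. Declare chunk as unsigned int and treat chunk_sz == 0 as "hash in one call". Because the loop is identical in four files, a shared helper would keep the copies from diverging. The int results of the mbedtls_*_starts(), mbedtls_*_update() and mbedtls_*_finish() calls are dropped throughout the shim; if the void API has to stay, say so in a comment so the choice is documented.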
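Review bot: In lib/mbedtls/Kconfig (patch 06/27), SPL_SHA384_MBEDTLS selects SPL_SHA512 while the non-SPL SHA384_MBEDTLS selects SHA512_MBEDTLS. The sha384_* functions live in sha512.o, which the Makefile builds only for CONFIG_$(SPL_)SHA512_MBEDTLS, so the SPL entry should select SPL_SHA512_MBEDTLS to match; as written it depends on MBEDTLS_LIB_CRYPTO's "select SPL_SHA512_MBEDTLS if SPL_SHA512" to close the gap. The "depends on MBEDTLS_LIB_CRYPTO" on every entry is redundant inside "if MBEDTLS_LIB_CRYPTO", and the help texts of the SPL options are copies of the non-SPL ones and do not mention SPL.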
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Ilias Apalodimas, Heinrich Schuchardt, Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Oleksandr Suvorov, Linus Walleij, Jonas Karlman, Greg Malysa, Kongyang Liu, Sughosh Ganu, Eddie James
Subject: [PATCH v8 07/27] mbedtls: Enable smaller implementation for SHA256/512
Date: Thu, 3 Oct 2024 14:50:20 -0700
Message-Id: <20241003215112.3103601-8-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Smaller implementation for SHA256 and SHA512 helps to reduce the ROM footprint though it has a certain impact on performance. As a trade-off, enabling it as a default config when MbedTLS is enabled can reduce the target size significantly with acceptable performance loss.

Signed-off-by: Raymond Mao
---
Changes in v6
- Initial patch
Changes in v7
- Fixed the config dependencies.
Changes in v8
- None

 lib/mbedtls/Kconfig | 24 ++++++++++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 6 ++++++
 2 files changed, 30 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 262abb2cec7..8e3a94c6f2b 100644 --- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig @@ -164,6 +164,18 @@ config SHA256_MBEDTLS This option enables support of hashing using SHA256 algorithm with MbedTLS crypto library. +if SHA256_MBEDTLS + +config SHA256_SMALLER + bool "Enable SHA256 smaller implementation with MbedTLS crypto library" + depends on SHA256_MBEDTLS + default y if SHA256_MBEDTLS + help + This option enables support of hashing using SHA256 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA512_MBEDTLS bool "Enable SHA512 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA512 @@ -172,6 +184,18 @@ config SHA512_MBEDTLS This option enables support of hashing using SHA512 algorithm with MbedTLS crypto library. +if SHA512_MBEDTLS + +config SHA512_SMALLER + bool "Enable SHA512 smaller implementation with MbedTLS crypto library" + depends on SHA512_MBEDTLS + default y if SHA512_MBEDTLS + help + This option enables support of hashing using SHA512 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA384_MBEDTLS bool "Enable SHA384 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA384 diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index 6fba053bd7c..1af911c2003 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -35,6 +35,9 @@ #if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT #define MBEDTLS_SHA256_ALT #endif +#if CONFIG_IS_ENABLED(SHA256_SMALLER) +#define MBEDTLS_SHA256_SMALLER +#endif #endif #if CONFIG_IS_ENABLED(SHA384) 
@@ -48,6 +51,9 @@ #if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT #define MBEDTLS_SHA512_ALT #endif +#if CONFIG_IS_ENABLED(SHA512_SMALLER) +#define MBEDTLS_SHA512_SMALLER +#endif #endif #if defined CONFIG_MBEDTLS_LIB_X509
From patchwork Thu Oct 3 21:50:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992592 X-Patchwork-Delegate: trini@ti.com
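Review bot: The new "#if CONFIG_IS_ENABLED(SHA256_SMALLER)" and "#if CONFIG_IS_ENABLED(SHA512_SMALLER)" tests in lib/mbedtls/mbedtls_def_config.h (patch 07/27) resolve to CONFIG_SPL_SHA256_SMALLER and CONFIG_SPL_SHA512_SMALLER in an SPL build, and this patch adds only the non-SPL symbols. SPL, usually the most size-constrained stage, therefore still gets the larger implementation. Add SPL_SHA256_SMALLER and SPL_SHA512_SMALLER next to the SPL_*_MBEDTLS options introduced in patch 06/27, or test the plain CONFIG_ symbols if one setting is meant to cover both stages.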
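Review bot: In both new entries in lib/mbedtls/Kconfig (patch 07/27) the same condition is stated three times: the "if SHA256_MBEDTLS" wrapper, "depends on SHA256_MBEDTLS" and "default y if SHA256_MBEDTLS" (likewise for SHA512). Keep the "depends on" with a plain "default y" and drop the if/endif pair. The help text should carry the trade-off from the commit message (smaller code, slower hashing) so that someone tuning boot time knows this is the option to turn off, and SHA512_SMALLER should mention that it also affects SHA384, which the shim implements through the SHA512 code.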
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Paul Barker, Marek Vasut, Linus Walleij, Greg Malysa, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Vincent Stehlé, Eddie James
Subject: [PATCH v8 08/27] mbedtls/external: support Microsoft Authentication Code
Date: Thu, 3 Oct 2024 14:50:21 -0700
Message-Id: <20241003215112.3103601-9-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Populate Microsoft Authentication Code from the content data into PKCS7 decoding context if it exists in a PKCS7 message. Add OIDs for describing objects used for Microsoft Authentication Code.

The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None .../external/mbedtls/include/mbedtls/oid.h | 30 ++++++++++ .../external/mbedtls/include/mbedtls/pkcs7.h | 10 ++++ lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++++++++++++++---- 3 files changed, 90 insertions(+), 10 deletions(-) diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index fdc25ebf885..2ee982808fa 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h 
@@ -352,6 +352,36 @@ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE "\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5} */ #define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE "\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */ +/* + * MicroSoft Authenticate Code OIDs + */ +#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET "\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) */ +#define MBEDTLS_OID_MICROSOFT "\x82\x37" /* {microsoft(311)} */ +/* + * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 4(4)} + */ +#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x04" +/* + * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 11(11)} + */ +#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 12(12)} + */ +#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0b" +/* + * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15) + * {iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) microsoft(311) 2(2) 1(1) 15(15)} + */ +#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_MICROSOFT \ + "\x02\x01\x0f" + /* * EC key algorithms from RFC 5480 */ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index e9b482208e6..9e29b74af70 100644 
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h @@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data { } mbedtls_pkcs7_signed_data; +/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot */ +typedef struct mbedtls_pkcs7_conten_data { + int data_type; /* Type of Data */ + size_t data_len; /* Length of Data */ + size_t data_hdrlen; /* Length of Data ASN.1 header */ + void *data; /* Content Data */ +} +mbedtls_pkcs7_conten_data; + /** * Structure holding PKCS #7 structure, only signed data for now */ typedef struct mbedtls_pkcs7 { mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw); mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data); + mbedtls_pkcs7_conten_data content_data; } mbedtls_pkcs7; diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 3aac662ba69..0c2436b56b7 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -29,6 +29,13 @@ #include #endif +enum OID { + /* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)} */ + MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */ + /* Microsoft Authenticode & Software Publishing */ + MBEDTLS_OID_MS_INDIRECTDATA = 24, /* 1.3.6.1.4.1.311.2.1.4 */ +}; + /** * Initializes the mbedtls_pkcs7 structure. */ @@ -449,7 +456,7 @@ cleanup: * signerInfos SignerInfos } */ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, - mbedtls_pkcs7_signed_data *signed_data) + mbedtls_pkcs7 *pkcs7) { unsigned char *p = buf; unsigned char *end = buf + buflen; @@ -457,6 +464,7 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, size_t len = 0; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_md_type_t md_alg; + mbedtls_pkcs7_signed_data *signed_data = &pkcs7->signed_data; ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 
@@ -493,25 +501,57 @@ static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen, if (ret != 0) { return ret; } - if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + + /* + * We should only support 1.2.840.113549.1.7.1 (PKCS7 DATA) and + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code) that is for + * U-Boot Secure Boot + */ + if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_DATA; + } else if (!MBEDTLS_OID_CMP(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, + &content_type)) { + pkcs7->content_data.data_type = MBEDTLS_OID_MS_INDIRECTDATA; + } else { return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO; } if (p != end_content_info) { + unsigned char *tmp_p = p; + /* Determine if valid content is present */ ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_CONTEXT_SPECIFIC); + if (ret != 0 || p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); + } + + /* + * U-Boot Secure Boot needs to calculate the digest of MicroSoft + * Authentication Code during verifying an EFI image. + * Thus we need to save the context of Content Data. 
+ */ + pkcs7->content_data.data_hdrlen = p - tmp_p; + /* Parse the content data from a sequence */ + ret = mbedtls_asn1_get_tag(&p, end_content_info, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); + /* TODO: Other Content Data formats are not supported at the moment */ + return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; + } else if (p + len != end_content_info) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, + ret); } + + pkcs7->content_data.data = p; + pkcs7->content_data.data_len = len; + p += len; - if (p != end_content_info) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret); - } - /* Valid content is present - this is not supported */ - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; } /* Look for certificates, there may or may not be any */ 
@@ -624,7 +664,7 @@ int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf, } try_data: - ret = pkcs7_get_signed_data(p, len, &pkcs7->signed_data); + ret = pkcs7_get_signed_data(p, len, pkcs7); if (ret != 0) { goto out; }
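Review bot: in the oid.h hunk, MBEDTLS_OID_MICROSOFT_SPOPUSINFO ends in "\x02\x01\x0b", the same bytes as MBEDTLS_OID_MICROSOFT_STATETYPE, although its comment gives 1.3.6.1.4.1.311.2.1.12; the last byte should be "\x0c", otherwise a comparison against SpOpusInfo matches the statement-type OID instead. The comment on MBEDTLS_OID_PRIVATE_ENTERPRISE is also missing its closing brace.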
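Review bot: in the pkcs7.h hunk, the new type is spelled mbedtls_pkcs7_conten_data (missing "t"), and once merged that typo is public API; rename it to mbedtls_pkcs7_content_data before it lands. The content_data member is also the only field of mbedtls_pkcs7 left outside MBEDTLS_PRIVATE(), and the comment on data should say that it points into the buffer being parsed (pkcs7.c assigns it from p) rather than owning a copy, so callers know how long it stays valid.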
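Review bot: enum OID at the top of pkcs7.c supplies the values stored in data_type (MBEDTLS_OID_DATA = 13, MBEDTLS_OID_MS_INDIRECTDATA = 24), but data_type is exposed through the public struct in pkcs7.h while the enum stays private to this file, so a caller cannot interpret the field without copying the numbers. Move the enum into the header under a pkcs7-specific name and say where 13 and 24 come from; the MBEDTLS_OID_ prefix also reads like the string OID macros in oid.h, which makes the integer constants easy to confuse with them.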
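Review bot: in the @@ -493,25 +501,57 @@ hunk of pkcs7_get_signed_data(), data_hdrlen is computed as p - tmp_p right after the [0] wrapper tag is read, but data and data_len are set after the following SEQUENCE tag, so the stored header length does not describe the header that sits directly in front of data; record the SEQUENCE header length instead, or state in pkcs7.h which header is meant. The second mbedtls_asn1_get_tag() call also maps every failure to MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE, which reports truncated or malformed content as merely unsupported; return that code only for MBEDTLS_ERR_ASN1_UNEXPECTED_TAG and use MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO for the rest.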
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Nathan Barrett-Morrison, Greg Malysa, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Anand Moon
Subject: [PATCH v8 09/27] mbedtls/external: support PKCS9 Authenticate Attributes
Date: Thu, 3 Oct 2024 14:50:22 -0700
Message-Id: <20241003215112.3103601-10-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Populate PKCS9 Authenticate Attributes from signer info if it exists
in a PKCS7 message.
Add OIDs for describing objects used for Authenticate Attributes.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.
Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None .../external/mbedtls/include/mbedtls/oid.h | 5 +++++ .../external/mbedtls/include/mbedtls/pkcs7.h | 11 +++++++++++ lib/mbedtls/external/mbedtls/library/pkcs7.c | 19 ++++++++++++++++++- 3 files changed, 34 insertions(+), 1 deletion(-) diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h index 2ee982808fa..43cef99f1e3 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h @@ -238,6 +238,11 @@ #define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D" #define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**< emailAddress AttributeType ::= { pkcs-9 1 } */ +#define MBEDTLS_OID_PKCS9_CONTENTTYPE MBEDTLS_OID_PKCS9 "\x03" /**< contentType AttributeType ::= { pkcs-9 3 } */ +#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**< messageDigest AttributeType ::= { pkcs-9 4 } */ +#define MBEDTLS_OID_PKCS9_SIGNINGTIME MBEDTLS_OID_PKCS9 "\x05" /**< signingTime AttributeType ::= { pkcs-9 5 } */ +#define MBEDTLS_OID_PKCS9_SMIMECAP MBEDTLS_OID_PKCS9 "\x0f" /**< smimeCapabilites AttributeType ::= { pkcs-9 15 } */ +#define MBEDTLS_OID_PKCS9_SMIMEAA MBEDTLS_OID_PKCS9 "\x10\x02\x0b" /**< smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */ /* RFC 4055 */ #define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**< id-RSASSA-PSS ::= { pkcs-1 10 } */ diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h index 9e29b74af70..a88a5e858fc 100644 --- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h +++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h 
@@ -102,6 +102,16 @@ typedef enum { } mbedtls_pkcs7_type; +/* + * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot + * Secure Boot + */ +typedef struct mbedtls_pkcs7_authattrs { + size_t data_len; + void *data; +} +mbedtls_pkcs7_authattrs; + /** * Structure holding PKCS #7 signer info */ @@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info { mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier); mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier); mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + mbedtls_pkcs7_authattrs authattrs; struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next); } mbedtls_pkcs7_signer_info; diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index 0c2436b56b7..da73fb341d6 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, unsigned char *end_signer, *end_issuer_and_sn; int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; + unsigned char *tmp_p; asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 
@@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end, goto out; } - /* Assume authenticatedAttributes is nonexistent */ + /* Save authenticatedAttributes if present */ + if (*p < end_signer && + **p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0)) { + tmp_p = *p; + + ret = mbedtls_asn1_get_tag(p, end_signer, &len, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED | 0); + if (ret != 0) { + goto out; + } + + signer->authattrs.data = tmp_p; + signer->authattrs.data_len = len + *p - tmp_p; + *p += len; + } + ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier); if (ret != 0) { goto out;
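Review bot: in the oid.h hunk, MBEDTLS_OID_PKCS9_SMIMEAA carries the same doc comment as MBEDTLS_OID_PKCS9_SMIMECAP ("smimeCapabilites AttributeType") even though it encodes { pkcs-9 16 2 11 }; give it the name of the attribute that arc identifies, and fix the "smimeCapabilites" spelling in both comments.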
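Review bot: mbedtls_pkcs7_authattrs in pkcs7.h needs a comment saying what data covers: pkcs7_get_signer_info() stores tmp_p, so data begins at the [0] tag byte and data_len includes the tag and length octets, and the pointer refers to the parsed buffer rather than a copy. The new authattrs member is also left outside MBEDTLS_PRIVATE(), unlike the neighbouring fields of mbedtls_pkcs7_signer_info.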
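Review bot: in the @@ -349,7 +350,23 @@ hunk, the parser goes from assuming authenticatedAttributes is absent to accepting and storing it, yet this is the only functional change to pkcs7.c in the patch, so nothing here inspects the attributes. When they are present the signature covers the attribute set and the messageDigest attribute has to match the content digest, so a verify routine that still checks the signature against the content hash alone will not handle these messages correctly; state in the commit message and in pkcs7.h that verification with authattrs is left to the caller, or make the library's verify path refuse signerInfos that carry them. The explicit **p tag test followed by mbedtls_asn1_get_tag() with the same tag checks it twice; the get_tag call alone, with MBEDTLS_ERR_ASN1_UNEXPECTED_TAG treated as "absent", would do.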
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Ilias Apalodimas, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Sumit Garg, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Greg Malysa, Linus Walleij, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Anand Moon, Eddie James
Subject: [PATCH v8 10/27] mbedtls/external: support decoding multiple signer's cert
Date: Thu, 3 Oct 2024 14:50:23 -0700
Message-Id: <20241003215112.3103601-11-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Support decoding multiple signer's cert in the signed data within
a PKCS7 message.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/external/mbedtls/library/pkcs7.c | 75 ++++++++++++-------- 1 file changed, 47 insertions(+), 28 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c b/lib/mbedtls/external/mbedtls/library/pkcs7.c index da73fb341d6..01105227d7a 100644 --- a/lib/mbedtls/external/mbedtls/library/pkcs7.c +++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c @@ -61,6 +61,36 @@ static int pkcs7_get_next_content_len(unsigned char **p, unsigned char *end, return ret; } +/** + * Get and decode one cert from a sequence. + * Return 0 for success, + * Return negative error code for failure. + **/ +static int pkcs7_get_one_cert(unsigned char **p, unsigned char *end, + mbedtls_x509_crt *certs) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t len = 0; + unsigned char *start = *p; + unsigned char *end_cert; + + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED + | MBEDTLS_ASN1_SEQUENCE); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + } + + end_cert = *p + len; + + if ((ret = mbedtls_x509_crt_parse_der(certs, start, end_cert - start)) < 0) { + return MBEDTLS_ERR_PKCS7_INVALID_CERT; + } + + *p = end_cert; + + return 0; +} + /** * version Version * Version ::= INTEGER @@ -178,11 +208,12 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, mbedtls_x509_crt *certs) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t len1 = 0; - size_t len2 = 0; - unsigned char *end_set, *end_cert, *start; + size_t len = 0; + unsigned char *end_set; + int num_of_certs = 0; - ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED + /* Get the set of certs */ + ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC); if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) { return 0; 
@@ -190,38 +221,26 @@ static int pkcs7_get_certificates(unsigned char **p, unsigned char *end, if (ret != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret); } - start = *p; - end_set = *p + len1; + end_set = *p + len; - ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED - | MBEDTLS_ASN1_SEQUENCE); + ret = pkcs7_get_one_cert(p, end_set, certs); if (ret != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret); + return ret; } - end_cert = *p + len2; + num_of_certs++; - /* - * This is to verify that there is only one signer certificate. It seems it is - * not easy to differentiate between the chain vs different signer's certificate. - * So, we support only the root certificate and the single signer. - * The behaviour would be improved with addition of multiple signer support. - */ - if (end_cert != end_set) { - return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE; - } - - if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) { - return MBEDTLS_ERR_PKCS7_INVALID_CERT; + while (*p != end_set) { + ret = pkcs7_get_one_cert(p, end_set, certs); + if (ret != 0) { + return ret; + } + num_of_certs++; } - *p = end_cert; + *p = end_set; - /* - * Since in this version we strictly support single certificate, and reaching - * here implies we have parsed successfully, we return 1. 
- */ - return 1; + return num_of_certs; } /**
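Review bot: in pkcs7_get_certificates(), the while (*p != end_set) loop appends every certificate in the set to certs with no upper bound, so the amount of parsing and allocation is decided entirely by the input; for a parser that runs in the EFI loader, cap num_of_certs and return MBEDTLS_ERR_PKCS7_INVALID_CERT beyond the cap. The concern in the removed comment also stays open: chain certificates and different signers' certificates still land in one list with nothing recording which is which, so the verify side has to match each signerInfo to its certificate by issuer and serial number rather than by position. The first pkcs7_get_one_cert() call and the loop can be folded into a single do/while.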
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Linus Walleij, Neil Armstrong, Oleksandr Suvorov, Jonas Karlman, Greg Malysa, Kongyang Liu, Sughosh Ganu
Subject: [PATCH v8 11/27] mbedtls/external: update MbedTLS PKCS7 test suites
Date: Thu, 3 Oct 2024 14:50:24 -0700
Message-Id: <20241003215112.3103601-12-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Update the PKCS7 test suites for multiple certs.

The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001

For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged
into the next MbedTLS LTS release.

Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None .../external/mbedtls/tests/suites/test_suite_pkcs7.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data index d3b83cdf0aa..2dd1c56109f 100644 --- a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data +++ b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data 
@@ -14,9 +14,9 @@ PKCS7 Signed Data Parse with zero signers depends_on:MBEDTLS_MD_CAN_SHA256 pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA -PKCS7 Signed Data Parse Fail with multiple certs #4 +PKCS7 Signed Data Parse Pass with multiple certs #4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with corrupted cert #5.0 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
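Review bot: In the "#4" case of test_suite_pkcs7.data the expected result flips from MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE to MBEDTLS_PKCS7_SIGNED_DATA, so the only thing now asserted for pkcs7_data_multiple_certs_signed.der is that parsing succeeds. Nothing in this hunk checks what happens to the additional certificates afterwards, and no verify case for a multi-cert message is added next to the parse case. Since EFI loader PKCS7 verification is the stated consumer, consider adding a verification test for this file, and name in the commit message the parser change this data update depends on, because this patch touches only the .data file and the suite would fail if it were applied without that change.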
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Ian Roberts, Jonas Karlman, Oleksandr Suvorov, Linus Walleij, Greg Malysa, Kongyang Liu, Sughosh Ganu, Eddie James
Subject: [PATCH v8 12/27] public_key: move common functions to public key helper
Date: Thu, 3 Oct 2024 14:50:25 -0700
Message-Id: <20241003215112.3103601-13-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Move public_key_free and public_key_signature_free as helper
functions that can be shared by legacy crypto lib and MbedTLS
implementation.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 lib/crypto/Makefile            |  4 +++-
 lib/crypto/public_key.c        | 31 ---------------------------
 lib/crypto/public_key_helper.c | 39 ++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 32 deletions(-)
 create mode 100644 lib/crypto/public_key_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index bec1bc95a65..4ad1849040d 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,7 +7,9 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ + public_key_helper.o \ + public_key.o # # RSA public key parser diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c index 6efe951c057..408742907f1 100644 --- a/lib/crypto/public_key.c +++ b/lib/crypto/public_key.c @@ -51,38 +51,7 @@ static void public_key_describe(const struct key *asymmetric_key, } #endif -/* - * Destroy a public key algorithm key. - */ -void public_key_free(struct public_key *key) -{ - if (key) { - kfree(key->key); - kfree(key->params); - kfree(key); - } -} -EXPORT_SYMBOL_GPL(public_key_free); - #ifdef __UBOOT__ -/* - * from /crypto/asymmetric_keys/signature.c - * - * Destroy a public key signature. - */ -void public_key_signature_free(struct public_key_signature *sig) -{ - int i; - - if (sig) { - for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++) - free(sig->auth_ids[i]); - free(sig->s); - free(sig->digest); - free(sig); - } -} -EXPORT_SYMBOL_GPL(public_key_signature_free); /** * public_key_verify_signature - Verify a signature using a public key. diff --git a/lib/crypto/public_key_helper.c b/lib/crypto/public_key_helper.c new file mode 100644 index 00000000000..2c55922bdcb --- /dev/null +++ b/lib/crypto/public_key_helper.c 
@@ -0,0 +1,39 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 helper functions + * + * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ +#include +#include + +/* + * Destroy a public key algorithm key. + */ +void public_key_free(struct public_key *key) +{ + if (key) { + kfree(key->key); + kfree(key->params); + kfree(key); + } +} + +/* + * from /crypto/asymmetric_keys/signature.c + * + * Destroy a public key signature. + */ +void public_key_signature_free(struct public_key_signature *sig) +{ + int i; + + if (sig) { + for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++) + kfree(sig->auth_ids[i]); + kfree(sig->s); + kfree(sig->digest); + kfree(sig); + } +}
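Review bot: public_key_signature_free() in the new lib/crypto/public_key_helper.c is not a straight move: the copy removed from public_key.c released sig->auth_ids[i], sig->s, sig->digest and sig with free(), while the added one uses kfree() for all four. Please confirm that every allocation site for these fields, in both the legacy and the MbedTLS paths, pairs with kfree(), and say so in the commit message, since an allocator change in a free routine should not hide inside a "move". Two smaller points in the same file: the header comment reads "X509 helper functions" although the file holds public key helpers, and the removed copy of public_key_signature_free() sat under "#ifdef __UBOOT__" while the new one is unconditional, which also deserves a word in the log.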
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Oleksandr Suvorov, Linus Walleij, Jonas Karlman, Kongyang Liu, Greg Malysa, Sughosh Ganu, Caleb Connolly
Subject: [PATCH v8 13/27] x509: move common functions to x509 helper
Date: Thu, 3 Oct 2024 14:50:26 -0700
Message-Id: <20241003215112.3103601-14-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Move x509_check_for_self_signed as a common helper function
that can be shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 lib/crypto/Makefile          |  1 +
 lib/crypto/x509_helper.c     | 64 ++++++++++++++++++++++++++++++++++++
 lib/crypto/x509_public_key.c | 56 +------------------------------
 3 files changed, 66 insertions(+), 55 deletions(-)
 create mode 100644 lib/crypto/x509_helper.c

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 4ad1849040d..946cc3a7b59 100644
--- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -37,6 +37,7 @@ x509_key_parser-y := \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ + x509_helper.o \ x509_public_key.o $(obj)/x509_cert_parser.o: \ diff --git a/lib/crypto/x509_helper.c b/lib/crypto/x509_helper.c new file mode 100644 index 00000000000..87e8ff67ae1 --- /dev/null +++ b/lib/crypto/x509_helper.c @@ -0,0 +1,64 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 helper functions + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ +#include +#include +#include + +/* + * Check for self-signedness in an X.509 cert and if found, check the signature + * immediately if we can. + */ +int x509_check_for_self_signed(struct x509_certificate *cert) +{ + int ret = 0; + + if (cert->raw_subject_size != cert->raw_issuer_size || + memcmp(cert->raw_subject, cert->raw_issuer, + cert->raw_issuer_size)) + goto not_self_signed; + + if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) { + /* + * If the AKID is present it may have one or two parts. If + * both are supplied, both must match. + */ + bool a = asymmetric_key_id_same(cert->skid, + cert->sig->auth_ids[1]); + bool b = asymmetric_key_id_same(cert->id, + cert->sig->auth_ids[0]); + + if (!a && !b) + goto not_self_signed; + + ret = -EKEYREJECTED; + if (((a && !b) || (b && !a)) && + cert->sig->auth_ids[0] && cert->sig->auth_ids[1]) + goto out; + } + + ret = -EKEYREJECTED; + if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo)) + goto out; + + ret = public_key_verify_signature(cert->pub, cert->sig); + if (ret == -ENOPKG) { + cert->unsupported_sig = true; + goto not_self_signed; + } + if (ret < 0) + goto out; + + pr_devel("Cert Self-signature verified"); + cert->self_signed = true; + +out: + return ret; + +not_self_signed: + return 0; +} diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index a10145a7cdc..4ba13c1adc3 100644 --- a/lib/crypto/x509_public_key.c 
+++ b/lib/crypto/x509_public_key.c 
@@ -139,61 +139,7 @@ error: return ret; } -/* - * Check for self-signedness in an X.509 cert and if found, check the signature - * immediately if we can. - */ -int x509_check_for_self_signed(struct x509_certificate *cert) -{ - int ret = 0; - - pr_devel("==>%s()\n", __func__); - - if (cert->raw_subject_size != cert->raw_issuer_size || - memcmp(cert->raw_subject, cert->raw_issuer, - cert->raw_issuer_size) != 0) - goto not_self_signed; - - if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) { - /* If the AKID is present it may have one or two parts. If - * both are supplied, both must match. - */ - bool a = asymmetric_key_id_same(cert->skid, cert->sig->auth_ids[1]); - bool b = asymmetric_key_id_same(cert->id, cert->sig->auth_ids[0]); - - if (!a && !b) - goto not_self_signed; - - ret = -EKEYREJECTED; - if (((a && !b) || (b && !a)) && - cert->sig->auth_ids[0] && cert->sig->auth_ids[1]) - goto out; - } - - ret = -EKEYREJECTED; - if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0) - goto out; - - ret = public_key_verify_signature(cert->pub, cert->sig); - if (ret < 0) { - if (ret == -ENOPKG) { - cert->unsupported_sig = true; - ret = 0; - } - goto out; - } - - pr_devel("Cert Self-signature verified"); - cert->self_signed = true; - -out: - pr_devel("<==%s() = %d\n", __func__, ret); - return ret; - -not_self_signed: - pr_devel("<==%s() = 0 [not]\n", __func__); - return 0; -} +#endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */ #ifndef __UBOOT__ /*
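Review bot: The only line this patch adds to lib/crypto/x509_public_key.c is "#endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */", and the diffstat shows a single insertion for that file, so no matching "#if" is introduced here. Unless the opening conditional already exists in the tree at this point, the file is left with an unbalanced #endif and the series does not build at this commit, which breaks bisection. Move the #endif into the patch that adds the corresponding #if, or add both in this one.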
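Review bot: x509_check_for_self_signed() as added in lib/crypto/x509_helper.c differs from the copy removed from x509_public_key.c: the -ENOPKG branch now jumps to not_self_signed instead of setting ret = 0 and going to out, the "!= 0" comparisons on memcmp() and strcmp() are dropped, and the entry and exit pr_devel() traces are gone. The return values look equivalent (0 with cert->unsupported_sig set and cert->self_signed left unset), but this function decides whether a certificate is treated as self-signed, so either move it unchanged or list the rewrites in the commit message so they can be checked. It would also help to document that the function reports success for a verified self-signature, for a certificate that is not self-signed and for an unsupported signature algorithm alike, so callers must test cert->self_signed and cert->unsupported_sig rather than the return value alone.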
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Jonas Karlman, Greg Malysa, Kongyang Liu, Sughosh Ganu, Anand Moon, Vincent Stehlé
Subject: [PATCH v8 14/27] pkcs7: move common functions to PKCS7 helper
Date: Thu, 3 Oct 2024 14:50:27 -0700
Message-Id: <20241003215112.3103601-15-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Move pkcs7_get_content_data as a helper function that can be
shared by legacy crypto lib and MbedTLS implementation.

Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v4 - Initial patch. Changes in v5 - Remove authorship. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/crypto/Makefile | 1 + lib/crypto/pkcs7_helper.c | 37 +++++++++++++++++++++++++++++++++++++ lib/crypto/pkcs7_parser.c | 28 ---------------------------- 3 files changed, 38 insertions(+), 28 deletions(-) create mode 100644 lib/crypto/pkcs7_helper.c diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 946cc3a7b59..16059088f26 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -53,6 +53,7 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o pkcs7_message-y := \ pkcs7.asn1.o \ + pkcs7_helper.o \ pkcs7_parser.o obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o diff --git a/lib/crypto/pkcs7_helper.c b/lib/crypto/pkcs7_helper.c new file mode 100644 index 00000000000..bb3b9d1354f --- /dev/null +++ b/lib/crypto/pkcs7_helper.c 
@@ -0,0 +1,37 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * PKCS7 helper functions + * + * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + */ +#include +#include +#include + +/** + * pkcs7_get_content_data - Get access to the PKCS#7 content + * @pkcs7: The preparsed PKCS#7 message to access + * @_data: Place to return a pointer to the data + * @_data_len: Place to return the data length + * @_headerlen: Size of ASN.1 header not included in _data + * + * Get access to the data content of the PKCS#7 message. The size of the + * header of the ASN.1 object that contains it is also provided and can be used + * to adjust *_data and *_data_len to get the entire object. + * + * Returns -ENODATA if the data object was missing from the message. + */ +int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, + const void **_data, size_t *_data_len, + size_t *_headerlen) +{ + if (!pkcs7->data) + return -ENODATA; + + *_data = pkcs7->data; + *_data_len = pkcs7->data_len; + if (_headerlen) + *_headerlen = pkcs7->data_hdrlen; + return 0; +} diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c index d5efa828d6a..c849dc0d92d 100644 --- a/lib/crypto/pkcs7_parser.c +++ b/lib/crypto/pkcs7_parser.c 
@@ -182,34 +182,6 @@ out_no_ctx: } EXPORT_SYMBOL_GPL(pkcs7_parse_message); -/** - * pkcs7_get_content_data - Get access to the PKCS#7 content - * @pkcs7: The preparsed PKCS#7 message to access - * @_data: Place to return a pointer to the data - * @_data_len: Place to return the data length - * @_headerlen: Size of ASN.1 header not included in _data - * - * Get access to the data content of the PKCS#7 message. The size of the - * header of the ASN.1 object that contains it is also provided and can be used - * to adjust *_data and *_data_len to get the entire object. - * - * Returns -ENODATA if the data object was missing from the message. - */ -int pkcs7_get_content_data(const struct pkcs7_message *pkcs7, - const void **_data, size_t *_data_len, - size_t *_headerlen) -{ - if (!pkcs7->data) - return -ENODATA; - - *_data = pkcs7->data; - *_data_len = pkcs7->data_len; - if (_headerlen) - *_headerlen = pkcs7->data_hdrlen; - return 0; -} -EXPORT_SYMBOL_GPL(pkcs7_get_content_data); - /* * Note an OID when we find one for later processing when we know how * to interpret it. 
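Review bot: pkcs7_get_content_data() in the new lib/crypto/pkcs7_helper.c treats only _headerlen as optional: it reads pkcs7->data and stores through _data and _data_len without any NULL check, and the kernel-doc does not say which arguments may be NULL. Now that the function is shared by the legacy parser and the MbedTLS implementation, state in the comment that pkcs7, _data and _data_len must be non-NULL, and that data, data_len and data_hdrlen must be filled in consistently by whichever parser built the message, since the comment invites callers to adjust *_data and *_data_len by the header length to get the entire object.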
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Neil Armstrong, Leo Yu-Chi Liang, Jonas Karlman, Greg Malysa, Kongyang Liu, Sughosh Ganu, Anand Moon, Caleb Connolly
Subject: [PATCH v8 15/27] mbedtls: add public key porting layer
Date: Thu, 3 Oct 2024 14:50:28 -0700
Message-Id: <20241003215112.3103601-16-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Add porting layer for public key on top of MbedTLS X509 library. Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and MbedTLS implementations respectively. - Move common functions to helper. Changes in v5 - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. - Adjust a few inline comments. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/Kconfig | 52 +++++++++++++++++++++++++ lib/mbedtls/Makefile | 6 ++- lib/mbedtls/public_key.c | 82 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/public_key.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 8e3a94c6f2b..e81d14505ff 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -116,9 +116,35 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help Enable legacy certificate libraries. +if LEGACY_CRYPTO_CERT + +config ASYMMETRIC_PUBLIC_KEY_LEGACY + bool "Asymmetric public key crypto with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + bool "Asymmetric public key crypto with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses legacy certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # LEGACY_CRYPTO_CERT + endif # LEGACY_CRYPTO if MBEDTLS_LIB 
@@ -255,7 +281,33 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ + ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ + SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help Enable MbedTLS certificate libraries. +if MBEDTLS_LIB_X509 + +config ASYMMETRIC_PUBLIC_KEY_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm. + +if SPL + +config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + help + This option chooses MbedTLS certificate library for asymmetric public + key crypto algorithm in SPL. + +endif # SPL + +endif # MBEDTLS_LIB_X509 + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index eeb28ec1557..d3f566d0c91 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -11,6 +11,10 @@ obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o +# x509 libraries +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ + public_key.o + # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y := \ @@ -36,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pk.o \ $(MBEDTLS_LIB_DIR)/pk_wrap.o \ $(MBEDTLS_LIB_DIR)/pkparse.o 
diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c new file mode 100644 index 00000000000..5f73b99d4f2 --- /dev/null +++ b/lib/mbedtls/public_key.c 
@@ -0,0 +1,82 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Public key helper functions using MbedTLS X509 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include + +int public_key_verify_signature(const struct public_key *pkey, + const struct public_key_signature *sig) +{ + mbedtls_md_type_t mb_hash_algo; + mbedtls_pk_context pk_ctx; + int ret; + + if (!pkey || !sig || pkey->key_is_private) + return -EINVAL; + + /* + * ECRDSA (Elliptic Curve Russian Digital Signature Algorithm) is not + * supported by MbedTLS. + */ + if (strcmp(pkey->pkey_algo, "rsa")) { + pr_err("Encryption is not RSA: %s\n", sig->pkey_algo); + return -EINVAL; + } + + /* + * Can be pkcs1 or raw, but pkcs1 is expected. + * This is just for argument checking, not necessarily passed to MbedTLS, + * For RSA signatures, MbedTLS typically supports the PKCS#1 v1.5 + * (aka. pkcs1) encoding by default. + * The library internally handles the details of decoding and verifying + * the signature according to the expected encoding for the specified algorithm. 
+ */ + if (strcmp(sig->encoding, "pkcs1")) { + pr_err("Encoding %s is not supported, only supports pkcs1\n", + sig->encoding); + return -EINVAL; + } + + if (!strcmp(sig->hash_algo, "sha1")) + mb_hash_algo = MBEDTLS_MD_SHA1; + else if (!strcmp(sig->hash_algo, "sha224")) + mb_hash_algo = MBEDTLS_MD_SHA224; + else if (!strcmp(sig->hash_algo, "sha256")) + mb_hash_algo = MBEDTLS_MD_SHA256; + else if (!strcmp(sig->hash_algo, "sha384")) + mb_hash_algo = MBEDTLS_MD_SHA384; + else if (!strcmp(sig->hash_algo, "sha512")) + mb_hash_algo = MBEDTLS_MD_SHA512; + else /* Unknown or unsupported hash algorithm */ + return -EINVAL; + /* Initialize the mbedtls_pk_context with RSA key type */ + mbedtls_pk_init(&pk_ctx); + + /* Parse the DER-encoded public key */ + ret = mbedtls_pk_parse_public_key(&pk_ctx, pkey->key, pkey->keylen); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto err_key; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk_ctx) != MBEDTLS_PK_RSA) { + pr_err("Only RSA keys are supported\n"); + ret = -EKEYREJECTED; + goto err_key; + } + + /* Verify the hash */ + ret = mbedtls_pk_verify(&pk_ctx, mb_hash_algo, sig->digest, + sig->digest_size, sig->s, sig->s_size); + +err_key: + mbedtls_pk_free(&pk_ctx); + return ret; +} From patchwork Thu Oct 3 21:50:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992600 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=JqH2rOLt; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; 
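Review bot: In the lib/mbedtls/Kconfig hunks, ASYMMETRIC_PUBLIC_KEY_LEGACY and ASYMMETRIC_PUBLIC_KEY_MBEDTLS (and their SPL_ variants) are given a prompt, yet LEGACY_CRYPTO_CERT and MBEDTLS_LIB_X509 select them under the same ASYMMETRIC_PUBLIC_KEY_SUBTYPE condition they depend on, so the prompt can never be switched off once it is visible. Making them promptless bools would say that directly. The "depends on LEGACY_CRYPTO_CERT" and "depends on MBEDTLS_LIB_X509" terms also repeat the enclosing "if" blocks and can be dropped.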
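Review bot: In public_key_verify_signature() the RSA check tests pkey->pkey_algo but the pr_err() prints sig->pkey_algo, and pkey->pkey_algo, sig->encoding and sig->hash_algo all go to strcmp() without a NULL check, so a key or signature with an unset algorithm string faults here instead of returning -EINVAL. Suggest testing each pointer first and printing the field that was actually compared. Separately, a parse failure is mapped to -EINVAL but the mbedtls_pk_verify() result is returned raw, so callers see an errno on one path and an MbedTLS error code on the other; mapping a verify failure to an errno such as -EKEYREJECTED (already used a few lines above) and logging the MbedTLS code would keep the return contract consistent.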
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Jonas Karlman, Kongyang Liu, Greg Malysa, Oleksandr Suvorov, Sughosh Ganu
Subject: [PATCH v8 16/27] lib/crypto: Adapt public_key header with MbedTLS
Date: Thu, 3 Oct 2024 14:50:29 -0700
Message-Id: <20241003215112.3103601-17-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

The previous patch introduced the MbedTLS porting layer for public key; this one adjusts the header and makefiles accordingly.
Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - Correct header file include directories. - Kconfig rename. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None include/crypto/public_key.h | 6 ++++++ lib/crypto/Makefile | 5 ++--- lib/crypto/asymmetric_type.c | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fcc348..25cfb68adce 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #else #include #endif diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 16059088f26..7e877214aa8 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,9 +7,8 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ - public_key_helper.o \ - public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15ef97..95b82cd8e84 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include #include #endif -#include #ifdef __UBOOT__ #include #include 
@@ -26,6 +25,7 @@ #include #include #endif +#include #ifdef __UBOOT__ #include #else From patchwork Thu Oct 3 21:50:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992601 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=QN8KLt/A; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbw01PdSz1xv1 for ; Fri, 4 Oct 2024 15:00:32 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 3671D890C5; Fri, 4 Oct 2024 06:57:29 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="QN8KLt/A"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id A684288CC5; Fri, 4 Oct 2024 00:00:34 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, 
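Review bot: In include/crypto/public_key.h the new includes are guarded by CONFIG_IS_ENABLED(MBEDTLS_LIB_X509), which in an SPL build tests the SPL_-prefixed symbol, while the Kconfig changes shown in this series add SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS but no SPL_MBEDTLS_LIB_X509. Please confirm that symbol exists, or guard on CONFIG_IS_ENABLED(ASYMMETRIC_PUBLIC_KEY_MBEDTLS), which is also the option that decides whether lib/mbedtls/public_key.o is built.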
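Review bot: In lib/crypto/Makefile, public_key.o is now built only for ASYMMETRIC_PUBLIC_KEY_LEGACY while public_key_helper.o still follows ASYMMETRIC_PUBLIC_KEY_SUBTYPE, so a configuration with SUBTYPE set but neither the _LEGACY nor the _MBEDTLS option selected gets the helper and no public_key.o from either directory. Nothing in the hunks here rules that combination out; a Kconfig dependency that forces exactly one implementation whenever SUBTYPE is enabled would turn it into a clear configuration error rather than a link failure.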
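Review bot: The two lib/crypto/asymmetric_type.c hunks move one #include from above the first "#ifdef __UBOOT__" block to below the following "#endif", but the commit message only mentions the header and makefiles. Please state in the message why the include order has to change, so the reordering is not undone later as cleanup.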
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Ilias Apalodimas, Heinrich Schuchardt, Sumit Garg, Leo Yu-Chi Liang, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Neil Armstrong, Oleksandr Suvorov, Greg Malysa, Kongyang Liu, Jonas Karlman, Sughosh Ganu, Caleb Connolly
Subject: [PATCH v8 17/27] mbedtls: add X509 cert parser porting layer
Date: Thu, 3 Oct 2024 14:50:30 -0700
Message-Id: <20241003215112.3103601-18-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Add porting layer for X509 cert parser on top of MbedTLS X509 library. Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy and MbedTLS implementations respectively. - Move common functions to helper. Changes in v5 - Kconfig rename. - Adjust a few inline comments. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/Kconfig | 18 ++ lib/mbedtls/Makefile | 4 +- lib/mbedtls/x509_cert_parser.c | 447 +++++++++++++++++++++++++++++++++ 3 files changed, 468 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/x509_cert_parser.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index e81d14505ff..abdafd04e89 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -118,6 +118,7 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help @@ -132,6 +133,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config X509_CERTIFICATE_PARSER_LEGACY + bool "X.509 certificate parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for X509 certificate + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -283,6 +292,7 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help 
@@ -297,6 +307,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config X509_CERTIFICATE_PARSER_MBEDTLS + bool "X.509 certificate parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for X509 certificate + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index d3f566d0c91..29653323279 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -14,6 +14,8 @@ obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o # x509 libraries obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ public_key.o +obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ + x509_cert_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o @@ -44,7 +46,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pk.o \ $(MBEDTLS_LIB_DIR)/pk_wrap.o \ $(MBEDTLS_LIB_DIR)/pkparse.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crl.o \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c new file mode 100644 index 00000000000..cb42018695c --- /dev/null +++ b/lib/mbedtls/x509_cert_parser.c 
@@ -0,0 +1,447 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * X509 cert parser using MbedTLS X509 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include + +static void x509_free_mbedtls_ctx(struct x509_cert_mbedtls_ctx *ctx) +{ + if (!ctx) + return; + + kfree(ctx->tbs); + kfree(ctx->raw_serial); + kfree(ctx->raw_issuer); + kfree(ctx->raw_subject); + kfree(ctx->raw_skid); + kfree(ctx); +} + +static int x509_set_cert_flags(struct x509_certificate *cert) +{ + struct public_key_signature *sig = cert->sig; + + if (!sig || !cert->pub) { + pr_err("Signature or public key is not initialized\n"); + return -ENOPKG; + } + + if (!cert->pub->pkey_algo) + cert->unsupported_key = true; + + if (!sig->pkey_algo) + cert->unsupported_sig = true; + + if (!sig->hash_algo) + cert->unsupported_sig = true; + + /* TODO: is_hash_blacklisted()? */ + + /* Detect self-signed certificates and set self_signed flag */ + return x509_check_for_self_signed(cert); +} + +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time) +{ + unsigned int year, mon, day, hour, min, sec; + + /* Adjust for year since 1900 */ + year = x509_time->year - 1900; + /* Adjust for 0-based month */ + mon = x509_time->mon - 1; + day = x509_time->day; + hour = x509_time->hour; + min = x509_time->min; + sec = x509_time->sec; + + return (time64_t)mktime64(year, mon, day, hour, min, sec); +} + +static char *x509_populate_dn_name_string(const mbedtls_x509_name *name) +{ + size_t len = 256; + size_t wb; + char *name_str; + + do { + name_str = kzalloc(len, GFP_KERNEL); + if (!name_str) + return NULL; + + wb = mbedtls_x509_dn_gets(name_str, len, name); + if (wb < 0) { + pr_err("Get DN string failed, ret:-0x%04x\n", + (unsigned int)-wb); + kfree(name_str); + len = len * 2; /* Try with a bigger buffer */ + } + } while (wb < 0); + + name_str[wb] = '\0'; /* add the terminator */ + + return name_str; +} + +static int x509_populate_signature_params(const mbedtls_x509_crt 
*cert, + struct public_key_signature **sig) +{ + struct public_key_signature *s; + struct image_region region; + size_t akid_len; + unsigned char *akid_data; + int ret; + + /* Check if signed data exist */ + if (!cert->tbs.p || !cert->tbs.len) + return -EINVAL; + + region.data = cert->tbs.p; + region.size = cert->tbs.len; + + s = kzalloc(sizeof(*s), GFP_KERNEL); + if (!s) + return -ENOMEM; + + /* + * Get the public key algorithm. + * Note: + * ECRDSA (Elliptic Curve Russian Digital Signature Algorithm) is not + * supported by MbedTLS. + */ + switch (cert->sig_pk) { + case MBEDTLS_PK_RSA: + s->pkey_algo = "rsa"; + break; + default: + ret = -EINVAL; + goto error_sig; + } + + /* Get the hash algorithm */ + switch (cert->sig_md) { + case MBEDTLS_MD_SHA1: + s->hash_algo = "sha1"; + s->digest_size = SHA1_SUM_LEN; + break; + case MBEDTLS_MD_SHA256: + s->hash_algo = "sha256"; + s->digest_size = SHA256_SUM_LEN; + break; + case MBEDTLS_MD_SHA384: + s->hash_algo = "sha384"; + s->digest_size = SHA384_SUM_LEN; + break; + case MBEDTLS_MD_SHA512: + s->hash_algo = "sha512"; + s->digest_size = SHA512_SUM_LEN; + break; + /* Unsupported algo */ + case MBEDTLS_MD_MD5: + case MBEDTLS_MD_SHA224: + default: + ret = -EINVAL; + goto error_sig; + } + + /* + * Optional attributes: + * auth_ids holds AuthorityKeyIdentifier (information of issuer), + * aka akid, which is used to match with a cert's id or skid to + * indicate that is the issuer when we lookup a cert chain. + * + * auth_ids[0]: + * [PKCS#7 or CMS ver 1] - generated from "Issuer + Serial number" + * [CMS ver 3] - generated from skid (subjectKeyId) + * auth_ids[1]: generated from skid (subjectKeyId) + * + * Assume that we are using PKCS#7 (msg->version=1), + * not CMS ver 3 (msg->version=3). 
+ */ + akid_len = cert->authority_key_id.authorityCertSerialNumber.len; + akid_data = cert->authority_key_id.authorityCertSerialNumber.p; + + /* Check if serial number exists */ + if (akid_len && akid_data) { + s->auth_ids[0] = asymmetric_key_generate_id(akid_data, + akid_len, + cert->issuer_raw.p, + cert->issuer_raw.len); + if (!s->auth_ids[0]) { + ret = -ENOMEM; + goto error_sig; + } + } + + akid_len = cert->authority_key_id.keyIdentifier.len; + akid_data = cert->authority_key_id.keyIdentifier.p; + + /* Check if subjectKeyId exists */ + if (akid_len && akid_data) { + s->auth_ids[1] = asymmetric_key_generate_id(akid_data, + akid_len, + "", 0); + if (!s->auth_ids[1]) { + ret = -ENOMEM; + goto error_sig; + } + } + + /* + * Encoding can be pkcs1 or raw, but only pkcs1 is supported. + * Set the encoding explicitly to pkcs1. + */ + s->encoding = "pkcs1"; + + /* Copy the signature data */ + s->s = kmemdup(cert->sig.p, cert->sig.len, GFP_KERNEL); + if (!s->s) { + ret = -ENOMEM; + goto error_sig; + } + s->s_size = cert->sig.len; + + /* Calculate the digest of signed data (tbs) */ + s->digest = kzalloc(s->digest_size, GFP_KERNEL); + if (!s->digest) { + ret = -ENOMEM; + goto error_sig; + } + + ret = hash_calculate(s->hash_algo, ®ion, 1, s->digest); + if (!ret) + *sig = s; + + return ret; + +error_sig: + public_key_signature_free(s); + return ret; +} + +static int x509_save_mbedtls_ctx(const mbedtls_x509_crt *cert, + struct x509_cert_mbedtls_ctx **pctx) +{ + struct x509_cert_mbedtls_ctx *ctx; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (!ctx) + return -ENOMEM; + + /* Signed data (tbs - The part that is To Be Signed)*/ + ctx->tbs = kmemdup(cert->tbs.p, cert->tbs.len, + GFP_KERNEL); + if (!ctx->tbs) + goto error_ctx; + + /* Raw serial number */ + ctx->raw_serial = kmemdup(cert->serial.p, + cert->serial.len, GFP_KERNEL); + if (!ctx->raw_serial) + goto error_ctx; + + /* Raw issuer */ + ctx->raw_issuer = kmemdup(cert->issuer_raw.p, + cert->issuer_raw.len, GFP_KERNEL); + if 
(!ctx->raw_issuer) + goto error_ctx; + + /* Raw subject */ + ctx->raw_subject = kmemdup(cert->subject_raw.p, + cert->subject_raw.len, GFP_KERNEL); + if (!ctx->raw_subject) + goto error_ctx; + + /* Raw subjectKeyId */ + ctx->raw_skid = kmemdup(cert->subject_key_id.p, + cert->subject_key_id.len, GFP_KERNEL); + if (!ctx->raw_skid) + goto error_ctx; + + *pctx = ctx; + + return 0; + +error_ctx: + x509_free_mbedtls_ctx(ctx); + return -ENOMEM; +} + +/* + * Free an X.509 certificate + */ +void x509_free_certificate(struct x509_certificate *cert) +{ + if (cert) { + public_key_free(cert->pub); + public_key_signature_free(cert->sig); + kfree(cert->issuer); + kfree(cert->subject); + kfree(cert->id); + kfree(cert->skid); + x509_free_mbedtls_ctx(cert->mbedtls_ctx); + kfree(cert); + } +} + +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key) +{ + struct public_key *pk; + + pk = kzalloc(sizeof(*pk), GFP_KERNEL); + if (!pk) + return -ENOMEM; + + pk->key = kzalloc(cert->pk_raw.len, GFP_KERNEL); + if (!pk->key) { + kfree(pk); + return -ENOMEM; + } + memcpy(pk->key, cert->pk_raw.p, cert->pk_raw.len); + pk->keylen = cert->pk_raw.len; + + /* + * For ECC keys, params field might include information about the curve used, + * the generator point, or other algorithm-specific parameters. + * For RSA keys, it's common for the params field to be NULL. + * FIXME: Assume that we just support RSA keys with id_type X509. 
+ */ + pk->params = NULL; + pk->paramlen = 0; + + pk->key_is_private = false; + pk->id_type = "X509"; + pk->pkey_algo = "rsa"; + pk->algo = OID_rsaEncryption; + + *pub_key = pk; + + return 0; +} + +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, + struct x509_certificate **pcert) +{ + struct x509_certificate *cert; + struct asymmetric_key_id *kid; + struct asymmetric_key_id *skid; + int ret; + + cert = kzalloc(sizeof(*cert), GFP_KERNEL); + if (!cert) + return -ENOMEM; + + /* Public key details */ + ret = x509_populate_pubkey(mbedtls_cert, &cert->pub); + if (ret) + goto error_cert_pop; + + /* Signature parameters */ + ret = x509_populate_signature_params(mbedtls_cert, &cert->sig); + if (ret) + goto error_cert_pop; + + ret = -ENOMEM; + + /* Name of certificate issuer */ + cert->issuer = x509_populate_dn_name_string(&mbedtls_cert->issuer); + if (!cert->issuer) + goto error_cert_pop; + + /* Name of certificate subject */ + cert->subject = x509_populate_dn_name_string(&mbedtls_cert->subject); + if (!cert->subject) + goto error_cert_pop; + + /* Certificate validity */ + cert->valid_from = x509_get_timestamp(&mbedtls_cert->valid_from); + cert->valid_to = x509_get_timestamp(&mbedtls_cert->valid_to); + + /* Save mbedtls context we need */ + ret = x509_save_mbedtls_ctx(mbedtls_cert, &cert->mbedtls_ctx); + if (ret) + goto error_cert_pop; + + /* Signed data (tbs - The part that is To Be Signed)*/ + cert->tbs = cert->mbedtls_ctx->tbs; + cert->tbs_size = mbedtls_cert->tbs.len; + + /* Raw serial number */ + cert->raw_serial = cert->mbedtls_ctx->raw_serial; + cert->raw_serial_size = mbedtls_cert->serial.len; + + /* Raw issuer */ + cert->raw_issuer = cert->mbedtls_ctx->raw_issuer; + cert->raw_issuer_size = mbedtls_cert->issuer_raw.len; + + /* Raw subject */ + cert->raw_subject = cert->mbedtls_ctx->raw_subject; + cert->raw_subject_size = mbedtls_cert->subject_raw.len; + + /* Raw subjectKeyId */ + cert->raw_skid = cert->mbedtls_ctx->raw_skid; + cert->raw_skid_size = 
mbedtls_cert->subject_key_id.len; + + /* Generate cert issuer + serial number key ID */ + kid = asymmetric_key_generate_id(cert->raw_serial, + cert->raw_serial_size, + cert->raw_issuer, + cert->raw_issuer_size); + if (IS_ERR(kid)) { + ret = PTR_ERR(kid); + goto error_cert_pop; + } + cert->id = kid; + + /* Generate subject + subjectKeyId */ + skid = asymmetric_key_generate_id(cert->raw_skid, cert->raw_skid_size, "", 0); + if (IS_ERR(skid)) { + ret = PTR_ERR(skid); + goto error_cert_pop; + } + cert->skid = skid; + + /* + * Set the certificate flags: + * self_signed, unsupported_key, unsupported_sig, blacklisted + */ + ret = x509_set_cert_flags(cert); + if (!ret) { + *pcert = cert; + return 0; + } + +error_cert_pop: + x509_free_certificate(cert); + return ret; +} + +struct x509_certificate *x509_cert_parse(const void *data, size_t datalen) +{ + mbedtls_x509_crt mbedtls_cert; + struct x509_certificate *cert = NULL; + long ret; + + /* Parse DER encoded certificate */ + mbedtls_x509_crt_init(&mbedtls_cert); + ret = mbedtls_x509_crt_parse_der(&mbedtls_cert, data, datalen); + if (ret) + goto clean_up_ctx; + + /* Populate x509_certificate from mbedtls_x509_crt */ + ret = x509_populate_cert(&mbedtls_cert, &cert); + if (ret) + goto clean_up_ctx; + +clean_up_ctx: + mbedtls_x509_crt_free(&mbedtls_cert); + if (!ret) + return cert; + + return ERR_PTR(ret); +}
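Review bot: In x509_cert_parse(), the value returned by mbedtls_x509_crt_parse_der() is passed straight to ERR_PTR(ret), but MbedTLS error codes are not errno values. X.509 parse failures such as MBEDTLS_ERR_X509_INVALID_FORMAT (-0x2180) lie below -MAX_ERRNO, so a caller that tests the result with IS_ERR() will treat a rejected certificate as a valid struct x509_certificate pointer. Map the MbedTLS code to an errno (for example -EBADMSG or -EINVAL) before the `goto clean_up_ctx`. Separately, x509_populate_signature_params() checks asymmetric_key_generate_id() with `if (!s->auth_ids[0])` while x509_populate_cert() checks the same helper with `IS_ERR(kid)`; only one of the two can be right, and if the helper returns an ERR_PTR the first form leaves it in auth_ids[] for later users and for public_key_signature_free().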
From patchwork Thu Oct 3 21:50:31 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992602
X-Patchwork-Delegate: trini@ti.com
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Ilias Apalodimas, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Leo Yu-Chi Liang, Sumit Garg, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Nathan Barrett-Morrison, Ian Roberts, Linus Walleij, Kongyang Liu, Oleksandr Suvorov, Greg Malysa, Jonas Karlman, Sughosh Ganu, Vincent Stehlé, Eddie James
Subject: [PATCH v8 18/27] lib/crypto: Adapt x509_cert_parser to MbedTLS
Date: Thu, 3 Oct 2024 14:50:31 -0700
Message-Id: <20241003215112.3103601-19-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Previous patch has introduced MbedTLS porting layer for x509 cert parser, here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. - Add function comments for the new APIs. Changes in v5 - Correct kconfig dependence. - Correct header file include directories. - Adjust a few inline comments. Changes in v6 - None. Changes in v7 - Drop the changes in kconfig. Changes in v8 - None include/crypto/x509_parser.h | 55 ++++++++++++++++++++++++++++++++++++ lib/crypto/Makefile | 4 +-- lib/crypto/x509_public_key.c | 2 ++ 3 files changed, 59 insertions(+), 2 deletions(-) diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h index 4cbdc1d6612..0e22e33f66b 100644 --- a/include/crypto/x509_parser.h +++ b/include/crypto/x509_parser.h @@ -11,8 +11,35 @@ #include #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#endif +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +struct x509_cert_mbedtls_ctx { + void *tbs; /* Signed data */ + void *raw_serial; /* Raw serial number in ASN.1 */ + void *raw_issuer; /* Raw issuer name in ASN.1 */ + void *raw_subject; /* Raw subject name in ASN.1 */ + void *raw_skid; /* Raw subjectKeyId in ASN.1 */ +}; +#endif + +/* + * MbedTLS integration Notes: + * + * Fields we don't need to populate from MbedTLS context: + * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context, + * not needed for MbedTLS. + * 'signer' and 'seen' are used internally by pkcs7_verify. + * 'verified' is not in use. + */ struct x509_certificate { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct x509_cert_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *next; struct x509_certificate *signer; /* Certificate that signed this one */ struct public_key *pub; /* Public key details */ 
@@ -48,6 +75,32 @@ struct x509_certificate { * x509_cert_parser.c */ extern void x509_free_certificate(struct x509_certificate *cert); +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +/** + * x509_populate_pubkey() - Populate public key from MbedTLS context + * + * @cert: Pointer to MbedTLS X509 cert + * @pub_key: Pointer to the populated public key handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key); +/** + * x509_populate_cert() - Populate X509 cert from MbedTLS context + * + * @mbedtls_cert: Pointer to MbedTLS X509 cert + * @pcert: Pointer to the populated X509 cert handle + * Return: 0 on succcess, error code on failure + */ +int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert, + struct x509_certificate **pcert); +/** + * x509_get_timestamp() - Translate timestamp from MbedTLS context + * + * @x509_time: Pointer to MbedTLS time + * Return: Time in time64_t format + */ +time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time); +#endif extern struct x509_certificate *x509_cert_parse(const void *data, size_t datalen); extern int x509_decode_time(time64_t *_t, size_t hdrlen, unsigned char tag, @@ -56,6 +109,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen, /* * x509_public_key.c */ +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) extern int x509_get_sig_params(struct x509_certificate *cert); +#endif extern int x509_check_for_self_signed(struct x509_certificate *cert); #endif /* _X509_PARSER_H */ diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 7e877214aa8..4302f197297 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile 
@@ -32,11 +32,11 @@ endif # X.509 Certificate handling # obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o -x509_key_parser-y := \ +x509_key_parser-y := x509_helper.o +x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \ x509.asn1.o \ x509_akid.asn1.o \ x509_cert_parser.o \ - x509_helper.o \ x509_public_key.o $(obj)/x509_cert_parser.o: \ diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c index 4ba13c1adc3..310edbd21be 100644 --- a/lib/crypto/x509_public_key.c +++ b/lib/crypto/x509_public_key.c 
@@ -30,6 +30,8 @@ #include "x509_parser.h" #endif +#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + /* * Set up the signature parameters in an X.509 certificate. This involves * digesting the signed data and extracting the signature.
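Review bot: In the include/crypto/x509_parser.h hunk at @@ -48,6 +75,32 @@, the kernel-doc for x509_populate_pubkey() and x509_populate_cert() does not say who owns the returned objects or how they are released, and both Return: lines misspell "success" as "succcess". Please state that *pcert is released with x509_free_certificate(), name the release function for *pub_key (the porting layer uses public_key_free()), and document that *pcert is only written on success.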
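Review bot: The lib/crypto/x509_public_key.c hunk opens `#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)` ahead of x509_get_sig_params() but adds no matching #endif, and the diffstat shows only these two inserted lines for the file. Add the closing `#endif /* !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */` in this patch, directly after the function it guards, so the guarded region is explicit and the patch builds on its own. As posted it is also unclear whether x509_check_for_self_signed(), which include/crypto/x509_parser.h still declares for both configurations, ends up inside the guarded region.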
From patchwork Thu Oct 3 21:50:32 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992603
X-Patchwork-Delegate: trini@ti.com
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Ilias Apalodimas, Jiaxun Yang, Heinrich Schuchardt, Sumit Garg, Sean Anderson, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Oleksandr Suvorov, Patrice Chotard, Kongyang Liu, Greg Malysa, Jonas Karlman, Sughosh Ganu, Anand Moon, Eddie James
Subject: [PATCH v8 19/27] mbedtls: add PKCS7 parser porting layer
Date: Thu, 3 Oct 2024 14:50:32 -0700
Message-Id: <20241003215112.3103601-20-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library. Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. - Fix EFI Capsule CI test failures. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and MbedTLS implementations respectively. - Move common functions to helper. - Fix an unnecessary pointer casting. Changes in v5 - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/Kconfig | 18 ++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/pkcs7_parser.c | 506 +++++++++++++++++++++++++++++++++++++ 3 files changed, 526 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/pkcs7_parser.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index abdafd04e89..189bb3186b6 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -119,6 +119,7 @@ config LEGACY_CRYPTO_CERT select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help @@ -141,6 +142,14 @@ config X509_CERTIFICATE_PARSER_LEGACY This option chooses legacy certificate library for X509 certificate parser. +config PKCS7_MESSAGE_PARSER_LEGACY + bool "PKCS#7 message parser with legacy certificate library" + depends on X509_CERTIFICATE_PARSER_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for PKCS7 message + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -293,6 +302,7 @@ config MBEDTLS_LIB_X509 select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help 
@@ -315,6 +325,14 @@ config X509_CERTIFICATE_PARSER_MBEDTLS This option chooses MbedTLS certificate library for X509 certificate parser. +config PKCS7_MESSAGE_PARSER_MBEDTLS + bool "PKCS#7 message parser with MbedTLS certificate library" + depends on X509_CERTIFICATE_PARSER_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for PKCS7 message + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 29653323279..128a29c512f 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -16,6 +16,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ public_key.o obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o +obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o @@ -49,5 +50,5 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crl.o \ $(MBEDTLS_LIB_DIR)/x509_crt.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c new file mode 100644 index 00000000000..69ca784858e --- /dev/null +++ b/lib/mbedtls/pkcs7_parser.c 
@@ -0,0 +1,506 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * PKCS#7 parser using MbedTLS PKCS#7 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include +#include + +static void pkcs7_free_mbedtls_ctx(struct pkcs7_mbedtls_ctx *ctx) +{ + if (ctx) { + kfree(ctx->content_data); + kfree(ctx); + } +} + +static void pkcs7_free_sinfo_mbedtls_ctx(struct pkcs7_sinfo_mbedtls_ctx *ctx) +{ + if (ctx) { + kfree(ctx->authattrs_data); + kfree(ctx->content_data_digest); + kfree(ctx); + } +} + +/* + * Parse Authenticate Attributes + * TODO: Shall we consider to integrate decoding of authenticate attribute into + * MbedTLS library? + * + * There are two kinds of structure for the Authenticate Attributes being used + * in U-Boot. + * + * Type 1 - contains in a PE/COFF EFI image: + * + * [C.P.0] { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType) + * U.P.SET { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.4 (OID_msIndirectData) + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.5 (OID_signingTime) + * U.P.SET { + * U.P.UTCTime '' + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.4 (OID_messageDigest) + * U.P.SET { + * U.P.OCTETSTRING + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.15 (OID_smimeCapabilites) + * U.P.SET { + * U.P.SEQUENCE { + * <...> + * } + * } + * } + * } + * + * Type 2 - contains in an EFI Capsule: + * + * [C.P.0] { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType) + * U.P.SET { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.7.1 (OID_data) + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.5 (OID_signingTime) + * U.P.SET { + * U.P.UTCTime '' + * } + * } + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.4 (OID_messageDigest) + * U.P.SET { + * U.P.OCTETSTRING + * } + * } + *} + * + * Note: + * They have different Content Type 
(OID_msIndirectData or OID_data). + * OID_smimeCapabilites only exists in a PE/COFF EFI image. + */ +static int authattrs_parse(struct pkcs7_message *msg, void *aa, size_t aa_len, + struct pkcs7_signed_info *sinfo) +{ + unsigned char *p = aa; + unsigned char *end = (unsigned char *)aa + aa_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONTEXT_SPECIFIC | + MBEDTLS_ASN1_CONSTRUCTED); + if (ret) + return ret; + + while (!mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE)) { + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_CONTENTTYPE, inner_p, len)) { + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* + * We should only support 1.2.840.113549.1.7.1 (OID_data) + * for PKCS7 DATA that is used in EFI Capsule and + * 1.3.6.1.4.1.311.2.1.4 (OID_msIndirectData) for + * MicroSoft Authentication Code that is used in EFI + * Secure Boot. 
+ */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_INDIRECTDATA, + inner_p, len) && + MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, + inner_p, len)) + return -EINVAL; + + if (__test_and_set_bit(sinfo_has_content_type, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_MESSAGEDIGEST, inner_p, + len)) { + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + sinfo->msgdigest = inner_p; + sinfo->msgdigest_len = len; + + if (__test_and_set_bit(sinfo_has_message_digest, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_SIGNINGTIME, inner_p, + len)) { + mbedtls_x509_time st; + + inner_p += len; + ret = mbedtls_asn1_get_tag(&inner_p, p + seq_len, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SET); + if (ret) + return ret; + + ret = mbedtls_x509_get_time(&inner_p, p + seq_len, &st); + if (ret) + return ret; + sinfo->signing_time = x509_get_timestamp(&st); + + if (__test_and_set_bit(sinfo_has_signing_time, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS9_SMIMECAP, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_smime_caps, &sinfo->aa_set)) + return -EINVAL; + + if (msg->data_type != OID_msIndirectData && + msg->data_type != OID_data) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_SPOPUSINFO, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_ms_opus_info, &sinfo->aa_set)) + return -EINVAL; + } else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_STATETYPE, inner_p, + len)) { + if (__test_and_set_bit(sinfo_has_ms_statement_type, &sinfo->aa_set)) + return -EINVAL; + } + + p += seq_len; + } + + if (ret && ret != MBEDTLS_ERR_ASN1_OUT_OF_DATA) + return ret; + + msg->have_authattrs = true; + + /* + * Skip the leading tag 
byte (MBEDTLS_ASN1_CONTEXT_SPECIFIC | + * MBEDTLS_ASN1_CONSTRUCTED) to satisfy pkcs7_digest() when calculating + * the digest of authattrs. + */ + sinfo->authattrs = aa + 1; + sinfo->authattrs_len = aa_len - 1; + + return 0; +} + +static int x509_populate_content_data(struct pkcs7_message *msg, + mbedtls_pkcs7 *pkcs7_ctx) +{ + struct pkcs7_mbedtls_ctx *mctx; + + if (!pkcs7_ctx->content_data.data || + !pkcs7_ctx->content_data.data_len) + return 0; + + mctx = kzalloc(sizeof(*mctx), GFP_KERNEL); + if (!mctx) + return -ENOMEM; + + mctx->content_data = kmemdup(pkcs7_ctx->content_data.data, + pkcs7_ctx->content_data.data_len, + GFP_KERNEL); + if (!mctx->content_data) { + pkcs7_free_mbedtls_ctx(mctx); + return -ENOMEM; + } + + msg->data = mctx->content_data; + msg->data_len = pkcs7_ctx->content_data.data_len; + msg->data_hdrlen = pkcs7_ctx->content_data.data_hdrlen; + msg->data_type = pkcs7_ctx->content_data.data_type; + + msg->mbedtls_ctx = mctx; + return 0; +} + +static int x509_populate_sinfo(struct pkcs7_message *msg, + mbedtls_pkcs7_signer_info *mb_sinfo, + struct pkcs7_signed_info **sinfo) +{ + struct pkcs7_signed_info *signed_info; + struct public_key_signature *s; + mbedtls_md_type_t md_alg; + struct pkcs7_sinfo_mbedtls_ctx *mctx; + int ret; + + signed_info = kzalloc(sizeof(*signed_info), GFP_KERNEL); + if (!signed_info) + return -ENOMEM; + + s = kzalloc(sizeof(*s), GFP_KERNEL); + if (!s) { + ret = -ENOMEM; + goto out_no_sig; + } + + mctx = kzalloc(sizeof(*mctx), GFP_KERNEL); + if (!mctx) { + ret = -ENOMEM; + goto out_no_mctx; + } + + /* + * Hash algorithm: + * + * alg_identifier = digestAlgorithm (DigestAlgorithmIdentifier) + * MbedTLS internally checks this field to ensure + * it is the same as digest_alg_identifiers. + * sig_alg_identifier = digestEncryptionAlgorithm + * (DigestEncryptionAlgorithmIdentifier) + * MbedTLS just saves this field without any actions. + * See function pkcs7_get_signer_info() for reference. 
+ * + * Public key algorithm: + * No information related to public key algorithm under MbedTLS signer + * info. Assume that we are using RSA. + */ + ret = mbedtls_oid_get_md_alg(&mb_sinfo->alg_identifier, &md_alg); + if (ret) + goto out_err_sinfo; + s->pkey_algo = "rsa"; + + /* Translate the hash algorithm */ + switch (md_alg) { + case MBEDTLS_MD_SHA1: + s->hash_algo = "sha1"; + s->digest_size = SHA1_SUM_LEN; + break; + case MBEDTLS_MD_SHA256: + s->hash_algo = "sha256"; + s->digest_size = SHA256_SUM_LEN; + break; + case MBEDTLS_MD_SHA384: + s->hash_algo = "sha384"; + s->digest_size = SHA384_SUM_LEN; + break; + case MBEDTLS_MD_SHA512: + s->hash_algo = "sha512"; + s->digest_size = SHA512_SUM_LEN; + break; + /* Unsupported algo */ + case MBEDTLS_MD_MD5: + case MBEDTLS_MD_SHA224: + default: + ret = -EINVAL; + goto out_err_sinfo; + } + + /* + * auth_ids holds AuthorityKeyIdentifier, aka akid + * auth_ids[0]: + * [PKCS#7 or CMS ver 1] - generated from "Issuer + Serial number" + * [CMS ver 3] - generated from skid (subjectKeyId) + * auth_ids[1]: generated from skid (subjectKeyId) + * + * Assume that we are using PKCS#7 (msg->version=1), + * not CMS ver 3 (msg->version=3). + */ + s->auth_ids[0] = asymmetric_key_generate_id(mb_sinfo->serial.p, + mb_sinfo->serial.len, + mb_sinfo->issuer_raw.p, + mb_sinfo->issuer_raw.len); + if (!s->auth_ids[0]) { + ret = -ENOMEM; + goto out_err_sinfo; + } + + /* skip s->auth_ids[1], no subjectKeyId in MbedTLS signer info ctx */ + + /* + * Encoding can be pkcs1 or raw, but only pkcs1 is supported. + * Set the encoding explicitly to pkcs1. 
+ */ + s->encoding = "pkcs1"; + + /* Copy the signature data */ + s->s = kmemdup(mb_sinfo->sig.p, mb_sinfo->sig.len, GFP_KERNEL); + if (!s->s) { + ret = -ENOMEM; + goto out_err_sinfo; + } + s->s_size = mb_sinfo->sig.len; + signed_info->sig = s; + + /* Save the Authenticate Attributes data if exists */ + if (!mb_sinfo->authattrs.data || !mb_sinfo->authattrs.data_len) + goto no_authattrs; + + mctx->authattrs_data = kmemdup(mb_sinfo->authattrs.data, + mb_sinfo->authattrs.data_len, + GFP_KERNEL); + if (!mctx->authattrs_data) { + ret = -ENOMEM; + goto out_err_sinfo; + } + signed_info->mbedtls_ctx = mctx; + + /* If authattrs exists, decode it and parse msgdigest from it */ + ret = authattrs_parse(msg, mctx->authattrs_data, + mb_sinfo->authattrs.data_len, + signed_info); + if (ret) + goto out_err_sinfo; + +no_authattrs: + *sinfo = signed_info; + return 0; + +out_err_sinfo: + pkcs7_free_sinfo_mbedtls_ctx(mctx); +out_no_mctx: + public_key_signature_free(s); +out_no_sig: + kfree(signed_info); + return ret; +} + +/* + * Free a signed information block. 
+ */ +static void pkcs7_free_signed_info(struct pkcs7_signed_info *sinfo) +{ + if (sinfo) { + public_key_signature_free(sinfo->sig); + pkcs7_free_sinfo_mbedtls_ctx(sinfo->mbedtls_ctx); + kfree(sinfo); + } +} + +/** + * pkcs7_free_message - Free a PKCS#7 message + * @pkcs7: The PKCS#7 message to free + */ +void pkcs7_free_message(struct pkcs7_message *pkcs7) +{ + struct x509_certificate *cert; + struct pkcs7_signed_info *sinfo; + + if (pkcs7) { + while (pkcs7->certs) { + cert = pkcs7->certs; + pkcs7->certs = cert->next; + x509_free_certificate(cert); + } + while (pkcs7->crl) { + cert = pkcs7->crl; + pkcs7->crl = cert->next; + x509_free_certificate(cert); + } + while (pkcs7->signed_infos) { + sinfo = pkcs7->signed_infos; + pkcs7->signed_infos = sinfo->next; + pkcs7_free_signed_info(sinfo); + } + pkcs7_free_mbedtls_ctx(pkcs7->mbedtls_ctx); + kfree(pkcs7); + } +} + +struct pkcs7_message *pkcs7_parse_message(const void *data, size_t datalen) +{ + int i; + int ret; + mbedtls_pkcs7 pkcs7_ctx; + mbedtls_pkcs7_signer_info *mb_sinfos; + mbedtls_x509_crt *mb_certs; + struct pkcs7_message *msg; + struct x509_certificate **cert; + struct pkcs7_signed_info **sinfos; + + msg = kzalloc(sizeof(*msg), GFP_KERNEL); + if (!msg) { + ret = -ENOMEM; + goto out_no_msg; + } + + /* Parse the DER encoded PKCS#7 message using MbedTLS */ + mbedtls_pkcs7_init(&pkcs7_ctx); + ret = mbedtls_pkcs7_parse_der(&pkcs7_ctx, data, datalen); + /* Check if it is a PKCS#7 message with signed data */ + if (ret != MBEDTLS_PKCS7_SIGNED_DATA) + goto parse_fail; + + /* Assume that we are using PKCS#7, not CMS ver 3 */ + msg->version = 1; /* 1 for [PKCS#7 or CMS ver 1] */ + + /* Populate the certs to msg->certs */ + for (i = 0, cert = &msg->certs, mb_certs = &pkcs7_ctx.signed_data.certs; + i < pkcs7_ctx.signed_data.no_of_certs && mb_certs; + i++, cert = &(*cert)->next, mb_certs = mb_certs->next) { + ret = x509_populate_cert(mb_certs, cert); + if (ret) + goto parse_fail; + + (*cert)->index = i + 1; + } + + /* + * 
Skip populating crl, that is not currently in-use. + */ + + /* Populate content data */ + ret = x509_populate_content_data(msg, &pkcs7_ctx); + if (ret) + goto parse_fail; + + /* Populate signed info to msg->signed_infos */ + for (i = 0, sinfos = &msg->signed_infos, + mb_sinfos = &pkcs7_ctx.signed_data.signers; + i < pkcs7_ctx.signed_data.no_of_signers && mb_sinfos; + i++, sinfos = &(*sinfos)->next, mb_sinfos = mb_sinfos->next) { + ret = x509_populate_sinfo(msg, mb_sinfos, sinfos); + if (ret) + goto parse_fail; + + (*sinfos)->index = i + 1; + } + + mbedtls_pkcs7_free(&pkcs7_ctx); + return msg; + +parse_fail: + mbedtls_pkcs7_free(&pkcs7_ctx); + pkcs7_free_message(msg); +out_no_msg: + msg = ERR_PTR(ret); + return msg; +} From patchwork Thu Oct 3 21:50:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992604 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=GyLjfTcR; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbwX6207z1xv1 for ; Fri, 4 Oct 2024 15:01:00 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 5E45589102; Fri, 4 Oct 2024 06:57:30 +0200 (CEST) Authentication-Results: 
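Review bot: In x509_populate_sinfo() of the PKCS7 porting layer, mctx is leaked whenever the signer info carries no authenticated attributes: `goto no_authattrs` is taken before `signed_info->mbedtls_ctx = mctx;`, so the kzalloc()'d context is never attached to signed_info and pkcs7_free_signed_info() has nothing to free. Assign signed_info->mbedtls_ctx as soon as the allocation succeeds, or free mctx before jumping to no_authattrs.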
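Review bot: In pkcs7_parse_message(), the parse_fail path passes an MbedTLS return value straight to ERR_PTR(): when mbedtls_pkcs7_parse_der() returns anything other than MBEDTLS_PKCS7_SIGNED_DATA, `msg = ERR_PTR(ret)` encodes that value, which is an MbedTLS error code or another content-type value rather than an errno. IS_ERR() in the caller only recognises the errno range, so a failed parse can come back looking like a valid pointer. Set ret to an errno such as -EINVAL before `goto parse_fail`; the same applies to the mbedtls_oid_get_md_alg() result that x509_populate_sinfo() returns unchanged.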
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six,
 Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan,
 Jaehoon Chung, Ilias Apalodimas, Jiaxun Yang, Heinrich Schuchardt,
 Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes,
 Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin,
 Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker,
 Neil Armstrong, Ferass El Hafidi, Greg Malysa, Jonas Karlman, Kongyang Liu,
 Sughosh Ganu, Eddie James
Subject: [PATCH v8 20/27] lib/crypto: Adapt PKCS7 parser to MbedTLS
Date: Thu, 3 Oct 2024 14:50:33 -0700
Message-Id: <20241003215112.3103601-21-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>
List-Id: U-Boot discussion

Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
here to adjust the header and makefiles accordingly.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Correct header file include directories.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 include/crypto/pkcs7_parser.h | 56 +++++++++++++++++++++++++++++++++++
 lib/crypto/Makefile           |  7 +++--
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 2c45cce5234..469c2711fa6 100644 --- a/include/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h @@ -11,6 +11,12 @@ #include #include #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #include #define kenter(FMT, ...) \ 
@@ -18,7 +24,54 @@ #define kleave(FMT, ...) \ pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__) +/* Backup the parsed MedTLS context that we need */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +struct pkcs7_mbedtls_ctx { + void *content_data; +}; + +struct pkcs7_sinfo_mbedtls_ctx { + void *authattrs_data; + void *content_data_digest; +}; +#endif + +/* + * MbedTLS integration Notes: + * + * MbedTLS PKCS#7 library does not originally support parsing MicroSoft + * Authentication Code which is used for verifying the PE image digest. + * + * 1. Authenticated Attributes (authenticatedAttributes) + * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes + * fields not exist. + * See MbedTLS function 'pkcs7_get_signer_info' for details. + * + * 2. MicroSoft Authentication Code (mscode) + * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1 + * (MBEDTLS_OID_PKCS7_DATA, aka OID_data). + * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka + * OID_msIndirectData) is not supported. + * See MbedTLS function 'pkcs7_get_content_info_type' for details. + * + * But the EFI loader assumes that a PKCS#7 message with an EFI image always + * contains MicroSoft Authentication Code as Content Data (msg->data is NOT + * NULL), see function 'efi_signature_verify'. + * + * MbedTLS patch "0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch" + * is to support both above features by parsing the Content Data and + * Authenticate Attributes from a given PKCS#7 message. + * + * Other fields we don't need to populate from MbedTLS, which are used + * internally by pkcs7_verify: + * 'signer', 'unsupported_crypto', 'blacklisted' + * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of + * Content Data or Authenticate Attributes. 
+ */ struct pkcs7_signed_info { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx; +#endif struct pkcs7_signed_info *next; struct x509_certificate *signer; /* Signing certificate (in msg->certs) */ unsigned index; @@ -55,6 +108,9 @@ struct pkcs7_signed_info { }; struct pkcs7_message { +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) + struct pkcs7_mbedtls_ctx *mbedtls_ctx; +#endif struct x509_certificate *certs; /* Certificate list */ struct x509_certificate *crl; /* Revocation list */ struct pkcs7_signed_info *signed_infos; diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 4302f197297..7129315393f 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile 
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h # PKCS#7 message handling # obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o -pkcs7_message-y := \ +pkcs7_message-y := pkcs7_helper.o +pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \ pkcs7.asn1.o \ - pkcs7_helper.o \ pkcs7_parser.o -obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o $(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h +obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o + # # Signed PE binary-wrapped key handling # From patchwork Thu Oct 3 21:50:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992605 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=WkjGxAhG; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbwm3txpz1xv1 for ; Fri, 4 Oct 2024 15:01:12 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id BA2358911E; Fri, 4 Oct 2024 06:57:30 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass 
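Review bot: The two context structs added to include/crypto/pkcs7_parser.h need their ownership documented: the porting layer fills content_data and authattrs_data with kmemdup() copies, but the header does not say who allocates or frees them, and content_data_digest is neither described nor assigned in x509_populate_sinfo(). Add a comment per member stating which function fills it and which one releases it, or drop content_data_digest if nothing uses it yet. Also, "MedTLS" in the comment above the structs should read "MbedTLS".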
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini,
 Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen,
 Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt,
 Sean Anderson, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof,
 "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin,
 Jonathan Humphreys, Mattijs Korpershoek, Paul Barker, Marek Vasut,
 Oleksandr Suvorov, Linus Walleij, Kongyang Liu, Greg Malysa, Jonas Karlman,
 Sughosh Ganu, Vincent Stehlé, Caleb Connolly, Eddie James
Subject: [PATCH v8 21/27] mbedtls: add MSCode parser porting layer
Date: Thu, 3 Oct 2024 14:50:34 -0700
Message-Id: <20241003215112.3103601-22-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>
List-Id: U-Boot discussion

Add porting layer for MSCode on top of MbedTLS ASN1 library.
Introduce _MBEDTLS kconfigs for MSCode MbedTLS implementation.

Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and MbedTLS implementations respectively. - Fix a few code style. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. - Move mscode legacy kconfig to the next patch. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/Kconfig | 9 +++ lib/mbedtls/Makefile | 1 + lib/mbedtls/mscode_parser.c | 123 ++++++++++++++++++++++++++++++++++++ 3 files changed, 133 insertions(+) create mode 100644 lib/mbedtls/mscode_parser.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 189bb3186b6..fd7263f9616 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -303,6 +303,7 @@ config MBEDTLS_LIB_X509 ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help @@ -333,6 +334,14 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS This option chooses MbedTLS certificate library for PKCS7 message parser. +config MSCODE_PARSER_MBEDTLS + bool "MS authenticode parser with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && MSCODE_PARSER + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 128a29c512f..488b66402b3 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -17,6 +17,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \ obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o +obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c new file mode 100644 index 00000000000..c3805c6503c --- /dev/null +++ b/lib/mbedtls/mscode_parser.c 
@@ -0,0 +1,123 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * MSCode parser using MbedTLS ASN1 library + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include + +/* + * Parse a Microsoft Individual Code Signing blob + * + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID) + * U.P.SEQUENCE { + * U.P.BITSTRING NaN : 0 unused bit(s); + * [C.P.0] { + * [C.P.2] { + * [C.P.0] + * } + * } + * } + * } + * U.P.SEQUENCE { + * U.P.SEQUENCE { + * U.P.OBJECTIDENTIFIER + * U.P.NULL + * } + * U.P.OCTETSTRING + * } + * + * @ctx: PE file context. + * @content_data: content data pointer. + * @data_len: content data length. + * @asn1hdrlen: ASN1 header length. + */ +int mscode_parse(void *ctx, const void *content_data, size_t data_len, + size_t asn1hdrlen) +{ + struct pefile_context *_ctx = ctx; + unsigned char *p = (unsigned char *)content_data; + unsigned char *end = (unsigned char *)content_data + data_len; + size_t len = 0; + int ret; + unsigned char *inner_p; + size_t seq_len = 0; + + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + return ret; + + /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */ + if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p, + len)) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (ret) + return ret; + + inner_p = p; + + /* + * Check if the inner sequence contains a supported hash + * algorithm OID + */ + ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len, + MBEDTLS_ASN1_OID); + if (ret) + 
return ret; + + if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_MD5, inner_p, len)) + _ctx->digest_algo = "md5"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA1, inner_p, + len)) + _ctx->digest_algo = "sha1"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA224, inner_p, + len)) + _ctx->digest_algo = "sha224"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA256, inner_p, + len)) + _ctx->digest_algo = "sha256"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA384, inner_p, + len)) + _ctx->digest_algo = "sha384"; + else if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_DIGEST_ALG_SHA512, inner_p, + len)) + _ctx->digest_algo = "sha512"; + + if (!_ctx->digest_algo) + return -EINVAL; + + p += seq_len; + ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (ret) + return ret; + + _ctx->digest = p; + _ctx->digest_len = len; + + return 0; +} From patchwork Thu Oct 3 21:50:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raymond Mao X-Patchwork-Id: 1992606 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256 header.s=google header.b=hK7Hvrho; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org) Received: from phobos.denx.de (phobos.denx.de [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4XKbwz2Vqxz1xv1 for ; Fri, 
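Review bot: In mscode_parse(), the digest-algorithm chain has no closing else, so an unrecognised OID is rejected only if _ctx->digest_algo happened to be NULL on entry; with a reused or non-zeroed pefile_context the stale value passes the `if (!_ctx->digest_algo)` check. Resolve the name into a local variable and return -EINVAL from a final else before storing it. The chain also accepts md5 and sha224, which x509_populate_sinfo() in the PKCS7 porting layer treats as unsupported; either drop them here or state in the comment why the image digest may use them.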
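Review bot: In mscode_parse(), the last mbedtls_asn1_get_tag() call for the OCTET STRING is bounded by `end`, the end of the whole buffer, because the length of the enclosing second SEQUENCE was overwritten when seq_len was reused for the inner algorithm SEQUENCE. Keep the end of the enclosing SEQUENCE in its own variable, parse the OCTET STRING against it, and check that p + len lands exactly on that end so that trailing bytes are rejected. The asn1hdrlen parameter is documented but never used in the body; mark it as unused in the function comment or remove the description.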
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Tom Rini, Stefan Bosch, Mario Six,
 Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan,
 Jaehoon Chung, Ilias Apalodimas, Jiaxun Yang, Heinrich Schuchardt,
 Sean Anderson, Andrew Davis, Rasmus Villemoes, Sumit Garg, Bryan Brattlof,
 "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin,
 Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker,
 Nathan Barrett-Morrison, Greg Malysa, Kongyang Liu, Jonas Karlman,
 Sughosh Ganu, Eddie James
Subject: [PATCH v8 22/27] lib/crypto: Adapt mscode_parser to MbedTLS
Date: Thu, 3 Oct 2024 14:50:35 -0700
Message-Id: <20241003215112.3103601-23-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>
List-Id: U-Boot discussion

Previous patch has introduced MbedTLS porting layer for mscode parser,
here to adjust the header and makefiles accordingly.
Adding _LEGACY Kconfig for legacy mscode implementation.

Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Add kconfig for legacy mscode parser.
- Correct header file include directories.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 include/crypto/mscode.h | 4 ++++
 lib/crypto/Makefile     | 2 +-
 lib/mbedtls/Kconfig     | 9 +++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h index 551058b96e6..678e69001b9 100644 --- a/include/crypto/mscode.h +++ b/include/crypto/mscode.h @@ -9,6 +9,10 @@ #ifndef __UBOOT__ #include #endif +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#endif struct pefile_context { #ifndef __UBOOT__ diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 7129315393f..3caa45dc2a8 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -63,7 +63,7 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o # # Signed PE binary-wrapped key handling # -obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o +obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o mscode-y := \ mscode_parser.o \ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index fd7263f9616..efeaed50385 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -120,6 +120,7 @@ config LEGACY_CRYPTO_CERT ASYMMETRIC_PUBLIC_KEY_SUBTYPE select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER + select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE help 
@@ -150,6 +151,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY This option chooses legacy certificate library for PKCS7 message parser. +config MSCODE_PARSER_LEGACY + bool "MS authenticode parser with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for MS authenticode + parser. + if SPL config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
From patchwork Thu Oct 3 21:50:36 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992607
X-Patchwork-Delegate: trini@ti.com
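Review bot: in 22/27, the include/crypto/mscode.h hunk guards the two new includes with CONFIG_IS_ENABLED(MBEDTLS_LIB_X509), which in an SPL build tests the SPL_-prefixed symbol, while the Kconfig hunks in this series add SPL_ variants only for the individual parsers and lib/mbedtls/Makefile keys mbedtls_lib_x509.o on plain CONFIG_MBEDTLS_LIB_X509. If no SPL_MBEDTLS_LIB_X509 symbol exists, use IS_ENABLED(CONFIG_MBEDTLS_LIB_X509), or key the guard on MSCODE_PARSER_MBEDTLS so the header follows the same switch that selects mscode_parser.o in the Makefile.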
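Review bot: in 22/27, the new MSCODE_PARSER_LEGACY entry in lib/mbedtls/Kconfig has "select ASN1_DECODER_LEGACY", but "config ASN1_DECODER_LEGACY" is only added by 25/27, so at this commit the select names a symbol that does not exist yet (the RSA parser entries in 23/27 do the same for both the _LEGACY and _MBEDTLS decoder symbols). Move the ASN1 decoder Kconfig patch ahead of the parser patches, or add these select lines in 25/27, so every commit in the series is self-consistent when bisecting.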
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Marek Vasut, Paul Barker, Patrice Chotard, Kongyang Liu, Jonas Karlman, Greg Malysa, Sughosh Ganu, Caleb Connolly, Eddie James
Subject: [PATCH v8 23/27] mbedtls: add RSA helper layer on MbedTLS
Date: Thu, 3 Oct 2024 14:50:36 -0700
Message-Id: <20241003215112.3103601-24-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

Add RSA helper layer on top of MbedTLS PK and RSA library.
Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and
MbedTLS implementations respectively.

Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. - Remove unnecessary type casting. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/mbedtls/Kconfig | 36 +++++++++++++++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/rsa_helper.c | 95 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/rsa_helper.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index efeaed50385..ab50ad4ebe9 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -118,11 +118,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER help Enable legacy certificate libraries. @@ -135,6 +137,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_LEGACY 
@@ -168,6 +178,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT @@ -310,11 +328,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER help Enable MbedTLS certificate libraries. @@ -327,6 +347,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS 
@@ -360,6 +388,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 488b66402b3..04d450afd82 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -18,6 +18,7 @@ obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ x509_cert_parser.o obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o # MbedTLS crypto library obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o @@ -39,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ $(MBEDTLS_LIB_DIR)/asn1parse.o \ $(MBEDTLS_LIB_DIR)/asn1write.o \ $(MBEDTLS_LIB_DIR)/oid.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/bignum.o \ $(MBEDTLS_LIB_DIR)/bignum_core.o \ $(MBEDTLS_LIB_DIR)/rsa.o \ diff --git a/lib/mbedtls/rsa_helper.c b/lib/mbedtls/rsa_helper.c new file mode 100644 index 00000000000..3d94eee9954 --- /dev/null +++ b/lib/mbedtls/rsa_helper.c 
@@ -0,0 +1,95 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * RSA helper functions using MbedTLS + * + * Copyright (c) 2024 Linaro Limited + * Author: Raymond Mao + */ + +#include +#include +#include +#include +#include +#include + +/** + * rsa_parse_pub_key() - decodes the BER encoded buffer and stores in the + * provided struct rsa_key, pointers to the raw key as is, + * so that the caller can copy it or MPI parse it, etc. + * + * @rsa_key: struct rsa_key key representation + * @key: key in BER format + * @key_len: length of key + * + * Return: 0 on success or error code in case of error + */ +int rsa_parse_pub_key(struct rsa_key *rsa_key, const void *key, + unsigned int key_len) +{ + int ret = 0; + mbedtls_pk_context pk; + mbedtls_rsa_context *rsa; + + mbedtls_pk_init(&pk); + + ret = mbedtls_pk_parse_public_key(&pk, (const unsigned char *)key, + key_len); + if (ret) { + pr_err("Failed to parse public key, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Ensure that it is a RSA key */ + if (mbedtls_pk_get_type(&pk) != MBEDTLS_PK_RSA) { + pr_err("Non-RSA keys are not supported\n"); + ret = -EKEYREJECTED; + goto clean_pubkey; + } + + /* Get RSA key context */ + rsa = mbedtls_pk_rsa(pk); + if (!rsa) { + pr_err("Failed to get RSA key context, ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_pubkey; + } + + /* Parse modulus (n) */ + rsa_key->n_sz = mbedtls_mpi_size(&rsa->N); + rsa_key->n = kzalloc(rsa_key->n_sz, GFP_KERNEL); + if (!rsa_key->n) { + ret = -ENOMEM; + goto clean_pubkey; + } + ret = mbedtls_mpi_write_binary(&rsa->N, (unsigned char *)rsa_key->n, + rsa_key->n_sz); + if (ret) { + pr_err("Failed to parse modulus (n), ret:-0x%04x\n", -ret); + ret = -EINVAL; + goto clean_modulus; + } + + /* Parse public exponent (e) */ + rsa_key->e_sz = mbedtls_mpi_size(&rsa->E); + rsa_key->e = kzalloc(rsa_key->e_sz, GFP_KERNEL); + if (!rsa_key->e) { + ret = -ENOMEM; + goto clean_modulus; + } + ret = mbedtls_mpi_write_binary(&rsa->E, (unsigned char 
*)rsa_key->e, + rsa_key->e_sz); + if (!ret) + return 0; + + pr_err("Failed to parse public exponent (e), ret:-0x%04x\n", -ret); + ret = -EINVAL; + + kfree(rsa_key->e); +clean_modulus: + kfree(rsa_key->n); +clean_pubkey: + mbedtls_pk_free(&pk); + return ret; +}
From patchwork Thu Oct 3 21:50:37 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992608
X-Patchwork-Delegate: trini@ti.com
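Review bot: in 23/27, the success path of rsa_parse_pub_key() in lib/mbedtls/rsa_helper.c leaves through "if (!ret) return 0;" and never reaches the clean_pubkey label, so mbedtls_pk_free(&pk) is skipped and the PK context leaks on every successful parse; on success, goto clean_pubkey (ret is already 0 there) instead of returning directly. In the same function, the kernel-doc still says the struct receives pointers to the raw key, but n and e are now kzalloc'd copies, so the comment should say that the caller owns them and must kfree them. The error paths kfree rsa_key->e and rsa_key->n but leave the stale pointers and sizes in the caller's struct, which invites a later double free or use after free; reset them to NULL and 0. The "Failed to get RSA key context" message prints ret, which is always 0 at that point, so drop the value from that message.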
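Review bot: in 23/27, the lib/mbedtls/Kconfig hunks select RSA_PUBLIC_KEY_PARSER_LEGACY and RSA_PUBLIC_KEY_PARSER_MBEDTLS (and the SPL_ variants) on "if RSA_PUBLIC_KEY_PARSER" alone, while the entries themselves depend on ASYMMETRIC_PUBLIC_KEY_LEGACY or ASYMMETRIC_PUBLIC_KEY_MBEDTLS, which are selected only "if ASYMMETRIC_PUBLIC_KEY_SUBTYPE". Since select does not honour depends, a configuration with RSA_PUBLIC_KEY_PARSER set and ASYMMETRIC_PUBLIC_KEY_SUBTYPE unset forces the parser symbol on with its dependency unmet. Either make the depends line match the select condition, as MSCODE_PARSER_LEGACY does with "LEGACY_CRYPTO_CERT && MSCODE_PARSER", or add the missing term to the select condition.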
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Leo Yu-Chi Liang, Sumit Garg, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Patrice Chotard, Kongyang Liu, Greg Malysa, Jonas Karlman, Sughosh Ganu, Anand Moon, Eddie James
Subject: [PATCH v8 24/27] lib/crypto: Adapt rsa_helper to MbedTLS
Date: Thu, 3 Oct 2024 14:50:37 -0700
Message-Id: <20241003215112.3103601-25-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

The previous patch introduced the MbedTLS porting layer for the RSA
helper; this one adjusts the makefile accordingly.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None.

 lib/crypto/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 3caa45dc2a8..72b413d85a9 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile
@@ -13,7 +13,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser # -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o
From patchwork Thu Oct 3 21:50:38 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992609
X-Patchwork-Delegate: trini@ti.com
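Review bot: in 24/27, this one-line switch of rsa_public_key.o to RSA_PUBLIC_KEY_PARSER_LEGACY lands one commit after 23/27 starts building lib/mbedtls/rsa_helper.o, so at 23/27 alone an MbedTLS configuration with RSA_PUBLIC_KEY_PARSER set still builds the lib/crypto rsa_helper.o as well. If both objects define rsa_parse_pub_key(), that intermediate commit will not link. Squash this hunk into 23/27 so the old object is retired in the same commit that introduces its replacement.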
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Greg Malysa, Jonas Karlman, Kongyang Liu, Oleksandr Suvorov, Sughosh Ganu, Vincent Stehlé, Caleb Connolly, Eddie James
Subject: [PATCH v8 25/27] asn1_decoder: add build options for ASN1 decoder
Date: Thu, 3 Oct 2024 14:50:38 -0700
Message-Id: <20241003215112.3103601-26-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>
References: <20241003215112.3103601-1-raymond.mao@linaro.org>

When building with MbedTLS, we are using MbedTLS to decode ASN1 data
for x509, pkcs7 and mscode.
Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and
MbedTLS implementations respectively.

Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. - Update the commit subject. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. Changes in v8 - None lib/Makefile | 2 +- lib/mbedtls/Kconfig | 30 ++++++++++++++++++++++++++++++ lib/mbedtls/Makefile | 2 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index 33755778283..561e0d44a16 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -81,7 +81,7 @@ obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ -obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o +obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index ab50ad4ebe9..d71adc3648a 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -116,12 +116,14 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASN1_DECODER_LEGACY if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER + select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER 
@@ -130,6 +132,12 @@ config LEGACY_CRYPTO_CERT if LEGACY_CRYPTO_CERT +config ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library" depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -171,6 +179,13 @@ config MSCODE_PARSER_LEGACY if SPL +config SPL_ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library in SPL" depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -326,12 +341,14 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASN1_DECODER_MBEDTLS if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER + select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER 
@@ -340,6 +357,12 @@ config MBEDTLS_LIB_X509 if MBEDTLS_LIB_X509 +config ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library" depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -381,6 +404,13 @@ config MSCODE_PARSER_MBEDTLS if SPL +config SPL_ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 04d450afd82..83cb3c2fa70 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile 
@@ -36,7 +36,7 @@ mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \ # MbedTLS X509 library obj-$(CONFIG_MBEDTLS_LIB_X509) += mbedtls_lib_x509.o mbedtls_lib_x509-y := $(MBEDTLS_LIB_DIR)/x509.o -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER) += \ +mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/asn1parse.o \ $(MBEDTLS_LIB_DIR)/asn1write.o \ $(MBEDTLS_LIB_DIR)/oid.o
From patchwork Thu Oct 3 21:50:39 2024
X-Patchwork-Submitter: Raymond Mao
X-Patchwork-Id: 1992610
X-Patchwork-Delegate: trini@ti.com
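Review bot: in 25/27, the lib/Makefile hunk stops building asn1_decoder.o for plain ASN1_DECODER, so with MBEDTLS_LIB_X509 chosen any code that still selects ASN1_DECODER and calls the legacy decoder is left without its implementation, while the commit message names only x509, pkcs7 and mscode as moved to MbedTLS. Please confirm there are no other in-tree callers, and state in the commit message that ASN1_DECODER without LEGACY_CRYPTO_CERT no longer provides asn1_decoder.o.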
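Review bot: in 25/27, ASN1_DECODER_LEGACY, SPL_ASN1_DECODER_LEGACY and their two _MBEDTLS counterparts in lib/mbedtls/Kconfig carry prompt strings even though their depends expression is exactly the condition under which LEGACY_CRYPTO_CERT or MBEDTLS_LIB_X509 selects them, so the menu entry can never be toggled by the user. The LEGACY_CRYPTO_CERT and MBEDTLS_LIB_X509 terms in those depends lines are also redundant inside the enclosing "if LEGACY_CRYPTO_CERT" and "if MBEDTLS_LIB_X509" blocks. Consider making these promptless bool symbols and dropping the redundant term.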
header.b="WoZp1V+C"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id CBCDD88D7F; Fri, 4 Oct 2024 00:05:40 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 Received: from mail-qt1-x829.google.com (mail-qt1-x829.google.com [IPv6:2607:f8b0:4864:20::829]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id BD46488D94 for ; Fri, 4 Oct 2024 00:05:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=raymond.mao@linaro.org Received: by mail-qt1-x829.google.com with SMTP id d75a77b69052e-4581e7f31eeso11112221cf.0 for ; Thu, 03 Oct 2024 15:05:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1727993137; x=1728597937; darn=lists.denx.de; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=UP2fvAgPN+fmqR4PGJist9b0sruintAhJQAjyc30bWE=; b=WoZp1V+CSosjSMbu8q+AbiO+CnAcwkSAEqE0qLvcnLRVNrU7xfryD8AdgxPfB82/AR +EeqCcFJVYyFfKUsDP49MJZeTnPq9VzspfL9hg0QfhrBed0D1rZ7ev0VuayrJUGJm+hI 93vgY08/TkcUrBEZhJIYG/xeZB5v5p9oyGKWcIVnd8TPQMAscLKOua3zExxUQmTqRdkj +pliIdQaXFAktxmskiur6O9DvXSmfzR93TuU4Rlg3aXZZtUYhMOAS0VcGDPd3b+b4s/2 JclzDs1LkeNWGa8FWlZqSxB5h+a8PZTfjzhx+0EoI58RDYT62uqilon/D/6fhJwVynDz P88A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727993137; x=1728597937; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc 
:subject:date:message-id:reply-to; bh=UP2fvAgPN+fmqR4PGJist9b0sruintAhJQAjyc30bWE=; b=IHQWCanzkw4TUBgQUjiO62KJ64s3gKWWs2Ht31HPz8YZC+IkmI6YdCR9esalXx/rqU VwbGc6tdKJwOH1V1KEcuZFp5RFV3gIwL/KCN1n97BRqYfjugEd67nwjSoAA37jr+1PF7 KrM8MyoTmPap7YGYr9TBNS+XqJYYhrfeL5FlurJanc9+mO712IOHJHCvXSvZGsWfQ7Fr e36dGltgDm5tDRa3Mb9E9LGVsVvmjaobexv4LpymZIo6+9Q7HBBVy30MhctDYalf+wN8 yz3xROwRKPrZT0yOAmjEJZ02MNcZzJodXPx7wHc56Ku2UfZ9svRAPAAxZkzW8h7uk3MR Fgmg== X-Gm-Message-State: AOJu0YxWg6+9b8NrgGeLyhYLtCNc/R6A91lThTd10vWHRiXlD8Kg84fh 1cOucPw+AxTvOSo7N8bjyXD5WNDPuwlam82tf63D5VIK1ho/O+Uml9US1k+ScDByIsAtru7Wxvz o X-Google-Smtp-Source: AGHT+IFz5iQJlRsyHJXggGj4JDBCkZOzgRAQkj0i6YXbJUYBFHLa+WqiqrY74WZVmxUgd3abldOoIA== X-Received: by 2002:ac8:5792:0:b0:45b:1d3:d9a8 with SMTP id d75a77b69052e-45d9ba85fdcmr10226361cf.27.1727993137251; Thu, 03 Oct 2024 15:05:37 -0700 (PDT) Received: from ubuntu.localdomain (pool-174-114-184-37.cpe.net.cable.rogers.com. [174.114.184.37]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-45d92ddf5c4sm9001541cf.18.2024.10.03.15.05.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Oct 2024 15:05:36 -0700 (PDT) 
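Review bot: the renamed guard on the mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER_MBEDTLS) line in the Makefile hunk can leave x509.o without the objects it links against. x509.o is built unconditionally under CONFIG_MBEDTLS_LIB_X509, but asn1parse.o, asn1write.o and oid.o are only added when ASN1_DECODER_MBEDTLS (or its SPL_ variant) is set, and x509.c calls into the ASN.1 parser and OID lookup code. Unless the Kconfig entry for MBEDTLS_LIB_X509 selects ASN1_DECODER_MBEDTLS (not visible in this hunk), a configuration with X509 on and the decoder symbol off fails at link time. Please confirm the select exists for both U-Boot proper and SPL, or list the three objects under mbedtls_lib_x509-y.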
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Sean Anderson, Sumit Garg, Rasmus Villemoes, Andrew Davis, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Jonathan Humphreys, Mattijs Korpershoek, Marek Vasut, Paul Barker, Patrice Chotard, Jonas Karlman, Kongyang Liu, Greg Malysa, Sughosh Ganu, Eddie James
Subject: [PATCH v8 26/27] test: Remove ASN1 library test
Date: Thu, 3 Oct 2024 14:50:39 -0700
Message-Id: <20241003215112.3103601-27-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>

With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib,
so remove it from test.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- None.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
Changes in v8
- None

 test/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/Kconfig b/test/Kconfig index e2ec0994a2e..558a9cd49b4 100644 --- a/test/Kconfig +++ b/test/Kconfig
@@ -32,7 +32,7 @@ if UT_LIB config UT_LIB_ASN1 bool "Unit test for asn1 compiler and decoder function" - depends on SANDBOX + depends on SANDBOX && !MBEDTLS_LIB_X509 default y imply ASYMMETRIC_KEY_TYPE imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE
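Review bot: the subject says the ASN1 library test is removed, but the test/Kconfig hunk only adds "&& !MBEDTLS_LIB_X509" to the "depends on" line of UT_LIB_ASN1, so the test is still built whenever MbedTLS X509 is off. Suggest retitling to something like "test: Disable ASN1 unit test when MBEDTLS_LIB_X509 is enabled" and adding help text or a comment on the option saying why it is unavailable with MbedTLS. The commit message should also say what covers ASN.1 decoding in MbedTLS builds, because the option is "default y" and this dependency takes a decoder unit test out of those builds without a replacement being named.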
From: Raymond Mao
To: u-boot@lists.denx.de
Cc: manish.pandey2@arm.com, Raymond Mao, Ilias Apalodimas, Tom Rini, Stefan Bosch, Mario Six, Andy Shevchenko, Michal Simek, Tuomas Tynkkynen, Simon Glass, Peng Fan, Jaehoon Chung, Jiaxun Yang, Heinrich Schuchardt, Leo Yu-Chi Liang, Sumit Garg, Sean Anderson, Andrew Davis, Rasmus Villemoes, Bryan Brattlof, "Leon M. Busch-George", AKASHI Takahiro, Alexander Gendin, Mattijs Korpershoek, Jonathan Humphreys, Paul Barker, Marek Vasut, Linus Walleij, Kongyang Liu, Greg Malysa, Jonas Karlman, Sughosh Ganu, Anand Moon
Subject: [PATCH v8 27/27] configs: enable MbedTLS as default setting
Date: Thu, 3 Oct 2024 14:50:40 -0700
Message-Id: <20241003215112.3103601-28-raymond.mao@linaro.org>
In-Reply-To: <20241003215112.3103601-1-raymond.mao@linaro.org>

Enable MbedTLS as default setting for qemu arm64 and sandbox.

Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- None.
Changes in v3
- None.
Changes in v4
- None.
Changes in v5
- Remove unused config MBEDTLS_LIB_TLS.
- Remove EFI_SECURE_BOOT from the default config.
Changes in v6
- Remove MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509.
Changes in v7
- None.
Changes in v8
- None

 configs/qemu_arm64_defconfig | 1 +
 configs/sandbox_defconfig | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 088ba39f18e..6d18a8571ca 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig
@@ -68,5 +68,6 @@ CONFIG_TPM2_MMIO=y CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_PCI=y CONFIG_SEMIHOSTING=y +CONFIG_MBEDTLS_LIB=y CONFIG_TPM=y CONFIG_EFI_HTTP_BOOT=y diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index a50fbce8d06..0ecdeebb45f 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -345,6 +345,7 @@ CONFIG_FS_CBFS=y CONFIG_FS_CRAMFS=y CONFIG_ADDR_MAP=y CONFIG_CMD_DHRYSTONE=y +CONFIG_MBEDTLS_LIB=y CONFIG_ECDSA=y CONFIG_ECDSA_VERIFY=y CONFIG_TPM=y
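Review bot: in the configs/qemu_arm64_defconfig hunk, the single added line CONFIG_MBEDTLS_LIB=y does not tell a reader which MbedTLS sub-options end up active on this board, and the v6 changelog says the explicit MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 lines were dropped. Please state in the commit message which of those are expected to default to y once MBEDTLS_LIB is set and what was run on qemu arm64 to validate the switch, since the one-line description gives no way to check the resulting configuration.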
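Review bot: enabling CONFIG_MBEDTLS_LIB=y in the configs/sandbox_defconfig hunk interacts with patch 26/27, which makes UT_LIB_ASN1 depend on !MBEDTLS_LIB_X509. If MBEDTLS_LIB_X509 defaults to y under MBEDTLS_LIB, the default sandbox build stops running the ASN1 unit test without any message. Please confirm whether that is the case and, if so, say so in the commit message and name the test that exercises certificate and ASN.1 parsing in the MbedTLS configuration.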