I appreciate and really like this work to enable mbedtls, but I don't like the idea of adding another submodule to edk2.

For a long time there has been discussion about formalizing the abstraction of the edk2 crypto api so that it would be practical to implement edk2's crypto using various libraries. I propose we move openssl out of the edk2 CryptoPkg and into the OpenSslCryptoPkg in another new tianocore repository dedicated to OpenSsl. MbedTls could then be checked into the MbedTlsCryptoPkg and added to another new repository. This would also have the benefit of breaking the tight coupling between edk2 stable tags and the crypto used in the code base (crypto has more widely tracked vulnerabilities).

Happy to discuss more if others have different ideas.

Thanks

Sean



On 8/30/2023 12:52 AM, Wenxing Hou wrote:
*** Add BaseCryptLibMbedTls for CryptoPkg, which can be an alternative to OpenSSL in some scenarios. There are four features in the patch: HMAC/HKDF/RSA/HASH. ***

Wenxing Hou (9):
   CryptoPkg: Add mbedtls submodule for EDKII
   CryptoPkg: Add mbedtls_config and MbedTlsLib.inf
   CryptoPkg: Add HMAC functions based on Mbedtls
   CryptoPkg: Add HKDF functions based on Mbedtls
   CryptoPkg: Add RSA functions based on Mbedtls
   CryptoPkg: Add all .inf files for BaseCryptLibMbedTls
   CryptoPkg: Add Null functions for building pass
   CryptoPkg: Add MD5/SHA1/SHA2 functions based on Mbedtls
   CryptoPkg: Add Mbedtls submodule in CI

  .gitmodules                                   |    3 +
  .pytool/CISettings.py                         |    2 +
  CryptoPkg/CryptoPkg.ci.yaml                   |   66 +-
  CryptoPkg/CryptoPkg.dec                       |    4 +
  CryptoPkg/CryptoPkgMbedTls.dsc                |  280 ++
  .../BaseCryptLibMbedTls/BaseCryptLib.inf      |   81 +
  .../BaseCryptLibMbedTls/Bn/CryptBnNull.c      |  520 +++
  .../Cipher/CryptAeadAesGcmNull.c              |  100 +
  .../BaseCryptLibMbedTls/Cipher/CryptAesNull.c |  159 +
  .../BaseCryptLibMbedTls/Hash/CryptMd5.c       |  234 +
  .../BaseCryptLibMbedTls/Hash/CryptMd5Null.c   |  163 +
  .../Hash/CryptParallelHashNull.c              |   40 +
  .../BaseCryptLibMbedTls/Hash/CryptSha1.c      |  234 +
  .../BaseCryptLibMbedTls/Hash/CryptSha1Null.c  |  166 +
  .../BaseCryptLibMbedTls/Hash/CryptSha256.c    |  227 +
  .../Hash/CryptSha256Null.c                    |  162 +
  .../BaseCryptLibMbedTls/Hash/CryptSha512.c    |  447 ++
  .../Hash/CryptSha512Null.c                    |  275 ++
  .../BaseCryptLibMbedTls/Hash/CryptSm3Null.c   |  164 +
  .../BaseCryptLibMbedTls/Hmac/CryptHmac.c      |  620 +++
  .../BaseCryptLibMbedTls/Hmac/CryptHmacNull.c  |  359 ++
  .../BaseCryptLibMbedTls/InternalCryptLib.h    |   44 +
  .../BaseCryptLibMbedTls/Kdf/CryptHkdf.c       |  372 ++
  .../BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c   |  192 +
  .../BaseCryptLibMbedTls/PeiCryptLib.inf       |  101 +
  .../BaseCryptLibMbedTls/PeiCryptLib.uni       |   25 +
  .../BaseCryptLibMbedTls/Pem/CryptPemNull.c    |   69 +
  .../Pk/CryptAuthenticodeNull.c                |   45 +
  .../BaseCryptLibMbedTls/Pk/CryptDhNull.c      |  150 +
  .../BaseCryptLibMbedTls/Pk/CryptEcNull.c      |  578 +++
  .../Pk/CryptPkcs1OaepNull.c                   |   51 +
  .../Pk/CryptPkcs5Pbkdf2Null.c                 |   48 +
  .../Pk/CryptPkcs7Internal.h                   |   83 +
  .../Pk/CryptPkcs7SignNull.c                   |   53 +
  .../Pk/CryptPkcs7VerifyEkuNull.c              |  152 +
  .../Pk/CryptPkcs7VerifyEkuRuntime.c           |   56 +
  .../Pk/CryptPkcs7VerifyNull.c                 |  163 +
  .../Pk/CryptPkcs7VerifyRuntime.c              |   38 +
  .../BaseCryptLibMbedTls/Pk/CryptRsaBasic.c    |  268 ++
  .../Pk/CryptRsaBasicNull.c                    |  121 +
  .../BaseCryptLibMbedTls/Pk/CryptRsaExt.c      |  337 ++
  .../BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c  |  117 +
  .../BaseCryptLibMbedTls/Pk/CryptRsaPss.c      |  164 +
  .../BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c  |   46 +
  .../BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c  |  231 +
  .../Pk/CryptRsaPssSignNull.c                  |   60 +
  .../BaseCryptLibMbedTls/Pk/CryptTsNull.c      |   42 +
  .../BaseCryptLibMbedTls/Pk/CryptX509Null.c    |  753 ++++
  .../BaseCryptLibMbedTls/Rand/CryptRandNull.c  |   56 +
  .../BaseCryptLibMbedTls/RuntimeCryptLib.inf   |   92 +
  .../BaseCryptLibMbedTls/RuntimeCryptLib.uni   |   22 +
  .../BaseCryptLibMbedTls/SecCryptLib.inf       |   84 +
  .../BaseCryptLibMbedTls/SecCryptLib.uni       |   17 +
  .../BaseCryptLibMbedTls/SmmCryptLib.inf       |   92 +
  .../BaseCryptLibMbedTls/SmmCryptLib.uni       |   22 +
  .../SysCall/ConstantTimeClock.c               |   75 +
  .../BaseCryptLibMbedTls/SysCall/CrtWrapper.c  |   58 +
  .../SysCall/RuntimeMemAllocation.c            |  462 ++
  .../SysCall/TimerWrapper.c                    |  198 +
  .../BaseCryptLibMbedTls/TestBaseCryptLib.inf  |   78 +
  CryptoPkg/Library/MbedTlsLib/CrtWrapper.c     |   96 +
  CryptoPkg/Library/MbedTlsLib/EcSm2Null.c      |  495 +++
  .../Include/mbedtls/mbedtls_config.h          | 3823 +++++++++++++++++
  CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf   |  173 +
  .../Library/MbedTlsLib/MbedTlsLibFull.inf     |  177 +
  CryptoPkg/Library/MbedTlsLib/mbedtls          |    1 +
  66 files changed, 14683 insertions(+), 3 deletions(-)
  create mode 100644 CryptoPkg/CryptoPkgMbedTls.dsc
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/BaseCryptLib.inf
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Bn/CryptBnNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAeadAesGcmNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Cipher/CryptAesNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptMd5Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptParallelHashNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha1Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha256Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSha512Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hash/CryptSm3Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmac.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Hmac/CryptHmacNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/InternalCryptLib.h
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdf.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Kdf/CryptHkdfNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.inf
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/PeiCryptLib.uni
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pem/CryptPemNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptAuthenticodeNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptDhNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptEcNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs1OaepNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs5Pbkdf2Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7Internal.h
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7SignNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyEkuRuntime.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptPkcs7VerifyRuntime.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasic.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaBasicNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExt.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaExtNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPss.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSign.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptRsaPssSignNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptTsNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Pk/CryptX509Null.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/Rand/CryptRandNull.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.inf
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/RuntimeCryptLib.uni
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.inf
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SecCryptLib.uni
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.inf
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SmmCryptLib.uni
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/ConstantTimeClock.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/CrtWrapper.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/RuntimeMemAllocation.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/SysCall/TimerWrapper.c
  create mode 100644 CryptoPkg/Library/BaseCryptLibMbedTls/TestBaseCryptLib.inf
  create mode 100644 CryptoPkg/Library/MbedTlsLib/CrtWrapper.c
  create mode 100644 CryptoPkg/Library/MbedTlsLib/EcSm2Null.c
  create mode 100644 CryptoPkg/Library/MbedTlsLib/Include/mbedtls/mbedtls_config.h
  create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLib.inf
  create mode 100644 CryptoPkg/Library/MbedTlsLib/MbedTlsLibFull.inf
  create mode 160000 CryptoPkg/Library/MbedTlsLib/mbedtls

View/Reply Online (#108152): https://edk2.groups.io/g/devel/message/108152