Re: [PATCH v6 07/28] hash: integrate hash on mbedtls
Hi Ilias, On Fri, 13 Sept 2024 at 11:04, Ilias Apalodimas wrote: > > Hi Simon, > > Apologies lost that email > > > On Sun, Sep 01, 2024 at 02:09:44PM -0600, Simon Glass wrote: > > Hi Ilias, > > > > On Fri, 30 Aug 2024 at 03:37, Ilias Apalodimas > > wrote: > > > > > > Hi Simon, > > > > > > On Thu, 29 Aug 2024 at 18:01, Simon Glass wrote: > > > > > > > > Hi Raymond, > > > > > > > > On Fri, 16 Aug 2024 at 15:47, Raymond Mao > wrote: > > > > > > > > > > Integrate common/hash.c on the hash shim layer so that hash APIs > > > > > from mbedtls can be leveraged by boot/image and efi_loader. > > > > > > > > > > Signed-off-by: Raymond Mao > > > > > --- > > > > > Changes in v2 > > > > > - Use the original head files instead of creating new ones. > > > > > Changes in v3 > > > > > - Add handle checkers for malloc. > > > > > Changes in v4 > > > > > - None. > > > > > Changes in v5 > > > > > - Add __maybe_unused to solve linker errors in some platforms. > > > > > - replace malloc with calloc. > > > > > Changes in v6 > > > > > - None. > > > > > > > > > > common/hash.c | 146 > ++ > > > > > 1 file changed, 146 insertions(+) > > > > > > > > I am not seeing the benefit of replacing U-Boot's hashing algorithms. > > > > They work well and don't change. Also it seems to be making the code > a > > > > lot uglier, with an uncertain timeline for clean-up. > > > > > > A lot uglier where? It adds a few wrappers that fit into the current > > > design and callbacks. > > > I don't think what you are asking is possible. To do assymetric > > > crypto, signatures etc -- and in the future add TLS support in wget > > > mbedTLS relies on its internal hashing functions for the cipher suites > > > it supports. So what you are asking would just make the code even > > > larger. Raymond can you please double check? > > > > It's really just a case of dropping the hash calls. It should not > > cause any other problems, so far as I can see, but I have not dug in > > in detail. > > > > Re TLS is relying on its internal hashing functions, is this what you > > are talking about? > > > > $ git grep mbedtls_sha1_free > > common/hash.c: mbedtls_sha1_free(ctx); > > common/hash.c: mbedtls_sha1_free((mbedtls_sha1_context *)ctx); > > lib/mbedtls/external/mbedtls/include/mbedtls/sha1.h:void > > mbedtls_sha1_free(mbedtls_sha1_context *ctx); > > lib/mbedtls/external/mbedtls/library/md.c: > > mbedtls_sha1_free(ctx->md_ctx); > > lib/mbedtls/external/mbedtls/library/psa_crypto_hash.c: > > mbedtls_sha1_free(&operation->ctx.sha1); > > lib/mbedtls/external/mbedtls/library/sha1.c:void > > mbedtls_sha1_free(mbedtls_sha1_context *ctx) > > lib/mbedtls/external/mbedtls/library/sha1.c:mbedtls_sha1_free(ctx); > > lib/mbedtls/external/mbedtls/library/sha1.c:mbedtls_sha1_free(&ctx); > > lib/mbedtls/external/mbedtls/library/sha1.c:mbedtls_sha1_free(&ctx); > > lib/mbedtls/sha1.c: mbedtls_sha1_free(ctx); > > > > I see this in psa_crypto_hash.c (not sure what that is though). > PSA is Platform Security Architecture for Arm. They define APIs etc and > some crypto ops can move to the Secure World. > > As I responded later down the thread, mbedTLS config.h file allows you to > define > alternative implementations. The benefit that I see by using mbedTLS > hashing, > is that we can switch on new algorithms by enabling an option in mbedTLS. > OTOH some work will be needed to plug new algorithms in U-Boot and as you > point out HW accel will not work -- Unless we define the accelerator > functions in the config file above. But that doesn't solve your problem of > having one extra ifdef in hash.c > > > > > > > Can you do the rest of the integration first? > > > > I believe this is the best approach. We need to permit using crypto > > acceleration too (via driver model), which is obviously impossible if > > mbed algorithms are using built-in hashing. > > > > Look on the response above, we can, but I don't love the solution. > > > The biggest challenge here is that common/hash.c needs some love, as I > > mentioned in an earlier version. > > Fair
[PATCH v7 27/27] configs: enable MbedTLS as default setting
Enable MbedTLS as default setting for qemu arm64 and sandbox. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - None. Changes in v4 - None. Changes in v5 - Remove unused config MBEDTLS_LIB_TLS. - Remove EFI_SECURE_BOOT from the default config. Changes in v6 - Remove MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509. Changes in v7 - None. configs/qemu_arm64_defconfig | 1 + configs/sandbox_defconfig| 1 + 2 files changed, 2 insertions(+) diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 088ba39f18e..6d18a8571ca 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig @@ -68,5 +68,6 @@ CONFIG_TPM2_MMIO=y CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_PCI=y CONFIG_SEMIHOSTING=y +CONFIG_MBEDTLS_LIB=y CONFIG_TPM=y CONFIG_EFI_HTTP_BOOT=y diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index a50fbce8d06..0ecdeebb45f 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -345,6 +345,7 @@ CONFIG_FS_CBFS=y CONFIG_FS_CRAMFS=y CONFIG_ADDR_MAP=y CONFIG_CMD_DHRYSTONE=y +CONFIG_MBEDTLS_LIB=y CONFIG_ECDSA=y CONFIG_ECDSA_VERIFY=y CONFIG_TPM=y -- 2.25.1
[PATCH v7 26/27] test: Remove ASN1 library test
With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib, So remove it from test. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. test/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Kconfig b/test/Kconfig index e2ec0994a2e..558a9cd49b4 100644 --- a/test/Kconfig +++ b/test/Kconfig @@ -32,7 +32,7 @@ if UT_LIB config UT_LIB_ASN1 bool "Unit test for asn1 compiler and decoder function" - depends on SANDBOX + depends on SANDBOX && !MBEDTLS_LIB_X509 default y imply ASYMMETRIC_KEY_TYPE imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE -- 2.25.1
[PATCH v7 25/27] asn1_decoder: add build options for ASN1 decoder
When building with MbedTLS, we are using MbedTLS to decode ASN1 data for x509, pkcs7 and mscode. Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. - Update the commit subject. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. lib/Makefile | 2 +- lib/mbedtls/Kconfig | 30 ++ lib/mbedtls/Makefile | 2 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index 33755778283..561e0d44a16 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -81,7 +81,7 @@ obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ -obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o +obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 77959f01fdd..6dbf1898d12 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -117,12 +117,14 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASN1_DECODER_LEGACY if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER + select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER @@ -131,6 +133,12 @@ config LEGACY_CRYPTO_CERT if LEGACY_CRYPTO_CERT +config ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library" depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -172,6 +180,13 @@ config MSCODE_PARSER_LEGACY if SPL +config SPL_ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library in SPL" depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -317,12 +332,14 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASN1_DECODER_MBEDTLS if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER + select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER @@ -331,6 +348,12 @@ config MBEDTLS_LIB_X509 if MBEDTLS_LIB_X509 +config ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library" depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -372,6 +395,13 @@ config MSCODE_PARSER_MBEDTLS if SPL +config SPL_ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certifi
[PATCH v7 24/27] lib/rypto: Adapt rsa_helper to MbedTLS
Previous patch has introduced MbedTLS porting layer for RSA helper, here to adjust the makefile accordingly. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 3caa45dc2a8..72b413d85a9 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -13,7 +13,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser # -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o -- 2.25.1
[PATCH v7 23/27] mbedtls: add RSA helper layer on MbedTLS
Add RSA helper layer on top on MbedTLS PK and RSA library. Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. - Remove unnecessary type casting. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. Changes in v6 - None. Changes in v7 - None. lib/mbedtls/Kconfig | 36 +++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/rsa_helper.c | 95 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/rsa_helper.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index f60bb140bd9..77959f01fdd 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -119,11 +119,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER help Enable legacy certificate libraries. @@ -136,6 +138,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -169,6 +179,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT @@ -301,11 +319,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER help Enable MbedTLS certificate libraries. @@ -318,6 +338,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS @@ -351,6 +379,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 8b1b6a5..40031994708 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtl
[PATCH v7 22/27] lib/crypto: Adapt mscode_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for mscode parser,
here to adjust the header and makefiles accordingly.
Adding _LEGACY Kconfig for legacy mscode implementation.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Add kconfig for legacy mscode parser.
- Correct header file include directories.
Changes in v6
- None.
Changes in v7
- None.
include/crypto/mscode.h | 4
lib/crypto/Makefile | 2 +-
lib/mbedtls/Kconfig | 9 +
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h
index 551058b96e6..678e69001b9 100644
--- a/include/crypto/mscode.h
+++ b/include/crypto/mscode.h
@@ -9,6 +9,10 @@
#ifndef __UBOOT__
#include
#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#endif
struct pefile_context {
#ifndef __UBOOT__
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7129315393f..3caa45dc2a8 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -63,7 +63,7 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
#
# Signed PE binary-wrapped key handling
#
-obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o
mscode-y := \
mscode_parser.o \
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index e6139eb8f8b..f60bb140bd9 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -121,6 +121,7 @@ config LEGACY_CRYPTO_CERT
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_LEGACY if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -151,6 +152,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY
This option chooses legacy certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_LEGACY
+ bool "MS authenticode parser with legacy certificate library"
+ depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
--
2.25.1
[PATCH v7 21/27] mbedtls: add MSCode parser porting layer
Add porting layer for MSCode on top of MbedTLS ASN1 library.
Introduce _MBEDTLS kconfigs for MSCode MbedTLS implementation.
Signed-off-by: Raymond Mao
Acked-by: Ilias Apalodimas
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
MbedTLS implementations respectively.
- Fix a few code style.
Changes in v5
- Correct kconfig dependence.
- Refactored MbedTLS makefile.
- Move mscode legacy kconfig to the next patch.
Changes in v6
- None.
Changes in v7
- None.
lib/mbedtls/Kconfig | 9 +++
lib/mbedtls/Makefile| 1 +
lib/mbedtls/mscode_parser.c | 123
3 files changed, 133 insertions(+)
create mode 100644 lib/mbedtls/mscode_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 950c2f457d7..e6139eb8f8b 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -294,6 +294,7 @@ config MBEDTLS_LIB_X509
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -324,6 +325,14 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_MBEDTLS
+ bool "MS authenticode parser with MbedTLS certificate library"
+ depends on MBEDTLS_LIB_X509 && MSCODE_PARSER
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 36eba07bf43..8b1b6a5 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -17,6 +17,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c
new file mode 100644
index 000..c3805c6503c
--- /dev/null
+++ b/lib/mbedtls/mscode_parser.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * MSCode parser using MbedTLS ASN1 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+
+/*
+ * Parse a Microsoft Individual Code Signing blob
+ *
+ * U.P.SEQUENCE {
+ *U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID)
+ *U.P.SEQUENCE {
+ * U.P.BITSTRING NaN : 0 unused bit(s);
+ * [C.P.0] {
+ * [C.P.2] {
+ * [C.P.0]
+ * }
+ * }
+ *}
+ * }
+ * U.P.SEQUENCE {
+ *U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER
+ * U.P.NULL
+ *}
+ *U.P.OCTETSTRING
+ * }
+ *
+ * @ctx: PE file context.
+ * @content_data: content data pointer.
+ * @data_len: content data length.
+ * @asn1hdrlen: ASN1 header length.
+ */
+int mscode_parse(void *ctx, const void *content_data, size_t data_len,
+size_t asn1hdrlen)
+{
+ struct pefile_context *_ctx = ctx;
+ unsigned char *p = (unsigned char *)content_data;
+ unsigned char *end = (unsigned char *)content_data + data_len;
+ size_t len = 0;
+ int ret;
+ unsigned char *inner_p;
+ size_t seq_len = 0;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len,
+ MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p,
+ len))
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+
+ /*
+* Che
[PATCH v7 20/27] lib/crypto: Adapt PKCS7 parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Correct header file include directories.
Changes in v6
- None.
Changes in v7
- None.
include/crypto/pkcs7_parser.h | 56 +++
lib/crypto/Makefile | 7 +++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
index 2c45cce5234..469c2711fa6 100644
--- a/include/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -11,6 +11,12 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#include
+#endif
#include
#define kenter(FMT, ...) \
@@ -18,7 +24,54 @@
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
+/* Backup the parsed MedTLS context that we need */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct pkcs7_mbedtls_ctx {
+ void *content_data;
+};
+
+struct pkcs7_sinfo_mbedtls_ctx {
+ void *authattrs_data;
+ void *content_data_digest;
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
+ * Authentication Code which is used for verifying the PE image digest.
+ *
+ * 1. Authenticated Attributes (authenticatedAttributes)
+ * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
+ * fields not exist.
+ * See MbedTLS function 'pkcs7_get_signer_info' for details.
+ *
+ * 2. MicroSoft Authentication Code (mscode)
+ * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
+ * (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
+ * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
+ * OID_msIndirectData) is not supported.
+ * See MbedTLS function 'pkcs7_get_content_info_type' for details.
+ *
+ * But the EFI loader assumes that a PKCS#7 message with an EFI image always
+ * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
+ * NULL), see function 'efi_signature_verify'.
+ *
+ * MbedTLS patch
"0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
+ * is to support both above features by parsing the Content Data and
+ * Authenticate Attributes from a given PKCS#7 message.
+ *
+ * Other fields we don't need to populate from MbedTLS, which are used
+ * internally by pkcs7_verify:
+ * 'signer', 'unsupported_crypto', 'blacklisted'
+ * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
+ * Content Data or Authenticate Attributes.
+ */
struct pkcs7_signed_info {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
+#endif
struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs)
*/
unsignedindex;
@@ -55,6 +108,9 @@ struct pkcs7_signed_info {
};
struct pkcs7_message {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *certs; /* Certificate list */
struct x509_certificate *crl; /* Revocation list */
struct pkcs7_signed_info *signed_infos;
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4302f197297..7129315393f 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c
$(obj)/x509_akid.asn1.h
# PKCS#7 message handling
#
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
-pkcs7_message-y := \
+pkcs7_message-y := pkcs7_helper.o
+pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
pkcs7.asn1.o \
- pkcs7_helper.o \
pkcs7_parser.o
-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
+obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
+
#
# Signed PE binary-wrapped key handling
#
--
2.25.1
[PATCH v7 19/27] mbedtls: add PKCS7 parser porting layer
Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library.
Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
- Fix EFI Capsule CI test failures.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
- Move common functions to helper.
- Fix an unnecessary pointer casting.
Changes in v5
- Refactored MbedTLS makefile.
Changes in v6
- None.
Changes in v7
- None.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 3 +-
lib/mbedtls/pkcs7_parser.c | 506 +
3 files changed, 526 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/pkcs7_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 7c298b66855..950c2f457d7 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -120,6 +120,7 @@ config LEGACY_CRYPTO_CERT
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -142,6 +143,14 @@ config X509_CERTIFICATE_PARSER_LEGACY
This option chooses legacy certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_LEGACY
+ bool "PKCS#7 message parser with legacy certificate library"
+ depends on X509_CERTIFICATE_PARSER_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -284,6 +293,7 @@ config MBEDTLS_LIB_X509
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -306,6 +316,14 @@ config X509_CERTIFICATE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_MBEDTLS
+ bool "PKCS#7 message parser with MbedTLS certificate library"
+ depends on X509_CERTIFICATE_PARSER_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index ab64365a99a..36eba07bf43 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -16,6 +16,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
+obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -49,5 +50,5 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pkcs7.o
diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c
new file mode 100644
index 000..69ca784858e
--- /dev/null
+++ b/lib/mbedtls/pkcs7_parser.c
@@ -0,0 +1,506 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * PKCS#7 parser using MbedTLS PKCS#7 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+static void pkcs7_free_mbedtls_ctx(struct pkcs7_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->content_data);
+ kfree(ctx);
+ }
+}
+
+static void pkcs7_free_sinfo_mbedtls_ctx(struct pkcs7_sinfo_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->authattrs_data);
+ kfree(ctx->content_data_digest);
+ kfree(ctx);
+ }
+}
+
+/*
+ * Parse Authenticate Attributes
+ * TODO: Shall we consider to integrate decoding of authenticate attribute into
+ * MbedTLS library?
+ *
+ * There are two kinds of structure for the Authenticate Attributes being used
+ * in U-Boot.
+ *
+ * Type 1 - contains in a PE/COFF EFI image:
+ *
+ * [C.P.0] {
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType)
+ * U.P.SET {
+ *U.P.OBJECTIDE
[PATCH v7 18/27] lib/crypto: Adapt x509_cert_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for x509 cert parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
- Add function comments for the new APIs.
Changes in v5
- Correct kconfig dependence.
- Correct header file include directories.
- Adjust a few inline comments.
Changes in v6
- None.
Changes in v7
- Drop the changes in kconfig.
include/crypto/x509_parser.h | 55
lib/crypto/Makefile | 4 +--
lib/crypto/x509_public_key.c | 2 ++
3 files changed, 59 insertions(+), 2 deletions(-)
diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h
index 4cbdc1d6612..0e22e33f66b 100644
--- a/include/crypto/x509_parser.h
+++ b/include/crypto/x509_parser.h
@@ -11,8 +11,35 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct x509_cert_mbedtls_ctx {
+ void*tbs; /* Signed data */
+ void*raw_serial;/* Raw serial number in ASN.1 */
+ void*raw_issuer;/* Raw issuer name in ASN.1 */
+ void*raw_subject; /* Raw subject name in ASN.1 */
+ void*raw_skid; /* Raw subjectKeyId in ASN.1 */
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * Fields we don't need to populate from MbedTLS context:
+ * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context,
+ * not needed for MbedTLS.
+ * 'signer' and 'seen' are used internally by pkcs7_verify.
+ * 'verified' is not in use.
+ */
struct x509_certificate {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct x509_cert_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *next;
struct x509_certificate *signer;/* Certificate that signed this
one */
struct public_key *pub; /* Public key details */
@@ -48,6 +75,32 @@ struct x509_certificate {
* x509_cert_parser.c
*/
extern void x509_free_certificate(struct x509_certificate *cert);
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+/**
+ * x509_populate_pubkey() - Populate public key from MbedTLS context
+ *
+ * @cert: Pointer to MbedTLS X509 cert
+ * @pub_key: Pointer to the populated public key handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key);
+/**
+ * x509_populate_cert() - Populate X509 cert from MbedTLS context
+ *
+ * @mbedtls_cert: Pointer to MbedTLS X509 cert
+ * @pcert: Pointer to the populated X509 cert handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert,
+ struct x509_certificate **pcert);
+/**
+ * x509_get_timestamp() - Translate timestamp from MbedTLS context
+ *
+ * @x509_time: Pointer to MbedTLS time
+ * Return: Time in time64_t format
+ */
+time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time);
+#endif
extern struct x509_certificate *x509_cert_parse(const void *data, size_t
datalen);
extern int x509_decode_time(time64_t *_t, size_t hdrlen,
unsigned char tag,
@@ -56,6 +109,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen,
/*
* x509_public_key.c
*/
+#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
extern int x509_get_sig_params(struct x509_certificate *cert);
+#endif
extern int x509_check_for_self_signed(struct x509_certificate *cert);
#endif /* _X509_PARSER_H */
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7e877214aa8..4302f197297 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -32,11 +32,11 @@ endif
# X.509 Certificate handling
#
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
-x509_key_parser-y := \
+x509_key_parser-y := x509_helper.o
+x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
- x509_helper.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index 4ba13c1adc3..310edbd21be 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -30,6 +30,8 @@
#include "x509_parser.h"
#endif
+#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+
/*
* Set up the signature parameters in an X.509 certificate. This involves
* digesting the signed data and extracting the signature.
--
2.25.1
[PATCH v7 17/27] mbedtls: add X509 cert parser porting layer
Add porting layer for X509 cert parser on top of MbedTLS X509
library.
Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
- Move common functions to helper.
Changes in v5
- Kconfig rename.
- Adjust a few inline comments.
Changes in v6
- None.
Changes in v7
- None.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 4 +-
lib/mbedtls/x509_cert_parser.c | 447 +
3 files changed, 468 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/x509_cert_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 4f710640885..7c298b66855 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -119,6 +119,7 @@ config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -133,6 +134,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY
This option chooses legacy certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_LEGACY
+ bool "X.509 certificate parser with legacy certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -274,6 +283,7 @@ config MBEDTLS_LIB_X509
bool "MbedTLS certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -288,6 +298,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS
This option chooses MbedTLS certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_MBEDTLS
+ bool "X.509 certificate parser with MbedTLS certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 2d2220dd4fd..ab64365a99a 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -14,6 +14,8 @@ obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
# x509 libraries
obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
+obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
+ x509_cert_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -44,7 +46,7 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pk.o \
$(MBEDTLS_LIB_DIR)/pk_wrap.o \
$(MBEDTLS_LIB_DIR)/pkparse.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c
new file mode 100644
index 000..cb42018695c
--- /dev/null
+++ b/lib/mbedtls/x509_cert_parser.c
@@ -0,0 +1,447 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 cert parser using MbedTLS X509 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+
+static void x509_free_mbedtls_ctx(struct x509_cert_mbedtls_ctx *ctx)
+{
+ if (!ctx)
+ return;
+
+ kfree(ctx->tbs);
+ kfree(ctx->raw_serial);
+ kfree(ctx->raw_issuer);
+ kfree(ctx->raw_subject);
+ kfree(ctx->raw_skid);
+ kfree(ctx);
+}
+
+static int x509_set_cert_flags(struct x509_certificate *cert)
+{
+ struct public_key_signature *sig = cert->sig;
+
+ if (!sig || !cert->pub) {
+ pr_err("Signature or public key is not initialized\n");
+ return -ENOPKG;
+ }
+
+ if (!cert->pub->pkey_algo)
+ cert->unsupported_key = true;
+
+ if (!sig->pkey_algo)
+ cert->unsupported_sig = true;
+
+ if (!sig->hash_algo)
+ cert->u
[PATCH v7 16/27] lib/crypto: Adapt public_key header with MbedTLS
Previous patch has introduced MbedTLS porting layer for public key, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - Correct header file include directories. - Kconfig rename. Changes in v6 - None. Changes in v7 - None. include/crypto/public_key.h | 6 ++ lib/crypto/Makefile | 5 ++--- lib/crypto/asymmetric_type.c | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fcc348..25cfb68adce 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #else #include #endif diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 16059088f26..7e877214aa8 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,9 +7,8 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ - public_key_helper.o \ - public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15ef97..95b82cd8e84 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include #include #endif -#include #ifdef __UBOOT__ #include #include @@ -26,6 +25,7 @@ #include #include #endif +#include #ifdef __UBOOT__ #include #else -- 2.25.1
[PATCH v7 15/27] mbedtls: add public key porting layer
Add porting layer for public key on top of MbedTLS X509 library.
Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and
MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and
MbedTLS implementations respectively.
- Move common functions to helper.
Changes in v5
- Correct kconfig dependence.
- Kconfig rename.
- Refactored MbedTLS makefile.
- Adjust a few inline comments.
Changes in v6
- None.
Changes in v7
- None.
lib/mbedtls/Kconfig | 52 +
lib/mbedtls/Makefile | 6 ++-
lib/mbedtls/public_key.c | 82
3 files changed, 139 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/public_key.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 7ee1139568b..4f710640885 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -117,9 +117,35 @@ endif # LEGACY_CRYPTO_BASIC
config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
+ select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
+ ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
+ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
Enable legacy certificate libraries.
+if LEGACY_CRYPTO_CERT
+
+config ASYMMETRIC_PUBLIC_KEY_LEGACY
+ bool "Asymmetric public key crypto with legacy certificate library"
+ depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses legacy certificate library for asymmetric public
+ key crypto algorithm.
+
+if SPL
+
+config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
+ bool "Asymmetric public key crypto with legacy certificate library in
SPL"
+ depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses legacy certificate library for asymmetric public
+ key crypto algorithm in SPL.
+
+endif # SPL
+
+endif # LEGACY_CRYPTO_CERT
+
endif # LEGACY_CRYPTO
if MBEDTLS_LIB
@@ -246,7 +272,33 @@ endif # MBEDTLS_LIB_CRYPTO
config MBEDTLS_LIB_X509
bool "MbedTLS certificate libraries"
+ select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
+ ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
+ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
Enable MbedTLS certificate libraries.
+if MBEDTLS_LIB_X509
+
+config ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ bool "Asymmetric public key crypto with MbedTLS certificate library"
+ depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses MbedTLS certificate library for asymmetric public
+ key crypto algorithm.
+
+if SPL
+
+config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ bool "Asymmetric public key crypto with MbedTLS certificate library in
SPL"
+ depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses MbedTLS certificate library for asymmetric public
+ key crypto algorithm in SPL.
+
+endif # SPL
+
+endif # MBEDTLS_LIB_X509
+
endif # MBEDTLS_LIB
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 50c1ba5f88e..2d2220dd4fd 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -11,6 +11,10 @@ obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o
obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o
obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
+# x509 libraries
+obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
+ public_key.o
+
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
mbedtls_lib_crypto-y := \
@@ -36,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \
$(MBEDTLS_LIB_DIR)/bignum_core.o \
$(MBEDTLS_LIB_DIR)/rsa.o \
$(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pk.o \
$(MBEDTLS_LIB_DIR)/pk_wrap.o \
$(MBEDTLS_LIB_DIR)/pkparse.o
diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c
new file mode 100644
index 000..5f73b99d4f2
--- /dev/null
+++ b/lib/mbedtls/public_key.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Public key helper functions using MbedTLS X509 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+
+int public_key_verify_signature(const struct public_key *pkey,
+ const struct public_key_signature *sig)
+{
+ mbedtls_md_type_t mb_hash_algo;
+ mbedtls_pk_context pk_ctx;
+
[PATCH v7 14/27] pkcs7: move common functions to PKCS7 helper
Move pkcs7_get_content_data as a helper function that can be
shared by legacy crypto lib and MbedTLS implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Remove authorship.
Changes in v6
- None.
Changes in v7
- None.
lib/crypto/Makefile | 1 +
lib/crypto/pkcs7_helper.c | 37 +
lib/crypto/pkcs7_parser.c | 28
3 files changed, 38 insertions(+), 28 deletions(-)
create mode 100644 lib/crypto/pkcs7_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 946cc3a7b59..16059088f26 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -53,6 +53,7 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c
$(obj)/x509_akid.asn1.h
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
pkcs7_message-y := \
pkcs7.asn1.o \
+ pkcs7_helper.o \
pkcs7_parser.o
obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
diff --git a/lib/crypto/pkcs7_helper.c b/lib/crypto/pkcs7_helper.c
new file mode 100644
index 000..bb3b9d1354f
--- /dev/null
+++ b/lib/crypto/pkcs7_helper.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * PKCS7 helper functions
+ *
+ * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+#include
+
+/**
+ * pkcs7_get_content_data - Get access to the PKCS#7 content
+ * @pkcs7: The preparsed PKCS#7 message to access
+ * @_data: Place to return a pointer to the data
+ * @_data_len: Place to return the data length
+ * @_headerlen: Size of ASN.1 header not included in _data
+ *
+ * Get access to the data content of the PKCS#7 message. The size of the
+ * header of the ASN.1 object that contains it is also provided and can be used
+ * to adjust *_data and *_data_len to get the entire object.
+ *
+ * Returns -ENODATA if the data object was missing from the message.
+ */
+int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
+ const void **_data, size_t *_data_len,
+ size_t *_headerlen)
+{
+ if (!pkcs7->data)
+ return -ENODATA;
+
+ *_data = pkcs7->data;
+ *_data_len = pkcs7->data_len;
+ if (_headerlen)
+ *_headerlen = pkcs7->data_hdrlen;
+ return 0;
+}
diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c
index d5efa828d6a..c849dc0d92d 100644
--- a/lib/crypto/pkcs7_parser.c
+++ b/lib/crypto/pkcs7_parser.c
@@ -182,34 +182,6 @@ out_no_ctx:
}
EXPORT_SYMBOL_GPL(pkcs7_parse_message);
-/**
- * pkcs7_get_content_data - Get access to the PKCS#7 content
- * @pkcs7: The preparsed PKCS#7 message to access
- * @_data: Place to return a pointer to the data
- * @_data_len: Place to return the data length
- * @_headerlen: Size of ASN.1 header not included in _data
- *
- * Get access to the data content of the PKCS#7 message. The size of the
- * header of the ASN.1 object that contains it is also provided and can be used
- * to adjust *_data and *_data_len to get the entire object.
- *
- * Returns -ENODATA if the data object was missing from the message.
- */
-int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
- const void **_data, size_t *_data_len,
- size_t *_headerlen)
-{
- if (!pkcs7->data)
- return -ENODATA;
-
- *_data = pkcs7->data;
- *_data_len = pkcs7->data_len;
- if (_headerlen)
- *_headerlen = pkcs7->data_hdrlen;
- return 0;
-}
-EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
-
/*
* Note an OID when we find one for later processing when we know how
* to interpret it.
--
2.25.1
[PATCH v7 13/27] x509: move common functions to x509 helper
Move x509_check_for_self_signed as a common helper function
that can be shared by legacy crypto lib and MbedTLS implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
Changes in v7
- None.
lib/crypto/Makefile | 1 +
lib/crypto/x509_helper.c | 64
lib/crypto/x509_public_key.c | 56 +--
3 files changed, 66 insertions(+), 55 deletions(-)
create mode 100644 lib/crypto/x509_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4ad1849040d..946cc3a7b59 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -37,6 +37,7 @@ x509_key_parser-y := \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
+ x509_helper.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_helper.c b/lib/crypto/x509_helper.c
new file mode 100644
index 000..87e8ff67ae1
--- /dev/null
+++ b/lib/crypto/x509_helper.c
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 helper functions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+#include
+
+/*
+ * Check for self-signedness in an X.509 cert and if found, check the signature
+ * immediately if we can.
+ */
+int x509_check_for_self_signed(struct x509_certificate *cert)
+{
+ int ret = 0;
+
+ if (cert->raw_subject_size != cert->raw_issuer_size ||
+ memcmp(cert->raw_subject, cert->raw_issuer,
+ cert->raw_issuer_size))
+ goto not_self_signed;
+
+ if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
+ /*
+* If the AKID is present it may have one or two parts. If
+* both are supplied, both must match.
+*/
+ bool a = asymmetric_key_id_same(cert->skid,
+ cert->sig->auth_ids[1]);
+ bool b = asymmetric_key_id_same(cert->id,
+ cert->sig->auth_ids[0]);
+
+ if (!a && !b)
+ goto not_self_signed;
+
+ ret = -EKEYREJECTED;
+ if (((a && !b) || (b && !a)) &&
+ cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
+ goto out;
+ }
+
+ ret = -EKEYREJECTED;
+ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo))
+ goto out;
+
+ ret = public_key_verify_signature(cert->pub, cert->sig);
+ if (ret == -ENOPKG) {
+ cert->unsupported_sig = true;
+ goto not_self_signed;
+ }
+ if (ret < 0)
+ goto out;
+
+ pr_devel("Cert Self-signature verified");
+ cert->self_signed = true;
+
+out:
+ return ret;
+
+not_self_signed:
+ return 0;
+}
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index a10145a7cdc..4ba13c1adc3 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -139,61 +139,7 @@ error:
return ret;
}
-/*
- * Check for self-signedness in an X.509 cert and if found, check the signature
- * immediately if we can.
- */
-int x509_check_for_self_signed(struct x509_certificate *cert)
-{
- int ret = 0;
-
- pr_devel("==>%s()\n", __func__);
-
- if (cert->raw_subject_size != cert->raw_issuer_size ||
- memcmp(cert->raw_subject, cert->raw_issuer,
- cert->raw_issuer_size) != 0)
- goto not_self_signed;
-
- if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
- /* If the AKID is present it may have one or two parts. If
-* both are supplied, both must match.
-*/
- bool a = asymmetric_key_id_same(cert->skid,
cert->sig->auth_ids[1]);
- bool b = asymmetric_key_id_same(cert->id,
cert->sig->auth_ids[0]);
-
- if (!a && !b)
- goto not_self_signed;
-
- ret = -EKEYREJECTED;
- if (((a && !b) || (b && !a)) &&
- cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
- goto out;
- }
-
- ret = -EKEYREJECTED;
- if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
- goto out;
-
- ret = public_key_verify_signature(cert->pub, cert->sig);
- if (ret < 0) {
- if (ret == -ENOPKG) {
- cert->unsupported_sig = true;
- ret = 0;
-
[PATCH v7 12/27] public_key: move common functions to public key helper
Move public_key_free and public_key_signature_free as helper
functions that can be shared by legacy crypto lib and MbedTLS
implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
Changes in v7
- None.
lib/crypto/Makefile| 4 +++-
lib/crypto/public_key.c| 31 ---
lib/crypto/public_key_helper.c | 39 ++
3 files changed, 42 insertions(+), 32 deletions(-)
create mode 100644 lib/crypto/public_key_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index bec1bc95a65..4ad1849040d 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -7,7 +7,9 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := asymmetric_type.o
-obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \
+ public_key_helper.o \
+ public_key.o
#
# RSA public key parser
diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c
index 6efe951c057..408742907f1 100644
--- a/lib/crypto/public_key.c
+++ b/lib/crypto/public_key.c
@@ -51,38 +51,7 @@ static void public_key_describe(const struct key
*asymmetric_key,
}
#endif
-/*
- * Destroy a public key algorithm key.
- */
-void public_key_free(struct public_key *key)
-{
- if (key) {
- kfree(key->key);
- kfree(key->params);
- kfree(key);
- }
-}
-EXPORT_SYMBOL_GPL(public_key_free);
-
#ifdef __UBOOT__
-/*
- * from /crypto/asymmetric_keys/signature.c
- *
- * Destroy a public key signature.
- */
-void public_key_signature_free(struct public_key_signature *sig)
-{
- int i;
-
- if (sig) {
- for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
- free(sig->auth_ids[i]);
- free(sig->s);
- free(sig->digest);
- free(sig);
- }
-}
-EXPORT_SYMBOL_GPL(public_key_signature_free);
/**
* public_key_verify_signature - Verify a signature using a public key.
diff --git a/lib/crypto/public_key_helper.c b/lib/crypto/public_key_helper.c
new file mode 100644
index 000..2c55922bdcb
--- /dev/null
+++ b/lib/crypto/public_key_helper.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 helper functions
+ *
+ * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+
+/*
+ * Destroy a public key algorithm key.
+ */
+void public_key_free(struct public_key *key)
+{
+ if (key) {
+ kfree(key->key);
+ kfree(key->params);
+ kfree(key);
+ }
+}
+
+/*
+ * from /crypto/asymmetric_keys/signature.c
+ *
+ * Destroy a public key signature.
+ */
+void public_key_signature_free(struct public_key_signature *sig)
+{
+ int i;
+
+ if (sig) {
+ for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
+ kfree(sig->auth_ids[i]);
+ kfree(sig->s);
+ kfree(sig->digest);
+ kfree(sig);
+ }
+}
--
2.25.1
[PATCH v7 11/27] mbedtls/external: update MbedTLS PKCS7 test suites
Update the PKCS7 test suites for multiple certs. The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001 For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release. Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. .../external/mbedtls/tests/suites/test_suite_pkcs7.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data index d3b83cdf0aa..2dd1c56109f 100644 --- a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data +++ b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data @@ -14,9 +14,9 @@ PKCS7 Signed Data Parse with zero signers depends_on:MBEDTLS_MD_CAN_SHA256 pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA -PKCS7 Signed Data Parse Fail with multiple certs #4 +PKCS7 Signed Data Parse Pass with multiple certs #4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with corrupted cert #5.0 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -- 2.25.1
[PATCH v7 10/27] mbedtls/external: support decoding multiple signer's cert
Support decoding multiple signer's cert in the signed data within
a PKCS7 message.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
lib/mbedtls/external/mbedtls/library/pkcs7.c | 75
1 file changed, 47 insertions(+), 28 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index da73fb341d6..01105227d7a 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -61,6 +61,36 @@ static int pkcs7_get_next_content_len(unsigned char **p,
unsigned char *end,
return ret;
}
+/**
+ * Get and decode one cert from a sequence.
+ * Return 0 for success,
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_one_cert(unsigned char **p, unsigned char *end,
+ mbedtls_x509_crt *certs)
+{
+int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+size_t len = 0;
+unsigned char *start = *p;
+unsigned char *end_cert;
+
+ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+if (ret != 0) {
+return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret);
+}
+
+end_cert = *p + len;
+
+if ((ret = mbedtls_x509_crt_parse_der(certs, start, end_cert - start)) <
0) {
+return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+}
+
+*p = end_cert;
+
+return 0;
+}
+
/**
* version Version
* Version ::= INTEGER
@@ -178,11 +208,12 @@ static int pkcs7_get_certificates(unsigned char **p,
unsigned char *end,
mbedtls_x509_crt *certs)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-size_t len1 = 0;
-size_t len2 = 0;
-unsigned char *end_set, *end_cert, *start;
+size_t len = 0;
+unsigned char *end_set;
+int num_of_certs = 0;
-ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+/* Get the set of certs */
+ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return 0;
@@ -190,38 +221,26 @@ static int pkcs7_get_certificates(unsigned char **p,
unsigned char *end,
if (ret != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
-start = *p;
-end_set = *p + len1;
+end_set = *p + len;
-ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_SEQUENCE);
+ret = pkcs7_get_one_cert(p, end_set, certs);
if (ret != 0) {
-return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret);
+return ret;
}
-end_cert = *p + len2;
+num_of_certs++;
-/*
- * This is to verify that there is only one signer certificate. It seems
it is
- * not easy to differentiate between the chain vs different signer's
certificate.
- * So, we support only the root certificate and the single signer.
- * The behaviour would be improved with addition of multiple signer
support.
- */
-if (end_cert != end_set) {
-return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
-}
-
-if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
-return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+while (*p != end_set) {
+ret = pkcs7_get_one_cert(p, end_set, certs);
+if (ret != 0) {
+return ret;
+}
+num_of_certs++;
}
-*p = end_cert;
+*p = end_set;
-/*
- * Since in this version we strictly support single certificate, and
reaching
- * here implies we have parsed successfully, we return 1.
- */
-return 1;
+return num_of_certs;
}
/**
--
2.25.1
[PATCH v7 09/27] mbedtls/external: support PKCS9 Authenticate Attributes
Populate PKCS9 Authenticate Attributes from signer info if it exists
in a PKCS7 message.
Add OIDs for describing objects using for Authenticate Attributes.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
Acked-by: Ilias Apalodimas
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
.../external/mbedtls/include/mbedtls/oid.h| 5 +
.../external/mbedtls/include/mbedtls/pkcs7.h | 11 +++
lib/mbedtls/external/mbedtls/library/pkcs7.c | 19 ++-
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index 2ee982808fa..43cef99f1e3 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -238,6 +238,11 @@
#define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
#define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**<
emailAddress AttributeType ::= { pkcs-9 1 } */
+#define MBEDTLS_OID_PKCS9_CONTENTTYPE MBEDTLS_OID_PKCS9 "\x03" /**<
contentType AttributeType ::= { pkcs-9 3 } */
+#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**<
messageDigest AttributeType ::= { pkcs-9 4 } */
+#define MBEDTLS_OID_PKCS9_SIGNINGTIME MBEDTLS_OID_PKCS9 "\x05" /**<
signingTime AttributeType ::= { pkcs-9 5 } */
+#define MBEDTLS_OID_PKCS9_SMIMECAP MBEDTLS_OID_PKCS9 "\x0f" /**<
smimeCapabilites AttributeType ::= { pkcs-9 15 } */
+#define MBEDTLS_OID_PKCS9_SMIMEAA MBEDTLS_OID_PKCS9 "\x10\x02\x0b" /**<
smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */
/* RFC 4055 */
#define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**<
id-RSASSA-PSS ::= { pkcs-1 10 } */
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index 9e29b74af70..a88a5e858fc 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -102,6 +102,16 @@ typedef enum {
}
mbedtls_pkcs7_type;
+/*
+ * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot
+ * Secure Boot
+ */
+typedef struct mbedtls_pkcs7_authattrs {
+size_t data_len;
+void *data;
+}
+mbedtls_pkcs7_authattrs;
+
/**
* Structure holding PKCS #7 signer info
*/
@@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info {
mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+mbedtls_pkcs7_authattrs authattrs;
struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next);
}
mbedtls_pkcs7_signer_info;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 0c2436b56b7..da73fb341d6 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p,
unsigned char *end,
unsigned char *end_signer, *end_issuer_and_sn;
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
+unsigned char *tmp_p;
asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE);
@@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p,
unsigned char *end,
goto out;
}
-/* Assume authenticatedAttributes is nonexistent */
+/* Save authenticatedAttributes if present */
+if (*p < end_signer &&
+**p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0))
{
+tmp_p = *p;
+
+ret = mbedtls_asn1_get_tag(p, end_signer, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0);
+if (ret != 0) {
+goto out;
+}
+
+signer->authattrs.data = tmp_p;
+signer->authattrs.data_len = len + *p - tmp_p;
+*p += len;
+}
+
ret = pkcs7_get_digest_algorithm(p, end_signer,
&signer->sig_alg_identifier);
if (ret != 0) {
goto out;
--
2.25.1
[PATCH v7 08/27] mbedtls/external: support Microsoft Authentication Code
Populate Microsoft Authentication Code from the content data
into PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs for describing objects using for Microsoft Authentication
Code.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
Acked-by: Ilias Apalodimas
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
.../external/mbedtls/include/mbedtls/oid.h| 30 ++
.../external/mbedtls/include/mbedtls/pkcs7.h | 10
lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++
3 files changed, 90 insertions(+), 10 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index fdc25ebf885..2ee982808fa 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -352,6 +352,36 @@
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE
"\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
*/
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE
"\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+/*
+ * MicroSoft Authenticate Code OIDs
+ */
+#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET
"\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) */
+#define MBEDTLS_OID_MICROSOFT "\x82\x37" /*
{microsoft(311)} */
+/*
+ * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
+ */
+#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x04"
+/*
+ * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
+ */
+#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0b"
+/*
+ * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
+ */
+#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0b"
+/*
+ * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
+ */
+#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0f"
+
/*
* EC key algorithms from RFC 5480
*/
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index e9b482208e6..9e29b74af70 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data {
}
mbedtls_pkcs7_signed_data;
+/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot
*/
+typedef struct mbedtls_pkcs7_conten_data {
+int data_type; /* Type of Data */
+size_t data_len;/* Length of Data */
+size_t data_hdrlen; /* Length of Data ASN.1 header */
+void *data; /* Content Data */
+}
+mbedtls_pkcs7_conten_data;
+
/**
* Structure holding PKCS #7 structure, only signed data for now
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+mbedtls_pkcs7_conten_data content_data;
}
mbedtls_pkcs7;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 3aac662ba69..0c2436b56b7 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -29,6 +29,13 @@
#include
#endif
+enum OID {
+/* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)}
*/
+MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */
+/* Microsoft Authenticode & Software Publishing */
+MBEDTLS_OID_MS_INDIRECTDATA = 24,/* 1.3.6.1.4.1.311.2.1.4 */
+};
+
/**
* Initializes the mbedtls_pkcs7 structure.
*/
@@ -449,7 +456,7 @@ cleanup:
* signerInfos SignerInfos }
*/
static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
- mbedtls_pkcs7_signed_data *signed_data)
+
[PATCH v7 07/27] mbedtls: Enable smaller implementation for SHA256/512
Smaller implementation for SHA256 and SHA512 helps to reduce the ROM footprint though it has a certain impact on performance. As a trade-off, enable it as a default config when MbedTLS is enabled can reduce the target size significantly with acceptable performace loss. Signed-off-by: Raymond Mao --- Changes in v6 - Initial patch Changes in v7 - Fixed the config dependencies. lib/mbedtls/Kconfig | 24 lib/mbedtls/mbedtls_def_config.h | 6 ++ 2 files changed, 30 insertions(+) diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 12f8c965f5a..7ee1139568b 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -155,6 +155,18 @@ config SHA256_MBEDTLS This option enables support of hashing using SHA256 algorithm with MbedTLS crypto library. +if SHA256_MBEDTLS + +config SHA256_SMALLER + bool "Enable SHA256 smaller implementation with MbedTLS crypto library" + depends on SHA256_MBEDTLS + default y if SHA256_MBEDTLS + help + This option enables support of hashing using SHA256 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA512_MBEDTLS bool "Enable SHA512 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA512 @@ -163,6 +175,18 @@ config SHA512_MBEDTLS This option enables support of hashing using SHA512 algorithm with MbedTLS crypto library. +if SHA512_MBEDTLS + +config SHA512_SMALLER + bool "Enable SHA512 smaller implementation with MbedTLS crypto library" + depends on SHA512_MBEDTLS + default y if SHA512_MBEDTLS + help + This option enables support of hashing using SHA512 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA384_MBEDTLS bool "Enable SHA384 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA384 diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index be619f5b838..47918e3f4a6 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -26,6 +26,9 @@ #if CONFIG_IS_ENABLED(SHA256) #define MBEDTLS_MD_C #define MBEDTLS_SHA256_C +#if CONFIG_IS_ENABLED(SHA256_SMALLER) +#define MBEDTLS_SHA256_SMALLER +#endif #endif #if CONFIG_IS_ENABLED(SHA384) @@ -36,6 +39,9 @@ #if CONFIG_IS_ENABLED(SHA512) #define MBEDTLS_MD_C #define MBEDTLS_SHA512_C +#if CONFIG_IS_ENABLED(SHA512_SMALLER) +#define MBEDTLS_SHA512_SMALLER +#endif #endif #endif /* #if defined CONFIG_MBEDTLS_LIB_CRYPTO */ -- 2.25.1
[PATCH v7 06/27] mbedtls: add digest shim layer for MbedTLS
Implement digest shim layer on top of MbedTLS crypto library.
Introduce _MBEDTLS kconfig for MbedTLS crypto implementations.
Signed-off-by: Raymond Mao
---
Changes in v2
- Split the shim layer into separated files and use the original head
files instead of creating new ones.
Changes in v3
- Refactored sha1_hmac and removed non-watchdog md5 function.
Changes in v4
- Refactored hash _wd functions.
- Introduce _MBEDTLS kconfig for MbedTLS crypto implementations.
Changes in v5
- Correct kconfig dependence.
- Refactored MbedTLS makefile.
Changes in v6
- None.
Changes in v7
- None.
include/u-boot/sha1.h | 4 ++
lib/mbedtls/Kconfig | 90 +++
lib/mbedtls/Makefile | 14 --
lib/mbedtls/md5.c | 57 +
lib/mbedtls/sha1.c| 99 +++
lib/mbedtls/sha256.c | 62 +++
lib/mbedtls/sha512.c | 93
7 files changed, 415 insertions(+), 4 deletions(-)
create mode 100644 lib/mbedtls/md5.c
create mode 100644 lib/mbedtls/sha1.c
create mode 100644 lib/mbedtls/sha256.c
create mode 100644 lib/mbedtls/sha512.c
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index 36c3db15e22..2fca7f1be16 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -41,6 +41,10 @@ extern "C" {
#define SHA1_DEF_CHUNK_SZ 0x1
+#define K_IPAD_VAL 0x36
+#define K_OPAD_VAL 0x5C
+#define K_PAD_LEN 64
+
extern const uint8_t sha1_der_prefix[];
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index efae2c4fd72..12f8c965f5a 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -126,9 +126,99 @@ if MBEDTLS_LIB
config MBEDTLS_LIB_CRYPTO
bool "MbedTLS crypto libraries"
+ select MD5_MBEDTLS if MD5
+ select SHA1_MBEDTLS if SHA1
+ select SHA256_MBEDTLS if SHA256
+ select SHA512_MBEDTLS if SHA512
+ select SHA384_MBEDTLS if SHA384
+ select SPL_MD5_MBEDTLS if SPL_MD5
+ select SPL_SHA1_MBEDTLS if SPL_SHA1
+ select SPL_SHA256_MBEDTLS if SPL_SHA256
+ select SPL_SHA512_MBEDTLS if SPL_SHA512
+ select SPL_SHA384_MBEDTLS if SPL_SHA384
help
Enable MbedTLS crypto libraries.
+if MBEDTLS_LIB_CRYPTO
+
+config SHA1_MBEDTLS
+ bool "Enable SHA1 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with MbedTLS crypto library.
+
+config SHA256_MBEDTLS
+ bool "Enable SHA256 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with MbedTLS crypto library.
+
+config SHA512_MBEDTLS
+ bool "Enable SHA512 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA512
+ default y if TI_SECURE_DEVICE && FIT_SIGNATURE
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with MbedTLS crypto library.
+
+config SHA384_MBEDTLS
+ bool "Enable SHA384 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA384
+ select SHA512_MBEDTLS
+ help
+ This option enables support of hashing using SHA384 algorithm
+ with MbedTLS crypto library.
+
+config MD5_MBEDTLS
+ bool "Enable MD5 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && MD5
+ help
+ This option enables support of hashing using MD5 algorithm
+ with MbedTLS crypto library.
+
+if SPL
+
+config SPL_SHA1_MBEDTLS
+ bool "Enable SHA1 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA256_MBEDTLS
+ bool "Enable SHA256 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA512_MBEDTLS
+ bool "Enable SHA512 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA512
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA384_MBEDTLS
+ bool "Enable SHA384 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA384
+ select SPL_SHA512
+ help
+ This option enables support of hashing using SHA384 algorithm
+
[PATCH v7 05/27] sha1: Remove sha1 non-watchdog API
We don't need an API specially for non-watchdog since sha1_csum_wd
supports it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x1 as default chunk size for SHA1.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
board/gdsys/a38x/hre.c | 2 +-
include/u-boot/sha1.h | 12 ++--
lib/sha1.c | 13 -
lib/tpm-v1.c | 2 +-
4 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c
index f303793b63b..06856ea36d3 100644
--- a/board/gdsys/a38x/hre.c
+++ b/board/gdsys/a38x/hre.c
@@ -166,7 +166,7 @@ static int find_key(struct udevice *tpm, const uint8_t
auth[20],
return -1;
if (err)
continue;
- sha1_csum(buf, buf_len, digest);
+ sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ);
if (!memcmp(digest, pubkey_digest, 20)) {
*handle = key_handles[i];
return 0;
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index ab88134fb98..36c3db15e22 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -39,6 +39,8 @@ extern "C" {
#define SHA1_SUM_LEN 20
#define SHA1_DER_LEN 15
+#define SHA1_DEF_CHUNK_SZ 0x1
+
extern const uint8_t sha1_der_prefix[];
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
@@ -81,16 +83,6 @@ void sha1_update(sha1_context *ctx, const unsigned char
*input,
*/
void sha1_finish( sha1_context *ctx, unsigned char output[20] );
-/**
- * \brief Output = SHA-1( input buffer )
- *
- * \param inputbuffer holding the data
- * \param ilenlength of the input data
- * \param output SHA-1 checksum result
- */
-void sha1_csum(const unsigned char *input, unsigned int ilen,
- unsigned char *output);
-
/**
* \brief Output = SHA-1( input buffer ), with watchdog triggering
*
diff --git a/lib/sha1.c b/lib/sha1.c
index 7ef536f4b5d..81412283b49 100644
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -304,19 +304,6 @@ void sha1_finish (sha1_context * ctx, unsigned char
output[20])
PUT_UINT32_BE (ctx->state[4], output, 16);
}
-/*
- * Output = SHA-1( input buffer )
- */
-void sha1_csum(const unsigned char *input, unsigned int ilen,
- unsigned char *output)
-{
- sha1_context ctx;
-
- sha1_starts (&ctx);
- sha1_update (&ctx, input, ilen);
- sha1_finish (&ctx, output);
-}
-
/*
* Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
* bytes of input processed.
diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c
index e66023da5e6..a6727c575fd 100644
--- a/lib/tpm-v1.c
+++ b/lib/tpm-v1.c
@@ -871,7 +871,7 @@ u32 tpm1_find_key_sha1(struct udevice *dev, const u8
auth[20],
return -1;
if (err)
continue;
- sha1_csum(buf, buf_len, digest);
+ sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ);
if (!memcmp(digest, pubkey_digest, 20)) {
*handle = key_handles[i];
return 0;
--
2.25.1
[PATCH v7 04/27] md5: Remove md5 non-watchdog API
We don't need an API specially for non-watchdog since md5_wd supports
it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x1 as default chunk size for MD5.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
Reviewed-by: Michal Simek
---
Changes in v3
- Initial patch.
Changes in v4
- Update commit message.
Changes in v5
- None.
Changes in v6
- None.
Changes in v7
- None.
board/friendlyarm/nanopi2/board.c | 3 ++-
board/intel/edison/edison.c | 3 ++-
board/xilinx/zynq/bootimg.c | 2 +-
include/u-boot/md5.h | 7 +--
lib/md5.c | 14 --
5 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/board/friendlyarm/nanopi2/board.c
b/board/friendlyarm/nanopi2/board.c
index b32dfc6b570..4dff32e10d6 100644
--- a/board/friendlyarm/nanopi2/board.c
+++ b/board/friendlyarm/nanopi2/board.c
@@ -264,7 +264,8 @@ static void make_ether_addr(u8 *addr)
hash[6] = readl(PHY_BASEADDR_ECID + 0x08);
hash[7] = readl(PHY_BASEADDR_ECID + 0x0c);
- md5((unsigned char *)&hash[4], 64, (unsigned char *)hash);
+ md5_wd((unsigned char *)&hash[4], 64, (unsigned char *)hash,
+ MD5_DEF_CHUNK_SZ);
hash[0] ^= hash[2];
hash[1] ^= hash[3];
diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c
index 911ffda2fc7..27fda3fc1d2 100644
--- a/board/intel/edison/edison.c
+++ b/board/intel/edison/edison.c
@@ -32,7 +32,8 @@ static void assign_serial(void)
if (!mmc)
return;
- md5((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn);
+ md5_wd((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn,
+ MD5_DEF_CHUNK_SZ);
snprintf(usb0addr, sizeof(usb0addr), "02:00:86:%02x:%02x:%02x",
ssn[13], ssn[14], ssn[15]);
diff --git a/board/xilinx/zynq/bootimg.c b/board/xilinx/zynq/bootimg.c
index 79bec3a4cfb..9eb0735f55d 100644
--- a/board/xilinx/zynq/bootimg.c
+++ b/board/xilinx/zynq/bootimg.c
@@ -135,7 +135,7 @@ int zynq_validate_partition(u32 start_addr, u32 len, u32
chksum_off)
memcpy(&checksum[0], (u32 *)chksum_off, MD5_CHECKSUM_SIZE);
- md5_wd((u8 *)start_addr, len, &calchecksum[0], 0x1);
+ md5_wd((u8 *)start_addr, len, &calchecksum[0], MD5_DEF_CHUNK_SZ);
if (!memcmp(checksum, calchecksum, MD5_CHECKSUM_SIZE))
return 0;
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index 69898fcbe49..c98b1a58088 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -12,6 +12,7 @@
#include "compiler.h"
#define MD5_SUM_LEN16
+#define MD5_DEF_CHUNK_SZ 0x1
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
typedef mbedtls_md5_context MD5Context;
@@ -30,12 +31,6 @@ void MD5Init(MD5Context *ctx);
void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
void MD5Final(unsigned char digest[16], MD5Context *ctx);
-/*
- * Calculate and store in 'output' the MD5 digest of 'len' bytes at
- * 'input'. 'output' must have enough space to hold 16 bytes.
- */
-void md5 (unsigned char *input, int len, unsigned char output[16]);
-
/*
* Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'.
* 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the
diff --git a/lib/md5.c b/lib/md5.c
index 584463d55ca..2d8977b2e85 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -262,20 +262,6 @@ MD5Transform(__u32 buf[4], __u32 const in[16])
buf[3] += d;
}
-/*
- * Calculate and store in 'output' the MD5 digest of 'len' bytes at
- * 'input'. 'output' must have enough space to hold 16 bytes.
- */
-void
-md5 (unsigned char *input, int len, unsigned char output[16])
-{
- MD5Context context;
-
- MD5Init(&context);
- MD5Update(&context, input, len);
- MD5Final(output, &context);
-}
-
/*
* Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'.
* 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the
--
2.25.1
[PATCH v7 03/27] lib: Adapt digest header files to MbedTLS
Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce _LEGACY kconfig for legacy hash implementations.
sha256.o should depend on SHA256 kconfig only but not SUPPORT_EMMC_RPMB,
SHA256 should be selected when SUPPORT_EMMC_RPMB is enabled instead.
`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including causes undefined reference on schedule()
with sandbox build, as includes
which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule()
are defined in sandbox build,
Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v2
- Initial patch.
Changes in v3
- Remove the changes that were done in previous clean-up patch set.
Changes in v4
- Introduce _LEGACY kconfig for legacy hash implementations.
Changes in v5
- Correct header file include directories.
- Correct kconfig dependence.
Changes in v6
- Update commit message.
- Rebased on next branch.
Changes in v7
- Fixed the dependency between SUPPORT_EMMC_RPMB and SHA256.
drivers/mmc/Kconfig | 1 +
include/u-boot/md5.h| 7
include/u-boot/sha1.h | 21 +-
include/u-boot/sha256.h | 20 +
include/u-boot/sha512.h | 9
lib/Makefile| 11 ++---
lib/mbedtls/Kconfig | 91 +
7 files changed, 154 insertions(+), 6 deletions(-)
diff --git a/drivers/mmc/Kconfig b/drivers/mmc/Kconfig
index 982e84dc3bc..5d7fd904950 100644
--- a/drivers/mmc/Kconfig
+++ b/drivers/mmc/Kconfig
@@ -119,6 +119,7 @@ config MMC_HW_PARTITIONING
config SUPPORT_EMMC_RPMB
bool "Support eMMC replay protected memory block (RPMB)"
imply CMD_MMC_RPMB
+ select SHA256
help
Enable support for reading, writing and programming the
key for the Replay Protection Memory Block partition in eMMC.
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index c465925ea8d..69898fcbe49 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -6,10 +6,16 @@
#ifndef _MD5_H
#define _MD5_H
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include
+#endif
#include "compiler.h"
#define MD5_SUM_LEN16
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_md5_context MD5Context;
+#else
typedef struct MD5Context {
__u32 buf[4];
__u32 bits[2];
@@ -18,6 +24,7 @@ typedef struct MD5Context {
__u32 in32[16];
};
} MD5Context;
+#endif
void MD5Init(MD5Context *ctx);
void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index c1e9f67068d..ab88134fb98 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -16,6 +16,21 @@
#include
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including is not allowed,
+ * since this will include and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -26,6 +41,9 @@ extern "C" {
extern const uint8_t sha1_der_prefix[];
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha1_context sha1_context;
+#else
/**
* \brief SHA-1 context structure
*/
@@ -36,13 +54,14 @@ typedef struct
unsigned char buffer[64]; /*!< data block being processed */
}
sha1_context;
+#endif
/**
* \brief SHA-1 context setup
*
* \param ctx SHA-1 context to be initialized
*/
-void sha1_starts( sha1_context *ctx );
+void sha1_starts(sha1_context *ctx);
/**
* \brief SHA-1 process buffer
diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
index a4fe176c0b4..b58d5b58d39 100644
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -3,6 +3,22 @@
#include
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including is not allowed,
+ * since this will include and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include
+#endif
+
+#define SHA224_SUM_LEN 28
#define SHA256_SUM_LEN 32
#define SHA256_DER_LEN 19
@@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[];
/* Reset watchdog each time we process this many bytes */
#define CHUNKSZ_SHA256 (64 * 1024)
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha256_context sha256_context;
+#else
typedef struct {
uint32_t total[2]
[PATCH v7 02/27] mbedtls: add mbedtls into the build system
Port mbedtls with adapted libc header files. Add mbedtls default config header file. Optimize mbedtls default config by disabling unused features to reduce the target size. Add mbedtls kbuild makefile. Add Kconfig skeleton and config submenu entry for selecting crypto libraries between mbedtls and legacy ones. Add the mbedtls include directories into the build system. Subsequent patches will separate those Kconfigs into pairs of _LEGACY and _MBEDTLS for controlling the implementations of legacy crypto libraries and MbedTLS ones respectively. The motivation of moving and adapting *INT* macros from kernel.h to limits.h is to fullfill the MbedTLS building requirement. The conditional compilation statements in MbedTLS expects the *INT* macros as constant expressions, thus expressions like `((int)(~0U >> 1))` will not work. Prerequisite This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via: $ git subtree add --prefix lib/mbedtls/external/mbedtls \ https://github.com/Mbed-TLS/mbedtls.git \ v3.6.0 --squash Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually: $ git add --renormalize . $ git commit Signed-off-by: Raymond Mao --- Changes in v2 - Disabled unused MbedTLS features to optimize the target size. Changes in v3 - Removed changes in stdio.h. Changes in v4 - Move limits.h as a common header file that is included by kernel.h. - Refactor the Kconfig to support legacy and MbedTLS options for each algorithm. - Refactor MbedTLS makefile and default config file to remove unused config options and objects. Changes in v5 - Merged patch #9 of v4 into this patch. - Removed unused config MBEDTLS_LIB_TLS. - Refactored MbedTLS Makefile and default config file. Changes in v6 - Fixed UINT64_MAX. - Removed copy right statement from limits.h Changes in v7 - Fixed CI world build failures due to config dependencies. - Fixed values of UINT_MAX and UINT32_MAX. Makefile | 6 +++ include/limits.h | 25 +++ include/linux/kernel.h | 13 +- include/stdlib.h | 1 + lib/Kconfig | 4 ++ lib/Makefile | 2 + lib/mbedtls/Kconfig | 47 + lib/mbedtls/Makefile | 41 ++ lib/mbedtls/mbedtls_def_config.h | 72 lib/mbedtls/port/assert.h| 12 ++ 10 files changed, 211 insertions(+), 12 deletions(-) create mode 100644 include/limits.h create mode 100644 lib/mbedtls/Kconfig create mode 100644 lib/mbedtls/Makefile create mode 100644 lib/mbedtls/mbedtls_def_config.h create mode 100644 lib/mbedtls/port/assert.h diff --git a/Makefile b/Makefile index f23554da4c1..2eace6ad197 100644 --- a/Makefile +++ b/Makefile @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) UBOOTINCLUDE:= \ -Iinclude \ $(if $(KBUILD_SRC), -I$(srctree)/include) \ + $(if $(CONFIG_MBEDTLS_LIB), \ + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ + -I$(srctree)/lib/mbedtls \ + -I$(srctree)/lib/mbedtls/port \ + -I$(srctree)/lib/mbedtls/external/mbedtls \ + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ $(if $(CONFIG_HAS_THUMB2), \ $(if $(CONFIG_CPU_V7M), \ diff --git a/include/limits.h b/include/limits.h new file mode 100644 index 000..4700cc7a59f --- /dev/null +++ b/include/limits.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ + +#ifndef _LIMITS_H +#define _LIMITS_H + +#define INT_MAX 0x7fff +#define UINT_MAX0xU +#define CHAR_BIT8 +#define UINT32_MAX 0xU +#define UINT64_MAX 0xULL + +#ifdef CONFIG_64BIT +#define UINTPTR_MAX UINT64_MAX +#else +#define UINTPTR_MAX UINT32_MAX +#endif + +#ifndef SIZE_MAX +#define SIZE_MAXUINTPTR_MAX +#endif +#ifndef SSIZE_MAX +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) +#endif + +#endif /* _LIMITS_H */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 939465f372b..9467edd65ab 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -3,25 +3,18 @@ #include #include /* for printf/pr_* utilities */ +#include #define USHRT_MAX ((u16)(~0U)) #define SHRT_MAX ((s16)(USHRT_MAX>>1)) #define SHRT_MIN ((s16)(-SHRT_MAX - 1)) -#define INT_MAX((int)(~0U>>1)) #define INT_MIN(-INT_MAX - 1) -#define UINT_MAX (~0U) #define LONG_MAX ((long)(~0UL>>1)) #define LONG_MIN (-LONG_MAX - 1) #define ULONG_MAX (~0UL) #define LLONG_MAX ((long long)(~0ULL>>1)) #define LLONG_MIN (-LLONG_MAX - 1) #define ULLONG_MAX (~0
[PATCH v7 01/27] CI: Exclude MbedTLS subtree for CONFIG checks
Since MbedTLS is an external repo with its own coding style, exclude it from Azure and gitlab CI CONFIG checks. Signed-off-by: Raymond Mao Reviewed-by: Tom Rini Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. Changes in v7 - None. .azure-pipelines.yml | 3 ++- .gitlab-ci.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index 93111eb6127..b66d49a62ba 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -76,7 +76,8 @@ stages: # have no matches. - script: git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 - job: docs diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7d621031b85..2a52e15d0fe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -159,7 +159,8 @@ check for new CONFIG symbols outside Kconfig: # have no matches. - git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h -:^include/linux/kconfig.h :^tools/ :^dts/upstream/ && +:^include/linux/kconfig.h :^tools/ :^dts/upstream/ +:^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 # build documentation -- 2.25.1
[PATCH v7 00/27] Integrate MbedTLS v3.6 LTS with U-Boot
Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. Motivations: 1. MbedTLS is well maintained with LTS versions. 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. 3. MbedTLS recently switched license back to GPLv2. Prerequisite: - This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via: $ git subtree add --prefix lib/mbedtls/external/mbedtls \ https://github.com/Mbed-TLS/mbedtls.git \ v3.6.0 --squash Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually: $ git add --renormalize . $ git commit New Kconfig options: `MBEDTLS_LIB` is for MbedTLS general switch. `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with MbedTLS. `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, and Pubkey parser with MbedTLS. `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are introduced. In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 are by default enabled in qemu_arm64_defconfig and sandbox_defconfig for testing purpose. Patches for external MbedTLS project: - Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs executables which is not supported by MbedTLS at the moment, addtional patches for MbedTLS are created to adapt with the EFI loader: 1. Decoding of Microsoft Authentication Code. 2. Decoding of PKCS#9 Authenticate Attributes. 3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates. 4. MbedTLS native test suites for PKCS#7 signer's info. All above 4 patches (tagged with `mbedtls/external`) are submitted to MbedTLS project and being reviewed, eventually they should be part of MbedTLS LTS release. But before that, please merge them into U-Boot, otherwise the building will be broken when MBEDTLS_LIB_X509 is enabled. See below PR link for the reference: https://github.com/Mbed-TLS/mbedtls/pull/9001 Miscellaneous: -- Optimized MbedTLS library size by tailoring the config file and disabling all unnecessary features for EFI loader. >From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, sha512) are completely replaced when MbedTLS is enabled. >From v3, the size-growth is slightly reduced by refactoring Hash functions. >From v6, smaller implementations for SHA256 and SHA512 are enabled and target size reduce significantly. Target(QEMU arm64) size-growth when enabling MbedTLS: v1: 6.03% v2: 4.66% v3 - v5: 4.55% v6: 2.90% Please see the latest output from buildman for size-growth on QEMU arm64, Sandbox and Nanopi A64. [1] Tests done: --- EFI Secure Boot test (EFI variables loading and verifying, EFI signed image verifying and booting) via U-Boot console. EFI Secure Boot and Capsule sandbox test passed. Known issues: - None. [1]: buildman output for size comparison (qemu_arm64, sandbox and nanopi_a64) ``` aarch64: (for 2/2 boards) all -1568.0 bss -8.0 data -64.0 rodata +200.0 text -1696.0 qemu_arm64 : all +4472 bss -16 data -64 rodata +200 text +4352 u-boot: add: 29/-14, grow: 6/-13 bytes: 12812/-8084 (4728) function old new delta mbedtls_internal_sha1_process-4540 +4540 mbedtls_internal_md5_process -2928 +2928 K- 896+896 mbedtls_sha256_finish- 484+484 mbedtls_internal_sha256_process - 432+432 mbedtls_sha1_finish - 420+420 mbedtls_internal_sha512_process - 412+412 mbedtls_sha512_finish- 360+360 mbedtls_sha512_starts- 340+340 mbedtls_md5_finish - 336+336 mbedtls_sha512_update- 264+264 mbedtls_sha256_update- 252+252 mbedtls_sha1_update - 236+236 mbedtls_md5_update - 236+236 mbedtls_sha512 - 148+148 mbedtls_sha256_starts- 124+124 mbedtls_sha1_starts
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Tue, 3 Sept 2024 at 11:03, Raymond Mao wrote: > Hi Tom, > > On Mon, 19 Aug 2024 at 17:04, Tom Rini wrote: > >> On Fri, Aug 16, 2024 at 02:43:49PM -0700, Raymond Mao wrote: >> >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. >> > >> > Motivations: >> > >> > >> > 1. MbedTLS is well maintained with LTS versions. >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. >> > 3. MbedTLS recently switched license back to GPLv2. >> >> Whereas I think v5 did well with global build with mbedTLS being the >> default option, v6 blows up so many places. >> > > I didn't enable it except qemu_arm64, sandbox and nanopi_a64, I will run > it on more platforms via CI. > > Just a follow-up: I made a few changes to fix the kconfig dependency issues which only can be reproduced by a few of the world build platforms. My latest PR passed all CI world builds with MbedTLS enabled at: https://github.com/u-boot/u-boot/pull/642 I will include all the fixes in v7. Regards, Raymond >
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Simon, On Tue, 10 Sept 2024 at 14:44, Simon Glass wrote: > Hi Raymond, > > On Fri, 6 Sept 2024 at 08:50, Raymond Mao wrote: > > > > Hi Simon, > > > > On Thu, 5 Sept 2024 at 20:43, Simon Glass wrote: > >> > >> Hi Raymond, > >> > >> On Tue, 3 Sept 2024 at 08:59, Raymond Mao > wrote: > >> > > >> > Hi Simon, > >> > > >> > On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > >> >> > >> >> Hi Raymond, > >> >> > >> >> On Fri, 16 Aug 2024 at 15:44, Raymond Mao > wrote: > >> >> > > >> >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > >> >> > > >> >> > Motivations: > >> >> > > >> >> > > >> >> > 1. MbedTLS is well maintained with LTS versions. > >> >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > >> >> > 3. MbedTLS recently switched license back to GPLv2. > >> >> > > >> >> > Prerequisite: > >> >> > - > >> >> > > >> >> > This patch series requires mbedtls git repo to be added as a > >> >> > subtree to the main U-Boot repo via: > >> >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > >> >> > https://github.com/Mbed-TLS/mbedtls.git \ > >> >> > v3.6.0 --squash > >> >> > Moreover, due to the Windows-style files from mbedtls git repo, > >> >> > we need to convert the CRLF endings to LF and do a commit manually: > >> >> > $ git add --renormalize . > >> >> > $ git commit > >> >> > > >> >> > New Kconfig options: > >> >> > > >> >> > > >> >> > `MBEDTLS_LIB` is for MbedTLS general switch. > >> >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto > libs with > >> >> > MbedTLS. > >> >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, > ASN1, > >> >> > and Pubkey parser with MbedTLS. > >> >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto > library. > >> >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > >> >> > `LEGACY_CRYPTO_CERT` is for the certificate related > functionalities. > >> >> > For each of the algorithm, a pair of `_LEGACY` and > `_MBEDTLS` > >> >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options > are > >> >> > introduced. > >> >> > > >> >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and > MBEDTLS_LIB_X509 > >> >> > are by default enabled in qemu_arm64_defconfig and > sandbox_defconfig > >> >> > for testing purpose. > >> >> > > >> >> > Patches for external MbedTLS project: > >> >> > - > >> >> > > >> >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > >> >> > executables which is not supported by MbedTLS at the moment, > >> >> > addtional patches for MbedTLS are created to adapt with the EFI > loader: > >> >> > 1. Decoding of Microsoft Authentication Code. > >> >> > 2. Decoding of PKCS#9 Authenticate Attributes. > >> >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > >> >> > 4. MbedTLS native test suites for PKCS#7 signer's info. > >> >> > > >> >> > All above 4 patches (tagged with `mbedtls/external`) are submitted > to > >> >> > MbedTLS project and being reviewed, eventually they should be part > of > >> >> > MbedTLS LTS release. > >> >> > But before that, please merge them into U-Boot, otherwise the > building > >> >> > will be broken when MBEDTLS_LIB_X509 is enabled. > >> >> > > >> >> > See below PR link for the reference: > >> >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 > >> >> > > >> >> > Miscellaneous: > >> >> > -- > >> >> > > >> >> > Optimized MbedTLS library size by tai
Re: [PATCH 00/10] SMBIOS improvements
Hi Simon, On Tue, 10 Sept 2024 at 14:44, Simon Glass wrote: > Hi Raymond, > > On Tue, 3 Sept 2024 at 10:07, Raymond Mao wrote: > > > > Hi Simon, > > > > On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > >> > >> Hi Raymond, > >> > >> On Fri, 16 Aug 2024 at 09:47, Raymond Mao > wrote: > >> > > >> > Motivations for changes: > >> > Current SMBIOS library and command-line tool is not fully matching > with > >> > the requirements: > >> > 1. Missing support for other mandatory types (#7, #9, #16, #17, #19). > >> > 2. Only a few platforms support SMBIOS node from the device tree. > >> > 3. Values of some fields are hardcoded in the library other than > fetching > >> >from the device hardware. > >> > 4. Embedded data with dynamic length is not supported (E.g. Contained > >> >Object Handles in Type #2 and Contained Elements in Type #3) > >> > > >> > Changes: > >> > 1. Refactor the SMBIOS library and command-line tool to better align > with > >> >the SMBIOS spec. > >> > 2. Create an arch-specific driver for all aarch64-based platforms to > fetch > >> >SMBIOS private data from the device hardware. > >> > 3. Create a sysinfo driver to poppulate platform SMBIOS private data. > >> > 4. Put device tree SMBIOS node as a fallback solution when SMBIOS > data is > >> >missing from sysinfo driver. > >> > 5. Add support for Type #7 (Cache Information) and link its handles to > >> >Type #4. > >> > > >> > Once this patch is acceptted, subsequent patch sets will add other > missing > >> > types (#9, #16, #17, #19). > >> > > >> > Raymond Mao (10): > >> > sysinfo: Add sysinfo API for accessing data area > >> > sysinfo: Add sysinfo driver and data structure for SMBIOS > >> > smbios: Refactor SMBIOS library > >> > smbios: ignore the non-existence of platform sysinfo detect > >> > armv8: Add arch-specific sysinfo driver > >> > sysinfo: Add sysinfo driver for SMBIOS type 7 > >> > smbios: Add support to SMBIOS type 7 > >> > armv8: Add sysinfo driver for cache information > >> > configs: Enable sysinfo for QEMU Arm64 > >> > tests: update smbios pytest > >> > > >> > arch/arm/cpu/armv8/Makefile | 5 + > >> > arch/arm/cpu/armv8/sysinfo.c | 391 ++ > >> > cmd/smbios.c | 350 ++- > >> > configs/qemu_arm64_defconfig | 2 + > >> > drivers/misc/Kconfig | 2 +- > >> > drivers/sysinfo/Makefile | 1 + > >> > drivers/sysinfo/smbios_plat.c| 442 + > >> > drivers/sysinfo/smbios_plat.h| 131 + > >> > drivers/sysinfo/sysinfo-uclass.c | 20 ++ > >> > include/smbios.h | 240 ++-- > >> > include/sysinfo.h| 124 - > >> > lib/Makefile | 2 + > >> > lib/smbios.c | 461 > ++- > >> > test/py/tests/test_smbios.py | 2 +- > >> > 14 files changed, 2058 insertions(+), 115 deletions(-) > >> > create mode 100644 arch/arm/cpu/armv8/sysinfo.c > >> > create mode 100644 drivers/sysinfo/smbios_plat.c > >> > create mode 100644 drivers/sysinfo/smbios_plat.h > >> > > >> > -- > >> > 2.25.1 > >> > > >> > >> As a general comment, this is adding a load of code which is used by a > >> lot of platforms. As more and more aarch64 platforms are created, this > >> data grows. Why not use the devicetree for this hardware information? > >> That is what it is for. > >> > >> Some of the information detected makes sense, such as cache setup, but > >> some of it seems like an approximation, or is missing, but suggests it > >> is authoritative. > >> > > The idea is that precise information can still come from dt (if the node > exists, > > but as a fact, not many platforms have it up to now). > > When it does not exist, system drivers provides the information as much > as > > it can (some comes from registers, some comes from generic > strings/enums). > > So it is not assumed that each vendor to add their code but just uses the > > arch-s
Re: [PATCH 00/10] SMBIOS improvements
Hi Caleb, On Mon, 19 Aug 2024 at 07:56, Caleb Connolly wrote: > Hi Raymond, > > I haven't managed to root cause it yet, but this series seems to make > the RB3 Gen 2 Qualcomm board hang during relocation. > > How early post-relocation does any code here get called? > > Does it have permission to access MIDR_EL1, MPIDR_EL1 or CLIDR_EL1? I don't have a Qualcomm board in hand but can you try if the hang still appears if we comment out the reg access lines in patch #5 and #8? I guess just about 3 lines. [snip] Regards, Raymond
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Fri, 6 Sept 2024 at 11:27, Tom Rini wrote: > On Fri, Sep 06, 2024 at 10:50:15AM -0400, Raymond Mao wrote: > > Hi Simon, > > > > On Thu, 5 Sept 2024 at 20:43, Simon Glass wrote: > > > > > Hi Raymond, > > > > > > On Tue, 3 Sept 2024 at 08:59, Raymond Mao > wrote: > > > > > > > > Hi Simon, > > > > > > > > On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > > > >> > > > >> Hi Raymond, > > > >> > > > >> On Fri, 16 Aug 2024 at 15:44, Raymond Mao > > > wrote: > > > >> > > > > >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > > > >> > > > > >> > Motivations: > > > >> > > > > >> > > > > >> > 1. MbedTLS is well maintained with LTS versions. > > > >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > > >> > 3. MbedTLS recently switched license back to GPLv2. > > > >> > > > > >> > Prerequisite: > > > >> > - > > > >> > > > > >> > This patch series requires mbedtls git repo to be added as a > > > >> > subtree to the main U-Boot repo via: > > > >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > > >> > https://github.com/Mbed-TLS/mbedtls.git \ > > > >> > v3.6.0 --squash > > > >> > Moreover, due to the Windows-style files from mbedtls git repo, > > > >> > we need to convert the CRLF endings to LF and do a commit > manually: > > > >> > $ git add --renormalize . > > > >> > $ git commit > > > >> > > > > >> > New Kconfig options: > > > >> > > > > >> > > > > >> > `MBEDTLS_LIB` is for MbedTLS general switch. > > > >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto > libs > > > with > > > >> > MbedTLS. > > > >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, > > > ASN1, > > > >> > and Pubkey parser with MbedTLS. > > > >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto > > > library. > > > >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > > >> > `LEGACY_CRYPTO_CERT` is for the certificate related > functionalities. > > > >> > For each of the algorithm, a pair of `_LEGACY` and > > > `_MBEDTLS` > > > >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options > are > > > >> > introduced. > > > >> > > > > >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and > > > MBEDTLS_LIB_X509 > > > >> > are by default enabled in qemu_arm64_defconfig and > sandbox_defconfig > > > >> > for testing purpose. > > > >> > > > > >> > Patches for external MbedTLS project: > > > >> > - > > > >> > > > > >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > > >> > executables which is not supported by MbedTLS at the moment, > > > >> > addtional patches for MbedTLS are created to adapt with the EFI > > > loader: > > > >> > 1. Decoding of Microsoft Authentication Code. > > > >> > 2. Decoding of PKCS#9 Authenticate Attributes. > > > >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > > certificates. > > > >> > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > >> > > > > >> > All above 4 patches (tagged with `mbedtls/external`) are > submitted to > > > >> > MbedTLS project and being reviewed, eventually they should be > part of > > > >> > MbedTLS LTS release. > > > >> > But before that, please merge them into U-Boot, otherwise the > building > > > >> > will be broken when MBEDTLS_LIB_X509 is enabled. > > > >> > > > > >> > See below PR link for the reference: > > > >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > >> > > > > >> > Miscellaneous: &g
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Simon, On Thu, 5 Sept 2024 at 20:43, Simon Glass wrote: > Hi Raymond, > > On Tue, 3 Sept 2024 at 08:59, Raymond Mao wrote: > > > > Hi Simon, > > > > On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > >> > >> Hi Raymond, > >> > >> On Fri, 16 Aug 2024 at 15:44, Raymond Mao > wrote: > >> > > >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > >> > > >> > Motivations: > >> > > >> > > >> > 1. MbedTLS is well maintained with LTS versions. > >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > >> > 3. MbedTLS recently switched license back to GPLv2. > >> > > >> > Prerequisite: > >> > - > >> > > >> > This patch series requires mbedtls git repo to be added as a > >> > subtree to the main U-Boot repo via: > >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > >> > https://github.com/Mbed-TLS/mbedtls.git \ > >> > v3.6.0 --squash > >> > Moreover, due to the Windows-style files from mbedtls git repo, > >> > we need to convert the CRLF endings to LF and do a commit manually: > >> > $ git add --renormalize . > >> > $ git commit > >> > > >> > New Kconfig options: > >> > > >> > > >> > `MBEDTLS_LIB` is for MbedTLS general switch. > >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > with > >> > MbedTLS. > >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, > ASN1, > >> > and Pubkey parser with MbedTLS. > >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto > library. > >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > >> > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > >> > For each of the algorithm, a pair of `_LEGACY` and > `_MBEDTLS` > >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > >> > introduced. > >> > > >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and > MBEDTLS_LIB_X509 > >> > are by default enabled in qemu_arm64_defconfig and sandbox_defconfig > >> > for testing purpose. > >> > > >> > Patches for external MbedTLS project: > >> > - > >> > > >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > >> > executables which is not supported by MbedTLS at the moment, > >> > addtional patches for MbedTLS are created to adapt with the EFI > loader: > >> > 1. Decoding of Microsoft Authentication Code. > >> > 2. Decoding of PKCS#9 Authenticate Attributes. > >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > >> > 4. MbedTLS native test suites for PKCS#7 signer's info. > >> > > >> > All above 4 patches (tagged with `mbedtls/external`) are submitted to > >> > MbedTLS project and being reviewed, eventually they should be part of > >> > MbedTLS LTS release. > >> > But before that, please merge them into U-Boot, otherwise the building > >> > will be broken when MBEDTLS_LIB_X509 is enabled. > >> > > >> > See below PR link for the reference: > >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 > >> > > >> > Miscellaneous: > >> > -- > >> > > >> > Optimized MbedTLS library size by tailoring the config file > >> > and disabling all unnecessary features for EFI loader. > >> > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, > sha256, > >> > sha512) are completely replaced when MbedTLS is enabled. > >> > From v3, the size-growth is slightly reduced by refactoring Hash > functions. > >> > From v6, smaller implementations for SHA256 and SHA512 are enabled and > >> > target size reduce significantly. > >> > Target(QEMU arm64) size-growth when enabling MbedTLS: > >> > v1: 6.03% > >> > v2: 4.66% > >> > v3 - v5: 4.55% > >> > v6: 2.90% > >> > > >> > Please see the latest output from buildman for size-growth on QEMU > arm64, > >> > Sandbox and Nanopi A64. [1] > >> > > >> > Tests do
Re: [PATCH v6 07/28] hash: integrate hash on mbedtls
Hi Ilias, On Fri, 6 Sept 2024 at 03:36, Ilias Apalodimas wrote: > Hi Raymond, > > On Tue, 3 Sept 2024 at 18:54, Raymond Mao wrote: > > > > Hi Ilias, > > > > On Fri, 30 Aug 2024 at 05:37, Ilias Apalodimas < > ilias.apalodi...@linaro.org> wrote: > >> > >> Hi Simon, > >> > >> On Thu, 29 Aug 2024 at 18:01, Simon Glass wrote: > >> > > >> > Hi Raymond, > >> > > >> > On Fri, 16 Aug 2024 at 15:47, Raymond Mao > wrote: > >> > > > >> > > Integrate common/hash.c on the hash shim layer so that hash APIs > >> > > from mbedtls can be leveraged by boot/image and efi_loader. > >> > > > >> > > Signed-off-by: Raymond Mao > >> > > --- > >> > > Changes in v2 > >> > > - Use the original head files instead of creating new ones. > >> > > Changes in v3 > >> > > - Add handle checkers for malloc. > >> > > Changes in v4 > >> > > - None. > >> > > Changes in v5 > >> > > - Add __maybe_unused to solve linker errors in some platforms. > >> > > - replace malloc with calloc. > >> > > Changes in v6 > >> > > - None. > >> > > > >> > > common/hash.c | 146 > ++ > >> > > 1 file changed, 146 insertions(+) > >> > > >> > I am not seeing the benefit of replacing U-Boot's hashing algorithms. > >> > They work well and don't change. Also it seems to be making the code a > >> > lot uglier, with an uncertain timeline for clean-up. > >> > >> A lot uglier where? It adds a few wrappers that fit into the current > >> design and callbacks. > >> I don't think what you are asking is possible. To do assymetric > >> crypto, signatures etc -- and in the future add TLS support in wget > >> mbedTLS relies on its internal hashing functions for the cipher suites > >> it supports. So what you are asking would just make the code even > >> larger. Raymond can you please double check? > >> > > Digest is the basic library of MbedTLS, I don't believe we can disable it > > but only use the ones for certificates, unless MbedTLS makes changes > > to allow hooking external digest libraries - as I mentioned in a > previous reply, > > I don't think this is what MbedTLS wants. > > There's a config option on config.h we could use to override shaXXX, > but given that mbedTLS can be used to add more hashing alogorithms, I > dont think we should do that > > If you mean the _ALT macros, they are used for porting HW acceleration. Maybe we can point this to the original U-Boot ones, but I didn't try. Raymond
Re: [PATCH 00/10] SMBIOS improvements
Hi Simon, On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > Hi Raymond, > > On Fri, 16 Aug 2024 at 09:47, Raymond Mao wrote: > > > > Motivations for changes: > > Current SMBIOS library and command-line tool is not fully matching with > > the requirements: > > 1. Missing support for other mandatory types (#7, #9, #16, #17, #19). > > 2. Only a few platforms support SMBIOS node from the device tree. > > 3. Values of some fields are hardcoded in the library other than fetching > >from the device hardware. > > 4. Embedded data with dynamic length is not supported (E.g. Contained > >Object Handles in Type #2 and Contained Elements in Type #3) > > > > Changes: > > 1. Refactor the SMBIOS library and command-line tool to better align with > >the SMBIOS spec. > > 2. Create an arch-specific driver for all aarch64-based platforms to > fetch > >SMBIOS private data from the device hardware. > > 3. Create a sysinfo driver to poppulate platform SMBIOS private data. > > 4. Put device tree SMBIOS node as a fallback solution when SMBIOS data is > >missing from sysinfo driver. > > 5. Add support for Type #7 (Cache Information) and link its handles to > >Type #4. > > > > Once this patch is acceptted, subsequent patch sets will add other > missing > > types (#9, #16, #17, #19). > > > > Raymond Mao (10): > > sysinfo: Add sysinfo API for accessing data area > > sysinfo: Add sysinfo driver and data structure for SMBIOS > > smbios: Refactor SMBIOS library > > smbios: ignore the non-existence of platform sysinfo detect > > armv8: Add arch-specific sysinfo driver > > sysinfo: Add sysinfo driver for SMBIOS type 7 > > smbios: Add support to SMBIOS type 7 > > armv8: Add sysinfo driver for cache information > > configs: Enable sysinfo for QEMU Arm64 > > tests: update smbios pytest > > > > arch/arm/cpu/armv8/Makefile | 5 + > > arch/arm/cpu/armv8/sysinfo.c | 391 ++ > > cmd/smbios.c | 350 ++- > > configs/qemu_arm64_defconfig | 2 + > > drivers/misc/Kconfig | 2 +- > > drivers/sysinfo/Makefile | 1 + > > drivers/sysinfo/smbios_plat.c| 442 + > > drivers/sysinfo/smbios_plat.h| 131 + > > drivers/sysinfo/sysinfo-uclass.c | 20 ++ > > include/smbios.h | 240 ++-- > > include/sysinfo.h| 124 - > > lib/Makefile | 2 + > > lib/smbios.c | 461 ++- > > test/py/tests/test_smbios.py | 2 +- > > 14 files changed, 2058 insertions(+), 115 deletions(-) > > create mode 100644 arch/arm/cpu/armv8/sysinfo.c > > create mode 100644 drivers/sysinfo/smbios_plat.c > > create mode 100644 drivers/sysinfo/smbios_plat.h > > > > -- > > 2.25.1 > > > > As a general comment, this is adding a load of code which is used by a > lot of platforms. As more and more aarch64 platforms are created, this > data grows. Why not use the devicetree for this hardware information? > That is what it is for. > > Some of the information detected makes sense, such as cache setup, but > some of it seems like an approximation, or is missing, but suggests it > is authoritative. > > The idea is that precise information can still come from dt (if the node exists, but as a fact, not many platforms have it up to now). When it does not exist, system drivers provides the information as much as it can (some comes from registers, some comes from generic strings/enums). So it is not assumed that each vendor to add their code but just uses the arch-specific code in this series - if vendors want precise information they can still add into the dt. Regards, Raymond
Re: [PATCH v6 07/28] hash: integrate hash on mbedtls
Hi Ilias, On Fri, 30 Aug 2024 at 05:37, Ilias Apalodimas wrote: > Hi Simon, > > On Thu, 29 Aug 2024 at 18:01, Simon Glass wrote: > > > > Hi Raymond, > > > > On Fri, 16 Aug 2024 at 15:47, Raymond Mao > wrote: > > > > > > Integrate common/hash.c on the hash shim layer so that hash APIs > > > from mbedtls can be leveraged by boot/image and efi_loader. > > > > > > Signed-off-by: Raymond Mao > > > --- > > > Changes in v2 > > > - Use the original head files instead of creating new ones. > > > Changes in v3 > > > - Add handle checkers for malloc. > > > Changes in v4 > > > - None. > > > Changes in v5 > > > - Add __maybe_unused to solve linker errors in some platforms. > > > - replace malloc with calloc. > > > Changes in v6 > > > - None. > > > > > > common/hash.c | 146 ++ > > > 1 file changed, 146 insertions(+) > > > > I am not seeing the benefit of replacing U-Boot's hashing algorithms. > > They work well and don't change. Also it seems to be making the code a > > lot uglier, with an uncertain timeline for clean-up. > > A lot uglier where? It adds a few wrappers that fit into the current > design and callbacks. > I don't think what you are asking is possible. To do assymetric > crypto, signatures etc -- and in the future add TLS support in wget > mbedTLS relies on its internal hashing functions for the cipher suites > it supports. So what you are asking would just make the code even > larger. Raymond can you please double check? > > Digest is the basic library of MbedTLS, I don't believe we can disable it but only use the ones for certificates, unless MbedTLS makes changes to allow hooking external digest libraries - as I mentioned in a previous reply, I don't think this is what MbedTLS wants. Regards, Raymond
Re: [PATCH v6 07/28] hash: integrate hash on mbedtls
Hi Ilias,
On Wed, 28 Aug 2024 at 05:54, Ilias Apalodimas
wrote:
> Hi Raymond
>
> On Sat, 17 Aug 2024 at 00:47, Raymond Mao wrote:
> >
> > Integrate common/hash.c on the hash shim layer so that hash APIs
> > from mbedtls can be leveraged by boot/image and efi_loader.
> >
> > Signed-off-by: Raymond Mao
> > ---
> > Changes in v2
> > - Use the original head files instead of creating new ones.
> > Changes in v3
> > - Add handle checkers for malloc.
> > Changes in v4
> > - None.
> > Changes in v5
> > - Add __maybe_unused to solve linker errors in some platforms.
> > - replace malloc with calloc.
> > Changes in v6
> > - None.
> >
> > common/hash.c | 146 ++
> > 1 file changed, 146 insertions(+)
> >
> > diff --git a/common/hash.c b/common/hash.c
> > index ac63803fed9..d25fc4854c7 100644
> > --- a/common/hash.c
> > +++ b/common/hash.c
> > @@ -35,6 +35,144 @@
> > #include
> > #include
> >
> > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
> > +
> > +static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void
> **ctxp)
> > +{
> > + int ret;
> > + mbedtls_sha1_context *ctx = calloc(1, sizeof(*ctx));
> > +
> > + if (!ctx)
> > + return -ENOMEM;
> > +
> > + mbedtls_sha1_init(ctx);
> > + ret = mbedtls_sha1_starts(ctx);
> > + if (!ret) {
> > + *ctxp = ctx;
> > + } else {
> > + mbedtls_sha1_free(ctx);
> > + free(ctx);
> > + }
> > +
> > + return ret;
> > +}
> > +
> > +static int __maybe_unused hash_update_sha1(struct hash_algo *algo, void
> *ctx,
> > + const void *buf, unsigned int
> size,
> > + int is_last)
> > +{
> > + return mbedtls_sha1_update((mbedtls_sha1_context *)ctx, buf,
> size);
> > +}
> > +
> > +static int __maybe_unused
> > +hash_finish_sha1(struct hash_algo *algo, void *ctx, void *dest_buf, int
> size)
> > +{
> > + int ret;
> > +
> > + if (size < algo->digest_size)
> > + return -1;
> > +
> > + ret = mbedtls_sha1_finish((mbedtls_sha1_context *)ctx, dest_buf);
> > + if (!ret) {
>
> patch # calls finish & free regardless of the return result of
> mbedtls__finish().
> I think this should happen here as well
>
> Unlike the other one who returns void, this API returns int.
Why don't we check the result here and return the error code when it exists?
[snip]
Regards,
Raymond
Re: [PATCH v6 07/28] hash: integrate hash on mbedtls
Hi Simon, On Thu, 29 Aug 2024 at 11:01, Simon Glass wrote: > Hi Raymond, > > On Fri, 16 Aug 2024 at 15:47, Raymond Mao wrote: > > > > Integrate common/hash.c on the hash shim layer so that hash APIs > > from mbedtls can be leveraged by boot/image and efi_loader. > > > > Signed-off-by: Raymond Mao > > --- > > Changes in v2 > > - Use the original head files instead of creating new ones. > > Changes in v3 > > - Add handle checkers for malloc. > > Changes in v4 > > - None. > > Changes in v5 > > - Add __maybe_unused to solve linker errors in some platforms. > > - replace malloc with calloc. > > Changes in v6 > > - None. > > > > common/hash.c | 146 ++ > > 1 file changed, 146 insertions(+) > > I am not seeing the benefit of replacing U-Boot's hashing algorithms. > They work well and don't change. Also it seems to be making the code a > lot uglier, with an uncertain timeline for clean-up. > > The truth is that other MbedTLS modules e.g. x509, pkcs7 all depend on its own digest library and there is no option for MbedTLS to depend on an external digest library. Unless a refactoring in MbedTLS itself - I believe this is difficult for the MbedTLS project to adopt as it is aimed to be an all-in-one crypto solution. Regards, Raymond
Re: [PATCH v6 06/28] mbedtls: add digest shim layer for MbedTLS
Hi Ilias,
On Wed, 28 Aug 2024 at 06:37, Ilias Apalodimas
wrote:
> Hi Raymond,
>
> [...]
>
> > --- a/lib/mbedtls/Makefile
> > +++ b/lib/mbedtls/Makefile
> > @@ -5,17 +5,23 @@
> >
> > MBEDTLS_LIB_DIR = external/mbedtls/library
> >
> > +# shim layer for hash
> > +obj-$(CONFIG_$(SPL_)MD5_MBEDTLS) += md5.o
> > +obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o
> > +obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o
> > +obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
> > +
> > # MbedTLS crypto library
> > obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
> > mbedtls_lib_crypto-y := \
> > $(MBEDTLS_LIB_DIR)/platform_util.o \
> > $(MBEDTLS_LIB_DIR)/constant_time.o \
> > $(MBEDTLS_LIB_DIR)/md.o
> > -mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5) += $(MBEDTLS_LIB_DIR)/md5.o
> > -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1) += $(MBEDTLS_LIB_DIR)/sha1.o
> > -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256) += \
> > +mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> > +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> > +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>
> Why do we need to rename these here? Can't you add them with the _MBEDTLS
> suffix on the patch that introduced them?
>
> Patch #2 introduced the digest library but set it as default. And this
patch moves it under _MBEDTLS kconfig.
I have to separate into two otherwise patch #3 will be too huge and hard to
be reviewed.
> > $(MBEDTLS_LIB_DIR)/sha256.o
> > -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512) += \
> > +mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \
> > $(MBEDTLS_LIB_DIR)/sha512.o
> >
> > # MbedTLS X509 library
> > diff --git a/lib/mbedtls/md5.c b/lib/mbedtls/md5.c
> > new file mode 100644
> > index 000..04388fce249
> > --- /dev/null
> > +++ b/lib/mbedtls/md5.c
> > @@ -0,0 +1,57 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Hash shim layer on MbedTLS Crypto library
> > + *
> > + * Copyright (c) 2024 Linaro Limited
> > + * Author: Raymond Mao
> > + */
> > +#include "compiler.h"
> > +
> > +#ifndef USE_HOSTCC
> > +#include
> > +#endif /* USE_HOSTCC */
> > +#include
> > +
> > +void MD5Init(MD5Context *ctx)
> > +{
> > + mbedtls_md5_init(ctx);
> > + mbedtls_md5_starts(ctx);
> > +}
> > +
> > +void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int
> len)
> > +{
> > + mbedtls_md5_update(ctx, buf, len);
> > +}
> > +
> > +void MD5Final(unsigned char digest[16], MD5Context *ctx)
> > +{
> > + mbedtls_md5_finish(ctx, digest);
> > + mbedtls_md5_free(ctx);
> > +}
> > +
> > +void md5_wd(const unsigned char *input, unsigned int len,
> > + unsigned char output[16], unsigned int chunk_sz)
> > +{
> > + MD5Context context;
> > +
> > + MD5Init(&context);
> > +
> > + if (IS_ENABLED(CONFIG_HW_WATCHDOG) || IS_ENABLED(CONFIG_WATCHDOG))
> {
> > + const unsigned char *curr = input;
> > + const unsigned char *end = input + len;
> > + int chunk;
> > +
> > + while (curr < end) {
> > + chunk = end - curr;
> > + if (chunk > chunk_sz)
> > + chunk = chunk_sz;
> > + MD5Update(&context, curr, chunk);
> > + curr += chunk;
> > + schedule();
> > + }
> > + } else {
> > + MD5Update(&context, input, len);
> > + }
> > +
> > + MD5Final(output, &context);
> > +}
> > diff --git a/lib/mbedtls/sha1.c b/lib/mbedtls/sha1.c
> > new file mode 100644
> > index 000..2aee5037795
> > --- /dev/null
> > +++ b/lib/mbedtls/sha1.c
> > @@ -0,0 +1,99 @@
> > +// SPDX-License-Identifier: GPL-2.0+
> > +/*
> > + * Hash shim layer on MbedTLS Crypto library
> > + *
> > + * Copyright (c) 2024 Linaro Limited
> > + * Author: Raymond Mao
> > + */
> > +#ifndef USE_HOSTCC
> > +#include
> > +#endif /* USE_HOSTCC */
> > +#include
> > +#include
> > +
> > +const u8 sha1_der_prefix[SHA1_DER_LEN] = {
> > + 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
> > + 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
> > +};
> > +
> > +void sha1_starts(sha1_context *ct
Re: [PATCH v6 03/28] lib: Adapt digest header files to MbedTLS
Hi Ilias,
On Wed, 28 Aug 2024 at 05:25, Ilias Apalodimas
wrote:
> On Sat, 17 Aug 2024 at 00:46, Raymond Mao wrote:
> >
> > Adapt digest header files to support both original libs and MbedTLS
> > by switching on/off MBEDTLS_LIB_CRYPTO.
> > Introduce _LEGACY kconfig for legacy hash implementations.
> >
> > `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
> > including causes undefined reference on schedule()
> > with sandbox build, as includes
> > which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no
> schedule()
> > are defined in sandbox build,
> > Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.
> >
> > Signed-off-by: Raymond Mao
> > ---
> > Changes in v2
> > - Initial patch.
> > Changes in v3
> > - Remove the changes that were done in previous clean-up patch set.
> > Changes in v4
> > - Introduce _LEGACY kconfig for legacy hash implementations.
> > Changes in v5
> > - Correct header file include directories.
> > - Correct kconfig dependence.
> > Changes in v6
> > - Update commit message.
> > - Rebased on next branch.
> >
> > include/u-boot/md5.h| 7
> > include/u-boot/sha1.h | 21 +-
> > include/u-boot/sha256.h | 20 +
> > include/u-boot/sha512.h | 9
> > lib/Makefile| 10 +++--
> > lib/mbedtls/Kconfig | 91 +
> > 6 files changed, 153 insertions(+), 5 deletions(-)
> >
> > diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
> > index c465925ea8d..69898fcbe49 100644
> > --- a/include/u-boot/md5.h
> > +++ b/include/u-boot/md5.h
> > @@ -6,10 +6,16 @@
> > #ifndef _MD5_H
> > #define _MD5_H
> >
> > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> > +#include
> > +#endif
> > #include "compiler.h"
> >
> > #define MD5_SUM_LEN16
> >
> > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> > +typedef mbedtls_md5_context MD5Context;
> > +#else
> > typedef struct MD5Context {
> > __u32 buf[4];
> > __u32 bits[2];
> > @@ -18,6 +24,7 @@ typedef struct MD5Context {
> > __u32 in32[16];
> > };
> > } MD5Context;
> > +#endif
> >
> > void MD5Init(MD5Context *ctx);
> > void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int
> len);
> > diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
> > index c1e9f67068d..ab88134fb98 100644
> > --- a/include/u-boot/sha1.h
> > +++ b/include/u-boot/sha1.h
> > @@ -16,6 +16,21 @@
> >
> > #include
> >
> > +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> > +/*
> > + * FIXME:
> > + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> > + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
> > + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the
> external
> > + * access.
> > + * Directly including is not
> allowed,
> > + * since this will include and break the sandbox test.
> > + */
> > +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
>
> nit, this probably belongs on the mbedTLS config file, so you wont
> have to define for all checksum algorithms
>
> Have to keep it here to avoid changes to the library,
as the macro belongs to the common header file but not the custom config.
Regards,
Raymond
[snip]
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Mon, 19 Aug 2024 at 17:04, Tom Rini wrote: > On Fri, Aug 16, 2024 at 02:43:49PM -0700, Raymond Mao wrote: > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > > > > Motivations: > > > > > > 1. MbedTLS is well maintained with LTS versions. > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > 3. MbedTLS recently switched license back to GPLv2. > > Whereas I think v5 did well with global build with mbedTLS being the > default option, v6 blows up so many places. > I didn't enable it except qemu_arm64, sandbox and nanopi_a64, I will run it on more platforms via CI. Regards, Raymond
Re: [PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Simon, On Sat, 17 Aug 2024 at 11:58, Simon Glass wrote: > Hi Raymond, > > On Fri, 16 Aug 2024 at 15:44, Raymond Mao wrote: > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > > > > Motivations: > > > > > > 1. MbedTLS is well maintained with LTS versions. > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > 3. MbedTLS recently switched license back to GPLv2. > > > > Prerequisite: > > - > > > > This patch series requires mbedtls git repo to be added as a > > subtree to the main U-Boot repo via: > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > https://github.com/Mbed-TLS/mbedtls.git \ > > v3.6.0 --squash > > Moreover, due to the Windows-style files from mbedtls git repo, > > we need to convert the CRLF endings to LF and do a commit manually: > > $ git add --renormalize . > > $ git commit > > > > New Kconfig options: > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > with > > MbedTLS. > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > and Pubkey parser with MbedTLS. > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > introduced. > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > are by default enabled in qemu_arm64_defconfig and sandbox_defconfig > > for testing purpose. > > > > Patches for external MbedTLS project: > > - > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > executables which is not supported by MbedTLS at the moment, > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > 1. Decoding of Microsoft Authentication Code. > > 2. Decoding of PKCS#9 Authenticate Attributes. > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > MbedTLS project and being reviewed, eventually they should be part of > > MbedTLS LTS release. > > But before that, please merge them into U-Boot, otherwise the building > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > See below PR link for the reference: > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > Miscellaneous: > > -- > > > > Optimized MbedTLS library size by tailoring the config file > > and disabling all unnecessary features for EFI loader. > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > sha512) are completely replaced when MbedTLS is enabled. > > From v3, the size-growth is slightly reduced by refactoring Hash > functions. > > From v6, smaller implementations for SHA256 and SHA512 are enabled and > > target size reduce significantly. > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > v1: 6.03% > > v2: 4.66% > > v3 - v5: 4.55% > > v6: 2.90% > > > > Please see the latest output from buildman for size-growth on QEMU arm64, > > Sandbox and Nanopi A64. [1] > > > > Tests done: > > --- > > > > EFI Secure Boot test (EFI variables loading and verifying, EFI signed > image > > verifying and booting) via U-Boot console. > > EFI Secure Boot and Capsule sandbox test passed. > > > > Known issues: > > - > > > > None. > > I wonder if we could leave out the SHA stuff? The algorithms are > stable and this would seem to avoid much of the size growth, and all > the pain of trying to integrate another yet another hashing layer (we > already have normal, progressive and h/w acceleration, plus > UCLASS_HASH which h/w acceleration should use but that migration never > happened). I struggle to see any benefit in replacing U-Boot's very > solid hashing infra with something else, particularly as this series > adds yet another. Better to invest the time to refactor it. I asked > about this before and was told that it would happen 'later'. Let's > just not change it at all, then it is more likely someone will sort it > out. > > Unfortunately, MbedTLS depends on its own digest layer. Unless we patch MbedTLS to allow an external digest library from U-Boot ... > Also, if MbedTLS is wanting to be a general library for TLS (I assume > transport-local security, not thread-local storage) perhaps it might > consider changing to non-Windows newlines, or perhaps even kernel code > style? > > We can feedback this to the MbedTLS project when the first series are accepted. Regards, Raymond
[PATCH v6 28/28] configs: enable MbedTLS as default setting
Enable MbedTLS as default setting for qemu arm64 and sandbox. Signed-off-by: Raymond Mao --- Changes in v2 - None. Changes in v3 - None. Changes in v4 - None. Changes in v5 - Remove unused config MBEDTLS_LIB_TLS. - Remove EFI_SECURE_BOOT from the default config. Changes in v6 - Remove MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509. configs/qemu_arm64_defconfig | 1 + configs/sandbox_defconfig| 1 + 2 files changed, 2 insertions(+) diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 7e166f43908..2a7885d2a68 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig @@ -67,4 +67,5 @@ CONFIG_TPM2_MMIO=y CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_PCI=y CONFIG_SEMIHOSTING=y +CONFIG_MBEDTLS_LIB=y CONFIG_TPM=y diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 484f9e1bf8d..2ca2e66d1de 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -344,6 +344,7 @@ CONFIG_FS_CBFS=y CONFIG_FS_CRAMFS=y CONFIG_ADDR_MAP=y CONFIG_CMD_DHRYSTONE=y +CONFIG_MBEDTLS_LIB=y CONFIG_ECDSA=y CONFIG_ECDSA_VERIFY=y CONFIG_TPM=y -- 2.25.1
[PATCH v6 25/28] lib/rypto: Adapt rsa_helper to MbedTLS
Previous patch has introduced MbedTLS porting layer for RSA helper, here to adjust the makefile accordingly. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - None. Changes in v6 - None. lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 3caa45dc2a8..72b413d85a9 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -13,7 +13,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser # -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o -- 2.25.1
[PATCH v6 22/28] mbedtls: add MSCode parser porting layer
Add porting layer for MSCode on top of MbedTLS ASN1 library.
Introduce _MBEDTLS kconfigs for MSCode MbedTLS implementation.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
MbedTLS implementations respectively.
- Fix a few code style.
Changes in v5
- Correct kconfig dependence.
- Refactored MbedTLS makefile.
- Move mscode legacy kconfig to the next patch.
Changes in v6
- None.
lib/mbedtls/Kconfig | 9 +++
lib/mbedtls/Makefile| 1 +
lib/mbedtls/mscode_parser.c | 123
3 files changed, 133 insertions(+)
create mode 100644 lib/mbedtls/mscode_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index e759cc20832..f03fb752d3f 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -294,6 +294,7 @@ config MBEDTLS_LIB_X509
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -324,6 +325,14 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_MBEDTLS
+ bool "MS authenticode parser with MbedTLS certificate library"
+ depends on MBEDTLS_LIB_X509 && MSCODE_PARSER
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 36eba07bf43..8b1b6a5 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -17,6 +17,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c
new file mode 100644
index 000..c3805c6503c
--- /dev/null
+++ b/lib/mbedtls/mscode_parser.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * MSCode parser using MbedTLS ASN1 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+
+/*
+ * Parse a Microsoft Individual Code Signing blob
+ *
+ * U.P.SEQUENCE {
+ *U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID)
+ *U.P.SEQUENCE {
+ * U.P.BITSTRING NaN : 0 unused bit(s);
+ * [C.P.0] {
+ * [C.P.2] {
+ * [C.P.0]
+ * }
+ * }
+ *}
+ * }
+ * U.P.SEQUENCE {
+ *U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER
+ * U.P.NULL
+ *}
+ *U.P.OCTETSTRING
+ * }
+ *
+ * @ctx: PE file context.
+ * @content_data: content data pointer.
+ * @data_len: content data length.
+ * @asn1hdrlen: ASN1 header length.
+ */
+int mscode_parse(void *ctx, const void *content_data, size_t data_len,
+size_t asn1hdrlen)
+{
+ struct pefile_context *_ctx = ctx;
+ unsigned char *p = (unsigned char *)content_data;
+ unsigned char *end = (unsigned char *)content_data + data_len;
+ size_t len = 0;
+ int ret;
+ unsigned char *inner_p;
+ size_t seq_len = 0;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len,
+ MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p,
+ len))
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+
+ /*
+* Check if the inner sequence contains a supported has
[PATCH v6 19/28] lib/crypto: Adapt x509_cert_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for x509 cert parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
- Add function comments for the new APIs.
Changes in v5
- Correct kconfig dependence.
- Correct header file include directories.
- Adjust a few inline comments.
Changes in v6
- None.
include/crypto/x509_parser.h | 55
lib/crypto/Kconfig | 2 +-
lib/crypto/Makefile | 4 +--
lib/crypto/x509_public_key.c | 2 ++
4 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h
index 4cbdc1d6612..0e22e33f66b 100644
--- a/include/crypto/x509_parser.h
+++ b/include/crypto/x509_parser.h
@@ -11,8 +11,35 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct x509_cert_mbedtls_ctx {
+ void*tbs; /* Signed data */
+ void*raw_serial;/* Raw serial number in ASN.1 */
+ void*raw_issuer;/* Raw issuer name in ASN.1 */
+ void*raw_subject; /* Raw subject name in ASN.1 */
+ void*raw_skid; /* Raw subjectKeyId in ASN.1 */
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * Fields we don't need to populate from MbedTLS context:
+ * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context,
+ * not needed for MbedTLS.
+ * 'signer' and 'seen' are used internally by pkcs7_verify.
+ * 'verified' is not in use.
+ */
struct x509_certificate {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct x509_cert_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *next;
struct x509_certificate *signer;/* Certificate that signed this
one */
struct public_key *pub; /* Public key details */
@@ -48,6 +75,32 @@ struct x509_certificate {
* x509_cert_parser.c
*/
extern void x509_free_certificate(struct x509_certificate *cert);
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+/**
+ * x509_populate_pubkey() - Populate public key from MbedTLS context
+ *
+ * @cert: Pointer to MbedTLS X509 cert
+ * @pub_key: Pointer to the populated public key handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key);
+/**
+ * x509_populate_cert() - Populate X509 cert from MbedTLS context
+ *
+ * @mbedtls_cert: Pointer to MbedTLS X509 cert
+ * @pcert: Pointer to the populated X509 cert handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert,
+ struct x509_certificate **pcert);
+/**
+ * x509_get_timestamp() - Translate timestamp from MbedTLS context
+ *
+ * @x509_time: Pointer to MbedTLS time
+ * Return: Time in time64_t format
+ */
+time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time);
+#endif
extern struct x509_certificate *x509_cert_parse(const void *data, size_t
datalen);
extern int x509_decode_time(time64_t *_t, size_t hdrlen,
unsigned char tag,
@@ -56,6 +109,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen,
/*
* x509_public_key.c
*/
+#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
extern int x509_get_sig_params(struct x509_certificate *cert);
+#endif
extern int x509_check_for_self_signed(struct x509_certificate *cert);
#endif /* _X509_PARSER_H */
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index 6e0656ad1c5..6106190677e 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -1,6 +1,6 @@
menuconfig ASYMMETRIC_KEY_TYPE
bool "Asymmetric (public-key cryptographic) key Support"
- depends on FIT_SIGNATURE
+ depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509
help
This option provides support for a key type that holds the data for
the asymmetric keys used for public key cryptographic operations such
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7e877214aa8..4302f197297 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -32,11 +32,11 @@ endif
# X.509 Certificate handling
#
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
-x509_key_parser-y := \
+x509_key_parser-y := x509_helper.o
+x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
- x509_helper.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index 4ba13c1adc3..310edbd21be 100644
--- a/lib
[PATCH v6 18/28] mbedtls: add X509 cert parser porting layer
Add porting layer for X509 cert parser on top of MbedTLS X509
library.
Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
- Move common functions to helper.
Changes in v5
- Kconfig rename.
- Adjust a few inline comments.
Changes in v6
- None.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 4 +-
lib/mbedtls/x509_cert_parser.c | 447 +
3 files changed, 468 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/x509_cert_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index dbbcdba8bc6..6a0008df71c 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -119,6 +119,7 @@ config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -133,6 +134,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY
This option chooses legacy certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_LEGACY
+ bool "X.509 certificate parser with legacy certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -274,6 +283,7 @@ config MBEDTLS_LIB_X509
bool "MbedTLS certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -288,6 +298,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS
This option chooses MbedTLS certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_MBEDTLS
+ bool "X.509 certificate parser with MbedTLS certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 2d2220dd4fd..ab64365a99a 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -14,6 +14,8 @@ obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
# x509 libraries
obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
+obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
+ x509_cert_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -44,7 +46,7 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pk.o \
$(MBEDTLS_LIB_DIR)/pk_wrap.o \
$(MBEDTLS_LIB_DIR)/pkparse.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c
new file mode 100644
index 000..cb42018695c
--- /dev/null
+++ b/lib/mbedtls/x509_cert_parser.c
@@ -0,0 +1,447 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 cert parser using MbedTLS X509 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+
+static void x509_free_mbedtls_ctx(struct x509_cert_mbedtls_ctx *ctx)
+{
+ if (!ctx)
+ return;
+
+ kfree(ctx->tbs);
+ kfree(ctx->raw_serial);
+ kfree(ctx->raw_issuer);
+ kfree(ctx->raw_subject);
+ kfree(ctx->raw_skid);
+ kfree(ctx);
+}
+
+static int x509_set_cert_flags(struct x509_certificate *cert)
+{
+ struct public_key_signature *sig = cert->sig;
+
+ if (!sig || !cert->pub) {
+ pr_err("Signature or public key is not initialized\n");
+ return -ENOPKG;
+ }
+
+ if (!cert->pub->pkey_algo)
+ cert->unsupported_key = true;
+
+ if (!sig->pkey_algo)
+ cert->unsupported_sig = true;
+
+ if (!sig->hash_algo)
+ cert->unsupported_sig = tru
[PATCH v6 17/28] lib/crypto: Adapt public_key header with MbedTLS
Previous patch has introduced MbedTLS porting layer for public key, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - Correct header file include directories. - Kconfig rename. Changes in v6 - None. include/crypto/public_key.h | 6 ++ lib/crypto/Makefile | 5 ++--- lib/crypto/asymmetric_type.c | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fcc348..25cfb68adce 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #else #include #endif diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 16059088f26..7e877214aa8 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,9 +7,8 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ - public_key_helper.o \ - public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15ef97..95b82cd8e84 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include #include #endif -#include #ifdef __UBOOT__ #include #include @@ -26,6 +25,7 @@ #include #include #endif +#include #ifdef __UBOOT__ #include #else -- 2.25.1
[PATCH v6 16/28] mbedtls: add public key porting layer
Add porting layer for public key on top of MbedTLS X509 library.
Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and
MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for public key legacy and
MbedTLS implementations respectively.
- Move common functions to helper.
Changes in v5
- Correct kconfig dependence.
- Kconfig rename.
- Refactored MbedTLS makefile.
- Adjust a few inline comments.
Changes in v6
- None.
lib/mbedtls/Kconfig | 52 +
lib/mbedtls/Makefile | 6 ++-
lib/mbedtls/public_key.c | 82
3 files changed, 139 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/public_key.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 0e22edf1b6c..dbbcdba8bc6 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -117,9 +117,35 @@ endif # LEGACY_CRYPTO_BASIC
config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
+ select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
+ ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
+ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
Enable legacy certificate libraries.
+if LEGACY_CRYPTO_CERT
+
+config ASYMMETRIC_PUBLIC_KEY_LEGACY
+ bool "Asymmetric public key crypto with legacy certificate library"
+ depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses legacy certificate library for asymmetric public
+ key crypto algorithm.
+
+if SPL
+
+config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
+ bool "Asymmetric public key crypto with legacy certificate library in
SPL"
+ depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses legacy certificate library for asymmetric public
+ key crypto algorithm in SPL.
+
+endif # SPL
+
+endif # LEGACY_CRYPTO_CERT
+
endif # LEGACY_CRYPTO
if MBEDTLS_LIB
@@ -246,7 +272,33 @@ endif # MBEDTLS_LIB_CRYPTO
config MBEDTLS_LIB_X509
bool "MbedTLS certificate libraries"
+ select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
+ ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
+ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
Enable MbedTLS certificate libraries.
+if MBEDTLS_LIB_X509
+
+config ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ bool "Asymmetric public key crypto with MbedTLS certificate library"
+ depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses MbedTLS certificate library for asymmetric public
+ key crypto algorithm.
+
+if SPL
+
+config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ bool "Asymmetric public key crypto with MbedTLS certificate library in
SPL"
+ depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ help
+ This option chooses MbedTLS certificate library for asymmetric public
+ key crypto algorithm in SPL.
+
+endif # SPL
+
+endif # MBEDTLS_LIB_X509
+
endif # MBEDTLS_LIB
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 50c1ba5f88e..2d2220dd4fd 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -11,6 +11,10 @@ obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o
obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o
obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
+# x509 libraries
+obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
+ public_key.o
+
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
mbedtls_lib_crypto-y := \
@@ -36,7 +40,7 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += \
$(MBEDTLS_LIB_DIR)/bignum_core.o \
$(MBEDTLS_LIB_DIR)/rsa.o \
$(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pk.o \
$(MBEDTLS_LIB_DIR)/pk_wrap.o \
$(MBEDTLS_LIB_DIR)/pkparse.o
diff --git a/lib/mbedtls/public_key.c b/lib/mbedtls/public_key.c
new file mode 100644
index 000..5f73b99d4f2
--- /dev/null
+++ b/lib/mbedtls/public_key.c
@@ -0,0 +1,82 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Public key helper functions using MbedTLS X509 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+
+int public_key_verify_signature(const struct public_key *pkey,
+ const struct public_key_signature *sig)
+{
+ mbedtls_md_type_t mb_hash_algo;
+ mbedtls_pk_context pk_ctx;
+ int ret;
+
+ if (!pkey || !sig || pkey->key_is_private)
[PATCH v6 15/28] pkcs7: move common functions to PKCS7 helper
Move pkcs7_get_content_data as a helper function that can be
shared by legacy crypto lib and MbedTLS implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Remove authorship.
Changes in v6
- None.
lib/crypto/Makefile | 1 +
lib/crypto/pkcs7_helper.c | 37 +
lib/crypto/pkcs7_parser.c | 28
3 files changed, 38 insertions(+), 28 deletions(-)
create mode 100644 lib/crypto/pkcs7_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 946cc3a7b59..16059088f26 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -53,6 +53,7 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c
$(obj)/x509_akid.asn1.h
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
pkcs7_message-y := \
pkcs7.asn1.o \
+ pkcs7_helper.o \
pkcs7_parser.o
obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
diff --git a/lib/crypto/pkcs7_helper.c b/lib/crypto/pkcs7_helper.c
new file mode 100644
index 000..bb3b9d1354f
--- /dev/null
+++ b/lib/crypto/pkcs7_helper.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * PKCS7 helper functions
+ *
+ * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+#include
+
+/**
+ * pkcs7_get_content_data - Get access to the PKCS#7 content
+ * @pkcs7: The preparsed PKCS#7 message to access
+ * @_data: Place to return a pointer to the data
+ * @_data_len: Place to return the data length
+ * @_headerlen: Size of ASN.1 header not included in _data
+ *
+ * Get access to the data content of the PKCS#7 message. The size of the
+ * header of the ASN.1 object that contains it is also provided and can be used
+ * to adjust *_data and *_data_len to get the entire object.
+ *
+ * Returns -ENODATA if the data object was missing from the message.
+ */
+int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
+ const void **_data, size_t *_data_len,
+ size_t *_headerlen)
+{
+ if (!pkcs7->data)
+ return -ENODATA;
+
+ *_data = pkcs7->data;
+ *_data_len = pkcs7->data_len;
+ if (_headerlen)
+ *_headerlen = pkcs7->data_hdrlen;
+ return 0;
+}
diff --git a/lib/crypto/pkcs7_parser.c b/lib/crypto/pkcs7_parser.c
index d5efa828d6a..c849dc0d92d 100644
--- a/lib/crypto/pkcs7_parser.c
+++ b/lib/crypto/pkcs7_parser.c
@@ -182,34 +182,6 @@ out_no_ctx:
}
EXPORT_SYMBOL_GPL(pkcs7_parse_message);
-/**
- * pkcs7_get_content_data - Get access to the PKCS#7 content
- * @pkcs7: The preparsed PKCS#7 message to access
- * @_data: Place to return a pointer to the data
- * @_data_len: Place to return the data length
- * @_headerlen: Size of ASN.1 header not included in _data
- *
- * Get access to the data content of the PKCS#7 message. The size of the
- * header of the ASN.1 object that contains it is also provided and can be used
- * to adjust *_data and *_data_len to get the entire object.
- *
- * Returns -ENODATA if the data object was missing from the message.
- */
-int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
- const void **_data, size_t *_data_len,
- size_t *_headerlen)
-{
- if (!pkcs7->data)
- return -ENODATA;
-
- *_data = pkcs7->data;
- *_data_len = pkcs7->data_len;
- if (_headerlen)
- *_headerlen = pkcs7->data_hdrlen;
- return 0;
-}
-EXPORT_SYMBOL_GPL(pkcs7_get_content_data);
-
/*
* Note an OID when we find one for later processing when we know how
* to interpret it.
--
2.25.1
[PATCH v6 13/28] public_key: move common functions to public key helper
Move public_key_free and public_key_signature_free as helper
functions that can be shared by legacy crypto lib and MbedTLS
implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
lib/crypto/Makefile| 4 +++-
lib/crypto/public_key.c| 31 ---
lib/crypto/public_key_helper.c | 39 ++
3 files changed, 42 insertions(+), 32 deletions(-)
create mode 100644 lib/crypto/public_key_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index bec1bc95a65..4ad1849040d 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -7,7 +7,9 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := asymmetric_type.o
-obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
+obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \
+ public_key_helper.o \
+ public_key.o
#
# RSA public key parser
diff --git a/lib/crypto/public_key.c b/lib/crypto/public_key.c
index 6efe951c057..408742907f1 100644
--- a/lib/crypto/public_key.c
+++ b/lib/crypto/public_key.c
@@ -51,38 +51,7 @@ static void public_key_describe(const struct key
*asymmetric_key,
}
#endif
-/*
- * Destroy a public key algorithm key.
- */
-void public_key_free(struct public_key *key)
-{
- if (key) {
- kfree(key->key);
- kfree(key->params);
- kfree(key);
- }
-}
-EXPORT_SYMBOL_GPL(public_key_free);
-
#ifdef __UBOOT__
-/*
- * from /crypto/asymmetric_keys/signature.c
- *
- * Destroy a public key signature.
- */
-void public_key_signature_free(struct public_key_signature *sig)
-{
- int i;
-
- if (sig) {
- for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
- free(sig->auth_ids[i]);
- free(sig->s);
- free(sig->digest);
- free(sig);
- }
-}
-EXPORT_SYMBOL_GPL(public_key_signature_free);
/**
* public_key_verify_signature - Verify a signature using a public key.
diff --git a/lib/crypto/public_key_helper.c b/lib/crypto/public_key_helper.c
new file mode 100644
index 000..2c55922bdcb
--- /dev/null
+++ b/lib/crypto/public_key_helper.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 helper functions
+ *
+ * Copyright (c) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+
+/*
+ * Destroy a public key algorithm key.
+ */
+void public_key_free(struct public_key *key)
+{
+ if (key) {
+ kfree(key->key);
+ kfree(key->params);
+ kfree(key);
+ }
+}
+
+/*
+ * from /crypto/asymmetric_keys/signature.c
+ *
+ * Destroy a public key signature.
+ */
+void public_key_signature_free(struct public_key_signature *sig)
+{
+ int i;
+
+ if (sig) {
+ for (i = 0; i < ARRAY_SIZE(sig->auth_ids); i++)
+ kfree(sig->auth_ids[i]);
+ kfree(sig->s);
+ kfree(sig->digest);
+ kfree(sig);
+ }
+}
--
2.25.1
[PATCH v6 12/28] mbedtls/external: update MbedTLS PKCS7 test suites
Update the PKCS7 test suites for multiple certs. The PR for this patch is at: https://github.com/Mbed-TLS/mbedtls/pull/9001 For enabling EFI loader PKCS7 features with MbedTLS build, we need this patch on top of MbedTLS v3.6.0 before it is merged into the next MbedTLS LTS release. Signed-off-by: Raymond Mao --- Changes in v2 - None. Changes in v3 - Update commit message. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. .../external/mbedtls/tests/suites/test_suite_pkcs7.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data index d3b83cdf0aa..2dd1c56109f 100644 --- a/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data +++ b/lib/mbedtls/external/mbedtls/tests/suites/test_suite_pkcs7.data @@ -14,9 +14,9 @@ PKCS7 Signed Data Parse with zero signers depends_on:MBEDTLS_MD_CAN_SHA256 pkcs7_parse:"data_files/pkcs7_data_no_signers.der":MBEDTLS_PKCS7_SIGNED_DATA -PKCS7 Signed Data Parse Fail with multiple certs #4 +PKCS7 Signed Data Parse Pass with multiple certs #4 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE +pkcs7_parse:"data_files/pkcs7_data_multiple_certs_signed.der":MBEDTLS_PKCS7_SIGNED_DATA PKCS7 Signed Data Parse Fail with corrupted cert #5.0 depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C -- 2.25.1
[PATCH v6 10/28] mbedtls/external: support PKCS9 Authenticate Attributes
Populate PKCS9 Authenticate Attributes from signer info if it exists
in a PKCS7 message.
Add OIDs for describing objects using for Authenticate Attributes.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
.../external/mbedtls/include/mbedtls/oid.h| 5 +
.../external/mbedtls/include/mbedtls/pkcs7.h | 11 +++
lib/mbedtls/external/mbedtls/library/pkcs7.c | 19 ++-
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index 2ee982808fa..43cef99f1e3 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -238,6 +238,11 @@
#define MBEDTLS_OID_RSA_SHA_OBS "\x2B\x0E\x03\x02\x1D"
#define MBEDTLS_OID_PKCS9_EMAIL MBEDTLS_OID_PKCS9 "\x01" /**<
emailAddress AttributeType ::= { pkcs-9 1 } */
+#define MBEDTLS_OID_PKCS9_CONTENTTYPE MBEDTLS_OID_PKCS9 "\x03" /**<
contentType AttributeType ::= { pkcs-9 3 } */
+#define MBEDTLS_OID_PKCS9_MESSAGEDIGEST MBEDTLS_OID_PKCS9 "\x04" /**<
messageDigest AttributeType ::= { pkcs-9 4 } */
+#define MBEDTLS_OID_PKCS9_SIGNINGTIME MBEDTLS_OID_PKCS9 "\x05" /**<
signingTime AttributeType ::= { pkcs-9 5 } */
+#define MBEDTLS_OID_PKCS9_SMIMECAP MBEDTLS_OID_PKCS9 "\x0f" /**<
smimeCapabilites AttributeType ::= { pkcs-9 15 } */
+#define MBEDTLS_OID_PKCS9_SMIMEAA MBEDTLS_OID_PKCS9 "\x10\x02\x0b" /**<
smimeCapabilites AttributeType ::= { pkcs-9 16 2 11} */
/* RFC 4055 */
#define MBEDTLS_OID_RSASSA_PSS MBEDTLS_OID_PKCS1 "\x0a" /**<
id-RSASSA-PSS ::= { pkcs-1 10 } */
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index 9e29b74af70..a88a5e858fc 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -102,6 +102,16 @@ typedef enum {
}
mbedtls_pkcs7_type;
+/*
+ * Authenticate Attributes for MicroSoft Authentication Code using in U-Boot
+ * Secure Boot
+ */
+typedef struct mbedtls_pkcs7_authattrs {
+size_t data_len;
+void *data;
+}
+mbedtls_pkcs7_authattrs;
+
/**
* Structure holding PKCS #7 signer info
*/
@@ -113,6 +123,7 @@ typedef struct mbedtls_pkcs7_signer_info {
mbedtls_x509_buf MBEDTLS_PRIVATE(alg_identifier);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig_alg_identifier);
mbedtls_x509_buf MBEDTLS_PRIVATE(sig);
+mbedtls_pkcs7_authattrs authattrs;
struct mbedtls_pkcs7_signer_info *MBEDTLS_PRIVATE(next);
}
mbedtls_pkcs7_signer_info;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 0c2436b56b7..da73fb341d6 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -288,6 +288,7 @@ static int pkcs7_get_signer_info(unsigned char **p,
unsigned char *end,
unsigned char *end_signer, *end_issuer_and_sn;
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len = 0;
+unsigned char *tmp_p;
asn1_ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_SEQUENCE);
@@ -349,7 +350,23 @@ static int pkcs7_get_signer_info(unsigned char **p,
unsigned char *end,
goto out;
}
-/* Assume authenticatedAttributes is nonexistent */
+/* Save authenticatedAttributes if present */
+if (*p < end_signer &&
+**p == (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_ASN1_CONSTRUCTED | 0))
{
+tmp_p = *p;
+
+ret = mbedtls_asn1_get_tag(p, end_signer, &len,
+ MBEDTLS_ASN1_CONTEXT_SPECIFIC |
+ MBEDTLS_ASN1_CONSTRUCTED | 0);
+if (ret != 0) {
+goto out;
+}
+
+signer->authattrs.data = tmp_p;
+signer->authattrs.data_len = len + *p - tmp_p;
+*p += len;
+}
+
ret = pkcs7_get_digest_algorithm(p, end_signer,
&signer->sig_alg_identifier);
if (ret != 0) {
goto out;
--
2.25.1
[PATCH v6 08/28] mbedtls: Enable smaller implementation for SHA256/512
Smaller implementation for SHA256 and SHA512 helps to reduce the ROM footprint though it has a certain impact on performance. As a trade-off, enable it as a default config when MbedTLS is enabled can reduce the target size significantly with acceptable performace loss. Signed-off-by: Raymond Mao --- Changes in v6 - Initial patch lib/mbedtls/Kconfig | 24 lib/mbedtls/mbedtls_def_config.h | 6 ++ 2 files changed, 30 insertions(+) diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 12f8c965f5a..0e22edf1b6c 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -151,18 +151,42 @@ config SHA1_MBEDTLS config SHA256_MBEDTLS bool "Enable SHA256 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA256 + select SHA256_SMALLER help This option enables support of hashing using SHA256 algorithm with MbedTLS crypto library. +if SHA256_MBEDTLS + +config SHA256_SMALLER + bool "Enable SHA256 smaller implementation with MbedTLS crypto library" + depends on SHA256_MBEDTLS + help + This option enables support of hashing using SHA256 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA512_MBEDTLS bool "Enable SHA512 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA512 default y if TI_SECURE_DEVICE && FIT_SIGNATURE + select SHA512_SMALLER help This option enables support of hashing using SHA512 algorithm with MbedTLS crypto library. +if SHA512_MBEDTLS + +config SHA512_SMALLER + bool "Enable SHA512 smaller implementation with MbedTLS crypto library" + depends on SHA512_MBEDTLS + help + This option enables support of hashing using SHA512 algorithm + smaller implementation with MbedTLS crypto library. + +endif + config SHA384_MBEDTLS bool "Enable SHA384 support with MbedTLS crypto library" depends on MBEDTLS_LIB_CRYPTO && SHA384 diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index 38de6b0b9af..750db8705e8 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -25,6 +25,9 @@ #if CONFIG_IS_ENABLED(SHA256) #define MBEDTLS_SHA256_C +#if CONFIG_IS_ENABLED(SHA256_SMALLER) +#define MBEDTLS_SHA256_SMALLER +#endif #endif #if CONFIG_IS_ENABLED(SHA384) @@ -33,6 +36,9 @@ #if CONFIG_IS_ENABLED(SHA512) #define MBEDTLS_SHA512_C +#if CONFIG_IS_ENABLED(SHA512_SMALLER) +#define MBEDTLS_SHA512_SMALLER +#endif #endif #endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */ -- 2.25.1
[PATCH v6 01/28] CI: Exclude MbedTLS subtree for CONFIG checks
Since MbedTLS is an external repo with its own coding style, exclude it from Azure and gitlab CI CONFIG checks. Signed-off-by: Raymond Mao Reviewed-by: Tom Rini Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. .azure-pipelines.yml | 3 ++- .gitlab-ci.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.azure-pipelines.yml b/.azure-pipelines.yml index e1b2f87b974..17dc6398e66 100644 --- a/.azure-pipelines.yml +++ b/.azure-pipelines.yml @@ -76,7 +76,8 @@ stages: # have no matches. - script: git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h - :^include/linux/kconfig.h :^tools/ :^dts/upstream/ && + :^include/linux/kconfig.h :^tools/ :^dts/upstream/ + :^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 - job: docs diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0a15b7352cd..c04aa8dbad4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -159,7 +159,8 @@ check for new CONFIG symbols outside Kconfig: # have no matches. - git grep -E '^#[[:blank:]]*(define|undef)[[:blank:]]*CONFIG_' :^doc/ :^arch/arm/dts/ :^scripts/kconfig/lkc.h -:^include/linux/kconfig.h :^tools/ :^dts/upstream/ && +:^include/linux/kconfig.h :^tools/ :^dts/upstream/ +:^lib/mbedtls/external :^lib/mbedtls/mbedtls_def_config.h && exit 1 || exit 0 # build documentation -- 2.25.1
[PATCH v6 27/28] test: Remove ASN1 library test
With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib, So remove it from test. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. Changes in v5 - None. Changes in v6 - None. test/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Kconfig b/test/Kconfig index e2ec0994a2e..558a9cd49b4 100644 --- a/test/Kconfig +++ b/test/Kconfig @@ -32,7 +32,7 @@ if UT_LIB config UT_LIB_ASN1 bool "Unit test for asn1 compiler and decoder function" - depends on SANDBOX + depends on SANDBOX && !MBEDTLS_LIB_X509 default y imply ASYMMETRIC_KEY_TYPE imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE -- 2.25.1
[PATCH v6 26/28] asn1_decoder: add build options for ASN1 decoder
When building with MbedTLS, we are using MbedTLS to decode ASN1 data for x509, pkcs7 and mscode. Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. - Update the commit subject. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. Changes in v6 - None. lib/Makefile | 2 +- lib/mbedtls/Kconfig | 30 ++ lib/mbedtls/Makefile | 2 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index 617f5a55de0..2f5c0a01b9a 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -82,7 +82,7 @@ obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ -obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o +obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 797da0df938..b51f46014a7 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -117,12 +117,14 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASN1_DECODER_LEGACY if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER + select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER @@ -131,6 +133,12 @@ config LEGACY_CRYPTO_CERT if LEGACY_CRYPTO_CERT +config ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library" depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -172,6 +180,13 @@ config MSCODE_PARSER_LEGACY if SPL +config SPL_ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library in SPL" depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -317,12 +332,14 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASN1_DECODER_MBEDTLS if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER + select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER @@ -331,6 +348,12 @@ config MBEDTLS_LIB_X509 if MBEDTLS_LIB_X509 +config ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library" depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -372,6 +395,13 @@ config MSCODE_PARSER_MBEDTLS if SPL +config SPL_ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" depends on MBEDTLS_LI
[PATCH v6 24/28] mbedtls: add RSA helper layer on MbedTLS
Add RSA helper layer on top on MbedTLS PK and RSA library. Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. - Remove unnecessary type casting. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. Changes in v6 - None. lib/mbedtls/Kconfig | 36 +++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/rsa_helper.c | 95 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/rsa_helper.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index ecdf4d3008f..797da0df938 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -119,11 +119,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER help Enable legacy certificate libraries. @@ -136,6 +138,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -169,6 +179,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT @@ -301,11 +319,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER help Enable MbedTLS certificate libraries. @@ -318,6 +338,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS @@ -351,6 +379,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 8b1b6a5..40031994708 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -18,6 +18,7 @@ obj-$(CONFIG_$(SPL_)X509_
[PATCH v6 23/28] lib/crypto: Adapt mscode_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for mscode parser,
here to adjust the header and makefiles accordingly.
Adding _LEGACY Kconfig for legacy mscode implementation.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Add kconfig for legacy mscode parser.
- Correct header file include directories.
Changes in v6
- None.
include/crypto/mscode.h | 4
lib/crypto/Makefile | 2 +-
lib/mbedtls/Kconfig | 9 +
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h
index 551058b96e6..678e69001b9 100644
--- a/include/crypto/mscode.h
+++ b/include/crypto/mscode.h
@@ -9,6 +9,10 @@
#ifndef __UBOOT__
#include
#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#endif
struct pefile_context {
#ifndef __UBOOT__
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7129315393f..3caa45dc2a8 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -63,7 +63,7 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
#
# Signed PE binary-wrapped key handling
#
-obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o
mscode-y := \
mscode_parser.o \
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index f03fb752d3f..ecdf4d3008f 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -121,6 +121,7 @@ config LEGACY_CRYPTO_CERT
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_LEGACY if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -151,6 +152,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY
This option chooses legacy certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_LEGACY
+ bool "MS authenticode parser with legacy certificate library"
+ depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
--
2.25.1
[PATCH v6 21/28] lib/crypto: Adapt PKCS7 parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Correct header file include directories.
Changes in v6
- None.
include/crypto/pkcs7_parser.h | 56 +++
lib/crypto/Makefile | 7 +++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
index 2c45cce5234..469c2711fa6 100644
--- a/include/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -11,6 +11,12 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#include
+#endif
#include
#define kenter(FMT, ...) \
@@ -18,7 +24,54 @@
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
+/* Backup the parsed MedTLS context that we need */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct pkcs7_mbedtls_ctx {
+ void *content_data;
+};
+
+struct pkcs7_sinfo_mbedtls_ctx {
+ void *authattrs_data;
+ void *content_data_digest;
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
+ * Authentication Code which is used for verifying the PE image digest.
+ *
+ * 1. Authenticated Attributes (authenticatedAttributes)
+ * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
+ * fields not exist.
+ * See MbedTLS function 'pkcs7_get_signer_info' for details.
+ *
+ * 2. MicroSoft Authentication Code (mscode)
+ * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
+ * (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
+ * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
+ * OID_msIndirectData) is not supported.
+ * See MbedTLS function 'pkcs7_get_content_info_type' for details.
+ *
+ * But the EFI loader assumes that a PKCS#7 message with an EFI image always
+ * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
+ * NULL), see function 'efi_signature_verify'.
+ *
+ * MbedTLS patch
"0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
+ * is to support both above features by parsing the Content Data and
+ * Authenticate Attributes from a given PKCS#7 message.
+ *
+ * Other fields we don't need to populate from MbedTLS, which are used
+ * internally by pkcs7_verify:
+ * 'signer', 'unsupported_crypto', 'blacklisted'
+ * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
+ * Content Data or Authenticate Attributes.
+ */
struct pkcs7_signed_info {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
+#endif
struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs)
*/
unsignedindex;
@@ -55,6 +108,9 @@ struct pkcs7_signed_info {
};
struct pkcs7_message {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *certs; /* Certificate list */
struct x509_certificate *crl; /* Revocation list */
struct pkcs7_signed_info *signed_infos;
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4302f197297..7129315393f 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c
$(obj)/x509_akid.asn1.h
# PKCS#7 message handling
#
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
-pkcs7_message-y := \
+pkcs7_message-y := pkcs7_helper.o
+pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
pkcs7.asn1.o \
- pkcs7_helper.o \
pkcs7_parser.o
-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
+obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
+
#
# Signed PE binary-wrapped key handling
#
--
2.25.1
[PATCH v6 20/28] mbedtls: add PKCS7 parser porting layer
Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library.
Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
- Fix EFI Capsule CI test failures.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
- Move common functions to helper.
- Fix an unnecessary pointer casting.
Changes in v5
- Refactored MbedTLS makefile.
Changes in v6
- None.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 3 +-
lib/mbedtls/pkcs7_parser.c | 506 +
3 files changed, 526 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/pkcs7_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 6a0008df71c..e759cc20832 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -120,6 +120,7 @@ config LEGACY_CRYPTO_CERT
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -142,6 +143,14 @@ config X509_CERTIFICATE_PARSER_LEGACY
This option chooses legacy certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_LEGACY
+ bool "PKCS#7 message parser with legacy certificate library"
+ depends on X509_CERTIFICATE_PARSER_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -284,6 +293,7 @@ config MBEDTLS_LIB_X509
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -306,6 +316,14 @@ config X509_CERTIFICATE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_MBEDTLS
+ bool "PKCS#7 message parser with MbedTLS certificate library"
+ depends on X509_CERTIFICATE_PARSER_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index ab64365a99a..36eba07bf43 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -16,6 +16,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
+obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -49,5 +50,5 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pkcs7.o
diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c
new file mode 100644
index 000..69ca784858e
--- /dev/null
+++ b/lib/mbedtls/pkcs7_parser.c
@@ -0,0 +1,506 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * PKCS#7 parser using MbedTLS PKCS#7 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+static void pkcs7_free_mbedtls_ctx(struct pkcs7_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->content_data);
+ kfree(ctx);
+ }
+}
+
+static void pkcs7_free_sinfo_mbedtls_ctx(struct pkcs7_sinfo_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->authattrs_data);
+ kfree(ctx->content_data_digest);
+ kfree(ctx);
+ }
+}
+
+/*
+ * Parse Authenticate Attributes
+ * TODO: Shall we consider to integrate decoding of authenticate attribute into
+ * MbedTLS library?
+ *
+ * There are two kinds of structure for the Authenticate Attributes being used
+ * in U-Boot.
+ *
+ * Type 1 - contains in a PE/COFF EFI image:
+ *
+ * [C.P.0] {
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType)
+ * U.P.SET {
+ *U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.
[PATCH v6 14/28] x509: move common functions to x509 helper
Move x509_check_for_self_signed as a common helper function
that can be shared by legacy crypto lib and MbedTLS implementation.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- Removed authorship.
Changes in v6
- None.
lib/crypto/Makefile | 1 +
lib/crypto/x509_helper.c | 64
lib/crypto/x509_public_key.c | 56 +--
3 files changed, 66 insertions(+), 55 deletions(-)
create mode 100644 lib/crypto/x509_helper.c
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4ad1849040d..946cc3a7b59 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -37,6 +37,7 @@ x509_key_parser-y := \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
+ x509_helper.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_helper.c b/lib/crypto/x509_helper.c
new file mode 100644
index 000..87e8ff67ae1
--- /dev/null
+++ b/lib/crypto/x509_helper.c
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 helper functions
+ *
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
+ * Written by David Howells (dhowe...@redhat.com)
+ */
+#include
+#include
+#include
+
+/*
+ * Check for self-signedness in an X.509 cert and if found, check the signature
+ * immediately if we can.
+ */
+int x509_check_for_self_signed(struct x509_certificate *cert)
+{
+ int ret = 0;
+
+ if (cert->raw_subject_size != cert->raw_issuer_size ||
+ memcmp(cert->raw_subject, cert->raw_issuer,
+ cert->raw_issuer_size))
+ goto not_self_signed;
+
+ if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
+ /*
+* If the AKID is present it may have one or two parts. If
+* both are supplied, both must match.
+*/
+ bool a = asymmetric_key_id_same(cert->skid,
+ cert->sig->auth_ids[1]);
+ bool b = asymmetric_key_id_same(cert->id,
+ cert->sig->auth_ids[0]);
+
+ if (!a && !b)
+ goto not_self_signed;
+
+ ret = -EKEYREJECTED;
+ if (((a && !b) || (b && !a)) &&
+ cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
+ goto out;
+ }
+
+ ret = -EKEYREJECTED;
+ if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo))
+ goto out;
+
+ ret = public_key_verify_signature(cert->pub, cert->sig);
+ if (ret == -ENOPKG) {
+ cert->unsupported_sig = true;
+ goto not_self_signed;
+ }
+ if (ret < 0)
+ goto out;
+
+ pr_devel("Cert Self-signature verified");
+ cert->self_signed = true;
+
+out:
+ return ret;
+
+not_self_signed:
+ return 0;
+}
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index a10145a7cdc..4ba13c1adc3 100644
--- a/lib/crypto/x509_public_key.c
+++ b/lib/crypto/x509_public_key.c
@@ -139,61 +139,7 @@ error:
return ret;
}
-/*
- * Check for self-signedness in an X.509 cert and if found, check the signature
- * immediately if we can.
- */
-int x509_check_for_self_signed(struct x509_certificate *cert)
-{
- int ret = 0;
-
- pr_devel("==>%s()\n", __func__);
-
- if (cert->raw_subject_size != cert->raw_issuer_size ||
- memcmp(cert->raw_subject, cert->raw_issuer,
- cert->raw_issuer_size) != 0)
- goto not_self_signed;
-
- if (cert->sig->auth_ids[0] || cert->sig->auth_ids[1]) {
- /* If the AKID is present it may have one or two parts. If
-* both are supplied, both must match.
-*/
- bool a = asymmetric_key_id_same(cert->skid,
cert->sig->auth_ids[1]);
- bool b = asymmetric_key_id_same(cert->id,
cert->sig->auth_ids[0]);
-
- if (!a && !b)
- goto not_self_signed;
-
- ret = -EKEYREJECTED;
- if (((a && !b) || (b && !a)) &&
- cert->sig->auth_ids[0] && cert->sig->auth_ids[1])
- goto out;
- }
-
- ret = -EKEYREJECTED;
- if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0)
- goto out;
-
- ret = public_key_verify_signature(cert->pub, cert->sig);
- if (ret < 0) {
- if (ret == -ENOPKG) {
- cert->unsupported_sig = true;
- ret = 0;
- }
-
[PATCH v6 11/28] mbedtls/external: support decoding multiple signer's cert
Support decoding multiple signer's cert in the signed data within
a PKCS7 message.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
lib/mbedtls/external/mbedtls/library/pkcs7.c | 75
1 file changed, 47 insertions(+), 28 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index da73fb341d6..01105227d7a 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -61,6 +61,36 @@ static int pkcs7_get_next_content_len(unsigned char **p,
unsigned char *end,
return ret;
}
+/**
+ * Get and decode one cert from a sequence.
+ * Return 0 for success,
+ * Return negative error code for failure.
+ **/
+static int pkcs7_get_one_cert(unsigned char **p, unsigned char *end,
+ mbedtls_x509_crt *certs)
+{
+int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+size_t len = 0;
+unsigned char *start = *p;
+unsigned char *end_cert;
+
+ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
+if (ret != 0) {
+return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret);
+}
+
+end_cert = *p + len;
+
+if ((ret = mbedtls_x509_crt_parse_der(certs, start, end_cert - start)) <
0) {
+return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+}
+
+*p = end_cert;
+
+return 0;
+}
+
/**
* version Version
* Version ::= INTEGER
@@ -178,11 +208,12 @@ static int pkcs7_get_certificates(unsigned char **p,
unsigned char *end,
mbedtls_x509_crt *certs)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-size_t len1 = 0;
-size_t len2 = 0;
-unsigned char *end_set, *end_cert, *start;
+size_t len = 0;
+unsigned char *end_set;
+int num_of_certs = 0;
-ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+/* Get the set of certs */
+ret = mbedtls_asn1_get_tag(p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
return 0;
@@ -190,38 +221,26 @@ static int pkcs7_get_certificates(unsigned char **p,
unsigned char *end,
if (ret != 0) {
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
-start = *p;
-end_set = *p + len1;
+end_set = *p + len;
-ret = mbedtls_asn1_get_tag(p, end_set, &len2, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_SEQUENCE);
+ret = pkcs7_get_one_cert(p, end_set, certs);
if (ret != 0) {
-return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CERT, ret);
+return ret;
}
-end_cert = *p + len2;
+num_of_certs++;
-/*
- * This is to verify that there is only one signer certificate. It seems
it is
- * not easy to differentiate between the chain vs different signer's
certificate.
- * So, we support only the root certificate and the single signer.
- * The behaviour would be improved with addition of multiple signer
support.
- */
-if (end_cert != end_set) {
-return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
-}
-
-if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
-return MBEDTLS_ERR_PKCS7_INVALID_CERT;
+while (*p != end_set) {
+ret = pkcs7_get_one_cert(p, end_set, certs);
+if (ret != 0) {
+return ret;
+}
+num_of_certs++;
}
-*p = end_cert;
+*p = end_set;
-/*
- * Since in this version we strictly support single certificate, and
reaching
- * here implies we have parsed successfully, we return 1.
- */
-return 1;
+return num_of_certs;
}
/**
--
2.25.1
[PATCH v6 09/28] mbedtls/external: support Microsoft Authentication Code
Populate Microsoft Authentication Code from the content data
into PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs for describing objects using for Microsoft Authentication
Code.
The PR for this patch is at:
https://github.com/Mbed-TLS/mbedtls/pull/9001
For enabling EFI loader PKCS7 features with MbedTLS build,
we need this patch on top of MbedTLS v3.6.0 before it is merged into
the next MbedTLS LTS release.
Signed-off-by: Raymond Mao
---
Changes in v2
- None.
Changes in v3
- Update commit message.
Changes in v4
- None.
Changes in v5
- None.
Changes in v6
- None.
.../external/mbedtls/include/mbedtls/oid.h| 30 ++
.../external/mbedtls/include/mbedtls/pkcs7.h | 10
lib/mbedtls/external/mbedtls/library/pkcs7.c | 60 +++
3 files changed, 90 insertions(+), 10 deletions(-)
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
index fdc25ebf885..2ee982808fa 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/oid.h
@@ -352,6 +352,36 @@
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_128_CBC MBEDTLS_OID_PKCS12_PBE
"\x05" /**< pbeWithSHAAnd128BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 5}
*/
#define MBEDTLS_OID_PKCS12_PBE_SHA1_RC2_40_CBC MBEDTLS_OID_PKCS12_PBE
"\x06" /**< pbeWithSHAAnd40BitRC2-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 6} */
+/*
+ * MicroSoft Authenticate Code OIDs
+ */
+#define MBEDTLS_OID_PRIVATE_ENTERPRISE MBEDTLS_OID_INTERNET
"\x04\x01" /* {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) */
+#define MBEDTLS_OID_MICROSOFT "\x82\x37" /*
{microsoft(311)} */
+/*
+ * OID_msIndirectData: (1.3.6.1.4.1.311.2.1.4)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 4(4)}
+ */
+#define MBEDTLS_OID_MICROSOFT_INDIRECTDATA MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x04"
+/*
+ * OID_msStatementType: (1.3.6.1.4.1.311.2.1.11)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 11(11)}
+ */
+#define MBEDTLS_OID_MICROSOFT_STATETYPE MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0b"
+/*
+ * OID_msSpOpusInfo: (1.3.6.1.4.1.311.2.1.12)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 12(12)}
+ */
+#define MBEDTLS_OID_MICROSOFT_SPOPUSINFO MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0b"
+/*
+ * OID_msPeImageDataObjId: (1.3.6.1.4.1.311.2.1.15)
+ * {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 2(2) 1(1) 15(15)}
+ */
+#define MBEDTLS_OID_MICROSOFT_PEIMAGEDATA MBEDTLS_OID_PRIVATE_ENTERPRISE
MBEDTLS_OID_MICROSOFT \
+"\x02\x01\x0f"
+
/*
* EC key algorithms from RFC 5480
*/
diff --git a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
index e9b482208e6..9e29b74af70 100644
--- a/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
+++ b/lib/mbedtls/external/mbedtls/include/mbedtls/pkcs7.h
@@ -132,12 +132,22 @@ typedef struct mbedtls_pkcs7_signed_data {
}
mbedtls_pkcs7_signed_data;
+/* Content Data for MicroSoft Authentication Code using in U-Boot Secure Boot
*/
+typedef struct mbedtls_pkcs7_conten_data {
+int data_type; /* Type of Data */
+size_t data_len;/* Length of Data */
+size_t data_hdrlen; /* Length of Data ASN.1 header */
+void *data; /* Content Data */
+}
+mbedtls_pkcs7_conten_data;
+
/**
* Structure holding PKCS #7 structure, only signed data for now
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
+mbedtls_pkcs7_conten_data content_data;
}
mbedtls_pkcs7;
diff --git a/lib/mbedtls/external/mbedtls/library/pkcs7.c
b/lib/mbedtls/external/mbedtls/library/pkcs7.c
index 3aac662ba69..0c2436b56b7 100644
--- a/lib/mbedtls/external/mbedtls/library/pkcs7.c
+++ b/lib/mbedtls/external/mbedtls/library/pkcs7.c
@@ -29,6 +29,13 @@
#include
#endif
+enum OID {
+/* PKCS#7 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7)}
*/
+MBEDTLS_OID_DATA = 13, /* 1.2.840.113549.1.7.1 */
+/* Microsoft Authenticode & Software Publishing */
+MBEDTLS_OID_MS_INDIRECTDATA = 24,/* 1.3.6.1.4.1.311.2.1.4 */
+};
+
/**
* Initializes the mbedtls_pkcs7 structure.
*/
@@ -449,7 +456,7 @@ cleanup:
* signerInfos SignerInfos }
*/
static int pkcs7_get_signed_data(unsigned char *buf, size_t buflen,
- mbedtls_pkcs7_signed_data *signed_data)
+ mbedtls_pkcs7 *pkcs7)
{
unsi
[PATCH v6 07/28] hash: integrate hash on mbedtls
Integrate common/hash.c on the hash shim layer so that hash APIs
from mbedtls can be leveraged by boot/image and efi_loader.
Signed-off-by: Raymond Mao
---
Changes in v2
- Use the original head files instead of creating new ones.
Changes in v3
- Add handle checkers for malloc.
Changes in v4
- None.
Changes in v5
- Add __maybe_unused to solve linker errors in some platforms.
- replace malloc with calloc.
Changes in v6
- None.
common/hash.c | 146 ++
1 file changed, 146 insertions(+)
diff --git a/common/hash.c b/common/hash.c
index ac63803fed9..d25fc4854c7 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -35,6 +35,144 @@
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
+
+static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void **ctxp)
+{
+ int ret;
+ mbedtls_sha1_context *ctx = calloc(1, sizeof(*ctx));
+
+ if (!ctx)
+ return -ENOMEM;
+
+ mbedtls_sha1_init(ctx);
+ ret = mbedtls_sha1_starts(ctx);
+ if (!ret) {
+ *ctxp = ctx;
+ } else {
+ mbedtls_sha1_free(ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+static int __maybe_unused hash_update_sha1(struct hash_algo *algo, void *ctx,
+ const void *buf, unsigned int size,
+ int is_last)
+{
+ return mbedtls_sha1_update((mbedtls_sha1_context *)ctx, buf, size);
+}
+
+static int __maybe_unused
+hash_finish_sha1(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
+{
+ int ret;
+
+ if (size < algo->digest_size)
+ return -1;
+
+ ret = mbedtls_sha1_finish((mbedtls_sha1_context *)ctx, dest_buf);
+ if (!ret) {
+ mbedtls_sha1_free((mbedtls_sha1_context *)ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+static int __maybe_unused hash_init_sha256(struct hash_algo *algo, void **ctxp)
+{
+ int ret;
+ int is224 = algo->digest_size == SHA224_SUM_LEN ? 1 : 0;
+ mbedtls_sha256_context *ctx = calloc(1, sizeof(*ctx));
+
+ if (!ctx)
+ return -ENOMEM;
+
+ mbedtls_sha256_init(ctx);
+ ret = mbedtls_sha256_starts(ctx, is224);
+ if (!ret) {
+ *ctxp = ctx;
+ } else {
+ mbedtls_sha256_free(ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+static int __maybe_unused hash_update_sha256(struct hash_algo *algo, void *ctx,
+const void *buf, uint size,
+int is_last)
+{
+ return mbedtls_sha256_update((mbedtls_sha256_context *)ctx, buf, size);
+}
+
+static int __maybe_unused
+hash_finish_sha256(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
+{
+ int ret;
+
+ if (size < algo->digest_size)
+ return -1;
+
+ ret = mbedtls_sha256_finish((mbedtls_sha256_context *)ctx, dest_buf);
+ if (!ret) {
+ mbedtls_sha256_free((mbedtls_sha256_context *)ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+static int __maybe_unused hash_init_sha512(struct hash_algo *algo, void **ctxp)
+{
+ int ret;
+ int is384 = algo->digest_size == SHA384_SUM_LEN ? 1 : 0;
+ mbedtls_sha512_context *ctx = calloc(1, sizeof(*ctx));
+
+ if (!ctx)
+ return -ENOMEM;
+
+ mbedtls_sha512_init(ctx);
+ ret = mbedtls_sha512_starts(ctx, is384);
+ if (!ret) {
+ *ctxp = ctx;
+ } else {
+ mbedtls_sha512_free(ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+static int __maybe_unused hash_update_sha512(struct hash_algo *algo, void *ctx,
+const void *buf, uint size,
+int is_last)
+{
+ return mbedtls_sha512_update((mbedtls_sha512_context *)ctx, buf, size);
+}
+
+static int __maybe_unused
+hash_finish_sha512(struct hash_algo *algo, void *ctx, void *dest_buf, int size)
+{
+ int ret;
+
+ if (size < algo->digest_size)
+ return -1;
+
+ ret = mbedtls_sha512_finish((mbedtls_sha512_context *)ctx, dest_buf);
+ if (!ret) {
+ mbedtls_sha512_free((mbedtls_sha512_context *)ctx);
+ free(ctx);
+ }
+
+ return ret;
+}
+
+#else /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */
+
static int __maybe_unused hash_init_sha1(struct hash_algo *algo, void **ctxp)
{
sha1_context *ctx = malloc(sizeof(sha1_context));
@@ -143,6 +281,8 @@ static int __maybe_unused hash_finish_sha512(struct
hash_algo *algo, void *ctx,
return 0;
}
+#endif /* CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) */
+
static int hash_init_crc16_ccitt(struct hash_algo *algo, void **ctxp)
{
uint16_t *ctx = malloc(sizeof(uint16_t));
@@ -267,10 +407,16 @@
[PATCH v6 06/28] mbedtls: add digest shim layer for MbedTLS
Implement digest shim layer on top of MbedTLS crypto library.
Introduce _MBEDTLS kconfig for MbedTLS crypto implementations.
Signed-off-by: Raymond Mao
---
Changes in v2
- Split the shim layer into separated files and use the original head
files instead of creating new ones.
Changes in v3
- Refactored sha1_hmac and removed non-watchdog md5 function.
Changes in v4
- Refactored hash _wd functions.
- Introduce _MBEDTLS kconfig for MbedTLS crypto implementations.
Changes in v5
- Correct kconfig dependence.
- Refactored MbedTLS makefile.
Changes in v6
- None.
include/u-boot/sha1.h | 4 ++
lib/mbedtls/Kconfig | 90 +++
lib/mbedtls/Makefile | 14 --
lib/mbedtls/md5.c | 57 +
lib/mbedtls/sha1.c| 99 +++
lib/mbedtls/sha256.c | 62 +++
lib/mbedtls/sha512.c | 93
7 files changed, 415 insertions(+), 4 deletions(-)
create mode 100644 lib/mbedtls/md5.c
create mode 100644 lib/mbedtls/sha1.c
create mode 100644 lib/mbedtls/sha256.c
create mode 100644 lib/mbedtls/sha512.c
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index 36c3db15e22..2fca7f1be16 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -41,6 +41,10 @@ extern "C" {
#define SHA1_DEF_CHUNK_SZ 0x1
+#define K_IPAD_VAL 0x36
+#define K_OPAD_VAL 0x5C
+#define K_PAD_LEN 64
+
extern const uint8_t sha1_der_prefix[];
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index efae2c4fd72..12f8c965f5a 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -126,9 +126,99 @@ if MBEDTLS_LIB
config MBEDTLS_LIB_CRYPTO
bool "MbedTLS crypto libraries"
+ select MD5_MBEDTLS if MD5
+ select SHA1_MBEDTLS if SHA1
+ select SHA256_MBEDTLS if SHA256
+ select SHA512_MBEDTLS if SHA512
+ select SHA384_MBEDTLS if SHA384
+ select SPL_MD5_MBEDTLS if SPL_MD5
+ select SPL_SHA1_MBEDTLS if SPL_SHA1
+ select SPL_SHA256_MBEDTLS if SPL_SHA256
+ select SPL_SHA512_MBEDTLS if SPL_SHA512
+ select SPL_SHA384_MBEDTLS if SPL_SHA384
help
Enable MbedTLS crypto libraries.
+if MBEDTLS_LIB_CRYPTO
+
+config SHA1_MBEDTLS
+ bool "Enable SHA1 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with MbedTLS crypto library.
+
+config SHA256_MBEDTLS
+ bool "Enable SHA256 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with MbedTLS crypto library.
+
+config SHA512_MBEDTLS
+ bool "Enable SHA512 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA512
+ default y if TI_SECURE_DEVICE && FIT_SIGNATURE
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with MbedTLS crypto library.
+
+config SHA384_MBEDTLS
+ bool "Enable SHA384 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SHA384
+ select SHA512_MBEDTLS
+ help
+ This option enables support of hashing using SHA384 algorithm
+ with MbedTLS crypto library.
+
+config MD5_MBEDTLS
+ bool "Enable MD5 support with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && MD5
+ help
+ This option enables support of hashing using MD5 algorithm
+ with MbedTLS crypto library.
+
+if SPL
+
+config SPL_SHA1_MBEDTLS
+ bool "Enable SHA1 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA1
+ help
+ This option enables support of hashing using SHA1 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA256_MBEDTLS
+ bool "Enable SHA256 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA256
+ help
+ This option enables support of hashing using SHA256 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA512_MBEDTLS
+ bool "Enable SHA512 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA512
+ help
+ This option enables support of hashing using SHA512 algorithm
+ with MbedTLS crypto library.
+
+config SPL_SHA384_MBEDTLS
+ bool "Enable SHA384 support in SPL with MbedTLS crypto library"
+ depends on MBEDTLS_LIB_CRYPTO && SPL_SHA384
+ select SPL_SHA512
+ help
+ This option enables support of hashing using SHA384 algorithm
+ with MbedTLS crypto libra
[PATCH v6 05/28] sha1: Remove sha1 non-watchdog API
We don't need an API specially for non-watchdog since sha1_csum_wd
supports it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x1 as default chunk size for SHA1.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
---
Changes in v4
- Initial patch.
Changes in v5
- None.
Changes in v6
- None.
board/gdsys/a38x/hre.c | 2 +-
include/u-boot/sha1.h | 12 ++--
lib/sha1.c | 13 -
lib/tpm-v1.c | 2 +-
4 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/board/gdsys/a38x/hre.c b/board/gdsys/a38x/hre.c
index f303793b63b..06856ea36d3 100644
--- a/board/gdsys/a38x/hre.c
+++ b/board/gdsys/a38x/hre.c
@@ -166,7 +166,7 @@ static int find_key(struct udevice *tpm, const uint8_t
auth[20],
return -1;
if (err)
continue;
- sha1_csum(buf, buf_len, digest);
+ sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ);
if (!memcmp(digest, pubkey_digest, 20)) {
*handle = key_handles[i];
return 0;
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index ab88134fb98..36c3db15e22 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -39,6 +39,8 @@ extern "C" {
#define SHA1_SUM_LEN 20
#define SHA1_DER_LEN 15
+#define SHA1_DEF_CHUNK_SZ 0x1
+
extern const uint8_t sha1_der_prefix[];
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
@@ -81,16 +83,6 @@ void sha1_update(sha1_context *ctx, const unsigned char
*input,
*/
void sha1_finish( sha1_context *ctx, unsigned char output[20] );
-/**
- * \brief Output = SHA-1( input buffer )
- *
- * \param inputbuffer holding the data
- * \param ilenlength of the input data
- * \param output SHA-1 checksum result
- */
-void sha1_csum(const unsigned char *input, unsigned int ilen,
- unsigned char *output);
-
/**
* \brief Output = SHA-1( input buffer ), with watchdog triggering
*
diff --git a/lib/sha1.c b/lib/sha1.c
index 7ef536f4b5d..81412283b49 100644
--- a/lib/sha1.c
+++ b/lib/sha1.c
@@ -304,19 +304,6 @@ void sha1_finish (sha1_context * ctx, unsigned char
output[20])
PUT_UINT32_BE (ctx->state[4], output, 16);
}
-/*
- * Output = SHA-1( input buffer )
- */
-void sha1_csum(const unsigned char *input, unsigned int ilen,
- unsigned char *output)
-{
- sha1_context ctx;
-
- sha1_starts (&ctx);
- sha1_update (&ctx, input, ilen);
- sha1_finish (&ctx, output);
-}
-
/*
* Output = SHA-1( input buffer ). Trigger the watchdog every 'chunk_sz'
* bytes of input processed.
diff --git a/lib/tpm-v1.c b/lib/tpm-v1.c
index e66023da5e6..a6727c575fd 100644
--- a/lib/tpm-v1.c
+++ b/lib/tpm-v1.c
@@ -871,7 +871,7 @@ u32 tpm1_find_key_sha1(struct udevice *dev, const u8
auth[20],
return -1;
if (err)
continue;
- sha1_csum(buf, buf_len, digest);
+ sha1_csum_wd(buf, buf_len, digest, SHA1_DEF_CHUNK_SZ);
if (!memcmp(digest, pubkey_digest, 20)) {
*handle = key_handles[i];
return 0;
--
2.25.1
[PATCH v6 04/28] md5: Remove md5 non-watchdog API
We don't need an API specially for non-watchdog since md5_wd supports
it by disabling CONFIG_HW_WATCHDOG and CONFIG_WATCHDOG.
Set 0x1 as default chunk size for MD5.
Signed-off-by: Raymond Mao
Reviewed-by: Ilias Apalodimas
Reviewed-by: Michal Simek
---
Changes in v3
- Initial patch.
Changes in v4
- Update commit message.
Changes in v5
- None.
Changes in v6
- None.
board/friendlyarm/nanopi2/board.c | 3 ++-
board/intel/edison/edison.c | 3 ++-
board/xilinx/zynq/bootimg.c | 2 +-
include/u-boot/md5.h | 7 +--
lib/md5.c | 14 --
5 files changed, 6 insertions(+), 23 deletions(-)
diff --git a/board/friendlyarm/nanopi2/board.c
b/board/friendlyarm/nanopi2/board.c
index c8cbc5a15fa..2d764e8eef3 100644
--- a/board/friendlyarm/nanopi2/board.c
+++ b/board/friendlyarm/nanopi2/board.c
@@ -263,7 +263,8 @@ static void make_ether_addr(u8 *addr)
hash[6] = readl(PHY_BASEADDR_ECID + 0x08);
hash[7] = readl(PHY_BASEADDR_ECID + 0x0c);
- md5((unsigned char *)&hash[4], 64, (unsigned char *)hash);
+ md5_wd((unsigned char *)&hash[4], 64, (unsigned char *)hash,
+ MD5_DEF_CHUNK_SZ);
hash[0] ^= hash[2];
hash[1] ^= hash[3];
diff --git a/board/intel/edison/edison.c b/board/intel/edison/edison.c
index 911ffda2fc7..27fda3fc1d2 100644
--- a/board/intel/edison/edison.c
+++ b/board/intel/edison/edison.c
@@ -32,7 +32,8 @@ static void assign_serial(void)
if (!mmc)
return;
- md5((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn);
+ md5_wd((unsigned char *)mmc->cid, sizeof(mmc->cid), ssn,
+ MD5_DEF_CHUNK_SZ);
snprintf(usb0addr, sizeof(usb0addr), "02:00:86:%02x:%02x:%02x",
ssn[13], ssn[14], ssn[15]);
diff --git a/board/xilinx/zynq/bootimg.c b/board/xilinx/zynq/bootimg.c
index 79bec3a4cfb..9eb0735f55d 100644
--- a/board/xilinx/zynq/bootimg.c
+++ b/board/xilinx/zynq/bootimg.c
@@ -135,7 +135,7 @@ int zynq_validate_partition(u32 start_addr, u32 len, u32
chksum_off)
memcpy(&checksum[0], (u32 *)chksum_off, MD5_CHECKSUM_SIZE);
- md5_wd((u8 *)start_addr, len, &calchecksum[0], 0x1);
+ md5_wd((u8 *)start_addr, len, &calchecksum[0], MD5_DEF_CHUNK_SZ);
if (!memcmp(checksum, calchecksum, MD5_CHECKSUM_SIZE))
return 0;
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index 69898fcbe49..c98b1a58088 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -12,6 +12,7 @@
#include "compiler.h"
#define MD5_SUM_LEN16
+#define MD5_DEF_CHUNK_SZ 0x1
#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
typedef mbedtls_md5_context MD5Context;
@@ -30,12 +31,6 @@ void MD5Init(MD5Context *ctx);
void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
void MD5Final(unsigned char digest[16], MD5Context *ctx);
-/*
- * Calculate and store in 'output' the MD5 digest of 'len' bytes at
- * 'input'. 'output' must have enough space to hold 16 bytes.
- */
-void md5 (unsigned char *input, int len, unsigned char output[16]);
-
/*
* Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'.
* 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the
diff --git a/lib/md5.c b/lib/md5.c
index 584463d55ca..2d8977b2e85 100644
--- a/lib/md5.c
+++ b/lib/md5.c
@@ -262,20 +262,6 @@ MD5Transform(__u32 buf[4], __u32 const in[16])
buf[3] += d;
}
-/*
- * Calculate and store in 'output' the MD5 digest of 'len' bytes at
- * 'input'. 'output' must have enough space to hold 16 bytes.
- */
-void
-md5 (unsigned char *input, int len, unsigned char output[16])
-{
- MD5Context context;
-
- MD5Init(&context);
- MD5Update(&context, input, len);
- MD5Final(output, &context);
-}
-
/*
* Calculate and store in 'output' the MD5 digest of 'len' bytes at 'input'.
* 'output' must have enough space to hold 16 bytes. If 'chunk' Trigger the
--
2.25.1
[PATCH v6 03/28] lib: Adapt digest header files to MbedTLS
Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO.
Introduce _LEGACY kconfig for legacy hash implementations.
`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including causes undefined reference on schedule()
with sandbox build, as includes
which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule()
are defined in sandbox build,
Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.
Signed-off-by: Raymond Mao
---
Changes in v2
- Initial patch.
Changes in v3
- Remove the changes that were done in previous clean-up patch set.
Changes in v4
- Introduce _LEGACY kconfig for legacy hash implementations.
Changes in v5
- Correct header file include directories.
- Correct kconfig dependence.
Changes in v6
- Update commit message.
- Rebased on next branch.
include/u-boot/md5.h| 7
include/u-boot/sha1.h | 21 +-
include/u-boot/sha256.h | 20 +
include/u-boot/sha512.h | 9
lib/Makefile| 10 +++--
lib/mbedtls/Kconfig | 91 +
6 files changed, 153 insertions(+), 5 deletions(-)
diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
index c465925ea8d..69898fcbe49 100644
--- a/include/u-boot/md5.h
+++ b/include/u-boot/md5.h
@@ -6,10 +6,16 @@
#ifndef _MD5_H
#define _MD5_H
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include
+#endif
#include "compiler.h"
#define MD5_SUM_LEN16
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_md5_context MD5Context;
+#else
typedef struct MD5Context {
__u32 buf[4];
__u32 bits[2];
@@ -18,6 +24,7 @@ typedef struct MD5Context {
__u32 in32[16];
};
} MD5Context;
+#endif
void MD5Init(MD5Context *ctx);
void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
index c1e9f67068d..ab88134fb98 100644
--- a/include/u-boot/sha1.h
+++ b/include/u-boot/sha1.h
@@ -16,6 +16,21 @@
#include
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including is not allowed,
+ * since this will include and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include
+#endif
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -26,6 +41,9 @@ extern "C" {
extern const uint8_t sha1_der_prefix[];
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha1_context sha1_context;
+#else
/**
* \brief SHA-1 context structure
*/
@@ -36,13 +54,14 @@ typedef struct
unsigned char buffer[64]; /*!< data block being processed */
}
sha1_context;
+#endif
/**
* \brief SHA-1 context setup
*
* \param ctx SHA-1 context to be initialized
*/
-void sha1_starts( sha1_context *ctx );
+void sha1_starts(sha1_context *ctx);
/**
* \brief SHA-1 process buffer
diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
index a4fe176c0b4..b58d5b58d39 100644
--- a/include/u-boot/sha256.h
+++ b/include/u-boot/sha256.h
@@ -3,6 +3,22 @@
#include
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+/*
+ * FIXME:
+ * MbedTLS define the members of "mbedtls_sha256_context" as private,
+ * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access.
+ * Directly including is not allowed,
+ * since this will include and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#include
+#endif
+
+#define SHA224_SUM_LEN 28
#define SHA256_SUM_LEN 32
#define SHA256_DER_LEN 19
@@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[];
/* Reset watchdog each time we process this many bytes */
#define CHUNKSZ_SHA256 (64 * 1024)
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha256_context sha256_context;
+#else
typedef struct {
uint32_t total[2];
uint32_t state[8];
uint8_t buffer[64];
} sha256_context;
+#endif
void sha256_starts(sha256_context * ctx);
void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length);
diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
index 83c2119cd26..7e10f590a1d 100644
--- a/include/u-boot/sha512.h
+++ b/include/u-boot/sha512.h
@@ -3,6 +3,10 @@
#include
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+#include
+#endif
+
#define SHA384_SUM_LEN 48
#define SHA384_DER_LEN 19
#define SHA512_SUM_LEN 64
@@ -12,11 +16,16 @@
#define CHUNKSZ_SHA384 (16 * 1024)
#define CHUNKSZ_SHA512 (16 * 1024)
+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
+typedef mbedtls_sha512_context sha384_context;
+typedef mbedtls
[PATCH v6 02/28] mbedtls: add mbedtls into the build system
Port mbedtls with adapted libc header files. Add mbedtls default config header file. Optimize mbedtls default config by disabling unused features to reduce the target size. Add mbedtls kbuild makefile. Add Kconfig skeleton and config submenu entry for selecting crypto libraries between mbedtls and legacy ones. Add the mbedtls include directories into the build system. Subsequent patches will separate those Kconfigs into pairs of _LEGACY and _MBEDTLS for controlling the implementations of legacy crypto libraries and MbedTLS ones respectively. The motivation of moving and adapting *INT* macros from kernel.h to limits.h is to fullfill the MbedTLS building requirement. The conditional compilation statements in MbedTLS expects the *INT* macros as constant expressions, thus expressions like `((int)(~0U >> 1))` will not work. Prerequisite This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via: $ git subtree add --prefix lib/mbedtls/external/mbedtls \ https://github.com/Mbed-TLS/mbedtls.git \ v3.6.0 --squash Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually: $ git add --renormalize . $ git commit Signed-off-by: Raymond Mao --- Changes in v2 - Disabled unused MbedTLS features to optimize the target size. Changes in v3 - Removed changes in stdio.h. Changes in v4 - Move limits.h as a common header file that is included by kernel.h. - Refactor the Kconfig to support legacy and MbedTLS options for each algorithm. - Refactor MbedTLS makefile and default config file to remove unused config options and objects. Changes in v5 - Merged patch #9 of v4 into this patch. - Removed unused config MBEDTLS_LIB_TLS. - Refactored MbedTLS Makefile and default config file. Changes in v6 - Fixed UINT64_MAX. - Removed copy right statement from limits.h Makefile | 6 +++ include/limits.h | 25 include/linux/kernel.h | 13 +- include/stdlib.h | 1 + lib/Kconfig | 4 ++ lib/Makefile | 2 + lib/mbedtls/Kconfig | 47 ++ lib/mbedtls/Makefile | 41 +++ lib/mbedtls/mbedtls_def_config.h | 69 lib/mbedtls/port/assert.h| 12 ++ 10 files changed, 208 insertions(+), 12 deletions(-) create mode 100644 include/limits.h create mode 100644 lib/mbedtls/Kconfig create mode 100644 lib/mbedtls/Makefile create mode 100644 lib/mbedtls/mbedtls_def_config.h create mode 100644 lib/mbedtls/port/assert.h diff --git a/Makefile b/Makefile index b35a472d9be..3c506c299a1 100644 --- a/Makefile +++ b/Makefile @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) UBOOTINCLUDE:= \ -Iinclude \ $(if $(KBUILD_SRC), -I$(srctree)/include) \ + $(if $(CONFIG_MBEDTLS_LIB), \ + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ + -I$(srctree)/lib/mbedtls \ + -I$(srctree)/lib/mbedtls/port \ + -I$(srctree)/lib/mbedtls/external/mbedtls \ + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ $(if $(CONFIG_HAS_THUMB2), \ $(if $(CONFIG_CPU_V7M), \ diff --git a/include/limits.h b/include/limits.h new file mode 100644 index 000..be219ddbfca --- /dev/null +++ b/include/limits.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ + +#ifndef _LIMITS_H +#define _LIMITS_H + +#define INT_MAX 0x7fff +#define UINT_MAX0xUL +#define CHAR_BIT8 +#define UINT32_MAX 0xUL +#define UINT64_MAX 0xULL + +#ifdef CONFIG_64BIT +#define UINTPTR_MAX UINT64_MAX +#else +#define UINTPTR_MAX UINT32_MAX +#endif + +#ifndef SIZE_MAX +#define SIZE_MAXUINTPTR_MAX +#endif +#ifndef SSIZE_MAX +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) +#endif + +#endif /* _LIMITS_H */ diff --git a/include/linux/kernel.h b/include/linux/kernel.h index 939465f372b..9467edd65ab 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -3,25 +3,18 @@ #include #include /* for printf/pr_* utilities */ +#include #define USHRT_MAX ((u16)(~0U)) #define SHRT_MAX ((s16)(USHRT_MAX>>1)) #define SHRT_MIN ((s16)(-SHRT_MAX - 1)) -#define INT_MAX((int)(~0U>>1)) #define INT_MIN(-INT_MAX - 1) -#define UINT_MAX (~0U) #define LONG_MAX ((long)(~0UL>>1)) #define LONG_MIN (-LONG_MAX - 1) #define ULONG_MAX (~0UL) #define LLONG_MAX ((long long)(~0ULL>>1)) #define LLONG_MIN (-LLONG_MAX - 1) #define ULLONG_MAX (~0ULL) -#ifndef SIZE_MAX -#define SIZE_MAX (~(size_t)0) -#endif -#ifndef SSIZE_MAX -#define SSIZE_MAX
[PATCH v6 00/28] Integrate MbedTLS v3.6 LTS with U-Boot
Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. Motivations: 1. MbedTLS is well maintained with LTS versions. 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. 3. MbedTLS recently switched license back to GPLv2. Prerequisite: - This patch series requires mbedtls git repo to be added as a subtree to the main U-Boot repo via: $ git subtree add --prefix lib/mbedtls/external/mbedtls \ https://github.com/Mbed-TLS/mbedtls.git \ v3.6.0 --squash Moreover, due to the Windows-style files from mbedtls git repo, we need to convert the CRLF endings to LF and do a commit manually: $ git add --renormalize . $ git commit New Kconfig options: `MBEDTLS_LIB` is for MbedTLS general switch. `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with MbedTLS. `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, and Pubkey parser with MbedTLS. `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are introduced. In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 are by default enabled in qemu_arm64_defconfig and sandbox_defconfig for testing purpose. Patches for external MbedTLS project: - Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs executables which is not supported by MbedTLS at the moment, addtional patches for MbedTLS are created to adapt with the EFI loader: 1. Decoding of Microsoft Authentication Code. 2. Decoding of PKCS#9 Authenticate Attributes. 3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates. 4. MbedTLS native test suites for PKCS#7 signer's info. All above 4 patches (tagged with `mbedtls/external`) are submitted to MbedTLS project and being reviewed, eventually they should be part of MbedTLS LTS release. But before that, please merge them into U-Boot, otherwise the building will be broken when MBEDTLS_LIB_X509 is enabled. See below PR link for the reference: https://github.com/Mbed-TLS/mbedtls/pull/9001 Miscellaneous: -- Optimized MbedTLS library size by tailoring the config file and disabling all unnecessary features for EFI loader. >From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, sha512) are completely replaced when MbedTLS is enabled. >From v3, the size-growth is slightly reduced by refactoring Hash functions. >From v6, smaller implementations for SHA256 and SHA512 are enabled and target size reduce significantly. Target(QEMU arm64) size-growth when enabling MbedTLS: v1: 6.03% v2: 4.66% v3 - v5: 4.55% v6: 2.90% Please see the latest output from buildman for size-growth on QEMU arm64, Sandbox and Nanopi A64. [1] Tests done: --- EFI Secure Boot test (EFI variables loading and verifying, EFI signed image verifying and booting) via U-Boot console. EFI Secure Boot and Capsule sandbox test passed. Known issues: - None. [1]: buildman output for size comparison (qemu_arm64, sandbox and nanopi_a64) ``` aarch64: (for 2/2 boards) all -1468.0 bss +16.0 data -64.0 rodata +200.0 text -1620.0 qemu_arm64 : all +4608 bss +80 data -64 rodata +200 text +4392 u-boot: add: 29/-17, grow: 12/-16 bytes: 13072/-8304 (4768) function old new delta mbedtls_internal_sha1_process-4540 +4540 mbedtls_internal_md5_process -2928 +2928 K- 896+896 mbedtls_sha256_finish- 484+484 mbedtls_internal_sha256_process - 432+432 mbedtls_sha1_finish - 420+420 mbedtls_internal_sha512_process - 412+412 mbedtls_sha512_finish- 360+360 mbedtls_sha512_starts- 340+340 mbedtls_md5_finish - 336+336 mbedtls_sha512_update- 264+264 mbedtls_sha256_update- 252+252 mbedtls_sha1_update - 236+236 mbedtls_md5_update - 236+236 mbedtls_sha512 - 148+148 mbedtls_sha256_starts- 124+124 hash_init_sha512
[PATCH 10/10] tests: update smbios pytest
Update the expected test result to align with the smbios library changes.
Signed-off-by: Raymond Mao
---
test/py/tests/test_smbios.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/py/tests/test_smbios.py b/test/py/tests/test_smbios.py
index 82b0b689830..ffa4ea795ec 100644
--- a/test/py/tests/test_smbios.py
+++ b/test/py/tests/test_smbios.py
@@ -32,7 +32,7 @@ def test_cmd_smbios_sandbox(u_boot_console):
"""Run the smbios command on the sandbox"""
output = u_boot_console.run_command('smbios')
assert 'DMI type 0,' in output
-assert 'String 1: U-Boot' in output
+assert 'Vendor: U-Boot' in output
assert 'DMI type 1,' in output
assert 'Manufacturer: sandbox' in output
assert 'DMI type 2,' in output
--
2.25.1
[PATCH 09/10] configs: Enable sysinfo for QEMU Arm64
Enable sysinfo smbios by default for Arm64. When SYSINFO_SMBIOS is enabled, disable QFW_SMBIOS. Signed-off-by: Raymond Mao --- configs/qemu_arm64_defconfig | 2 ++ drivers/misc/Kconfig | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 7e166f43908..dac656f5c88 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig @@ -60,6 +60,8 @@ CONFIG_PCIE_ECAM_GENERIC=y CONFIG_SCSI=y CONFIG_DEBUG_UART_PL011=y CONFIG_DEBUG_UART_SHIFT=2 +CONFIG_SYSINFO=y +CONFIG_SYSINFO_SMBIOS=y CONFIG_SYSRESET=y CONFIG_SYSRESET_CMD_POWEROFF=y CONFIG_SYSRESET_PSCI=y diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig index 6009d55f400..da84b35e804 100644 --- a/drivers/misc/Kconfig +++ b/drivers/misc/Kconfig @@ -568,7 +568,7 @@ config QFW_MMIO config QFW_SMBIOS bool default y - depends on QFW && SMBIOS && !SANDBOX + depends on QFW && SMBIOS && !SANDBOX && !SYSINFO_SMBIOS help Hidden option to read SMBIOS tables from QEMU. -- 2.25.1
[PATCH 08/10] armv8: Add sysinfo driver for cache information
Add cache information sysinfo driver containing necessary information
required by SMBIOS type 7 for all armv8 platforms.
Signed-off-by: Raymond Mao
---
arch/arm/cpu/armv8/sysinfo.c | 188 +++
1 file changed, 188 insertions(+)
diff --git a/arch/arm/cpu/armv8/sysinfo.c b/arch/arm/cpu/armv8/sysinfo.c
index a8e17d654be..73e071212ae 100644
--- a/arch/arm/cpu/armv8/sysinfo.c
+++ b/arch/arm/cpu/armv8/sysinfo.c
@@ -13,6 +13,30 @@
#define ELEMENT_RECORD_DATA_LEN 8
#define ELEMENT_RECORD_NUM 2
+union ccsidr_el1 {
+ struct {
+ u64 linesize:3;
+ u64 associativity:10;
+ u64 numsets:15;
+ u64 unknown:4;
+ u64 reserved:32;
+ } no_ccidx;
+ struct {
+ u64 linesize:3;
+ u64 associativity:21;
+ u64 reserved1:8;
+ u64 numsets:24;
+ u64 reserved2:8;
+ } ccidx_aarch64;
+ struct {
+ u64 linesize:3;
+ u64 associativity:21;
+ u64 reserved:8;
+ u64 unallocated:32;
+ } ccidx_aarch32;
+ u64 data;
+};
+
union midr_el1 {
struct {
u64 revision:4;
@@ -25,6 +49,28 @@ union midr_el1 {
u64 data;
};
+enum {
+ CACHE_NONE,
+ CACHE_INST_ONLY,
+ CACHE_DATA_ONLY,
+ CACHE_INST_WITH_DATA,
+ CACHE_UNIFIED,
+};
+
+enum {
+ CACHE_ASSOC_DIRECT_MAPPED = 1,
+ CACHE_ASSOC_2WAY = 2,
+ CACHE_ASSOC_4WAY = 4,
+ CACHE_ASSOC_8WAY = 8,
+ CACHE_ASSOC_16WAY = 16,
+ CACHE_ASSOC_12WAY = 12,
+ CACHE_ASSOC_24WAY = 24,
+ CACHE_ASSOC_32WAY = 32,
+ CACHE_ASSOC_48WAY = 48,
+ CACHE_ASSOC_64WAY = 64,
+ CACHE_ASSOC_20WAY = 20,
+};
+
enum {
VENDOR_RESERVED = 0,
VENDOR_ARM = 0x41,
@@ -47,6 +93,7 @@ struct __packed enclosure_element_record {
u8 data[ELEMENT_RECORD_DATA_LEN];
};
+struct cache_info cache_info_armv8[SYSINFO_CACHE_LVL_MAX];
struct processor_info processor_info_armv8;
/* Default data for the enclosure contained elements */
@@ -65,6 +112,144 @@ struct enclosure_element_record
contained_elements[ELEMENT_RECORD_NUM] = {
},
};
+/*
+ * TODO:
+ * To support ARMv8.3, we need to read "CCIDX, bits [23:20]" from
+ * ID_AA64MMFR2_EL1 to get the format of CCSIDR_EL1:
+ *
+ * 0b - 32-bit format implemented for all levels of the CCSIDR_EL1.
+ * 0b0001 - 64-bit format implemented for all levels of the CCSIDR_EL1.
+ *
+ * Here we assume to use CCSIDR_EL1 in no CCIDX layout:
+ * NumSets, bits [27:13]: (Number of sets in cache) - 1
+ * Associativity, bits [12:3]: (Associativity of cache) - 1
+ * LineSize, bits [2:0]: (Log2(Number of bytes in cache line)) - 4
+ */
+int sysinfo_get_cache_info(u8 level, struct cache_info *cinfo)
+{
+ u64 clidr_el1;
+ u32 csselr_el1;
+ u32 num_sets;
+ union ccsidr_el1 creg;
+ int cache_type;
+
+ sysinfo_cache_info_default(cinfo);
+
+ /* Read CLIDR_EL1 */
+ asm volatile("mrs %0, clidr_el1" : "=r" (clidr_el1));
+ log_debug("CLIDR_EL1: 0x%llx\n", clidr_el1);
+
+ cache_type = (clidr_el1 >> (3 * level)) & 0x7;
+ log_debug("cache_type:%d\n", cache_type);
+
+ if (cache_type == CACHE_NONE) /* level does not exist */
+ return -1;
+
+ switch (cache_type) {
+ case CACHE_INST_ONLY:
+ cinfo->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_INSTRUCTION;
+ break;
+ case CACHE_DATA_ONLY:
+ cinfo->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_DATA;
+ break;
+ case CACHE_UNIFIED:
+ cinfo->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_UNIFIED;
+ break;
+ case CACHE_INST_WITH_DATA:
+ cinfo->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_OTHER;
+ break;
+ default:
+ cinfo->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_UNKNOWN;
+ break;
+ }
+
+ /* Select cache level */
+ csselr_el1 = (level << 1);
+ asm volatile("msr csselr_el1, %0" : : "r" (csselr_el1));
+
+ /* Read CCSIDR_EL1 */
+ asm volatile("mrs %0, ccsidr_el1" : "=r" (creg.data));
+ log_debug("CCSIDR_EL1 (Level %d): 0x%llx\n", level + 1, creg.data);
+
+ /* Extract cache size and associativity */
+ cinfo->line_size = 1 << (creg.no_ccidx.linesize + 4);
+
+ /* Map the associativity value */
+ switch (creg.no_ccidx.associativity + 1) {
+ case CACHE_ASSOC_DIRECT_MAPPED:
+ cinfo->associativity = SMBIOS_CACHE_ASSOC_DMAPPED;
+ break;
+ case CACHE_ASSOC_2WAY:
+ cinfo->associativity = SMBIOS_CACHE_ASSOC_2WAY;
+ break;
+ case CACHE_ASSOC_4WAY:
+
[PATCH 07/10] smbios: Add support to SMBIOS type 7
Add SMBIOS type 7 (cache information) write functions.
Link cache handles from type 7 to type 4.
Add SMBIOS command print functions for type 7.
Signed-off-by: Raymond Mao
---
cmd/smbios.c | 82 +++
lib/smbios.c | 106 +--
2 files changed, 185 insertions(+), 3 deletions(-)
diff --git a/cmd/smbios.c b/cmd/smbios.c
index 8e2bf46a09c..38651740451 100644
--- a/cmd/smbios.c
+++ b/cmd/smbios.c
@@ -91,6 +91,43 @@ static const char * const processor_upgrade_strings[] = {
[7 ... 80] = "Other", /* skip these definitions from now */
};
+static const char * const err_corr_type_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "None", /* 0x03 */
+ "Parity", /* 0x04 */
+ "Single-bit ECC", /* 0x05 */
+ "Multi-bit ECC",/* 0x06 */
+};
+
+static const char * const sys_cache_type_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "Instruction", /* 0x03 */
+ "Data", /* 0x04 */
+ "Unified", /* 0x05 */
+};
+
+static const char * const associativity_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "Direct Mapped",/* 0x03 */
+ "2-way Set-Associative",/* 0x04 */
+ "4-way Set-Associative",/* 0x05 */
+ "Fully Associative",/* 0x06 */
+ "8-way Set-Associative",/* 0x07 */
+ "16-way Set-Associative", /* 0x08 */
+ "12-way Set-Associative", /* 0x09 */
+ "24-way Set-Associative", /* 0x0a */
+ "32-way Set-Associative", /* 0x0b */
+ "48-way Set-Associative", /* 0x0c */
+ "64-way Set-Associative", /* 0x0d */
+ "20-way Set-Associative", /* 0x0e */
+};
+
/**
* smbios_get_string() - get SMBIOS string from table
*
@@ -364,6 +401,48 @@ static void smbios_print_type4(struct smbios_type4 *table)
printf("\tThread Enabled: 0x%04x\n", table->thread_enabled);
}
+const char *smbios_cache_err_corr_type_str(u8 err_corr_type)
+{
+ if (err_corr_type >= ARRAY_SIZE(err_corr_type_strings))
+ err_corr_type = 0;
+ return err_corr_type_strings[err_corr_type];
+}
+
+const char *smbios_cache_sys_cache_type_str(u8 sys_cache_type)
+{
+ if (sys_cache_type >= ARRAY_SIZE(sys_cache_type_strings))
+ sys_cache_type = 0;
+ return sys_cache_type_strings[sys_cache_type];
+}
+
+const char *smbios_cache_associativity_str(u8 associativity)
+{
+ if (associativity >= ARRAY_SIZE(associativity_strings))
+ associativity = 0;
+ return associativity_strings[associativity];
+}
+
+static void smbios_print_type7(struct smbios_type7 *table)
+{
+ printf("Cache Information:\n");
+ smbios_print_str("Socket Designation", table,
+table->socket_design);
+ printf("\tCache Configuration: 0x%04x\n", table->config.data);
+ printf("\tMaximum Cache Size: 0x%04x\n", table->max_size.data);
+ printf("\tInstalled Size: 0x%04x\n", table->inst_size.data);
+ printf("\tSupported SRAM Type: 0x%04x\n", table->supp_sram_type.data);
+ printf("\tCurrent SRAM Type: 0x%04x\n", table->curr_sram_type.data);
+ printf("\tCache Speed: 0x%02x\n", table->speed);
+ printf("\tError Correction Type: %s\n",
+ smbios_cache_err_corr_type_str(table->err_corr_type));
+ printf("\tSystem Cache Type: %s\n",
+ smbios_cache_sys_cache_type_str(table->sys_cache_type));
+ printf("\tAssociativity: %s\n",
+ smbios_cache_associativity_str(table->associativity));
+ printf("\tMaximum Cache Size 2: 0x%08x\n", table->max_size2.data);
+ printf("\tInstalled Cache Size 2: 0x%08x\n", table->inst_size2.data);
+}
+
static void smbios_print_type127(struct smbios_type127 *table)
{
printf("End Of Table\n");
@@ -440,6 +519,9 @@ static int do_smbios(struct cmd_tbl *cmdtp, int flag, int
argc,
case SMBIOS_PROCESSOR_INFORMATION:
smbios_print_type4((struct smbios_type4 *)pos);
break;
+
[PATCH 06/10] sysinfo: Add sysinfo driver for SMBIOS type 7
Add sysinfo interface and data structures for cache information
required by SMBIOS type 7.
Signed-off-by: Raymond Mao
---
drivers/sysinfo/smbios_plat.c | 172 ++
drivers/sysinfo/smbios_plat.h | 27 ++
include/smbios.h | 112 ++
include/sysinfo.h | 36 +++
4 files changed, 347 insertions(+)
diff --git a/drivers/sysinfo/smbios_plat.c b/drivers/sysinfo/smbios_plat.c
index adbc8cf3cf2..e225b42d672 100644
--- a/drivers/sysinfo/smbios_plat.c
+++ b/drivers/sysinfo/smbios_plat.c
@@ -12,14 +12,60 @@ struct sysinfo_plat_priv {
struct baseboard_info *t2;
struct enclosure_info *t3;
struct processor_info *t4;
+ struct smbios_type7 t7[SYSINFO_CACHE_LVL_MAX];
+ char *cache_socket_design[SYSINFO_CACHE_LVL_MAX];
+ u16 cache_handles[SYSINFO_CACHE_LVL_MAX];
+ u8 cache_level;
+ /*
+* TODO: add other types here:
+* Type 9 - System Slots
+* Type 16 - Physical Memory Array
+* Type 17 - Memory Device
+* Type 19 - Memory Array Mapped Address
+*/
};
+static void smbios_cache_info_dump(struct smbios_type7 *cache_info)
+{
+ log_debug("SMBIOS Type 7 (Cache Information):\n");
+ log_debug("Cache Configuration: 0x%04x\n", cache_info->config.data);
+ log_debug("Maximum Cache Size: %u KB\n", cache_info->max_size.data);
+ log_debug("Installed Size: %u KB\n", cache_info->inst_size.data);
+ log_debug("Supported SRAM Type: 0x%04x\n",
+ cache_info->supp_sram_type.data);
+ log_debug("Current SRAM Type: 0x%04x\n",
+ cache_info->curr_sram_type.data);
+ log_debug("Cache Speed: %u\n", cache_info->speed);
+ log_debug("Error Correction Type: %u\n", cache_info->err_corr_type);
+ log_debug("System Cache Type: %u\n", cache_info->sys_cache_type);
+ log_debug("Associativity: %u\n", cache_info->associativity);
+ log_debug("Maximum Cache Size 2: %u KB\n", cache_info->max_size2.data);
+ log_debug("Installed Cache Size 2: %u KB\n",
+ cache_info->inst_size2.data);
+}
+
/* weak function for the platforms not yet supported */
+__weak int sysinfo_get_cache_info(u8 level, struct cache_info *cache_info)
+{
+ return -ENOSYS;
+}
__weak int sysinfo_get_processor_info(struct processor_info *pinfo)
{
return -ENOSYS;
}
+void sysinfo_cache_info_default(struct cache_info *ci)
+{
+ memset(ci, 0, sizeof(*ci));
+ ci->config.fields.locate = SMBIOS_CACHE_LOCATE_UNKNOWN;
+ ci->config.fields.opmode = SMBIOS_CACHE_OP_UND;
+ ci->supp_sram_type.fields.unknown = 1;
+ ci->curr_sram_type.fields.unknown = 1;
+ ci->speed = SMBIOS_CACHE_SPEED_UNKNOWN;
+ ci->err_corr_type = SMBIOS_CACHE_ERRCORR_UNKNOWN;
+ ci->cache_type = SMBIOS_CACHE_SYSCACHE_TYPE_UNKNOWN;
+}
+
static int sysinfo_plat_detect(struct udevice *dev)
{
return 0;
@@ -30,6 +76,22 @@ static int sysinfo_plat_get_str(struct udevice *dev, int id,
{
struct sysinfo_plat_priv *priv = dev_get_priv(dev);
const char *str = NULL;
+ u8 i;
+
+ if (id >= SYSINFO_ID_SMBIOS_CACHE_INFO_START &&
+ id <= SYSINFO_ID_SMBIOS_CACHE_INFO_END) {
+ /* For smbios type 7 */
+ for (i = 0; i < priv->cache_level; i++) {
+ switch (id - i) {
+ case SYSINFO_ID_SMBIOS_CACHE_SOCKET:
+ str = priv->cache_socket_design[i];
+ break;
+ default:
+ break;
+ }
+ }
+ goto handle_str;
+ }
switch (id) {
case SYSINFO_ID_SMBIOS_SYSTEM_MANUFACTURER:
@@ -105,6 +167,7 @@ static int sysinfo_plat_get_str(struct udevice *dev, int id,
break;
}
+handle_str:
if (!str)
return -ENOSYS;
@@ -116,6 +179,52 @@ static int sysinfo_plat_get_str(struct udevice *dev, int
id,
static int sysinfo_plat_get_int(struct udevice *dev, int id, int *val)
{
struct sysinfo_plat_priv *priv = dev_get_priv(dev);
+ u8 i;
+
+ if (id >= SYSINFO_ID_SMBIOS_CACHE_INFO_START &&
+ id <= SYSINFO_ID_SMBIOS_CACHE_INFO_END) {
+ /* For smbios type 7 */
+ for (i = 0; i < priv->cache_level; i++) {
+ switch (id - i) {
+ case SYSINFO_ID_SMBIOS_CACHE_CONFIG:
+ *val = priv->t7[i].config.data;
+ break;
+ case SYSINFO_ID_SMBIOS_CACHE_MAX_SIZE:
+ *val = priv->t7[i]
[PATCH 05/10] armv8: Add arch-specific sysinfo driver
Add common sysinfo driver for armv8 platforms containing all
necessary SMBIOS information (Type 1 to 4).
Signed-off-by: Raymond Mao
---
arch/arm/cpu/armv8/Makefile | 5 +
arch/arm/cpu/armv8/sysinfo.c | 203 +++
2 files changed, 208 insertions(+)
create mode 100644 arch/arm/cpu/armv8/sysinfo.c
diff --git a/arch/arm/cpu/armv8/Makefile b/arch/arm/cpu/armv8/Makefile
index bba4f570dbb..374f20d455d 100644
--- a/arch/arm/cpu/armv8/Makefile
+++ b/arch/arm/cpu/armv8/Makefile
@@ -45,3 +45,8 @@ obj-$(CONFIG_TARGET_BCMNS3) += bcmns3/
obj-$(CONFIG_XEN) += xen/
obj-$(CONFIG_ARMV8_CE_SHA1) += sha1_ce_glue.o sha1_ce_core.o
obj-$(CONFIG_ARMV8_CE_SHA256) += sha256_ce_glue.o sha256_ce_core.o
+
+ifndef CONFIG_SPL_BUILD
+obj-$(CONFIG_SYSINFO_SMBIOS) += sysinfo.o
+ccflags-$(CONFIG_SYSINFO_SMBIOS) += -I$(srctree)/drivers/sysinfo
+endif
\ No newline at end of file
diff --git a/arch/arm/cpu/armv8/sysinfo.c b/arch/arm/cpu/armv8/sysinfo.c
new file mode 100644
index 000..a8e17d654be
--- /dev/null
+++ b/arch/arm/cpu/armv8/sysinfo.c
@@ -0,0 +1,203 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+#include
+#if CONFIG_IS_ENABLED(SYSINFO_SMBIOS)
+#include
+#endif
+#include
+#include
+
+#define ELEMENT_RECORD_DATA_LEN 8
+#define ELEMENT_RECORD_NUM 2
+
+union midr_el1 {
+ struct {
+ u64 revision:4;
+ u64 partnum:12;
+ u64 architecture:4;
+ u64 variant:4;
+ u64 implementer:8;
+ u64 reserved:32;
+ } fields;
+ u64 data;
+};
+
+enum {
+ VENDOR_RESERVED = 0,
+ VENDOR_ARM = 0x41,
+ VENDOR_BROADCOM = 0x42,
+ VENDOR_CAVIUM = 0x43,
+ VENDOR_DEC = 0x44,
+ VENDOR_FUJITSU = 0x46,
+ VENDOR_INFINEON = 0x49,
+ VENDOR_FREESCALE = 0x4d,
+ VENDOR_NVIDIA = 0x4e,
+ VENDOR_AMCC = 0x50,
+ VENDOR_QUALCOMM = 0x51,
+ VENDOR_MARVELL = 0x56,
+ VENDOR_INTEL = 0x69,
+ VENDOR_AMPERE = 0xc0,
+};
+
+struct __packed enclosure_element_record {
+ struct elem_hdr hdr;
+ u8 data[ELEMENT_RECORD_DATA_LEN];
+};
+
+struct processor_info processor_info_armv8;
+
+/* Default data for the enclosure contained elements */
+struct enclosure_element_record contained_elements[ELEMENT_RECORD_NUM] = {
+ {
+ .hdr.type = SMBIOS_BOARD_MOTHERBOARD,
+ .hdr.minimum = 0,
+ .hdr.maximum = 0xff,
+ .data = {0},
+ },
+ {
+ .hdr.type = SMBIOS_BOARD_MOTHERBOARD,
+ .hdr.minimum = 0,
+ .hdr.maximum = 0xff,
+ .data = {0},
+ },
+};
+
+int sysinfo_get_processor_info(struct processor_info *pinfo)
+{
+ u64 mpidr, core_count;
+ union midr_el1 midr;
+
+ /* Read the MIDR_EL1 register */
+ asm volatile("mrs %0, MIDR_EL1" : "=r"(midr.data));
+ /* Read the MPIDR_EL1 register */
+ asm volatile("mrs %0, MPIDR_EL1" : "=r"(mpidr));
+
+ log_debug("MIDR: 0x%016llx\n", midr.data);
+ log_debug("MPIDR: 0x%016llx\n", mpidr);
+ log_debug("CPU Implementer: 0x%02x\n", midr.fields.implementer);
+
+ switch (midr.fields.implementer) {
+ case VENDOR_ARM:
+ pinfo->manufacturer = "ARM Limited";
+ break;
+ case VENDOR_BROADCOM:
+ pinfo->manufacturer = "Broadcom Corporation";
+ break;
+ case VENDOR_CAVIUM:
+ pinfo->manufacturer = "Cavium Inc";
+ break;
+ case VENDOR_DEC:
+ pinfo->manufacturer = "Digital Equipment Corporation";
+ break;
+ case VENDOR_FUJITSU:
+ pinfo->manufacturer = "Fujitsu Ltd";
+ break;
+ case VENDOR_INFINEON:
+ pinfo->manufacturer = "Infineon Technologies AG";
+ break;
+ case VENDOR_FREESCALE:
+ pinfo->manufacturer = "Freescale Semiconductor Inc";
+ break;
+ case VENDOR_NVIDIA:
+ pinfo->manufacturer = "NVIDIA Corporation";
+ break;
+ case VENDOR_AMCC:
+ pinfo->manufacturer =
+ "Applied Micro Circuits Corporation";
+ break;
+ case VENDOR_QUALCOMM:
+ pinfo->manufacturer = "Qualcomm Inc";
+ break;
+ case VENDOR_MARVELL:
+ pinfo->manufacturer = "Marvell International Ltd";
+ break;
+ case VENDOR_INTEL:
+ pinfo->manufacturer = "Intel Corporation";
+ break;
+ case VENDOR_AMPERE:
+ pinfo->manufacturer = "Ampere Computing";
+
[PATCH 04/10] smbios: ignore the non-existence of platform sysinfo detect
During writing SMBIOS table, implementation of sysinfo detect
function for a specific platform is not mandatory.
Thus we should not return an error when platform sysinfo
detect function does not exist.
Signed-off-by: Raymond Mao
---
lib/smbios.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/smbios.c b/lib/smbios.c
index 8e481365165..2f1759d419e 100644
--- a/lib/smbios.c
+++ b/lib/smbios.c
@@ -825,10 +825,9 @@ ulong write_smbios_table(ulong addr)
if (CONFIG_IS_ENABLED(SYSINFO)) {
uclass_first_device(UCLASS_SYSINFO, &ctx.dev);
if (ctx.dev) {
- int ret;
+ int ret = sysinfo_detect(ctx.dev);
parent_node = dev_read_subnode(ctx.dev, "smbios");
- ret = sysinfo_detect(ctx.dev);
/*
* ignore the error since many boards don't implement
--
2.25.1
[PATCH 03/10] smbios: Refactor SMBIOS library
Current SMBIOS library does not fully match to the specification.
It hardcodes values instead of exposing values from the device.
It does not support dynamic length for contained object handles
or elements and misses the handling of a few fields.
The refactoring of this patch includes:
1. Expose values from device via sysinfo interface.
2. Replace smbios_add_prop with smbios_add_prop_si to allow getting
string values from sysinfo.
3. Add smbios_get_val_si to get int values from sysinfo.
4. Use sysinfo_get_data to get data area like contained object
handles, elements or processor id.
5. Refactor SMBIOS cmd print functions to match the command output
with the specification
6. Add new print functions for Type 0, 3 and 4.
7. Miscellaneous fixes in SMBIOS.
Signed-off-by: Raymond Mao
---
cmd/smbios.c | 268 +--
include/smbios.h | 116 +++
lib/smbios.c | 358 ++-
3 files changed, 632 insertions(+), 110 deletions(-)
diff --git a/cmd/smbios.c b/cmd/smbios.c
index d3bd8b12a67..8e2bf46a09c 100644
--- a/cmd/smbios.c
+++ b/cmd/smbios.c
@@ -26,6 +26,71 @@ static const char * const wakeup_type_strings[] = {
"AC Power Restored",/* 0x08 */
};
+static const char * const boardtype_strings[] = {
+ "Reserved", /* 0x00 */
+ "Unknown", /* 0x01 */
+ "Other",/* 0x02 */
+ "Server Blade", /* 0x03 */
+ "Connectivity Switch", /* 0x04 */
+ "System Management Module", /* 0x05 */
+ "Processor Module", /* 0x06 */
+ "I/O Module", /* 0x07 */
+ "Memory Module",/* 0x08 */
+ "Daughter board", /* 0x09 */
+ "Motherboard", /* 0x0a */
+ "Processor/Memory Module", /* 0x0b */
+ "Processor/IO Module", /* 0x0c */
+ "Interconnect board", /* 0x0d */
+};
+
+static const char * const chassis_state_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "Safe", /* 0x03 */
+ "Warning", /* 0x04 */
+ "Critical", /* 0x05 */
+ "Non-recoverable", /* 0x06 */
+};
+
+static const char * const chassis_security_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "None", /* 0x03 */
+ "External interface locked out",/* 0x04 */
+ "External interface enabled", /* 0x05 */
+};
+
+static const char * const processor_type_strings[] = {
+ "Reserved", /* 0x00 */
+ "Other",/* 0x01 */
+ "Unknown", /* 0x02 */
+ "Central Processor",/* 0x03 */
+ "Math Processor", /* 0x04 */
+ "DSP Processor",/* 0x05 */
+ "Video Processor", /* 0x06 */
+};
+
+static const char * const processor_family_strings[] = {
+ [0] = "Other",
+ [1] = "Unknown",
+ [2 ... 253] = "Other", /* skip these definitions from now */
+ [254] = "Refer to 'Processor Family 2'",
+ [255] = "Reserved",
+ [256] = "ARMv7",
+ [257] = "ARMv8",
+};
+
+static const char * const processor_upgrade_strings[] = {
+ [0] = "Reserved",
+ [1] = "Other",
+ [2] = "Unknown",
+ [3 ... 5] = "Other", /* skip these definitions from now */
+ [6] = "None",
+ [7 ... 80] = "Other", /* skip these definitions from now */
+};
+
/**
* smbios_get_string() - get SMBIOS string from table
*
@@ -92,6 +157,32 @@ const char *smbios_wakeup_type_str(u8 wakeup_type)
return wakeup_type_strings[wakeup_type];
}
+static void smbios_print_type0(struct smbios_type0 *table)
+{
+ printf("BIOS Information\n");
+ smbios_print_str("Vendor", table, table->vendor);
+ smbios_print_str("BIOS Version", table, table->bios_ver);
+ /* Keep table->bios_start_segment as 0 for UEFI-based systems */
+ smbios_print_str("BIOS Release Date", table, table->bios_release_date);
+ printf("\tBIOS ROM Siz
[PATCH 02/10] sysinfo: Add sysinfo driver and data structure for SMBIOS
Add sysinfo interface and definitions to support SMBIOS type 0 to
type 4.
Signed-off-by: Raymond Mao
---
drivers/sysinfo/Makefile | 1 +
drivers/sysinfo/smbios_plat.c | 270 ++
drivers/sysinfo/smbios_plat.h | 104 +
include/smbios.h | 12 ++
include/sysinfo.h | 58 +++-
lib/Makefile | 2 +
6 files changed, 446 insertions(+), 1 deletion(-)
create mode 100644 drivers/sysinfo/smbios_plat.c
create mode 100644 drivers/sysinfo/smbios_plat.h
diff --git a/drivers/sysinfo/Makefile b/drivers/sysinfo/Makefile
index 680dde77fe8..3e478f87c23 100644
--- a/drivers/sysinfo/Makefile
+++ b/drivers/sysinfo/Makefile
@@ -8,3 +8,4 @@ obj-$(CONFIG_SYSINFO_GPIO) += gpio.o
obj-$(CONFIG_SYSINFO_RCAR3) += rcar3.o
obj-$(CONFIG_SYSINFO_SANDBOX) += sandbox.o
obj-$(CONFIG_SYSINFO_SMBIOS) += smbios.o
+obj-$(CONFIG_SYSINFO_SMBIOS) += smbios_plat.o
\ No newline at end of file
diff --git a/drivers/sysinfo/smbios_plat.c b/drivers/sysinfo/smbios_plat.c
new file mode 100644
index 000..adbc8cf3cf2
--- /dev/null
+++ b/drivers/sysinfo/smbios_plat.c
@@ -0,0 +1,270 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+#include
+#include
+#include
+
+struct sysinfo_plat_priv {
+ struct sys_info *t1;
+ struct baseboard_info *t2;
+ struct enclosure_info *t3;
+ struct processor_info *t4;
+};
+
+/* weak function for the platforms not yet supported */
+__weak int sysinfo_get_processor_info(struct processor_info *pinfo)
+{
+ return -ENOSYS;
+}
+
+static int sysinfo_plat_detect(struct udevice *dev)
+{
+ return 0;
+}
+
+static int sysinfo_plat_get_str(struct udevice *dev, int id,
+ size_t size, char *val)
+{
+ struct sysinfo_plat_priv *priv = dev_get_priv(dev);
+ const char *str = NULL;
+
+ switch (id) {
+ case SYSINFO_ID_SMBIOS_SYSTEM_MANUFACTURER:
+ str = priv->t1->manufacturer;
+ break;
+ case SYSINFO_ID_SMBIOS_SYSTEM_PRODUCT:
+ str = priv->t1->prod_name;
+ break;
+ case SYSINFO_ID_SMBIOS_SYSTEM_VERSION:
+ str = priv->t1->version;
+ break;
+ case SYSINFO_ID_SMBIOS_SYSTEM_SERIAL:
+ str = priv->t1->sn;
+ break;
+ case SYSINFO_ID_SMBIOS_SYSTEM_SKU:
+ str = priv->t1->sku_num;
+ break;
+ case SYSINFO_ID_SMBIOS_SYSTEM_FAMILY:
+ str = priv->t1->family;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_MANUFACTURER:
+ str = priv->t2->manufacturer;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_PRODUCT:
+ str = priv->t2->prod_name;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_VERSION:
+ str = priv->t2->version;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_SERIAL:
+ str = priv->t2->sn;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_ASSET_TAG:
+ str = priv->t2->asset_tag;
+ break;
+ case SYSINFO_ID_SMBIOS_BASEBOARD_CHASSIS_LOCAT:
+ str = priv->t2->chassis_locat;
+ break;
+ case SYSINFO_ID_SMBIOS_ENCLOSURE_MANUFACTURER:
+ str = priv->t3->manufacturer;
+ break;
+ case SYSINFO_ID_SMBIOS_ENCLOSURE_VERSION:
+ str = priv->t3->version;
+ break;
+ case SYSINFO_ID_SMBIOS_ENCLOSURE_SERIAL:
+ str = priv->t3->sn;
+ break;
+ case SYSINFO_ID_SMBIOS_ENCLOSURE_ASSET_TAG:
+ str = priv->t3->asset_tag;
+ break;
+ case SYSINFO_ID_SMBIOS_ENCLOSURE_SKU:
+ str = priv->t3->sku_num;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_SOCKET:
+ str = priv->t4->socket_design;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_MANUFACT:
+ str = priv->t4->manufacturer;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_VERSION:
+ str = priv->t4->version;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_SN:
+ str = priv->t4->sn;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_ASSET_TAG:
+ str = priv->t4->asset_tag;
+ break;
+ case SYSINFO_ID_SMBIOS_PROCESSOR_PN:
+ str = priv->t4->pn;
+ break;
+ default:
+ break;
+ }
+
+ if (!str)
+ return -ENOSYS;
+
+ strlcpy(val, str, size);
+
+ return 0;
+}
+
+static int sysinfo_plat_get_int(struct udevice *dev, int id, int *val)
+{
+ struct sysinfo_plat_priv *pr
[PATCH 01/10] sysinfo: Add sysinfo API for accessing data area
Add interface for sysinfo to access a data area from the platform.
This is useful to save/read a memory region of platform-specific
data.
Signed-off-by: Raymond Mao
---
drivers/sysinfo/sysinfo-uclass.c | 20
include/sysinfo.h| 30 ++
2 files changed, 50 insertions(+)
diff --git a/drivers/sysinfo/sysinfo-uclass.c b/drivers/sysinfo/sysinfo-uclass.c
index d77d1e3ee44..04a7748834a 100644
--- a/drivers/sysinfo/sysinfo-uclass.c
+++ b/drivers/sysinfo/sysinfo-uclass.c
@@ -99,6 +99,26 @@ int sysinfo_get_str(struct udevice *dev, int id, size_t
size, char *val)
return ops->get_str(dev, id, size, val);
}
+int sysinfo_get_data(struct udevice *dev, int id, uchar **data, size_t *size)
+{
+ struct sysinfo_priv *priv;
+ struct sysinfo_ops *ops;
+
+ if (!dev)
+ return -ENOSYS;
+
+ priv = dev_get_uclass_priv(dev);
+ ops = sysinfo_get_ops(dev);
+
+ if (!priv->detected)
+ return -EPERM;
+
+ if (!ops->get_data)
+ return -ENOSYS;
+
+ return ops->get_data(dev, id, data, size);
+}
+
UCLASS_DRIVER(sysinfo) = {
.id = UCLASS_SYSINFO,
.name = "sysinfo",
diff --git a/include/sysinfo.h b/include/sysinfo.h
index 8a77ef44856..17b2b9c7111 100644
--- a/include/sysinfo.h
+++ b/include/sysinfo.h
@@ -115,6 +115,18 @@ struct sysinfo_ops {
*/
int (*get_str)(struct udevice *dev, int id, size_t size, char *val);
+ /**
+* get_data() - Read a specific string data value that describes the
+* hardware setup.
+* @dev:The sysinfo instance to gather the data.
+* @id: A unique identifier for the data area to be get.
+* @data: Pointer to the address of the data area.
+* @size: Pointer to the size of the data area.
+*
+* Return: 0 if OK, -ve on error.
+*/
+ int (*get_data)(struct udevice *dev, int id, uchar **data, size_t
*size);
+
/**
* get_fit_loadable - Get the name of an image to load from FIT
* This function can be used to provide the image names based on runtime
@@ -186,6 +198,18 @@ int sysinfo_get_int(struct udevice *dev, int id, int *val);
*/
int sysinfo_get_str(struct udevice *dev, int id, size_t size, char *val);
+/**
+ * sysinfo_get_data() - Get a data area from the platform.
+ * @dev: The sysinfo instance to gather the data.
+ * @id:A unique identifier for the data area to be get.
+ * @data: Pointer to the address of the data area.
+ * @size: Pointer to the size of the data area.
+ *
+ * Return: 0 if OK, -EPERM if called before sysinfo_detect(), else -ve on
+ * error.
+ */
+int sysinfo_get_data(struct udevice *dev, int id, uchar **data, size_t *size);
+
/**
* sysinfo_get() - Return the sysinfo device for the sysinfo in question.
* @devp: Pointer to structure to receive the sysinfo device.
@@ -241,6 +265,12 @@ static inline int sysinfo_get_str(struct udevice *dev, int
id, size_t size,
return -ENOSYS;
}
+static inline int sysinfo_get_data(struct udevice *dev, int id, uchar **data,
+ size_t *size)
+{
+ return -ENOSYS;
+}
+
static inline int sysinfo_get(struct udevice **devp)
{
return -ENOSYS;
--
2.25.1
[PATCH 00/10] SMBIOS improvements
Motivations for changes: Current SMBIOS library and command-line tool is not fully matching with the requirements: 1. Missing support for other mandatory types (#7, #9, #16, #17, #19). 2. Only a few platforms support SMBIOS node from the device tree. 3. Values of some fields are hardcoded in the library other than fetching from the device hardware. 4. Embedded data with dynamic length is not supported (E.g. Contained Object Handles in Type #2 and Contained Elements in Type #3) Changes: 1. Refactor the SMBIOS library and command-line tool to better align with the SMBIOS spec. 2. Create an arch-specific driver for all aarch64-based platforms to fetch SMBIOS private data from the device hardware. 3. Create a sysinfo driver to poppulate platform SMBIOS private data. 4. Put device tree SMBIOS node as a fallback solution when SMBIOS data is missing from sysinfo driver. 5. Add support for Type #7 (Cache Information) and link its handles to Type #4. Once this patch is acceptted, subsequent patch sets will add other missing types (#9, #16, #17, #19). Raymond Mao (10): sysinfo: Add sysinfo API for accessing data area sysinfo: Add sysinfo driver and data structure for SMBIOS smbios: Refactor SMBIOS library smbios: ignore the non-existence of platform sysinfo detect armv8: Add arch-specific sysinfo driver sysinfo: Add sysinfo driver for SMBIOS type 7 smbios: Add support to SMBIOS type 7 armv8: Add sysinfo driver for cache information configs: Enable sysinfo for QEMU Arm64 tests: update smbios pytest arch/arm/cpu/armv8/Makefile | 5 + arch/arm/cpu/armv8/sysinfo.c | 391 ++ cmd/smbios.c | 350 ++- configs/qemu_arm64_defconfig | 2 + drivers/misc/Kconfig | 2 +- drivers/sysinfo/Makefile | 1 + drivers/sysinfo/smbios_plat.c| 442 + drivers/sysinfo/smbios_plat.h| 131 + drivers/sysinfo/sysinfo-uclass.c | 20 ++ include/smbios.h | 240 ++-- include/sysinfo.h| 124 - lib/Makefile | 2 + lib/smbios.c | 461 ++- test/py/tests/test_smbios.py | 2 +- 14 files changed, 2058 insertions(+), 115 deletions(-) create mode 100644 arch/arm/cpu/armv8/sysinfo.c create mode 100644 drivers/sysinfo/smbios_plat.c create mode 100644 drivers/sysinfo/smbios_plat.h -- 2.25.1
Re: [PATCH v5 00/27] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Wed, 14 Aug 2024 at 11:07, Tom Rini wrote: > On Wed, Aug 14, 2024 at 09:42:08AM -0400, Raymond Mao wrote: > > Hi Tom, > > > > On Fri, 2 Aug 2024 at 11:34, Raymond Mao wrote: > > > > > Hi Tom, > > > > > > On Thu, 1 Aug 2024 at 16:46, Tom Rini wrote: > > > > > >> On Wed, Jul 31, 2024 at 10:25:10AM -0700, Raymond Mao wrote: > > >> > > > >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > > >> > > > >> > Motivations: > > >> > > > >> > > > >> > 1. MbedTLS is well maintained with LTS versions. > > >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > >> > 3. MbedTLS recently switched license back to GPLv2. > > >> > > > >> > Prerequisite: > > >> > - > > >> > > > >> > This patch series requires mbedtls git repo to be added as a > > >> > subtree to the main U-Boot repo via: > > >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > >> > https://github.com/Mbed-TLS/mbedtls.git \ > > >> > v3.6.0 --squash > > >> > Moreover, due to the Windows-style files from mbedtls git repo, > > >> > we need to convert the CRLF endings to LF and do a commit manually: > > >> > $ git add --renormalize . > > >> > $ git commit > > >> > > > >> > New Kconfig options: > > >> > > > >> > > > >> > `MBEDTLS_LIB` is for MbedTLS general switch. > > >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto > libs > > >> with > > >> > MbedTLS. > > >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, > ASN1, > > >> > and Pubkey parser with MbedTLS. > > >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto > > >> library. > > >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > >> > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > >> > For each of the algorithm, a pair of `_LEGACY` and > `_MBEDTLS` > > >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options > are > > >> > introduced. > > >> > > > >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and > MBEDTLS_LIB_X509 > > >> > are by default enabled in qemu_arm64_defconfig and sandbox_defconfig > > >> > for testing purpose. > > >> > > > >> > Patches for external MbedTLS project: > > >> > - > > >> > > > >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > >> > executables which is not supported by MbedTLS at the moment, > > >> > addtional patches for MbedTLS are created to adapt with the EFI > loader: > > >> > 1. Decoding of Microsoft Authentication Code. > > >> > 2. Decoding of PKCS#9 Authenticate Attributes. > > >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > > >> certificates. > > >> > 4. MbedTLS native test suites for PKCS#7 signer's info. > > >> > > > >> > All above 4 patches (tagged with `mbedtls/external`) are submitted > to > > >> > MbedTLS project and being reviewed, eventually they should be part > of > > >> > MbedTLS LTS release. > > >> > But before that, please merge them into U-Boot, otherwise the > building > > >> > will be broken when MBEDTLS_LIB_X509 is enabled. > > >> > > > >> > See below PR link for the reference: > > >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > >> > > > >> > Miscellaneous: > > >> > -- > > >> > > > >> > Optimized MbedTLS library size by tailoring the config file > > >> > and disabling all unnecessary features for EFI loader. > > >> > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, > > >> sha256, > > >> > sha512) are completely replaced when MbedTLS is enabled. > > >> > From v3, the size-growth is slightly reduced by refactoring Hash > > >> functions. > > >> > > > >&g
Re: [PATCH v5 00/27] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Fri, 2 Aug 2024 at 11:34, Raymond Mao wrote: > Hi Tom, > > On Thu, 1 Aug 2024 at 16:46, Tom Rini wrote: > >> On Wed, Jul 31, 2024 at 10:25:10AM -0700, Raymond Mao wrote: >> > >> > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. >> > >> > Motivations: >> > >> > >> > 1. MbedTLS is well maintained with LTS versions. >> > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. >> > 3. MbedTLS recently switched license back to GPLv2. >> > >> > Prerequisite: >> > - >> > >> > This patch series requires mbedtls git repo to be added as a >> > subtree to the main U-Boot repo via: >> > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ >> > https://github.com/Mbed-TLS/mbedtls.git \ >> > v3.6.0 --squash >> > Moreover, due to the Windows-style files from mbedtls git repo, >> > we need to convert the CRLF endings to LF and do a commit manually: >> > $ git add --renormalize . >> > $ git commit >> > >> > New Kconfig options: >> > >> > >> > `MBEDTLS_LIB` is for MbedTLS general switch. >> > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs >> with >> > MbedTLS. >> > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, >> > and Pubkey parser with MbedTLS. >> > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto >> library. >> > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and >> > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. >> > For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` >> > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are >> > introduced. >> > >> > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 >> > are by default enabled in qemu_arm64_defconfig and sandbox_defconfig >> > for testing purpose. >> > >> > Patches for external MbedTLS project: >> > - >> > >> > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs >> > executables which is not supported by MbedTLS at the moment, >> > addtional patches for MbedTLS are created to adapt with the EFI loader: >> > 1. Decoding of Microsoft Authentication Code. >> > 2. Decoding of PKCS#9 Authenticate Attributes. >> > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's >> certificates. >> > 4. MbedTLS native test suites for PKCS#7 signer's info. >> > >> > All above 4 patches (tagged with `mbedtls/external`) are submitted to >> > MbedTLS project and being reviewed, eventually they should be part of >> > MbedTLS LTS release. >> > But before that, please merge them into U-Boot, otherwise the building >> > will be broken when MBEDTLS_LIB_X509 is enabled. >> > >> > See below PR link for the reference: >> > https://github.com/Mbed-TLS/mbedtls/pull/9001 >> > >> > Miscellaneous: >> > -- >> > >> > Optimized MbedTLS library size by tailoring the config file >> > and disabling all unnecessary features for EFI loader. >> > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, >> sha256, >> > sha512) are completely replaced when MbedTLS is enabled. >> > From v3, the size-growth is slightly reduced by refactoring Hash >> functions. >> > >> > Target(QEMU arm64) size-growth when enabling MbedTLS: >> > v1: 6.03% >> > v2: 4.66% >> > From v3: 4.55% >> > >> > Please see the latest output from buildman for size-growth on QEMU >> arm64, >> > Sandbox and Nanopi A64. [1] >> >> Let us inline the growth on qemu_arm64 for a moment: >>aarch64: (for 1/1 boards) all +6916.0 bss -32.0 data -64.0 rodata >> +200.0 text +6812.0 >> qemu_arm64 : all +6916 bss -32 data -64 rodata +200 text >> +6812 >>u-boot: add: 28/-17, grow: 12/-16 bytes: 15492/-8304 (7188) >> function old new >> delta >> mbedtls_internal_sha1_process-4540 >> +4540 >> mbedtls_internal_md5_process -2928 >> +2928 >> mbedtls_internal_sha256_process -2052 >>
Re: [PATCH v5 02/27] mbedtls: add mbedtls into the build system
Hi Ilias, On Wed, 14 Aug 2024 at 08:08, Ilias Apalodimas wrote: > Hi Raymond, > > On Wed, 31 Jul 2024 at 20:27, Raymond Mao wrote: > > > > Port mbedtls with adapted libc header files. > > Add mbedtls default config header file. > > Optimize mbedtls default config by disabling unused features to > > reduce the target size. > > Add mbedtls kbuild makefile. > > Add Kconfig skeleton and config submenu entry for selecting > > crypto libraries between mbedtls and legacy ones. > > Add the mbedtls include directories into the build system. > > > > Subsequent patches will separate those Kconfigs into pairs of > > _LEGACY and _MBEDTLS for controlling the implementations of legacy > > crypto libraries and MbedTLS ones respectively. > > > > The motivation of moving and adapting *INT* macros from kernel.h > > to limits.h is to fullfill the MbedTLS building requirement. > > The conditional compilation statements in MbedTLS expects the > > *INT* macros as constant expressions, thus expressions like > > `((int)(~0U >> 1))` will not work. > > > > Prerequisite > > > > > > This patch series requires mbedtls git repo to be added as a > > subtree to the main U-Boot repo via: > > > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > https://github.com/Mbed-TLS/mbedtls.git \ > > v3.6.0 --squash > > > > Moreover, due to the Windows-style files from mbedtls git repo, > > we need to convert the CRLF endings to LF and do a commit manually: > > > > $ git add --renormalize . > > $ git commit > > > > Signed-off-by: Raymond Mao > > --- > > Changes in v2 > > - Disabled unused MbedTLS features to optimize the target size. > > Changes in v3 > > - Removed changes in stdio.h. > > Changes in v4 > > - Move limits.h as a common header file that is included by kernel.h. > > - Refactor the Kconfig to support legacy and MbedTLS options for each > > algorithm. > > - Refactor MbedTLS makefile and default config file to remove unused > > config options and objects. > > Changes in v5 > > - Merged patch #9 of v4 into this patch. > > - Removed unused config MBEDTLS_LIB_TLS. > > - Refactored MbedTLS Makefile and default config file. > > > > Makefile | 6 +++ > > include/limits.h | 29 ++ > > include/linux/kernel.h | 13 +- > > include/stdlib.h | 1 + > > lib/Kconfig | 4 ++ > > lib/Makefile | 2 + > > lib/mbedtls/Kconfig | 47 ++ > > lib/mbedtls/Makefile | 41 +++ > > lib/mbedtls/mbedtls_def_config.h | 69 > > lib/mbedtls/port/assert.h| 12 ++ > > 10 files changed, 212 insertions(+), 12 deletions(-) > > create mode 100644 include/limits.h > > create mode 100644 lib/mbedtls/Kconfig > > create mode 100644 lib/mbedtls/Makefile > > create mode 100644 lib/mbedtls/mbedtls_def_config.h > > create mode 100644 lib/mbedtls/port/assert.h > > > > diff --git a/Makefile b/Makefile > > index 07d7947c8af..fd855dbd5c9 100644 > > --- a/Makefile > > +++ b/Makefile > > @@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g) > > UBOOTINCLUDE:= \ > > -Iinclude \ > > $(if $(KBUILD_SRC), -I$(srctree)/include) \ > > + $(if $(CONFIG_MBEDTLS_LIB), \ > > + "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \ > > + -I$(srctree)/lib/mbedtls \ > > + -I$(srctree)/lib/mbedtls/port \ > > + -I$(srctree)/lib/mbedtls/external/mbedtls \ > > + -I$(srctree)/lib/mbedtls/external/mbedtls/include) \ > > $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \ > > $(if $(CONFIG_HAS_THUMB2), \ > > $(if $(CONFIG_CPU_V7M), \ > > diff --git a/include/limits.h b/include/limits.h > > new file mode 100644 > > index 000..cc691d15650 > > --- /dev/null > > +++ b/include/limits.h > > @@ -0,0 +1,29 @@ > > +/* SPDX-License-Identifier: GPL-2.0+ */ > > +/* > > + * Copyright (c) 2023 Linaro Limited > > + * Author: Raymond Mao > > + */ > > + > > +#ifndef _LIMITS_H > > +#define _LIMITS_H > > + > > +#define INT_MAX 0x7fff > > +#define UINT_MAX 0xUL > > +#define CHAR_BIT8 > > +#define UINT32_MAX 0xUL > > +#define UINT64_MAX 0xUL > > Some of these seem wrong e.g UINT64_MAX should be ULL, etc > Can you keep the original definitions? > > The original definitions cannot work with building MbedTLS. As I stated in the commit message: ``` The conditional compilation statements in MbedTLS expects the *INT* macros as constant expressions, thus expressions like `((int)(~0U >> 1))` will not work. ``` [snip] Raymond
Re: [PATCH v5 00/27] Integrate MbedTLS v3.6 LTS with U-Boot
Hi Tom, On Thu, 1 Aug 2024 at 16:46, Tom Rini wrote: > On Wed, Jul 31, 2024 at 10:25:10AM -0700, Raymond Mao wrote: > > > > Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot. > > > > Motivations: > > > > > > 1. MbedTLS is well maintained with LTS versions. > > 2. LWIP is integrated with MbedTLS and easily to enable HTTPS. > > 3. MbedTLS recently switched license back to GPLv2. > > > > Prerequisite: > > - > > > > This patch series requires mbedtls git repo to be added as a > > subtree to the main U-Boot repo via: > > $ git subtree add --prefix lib/mbedtls/external/mbedtls \ > > https://github.com/Mbed-TLS/mbedtls.git \ > > v3.6.0 --squash > > Moreover, due to the Windows-style files from mbedtls git repo, > > we need to convert the CRLF endings to LF and do a commit manually: > > $ git add --renormalize . > > $ git commit > > > > New Kconfig options: > > > > > > `MBEDTLS_LIB` is for MbedTLS general switch. > > `MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs > with > > MbedTLS. > > `MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1, > > and Pubkey parser with MbedTLS. > > `LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library. > > `LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and > > `LEGACY_CRYPTO_CERT` is for the certificate related functionalities. > > For each of the algorithm, a pair of `_LEGACY` and `_MBEDTLS` > > Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are > > introduced. > > > > In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509 > > are by default enabled in qemu_arm64_defconfig and sandbox_defconfig > > for testing purpose. > > > > Patches for external MbedTLS project: > > - > > > > Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs > > executables which is not supported by MbedTLS at the moment, > > addtional patches for MbedTLS are created to adapt with the EFI loader: > > 1. Decoding of Microsoft Authentication Code. > > 2. Decoding of PKCS#9 Authenticate Attributes. > > 3. Extending MbedTLS PKCS#7 lib to support multiple signer's > certificates. > > 4. MbedTLS native test suites for PKCS#7 signer's info. > > > > All above 4 patches (tagged with `mbedtls/external`) are submitted to > > MbedTLS project and being reviewed, eventually they should be part of > > MbedTLS LTS release. > > But before that, please merge them into U-Boot, otherwise the building > > will be broken when MBEDTLS_LIB_X509 is enabled. > > > > See below PR link for the reference: > > https://github.com/Mbed-TLS/mbedtls/pull/9001 > > > > Miscellaneous: > > -- > > > > Optimized MbedTLS library size by tailoring the config file > > and disabling all unnecessary features for EFI loader. > > From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256, > > sha512) are completely replaced when MbedTLS is enabled. > > From v3, the size-growth is slightly reduced by refactoring Hash > functions. > > > > Target(QEMU arm64) size-growth when enabling MbedTLS: > > v1: 6.03% > > v2: 4.66% > > From v3: 4.55% > > > > Please see the latest output from buildman for size-growth on QEMU arm64, > > Sandbox and Nanopi A64. [1] > > Let us inline the growth on qemu_arm64 for a moment: >aarch64: (for 1/1 boards) all +6916.0 bss -32.0 data -64.0 rodata > +200.0 text +6812.0 > qemu_arm64 : all +6916 bss -32 data -64 rodata +200 text > +6812 >u-boot: add: 28/-17, grow: 12/-16 bytes: 15492/-8304 (7188) > function old new > delta > mbedtls_internal_sha1_process-4540 > +4540 > mbedtls_internal_md5_process -2928 > +2928 > mbedtls_internal_sha256_process -2052 > +2052 > mbedtls_internal_sha512_process -1056 > +1056 > K- 896 > +896 > mbedtls_sha512_finish- 556 > +556 > mbedtls_sha256_finish- 484 > +484 > mbedtls_sha1_finish - 420 > +420 > mbedtls_sha512_start
[PATCH v5 27/27] configs: enable MbedTLS as default setting
Enable MbedTLS as default setting for qemu arm64 Signed-off-by: Raymond Mao --- Changes in v2 - None. Changes in v3 - None. Changes in v4 - None. Changes in v5 - Remove unused config MBEDTLS_LIB_TLS. - Remove EFI_SECURE_BOOT from the default config. configs/qemu_arm64_defconfig | 3 +++ configs/sandbox_defconfig| 3 +++ 2 files changed, 6 insertions(+) diff --git a/configs/qemu_arm64_defconfig b/configs/qemu_arm64_defconfig index 7e166f43908..22d38608842 100644 --- a/configs/qemu_arm64_defconfig +++ b/configs/qemu_arm64_defconfig @@ -67,4 +67,7 @@ CONFIG_TPM2_MMIO=y CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_PCI=y CONFIG_SEMIHOSTING=y +CONFIG_MBEDTLS_LIB=y +CONFIG_MBEDTLS_LIB_CRYPTO=y +CONFIG_MBEDTLS_LIB_X509=y CONFIG_TPM=y diff --git a/configs/sandbox_defconfig b/configs/sandbox_defconfig index 93b52f2de5c..679bbf69936 100644 --- a/configs/sandbox_defconfig +++ b/configs/sandbox_defconfig @@ -343,6 +343,9 @@ CONFIG_FS_CBFS=y CONFIG_FS_CRAMFS=y CONFIG_ADDR_MAP=y CONFIG_CMD_DHRYSTONE=y +CONFIG_MBEDTLS_LIB=y +CONFIG_MBEDTLS_LIB_CRYPTO=y +CONFIG_MBEDTLS_LIB_X509=y CONFIG_ECDSA=y CONFIG_ECDSA_VERIFY=y CONFIG_TPM=y -- 2.25.1
[PATCH v5 26/27] test: Remove ASN1 library test
With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib, So remove it from test. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - None. Changes in v5 - None. test/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Kconfig b/test/Kconfig index e2ec0994a2e..558a9cd49b4 100644 --- a/test/Kconfig +++ b/test/Kconfig @@ -32,7 +32,7 @@ if UT_LIB config UT_LIB_ASN1 bool "Unit test for asn1 compiler and decoder function" - depends on SANDBOX + depends on SANDBOX && !MBEDTLS_LIB_X509 default y imply ASYMMETRIC_KEY_TYPE imply ASYMMETRIC_PUBLIC_KEY_SUBTYPE -- 2.25.1
[PATCH v5 25/27] asn1_decoder: add build options for ASN1 decoder
When building with MbedTLS, we are using MbedTLS to decode ASN1 data for x509, pkcs7 and mscode. Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for ASN1 decoder legacy and MbedTLS implementations respectively. - Update the commit subject. Changes in v5 - Correct kconfig dependence. - Refactored MbedTLS makefile. lib/Makefile | 2 +- lib/mbedtls/Kconfig | 30 ++ lib/mbedtls/Makefile | 2 +- 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index 35b73d8d00c..f0c5b9a9bb4 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -82,7 +82,7 @@ obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ -obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o +obj-$(CONFIG_$(SPL_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index ea306e07ee4..336c5220805 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -117,12 +117,14 @@ endif # LEGACY_CRYPTO_BASIC config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" + select ASN1_DECODER_LEGACY if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER + select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER @@ -131,6 +133,12 @@ config LEGACY_CRYPTO_CERT if LEGACY_CRYPTO_CERT +config ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library" + depends on LEGACY_CRYPTO_CERT && ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library" depends on LEGACY_CRYPTO_CERT && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -172,6 +180,13 @@ config MSCODE_PARSER_LEGACY if SPL +config SPL_ASN1_DECODER_LEGACY + bool "ASN1 decoder with legacy certificate library in SPL" + depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER + help + This option chooses legacy certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY bool "Asymmetric public key crypto with legacy certificate library in SPL" depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -293,12 +308,14 @@ endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" + select ASN1_DECODER_MBEDTLS if ASN1_DECODER select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER + select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER @@ -307,6 +324,12 @@ config MBEDTLS_LIB_X509 if MBEDTLS_LIB_X509 +config ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library" + depends on MBEDTLS_LIB_X509 && ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder. + config ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library" depends on MBEDTLS_LIB_X509 && ASYMMETRIC_PUBLIC_KEY_SUBTYPE @@ -348,6 +371,13 @@ config MSCODE_PARSER_MBEDTLS if SPL +config SPL_ASN1_DECODER_MBEDTLS + bool "ASN1 decoder with MbedTLS certificate library in SPL" + depends on MBEDTLS_LIB_X509 && SPL_ASN1_DECODER + help + This option chooses MbedTLS certificate library for ASN1 decoder in + SPL. + config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS bool "Asymmetric public key crypto with MbedTLS certificate library in SPL" depends on MBEDTLS_LIB_X509 && S
[PATCH v5 24/27] lib/rypto: Adapt rsa_helper to MbedTLS
Previous patch has introduced MbedTLS porting layer for RSA helper, here to adjust the makefile accordingly. Signed-off-by: Raymond Mao Reviewed-by: Ilias Apalodimas --- Changes in v2 - Initial patch. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - None. lib/crypto/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 3caa45dc2a8..72b413d85a9 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -13,7 +13,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser # -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER) += rsa_public_key.o +obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_LEGACY) += rsa_public_key.o rsa_public_key-y := \ rsapubkey.asn1.o \ rsa_helper.o -- 2.25.1
[PATCH v5 23/27] mbedtls: add RSA helper layer on MbedTLS
Add RSA helper layer on top on MbedTLS PK and RSA library. Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - None. Changes in v4 - Introduce _LEGACY and _MBEDTLS kconfigs for RSA helper legacy and MbedTLS implementations respectively. - Remove unnecessary type casting. Changes in v5 - Correct header file include directories. - Correct kconfig dependence. - Kconfig rename. - Refactored MbedTLS makefile. lib/mbedtls/Kconfig | 36 +++ lib/mbedtls/Makefile | 3 +- lib/mbedtls/rsa_helper.c | 95 3 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 lib/mbedtls/rsa_helper.c diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 436fd7d1f94..ea306e07ee4 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -119,11 +119,13 @@ config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" select ASYMMETRIC_PUBLIC_KEY_LEGACY if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_LEGACY if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_LEGACY if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER help Enable legacy certificate libraries. @@ -136,6 +138,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_LEGACY + select ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_LEGACY bool "X.509 certificate parser with legacy certificate library" depends on ASYMMETRIC_PUBLIC_KEY_LEGACY @@ -169,6 +179,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY This option chooses legacy certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY + bool "RSA public key parser with legacy certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY + select SPL_ASN1_DECODER_LEGACY + help + This option chooses legacy certificate library for RSA public key + parser in SPL. + endif # SPL endif # LEGACY_CRYPTO_CERT @@ -277,11 +295,13 @@ config MBEDTLS_LIB_X509 bool "MbedTLS certificate libraries" select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select RSA_PUBLIC_KEY_PARSER_MBEDTLS if RSA_PUBLIC_KEY_PARSER select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \ SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER help Enable MbedTLS certificate libraries. @@ -294,6 +314,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm. +config RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library" + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser. + config X509_CERTIFICATE_PARSER_MBEDTLS bool "X.509 certificate parser with MbedTLS certificate library" depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS @@ -327,6 +355,14 @@ config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS This option chooses MbedTLS certificate library for asymmetric public key crypto algorithm in SPL. +config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS + bool "RSA public key parser with MbedTLS certificate library in SPL" + depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS + select SPL_ASN1_DECODER_MBEDTLS + help + This option chooses MbedTLS certificate library for RSA public key + parser in SPL. + endif # SPL endif # MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 8b1b6a5..40031994708 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -18,6 +18,7 @@ obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) +
[PATCH v5 22/27] lib/crypto: Adapt mscode_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for mscode parser,
here to adjust the header and makefiles accordingly.
Adding _LEGACY Kconfig for legacy mscode implementation.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Add kconfig for legacy mscode parser.
- Correct header file include directories.
include/crypto/mscode.h | 4
lib/crypto/Makefile | 2 +-
lib/mbedtls/Kconfig | 9 +
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h
index 551058b96e6..678e69001b9 100644
--- a/include/crypto/mscode.h
+++ b/include/crypto/mscode.h
@@ -9,6 +9,10 @@
#ifndef __UBOOT__
#include
#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#endif
struct pefile_context {
#ifndef __UBOOT__
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7129315393f..3caa45dc2a8 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -63,7 +63,7 @@ obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
#
# Signed PE binary-wrapped key handling
#
-obj-$(CONFIG_$(SPL_)MSCODE_PARSER) += mscode.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_LEGACY) += mscode.o
mscode-y := \
mscode_parser.o \
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index a80e996fe90..436fd7d1f94 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -121,6 +121,7 @@ config LEGACY_CRYPTO_CERT
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_LEGACY if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -151,6 +152,14 @@ config PKCS7_MESSAGE_PARSER_LEGACY
This option chooses legacy certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_LEGACY
+ bool "MS authenticode parser with legacy certificate library"
+ depends on LEGACY_CRYPTO_CERT && MSCODE_PARSER
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
--
2.25.1
[PATCH v5 21/27] mbedtls: add MSCode parser porting layer
Add porting layer for MSCode on top of MbedTLS ASN1 library.
Introduce _MBEDTLS kconfigs for MSCode MbedTLS implementation.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for MSCode legacy and
MbedTLS implementations respectively.
- Fix a few code style.
Changes in v5
- Correct kconfig dependence.
- Refactored MbedTLS makefile.
- Move mscode legacy kconfig to the next patch.
lib/mbedtls/Kconfig | 9 +++
lib/mbedtls/Makefile| 1 +
lib/mbedtls/mscode_parser.c | 123
3 files changed, 133 insertions(+)
create mode 100644 lib/mbedtls/mscode_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 4a65f6ab488..a80e996fe90 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -270,6 +270,7 @@ config MBEDTLS_LIB_X509
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
+ select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -300,6 +301,14 @@ config PKCS7_MESSAGE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for PKCS7 message
parser.
+config MSCODE_PARSER_MBEDTLS
+ bool "MS authenticode parser with MbedTLS certificate library"
+ depends on MBEDTLS_LIB_X509 && MSCODE_PARSER
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for MS authenticode
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 36eba07bf43..8b1b6a5 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -17,6 +17,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
+obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
diff --git a/lib/mbedtls/mscode_parser.c b/lib/mbedtls/mscode_parser.c
new file mode 100644
index 000..c3805c6503c
--- /dev/null
+++ b/lib/mbedtls/mscode_parser.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * MSCode parser using MbedTLS ASN1 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+
+/*
+ * Parse a Microsoft Individual Code Signing blob
+ *
+ * U.P.SEQUENCE {
+ *U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.311.2.1.15 (SPC_PE_IMAGE_DATA_OBJID)
+ *U.P.SEQUENCE {
+ * U.P.BITSTRING NaN : 0 unused bit(s);
+ * [C.P.0] {
+ * [C.P.2] {
+ * [C.P.0]
+ * }
+ * }
+ *}
+ * }
+ * U.P.SEQUENCE {
+ *U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER
+ * U.P.NULL
+ *}
+ *U.P.OCTETSTRING
+ * }
+ *
+ * @ctx: PE file context.
+ * @content_data: content data pointer.
+ * @data_len: content data length.
+ * @asn1hdrlen: ASN1 header length.
+ */
+int mscode_parse(void *ctx, const void *content_data, size_t data_len,
+size_t asn1hdrlen)
+{
+ struct pefile_context *_ctx = ctx;
+ unsigned char *p = (unsigned char *)content_data;
+ unsigned char *end = (unsigned char *)content_data + data_len;
+ size_t len = 0;
+ int ret;
+ unsigned char *inner_p;
+ size_t seq_len = 0;
+
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+ ret = mbedtls_asn1_get_tag(&inner_p, inner_p + seq_len, &len,
+ MBEDTLS_ASN1_OID);
+ if (ret)
+ return ret;
+
+ /* Sanity check on the PE Image Data OID (1.3.6.1.4.1.311.2.1.15) */
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_MICROSOFT_PEIMAGEDATA, inner_p,
+ len))
+ return -EINVAL;
+
+ p += seq_len;
+ ret = mbedtls_asn1_get_tag(&p, end, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ ret = mbedtls_asn1_get_tag(&p, p + seq_len, &seq_len,
+ MBEDTLS_ASN1_CONSTRUCTED |
+ MBEDTLS_ASN1_SEQUENCE);
+ if (ret)
+ return ret;
+
+ inner_p = p;
+
+ /*
+* Check if the inner sequence contains a supported hash
+* algorithm
[PATCH v5 20/27] lib/crypto: Adapt PKCS7 parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for PKCS7 parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
Changes in v5
- Correct header file include directories.
include/crypto/pkcs7_parser.h | 56 +++
lib/crypto/Makefile | 7 +++--
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
index 2c45cce5234..469c2711fa6 100644
--- a/include/crypto/pkcs7_parser.h
+++ b/include/crypto/pkcs7_parser.h
@@ -11,6 +11,12 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#include
+#endif
#include
#define kenter(FMT, ...) \
@@ -18,7 +24,54 @@
#define kleave(FMT, ...) \
pr_devel("<== %s()"FMT"\n", __func__, ##__VA_ARGS__)
+/* Backup the parsed MedTLS context that we need */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct pkcs7_mbedtls_ctx {
+ void *content_data;
+};
+
+struct pkcs7_sinfo_mbedtls_ctx {
+ void *authattrs_data;
+ void *content_data_digest;
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * MbedTLS PKCS#7 library does not originally support parsing MicroSoft
+ * Authentication Code which is used for verifying the PE image digest.
+ *
+ * 1. Authenticated Attributes (authenticatedAttributes)
+ * MbedTLS assumes unauthenticatedAttributes and authenticatedAttributes
+ * fields not exist.
+ * See MbedTLS function 'pkcs7_get_signer_info' for details.
+ *
+ * 2. MicroSoft Authentication Code (mscode)
+ * MbedTLS only supports Content Data type defined as 1.2.840.113549.1.7.1
+ * (MBEDTLS_OID_PKCS7_DATA, aka OID_data).
+ * 1.3.6.1.4.1.311.2.1.4 (MicroSoft Authentication Code, aka
+ * OID_msIndirectData) is not supported.
+ * See MbedTLS function 'pkcs7_get_content_info_type' for details.
+ *
+ * But the EFI loader assumes that a PKCS#7 message with an EFI image always
+ * contains MicroSoft Authentication Code as Content Data (msg->data is NOT
+ * NULL), see function 'efi_signature_verify'.
+ *
+ * MbedTLS patch
"0002-support-MicroSoft-authentication-code-in-PKCS7-lib.patch"
+ * is to support both above features by parsing the Content Data and
+ * Authenticate Attributes from a given PKCS#7 message.
+ *
+ * Other fields we don't need to populate from MbedTLS, which are used
+ * internally by pkcs7_verify:
+ * 'signer', 'unsupported_crypto', 'blacklisted'
+ * 'sig->digest' is used internally by pkcs7_digest to calculate the hash of
+ * Content Data or Authenticate Attributes.
+ */
struct pkcs7_signed_info {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_sinfo_mbedtls_ctx *mbedtls_ctx;
+#endif
struct pkcs7_signed_info *next;
struct x509_certificate *signer; /* Signing certificate (in msg->certs)
*/
unsignedindex;
@@ -55,6 +108,9 @@ struct pkcs7_signed_info {
};
struct pkcs7_message {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct pkcs7_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *certs; /* Certificate list */
struct x509_certificate *crl; /* Revocation list */
struct pkcs7_signed_info *signed_infos;
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 4302f197297..7129315393f 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -50,15 +50,16 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c
$(obj)/x509_akid.asn1.h
# PKCS#7 message handling
#
obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += pkcs7_message.o
-pkcs7_message-y := \
+pkcs7_message-y := pkcs7_helper.o
+pkcs7_message-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_LEGACY) += \
pkcs7.asn1.o \
- pkcs7_helper.o \
pkcs7_parser.o
-obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
$(obj)/pkcs7_parser.o: $(obj)/pkcs7.asn1.h
$(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
+obj-$(CONFIG_$(SPL_)PKCS7_VERIFY) += pkcs7_verify.o
+
#
# Signed PE binary-wrapped key handling
#
--
2.25.1
[PATCH v5 19/27] mbedtls: add PKCS7 parser porting layer
Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library.
Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
- Fix EFI Capsule CI test failures.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for PKCS7 parser legacy and
MbedTLS implementations respectively.
- Move common functions to helper.
- Fix an unnecessary pointer casting.
Changes in v5
- Refactored MbedTLS makefile.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 3 +-
lib/mbedtls/pkcs7_parser.c | 506 +
3 files changed, 526 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/pkcs7_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 66de9d1c15f..4a65f6ab488 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -120,6 +120,7 @@ config LEGACY_CRYPTO_CERT
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -142,6 +143,14 @@ config X509_CERTIFICATE_PARSER_LEGACY
This option chooses legacy certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_LEGACY
+ bool "PKCS#7 message parser with legacy certificate library"
+ depends on X509_CERTIFICATE_PARSER_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -260,6 +269,7 @@ config MBEDTLS_LIB_X509
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -282,6 +292,14 @@ config X509_CERTIFICATE_PARSER_MBEDTLS
This option chooses MbedTLS certificate library for X509 certificate
parser.
+config PKCS7_MESSAGE_PARSER_MBEDTLS
+ bool "PKCS#7 message parser with MbedTLS certificate library"
+ depends on X509_CERTIFICATE_PARSER_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for PKCS7 message
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index ab64365a99a..36eba07bf43 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -16,6 +16,7 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
x509_cert_parser.o
+obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -49,5 +50,5 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pkcs7.o
diff --git a/lib/mbedtls/pkcs7_parser.c b/lib/mbedtls/pkcs7_parser.c
new file mode 100644
index 000..69ca784858e
--- /dev/null
+++ b/lib/mbedtls/pkcs7_parser.c
@@ -0,0 +1,506 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * PKCS#7 parser using MbedTLS PKCS#7 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+static void pkcs7_free_mbedtls_ctx(struct pkcs7_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->content_data);
+ kfree(ctx);
+ }
+}
+
+static void pkcs7_free_sinfo_mbedtls_ctx(struct pkcs7_sinfo_mbedtls_ctx *ctx)
+{
+ if (ctx) {
+ kfree(ctx->authattrs_data);
+ kfree(ctx->content_data_digest);
+ kfree(ctx);
+ }
+}
+
+/*
+ * Parse Authenticate Attributes
+ * TODO: Shall we consider to integrate decoding of authenticate attribute into
+ * MbedTLS library?
+ *
+ * There are two kinds of structure for the Authenticate Attributes being used
+ * in U-Boot.
+ *
+ * Type 1 - contains in a PE/COFF EFI image:
+ *
+ * [C.P.0] {
+ * U.P.SEQUENCE {
+ * U.P.OBJECTIDENTIFIER 1.2.840.113549.1.9.3 (OID_contentType)
+ * U.P.SET {
+ *U.P.OBJECTIDENTIFIER 1.3.6.1.4.1.
[PATCH v5 18/27] lib/crypto: Adapt x509_cert_parser to MbedTLS
Previous patch has introduced MbedTLS porting layer for x509 cert parser,
here to adjust the header and makefiles accordingly.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- Update commit message.
Changes in v4
- Control building legacy library via '_LEGACY' Kconfig.
- Add function comments for the new APIs.
Changes in v5
- Correct kconfig dependence.
- Correct header file include directories.
- Adjust a few inline comments.
include/crypto/x509_parser.h | 55
lib/crypto/Kconfig | 2 +-
lib/crypto/Makefile | 4 +--
lib/crypto/x509_public_key.c | 2 ++
4 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/crypto/x509_parser.h b/include/crypto/x509_parser.h
index 4cbdc1d6612..0e22e33f66b 100644
--- a/include/crypto/x509_parser.h
+++ b/include/crypto/x509_parser.h
@@ -11,8 +11,35 @@
#include
#include
#include
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include
+#include
+#include
+#endif
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+struct x509_cert_mbedtls_ctx {
+ void*tbs; /* Signed data */
+ void*raw_serial;/* Raw serial number in ASN.1 */
+ void*raw_issuer;/* Raw issuer name in ASN.1 */
+ void*raw_subject; /* Raw subject name in ASN.1 */
+ void*raw_skid; /* Raw subjectKeyId in ASN.1 */
+};
+#endif
+
+/*
+ * MbedTLS integration Notes:
+ *
+ * Fields we don't need to populate from MbedTLS context:
+ * 'raw_sig' and 'raw_sig_size' are buffer for x509_parse_context,
+ * not needed for MbedTLS.
+ * 'signer' and 'seen' are used internally by pkcs7_verify.
+ * 'verified' is not in use.
+ */
struct x509_certificate {
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+ struct x509_cert_mbedtls_ctx *mbedtls_ctx;
+#endif
struct x509_certificate *next;
struct x509_certificate *signer;/* Certificate that signed this
one */
struct public_key *pub; /* Public key details */
@@ -48,6 +75,32 @@ struct x509_certificate {
* x509_cert_parser.c
*/
extern void x509_free_certificate(struct x509_certificate *cert);
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+/**
+ * x509_populate_pubkey() - Populate public key from MbedTLS context
+ *
+ * @cert: Pointer to MbedTLS X509 cert
+ * @pub_key: Pointer to the populated public key handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_pubkey(mbedtls_x509_crt *cert, struct public_key **pub_key);
+/**
+ * x509_populate_cert() - Populate X509 cert from MbedTLS context
+ *
+ * @mbedtls_cert: Pointer to MbedTLS X509 cert
+ * @pcert: Pointer to the populated X509 cert handle
+ * Return: 0 on succcess, error code on failure
+ */
+int x509_populate_cert(mbedtls_x509_crt *mbedtls_cert,
+ struct x509_certificate **pcert);
+/**
+ * x509_get_timestamp() - Translate timestamp from MbedTLS context
+ *
+ * @x509_time: Pointer to MbedTLS time
+ * Return: Time in time64_t format
+ */
+time64_t x509_get_timestamp(const mbedtls_x509_time *x509_time);
+#endif
extern struct x509_certificate *x509_cert_parse(const void *data, size_t
datalen);
extern int x509_decode_time(time64_t *_t, size_t hdrlen,
unsigned char tag,
@@ -56,6 +109,8 @@ extern int x509_decode_time(time64_t *_t, size_t hdrlen,
/*
* x509_public_key.c
*/
+#if !CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
extern int x509_get_sig_params(struct x509_certificate *cert);
+#endif
extern int x509_check_for_self_signed(struct x509_certificate *cert);
#endif /* _X509_PARSER_H */
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index 6e0656ad1c5..6106190677e 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -1,6 +1,6 @@
menuconfig ASYMMETRIC_KEY_TYPE
bool "Asymmetric (public-key cryptographic) key Support"
- depends on FIT_SIGNATURE
+ depends on LEGACY_CRYPTO_CERT || MBEDTLS_LIB_X509
help
This option provides support for a key type that holds the data for
the asymmetric keys used for public key cryptographic operations such
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 7e877214aa8..4302f197297 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -32,11 +32,11 @@ endif
# X.509 Certificate handling
#
obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += x509_key_parser.o
-x509_key_parser-y := \
+x509_key_parser-y := x509_helper.o
+x509_key_parser-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_LEGACY) += \
x509.asn1.o \
x509_akid.asn1.o \
x509_cert_parser.o \
- x509_helper.o \
x509_public_key.o
$(obj)/x509_cert_parser.o: \
diff --git a/lib/crypto/x509_public_key.c b/lib/crypto/x509_public_key.c
index 4ba13c1adc3..310edbd21be 100644
--- a/lib/crypto/x509_public_key.c
++
[PATCH v5 17/27] mbedtls: add X509 cert parser porting layer
Add porting layer for X509 cert parser on top of MbedTLS X509
library.
Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
Signed-off-by: Raymond Mao
---
Changes in v2
- Move the porting layer to MbedTLS dir.
Changes in v3
- None.
Changes in v4
- Introduce _LEGACY and _MBEDTLS kconfigs for X509 cert parser legacy
and MbedTLS implementations respectively.
- Move common functions to helper.
Changes in v5
- Kconfig rename.
- Adjust a few inline comments.
lib/mbedtls/Kconfig| 18 ++
lib/mbedtls/Makefile | 4 +-
lib/mbedtls/x509_cert_parser.c | 447 +
3 files changed, 468 insertions(+), 1 deletion(-)
create mode 100644 lib/mbedtls/x509_cert_parser.c
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index e95b722c6e8..66de9d1c15f 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -119,6 +119,7 @@ config LEGACY_CRYPTO_CERT
bool "legacy certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_LEGACY if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -133,6 +134,14 @@ config ASYMMETRIC_PUBLIC_KEY_LEGACY
This option chooses legacy certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_LEGACY
+ bool "X.509 certificate parser with legacy certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_LEGACY
+ select ASN1_DECODER_LEGACY
+ help
+ This option chooses legacy certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
@@ -250,6 +259,7 @@ config MBEDTLS_LIB_X509
bool "MbedTLS certificate libraries"
select ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
help
@@ -264,6 +274,14 @@ config ASYMMETRIC_PUBLIC_KEY_MBEDTLS
This option chooses MbedTLS certificate library for asymmetric public
key crypto algorithm.
+config X509_CERTIFICATE_PARSER_MBEDTLS
+ bool "X.509 certificate parser with MbedTLS certificate library"
+ depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ select ASN1_DECODER_MBEDTLS
+ help
+ This option chooses MbedTLS certificate library for X509 certificate
+ parser.
+
if SPL
config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 2d2220dd4fd..ab64365a99a 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -14,6 +14,8 @@ obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
# x509 libraries
obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
public_key.o
+obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
+ x509_cert_parser.o
# MbedTLS crypto library
obj-$(CONFIG_MBEDTLS_LIB_CRYPTO) += mbedtls_lib_crypto.o
@@ -44,7 +46,7 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pk.o \
$(MBEDTLS_LIB_DIR)/pk_wrap.o \
$(MBEDTLS_LIB_DIR)/pkparse.o
-mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER) += \
+mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crl.o \
$(MBEDTLS_LIB_DIR)/x509_crt.o
mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER) += \
diff --git a/lib/mbedtls/x509_cert_parser.c b/lib/mbedtls/x509_cert_parser.c
new file mode 100644
index 000..cb42018695c
--- /dev/null
+++ b/lib/mbedtls/x509_cert_parser.c
@@ -0,0 +1,447 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * X509 cert parser using MbedTLS X509 library
+ *
+ * Copyright (c) 2024 Linaro Limited
+ * Author: Raymond Mao
+ */
+
+#include
+#include
+#include
+
+static void x509_free_mbedtls_ctx(struct x509_cert_mbedtls_ctx *ctx)
+{
+ if (!ctx)
+ return;
+
+ kfree(ctx->tbs);
+ kfree(ctx->raw_serial);
+ kfree(ctx->raw_issuer);
+ kfree(ctx->raw_subject);
+ kfree(ctx->raw_skid);
+ kfree(ctx);
+}
+
+static int x509_set_cert_flags(struct x509_certificate *cert)
+{
+ struct public_key_signature *sig = cert->sig;
+
+ if (!sig || !cert->pub) {
+ pr_err("Signature or public key is not initialized\n");
+ return -ENOPKG;
+ }
+
+ if (!cert->pub->pkey_algo)
+ cert->unsupported_key = true;
+
+ if (!sig->pkey_algo)
+ cert->unsupported_sig = true;
+
+ if (!sig->hash_algo)
+ cert->unsupported_sig = true;
+
+ /* TODO
[PATCH v5 16/27] lib/crypto: Adapt public_key header with MbedTLS
Previous patch has introduced MbedTLS porting layer for public key, here to adjust the header and makefiles accordingly. Signed-off-by: Raymond Mao --- Changes in v2 - Move the porting layer to MbedTLS dir. Changes in v3 - Update commit message. Changes in v4 - Control building legacy library via '_LEGACY' Kconfig. Changes in v5 - Correct header file include directories. - Kconfig rename. include/crypto/public_key.h | 6 ++ lib/crypto/Makefile | 5 ++--- lib/crypto/asymmetric_type.c | 2 +- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h index 3ba90fcc348..25cfb68adce 100644 --- a/include/crypto/public_key.h +++ b/include/crypto/public_key.h @@ -12,6 +12,12 @@ #ifdef __UBOOT__ #include +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include +#include +#include +#include +#endif #else #include #endif diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 16059088f26..7e877214aa8 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -7,9 +7,8 @@ obj-$(CONFIG_$(SPL_)ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o asymmetric_keys-y := asymmetric_type.o -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += \ - public_key_helper.o \ - public_key.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key_helper.o +obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_LEGACY) += public_key.o # # RSA public key parser diff --git a/lib/crypto/asymmetric_type.c b/lib/crypto/asymmetric_type.c index 24c2d15ef97..95b82cd8e84 100644 --- a/lib/crypto/asymmetric_type.c +++ b/lib/crypto/asymmetric_type.c @@ -12,7 +12,6 @@ #include #include #endif -#include #ifdef __UBOOT__ #include #include @@ -26,6 +25,7 @@ #include #include #endif +#include #ifdef __UBOOT__ #include #else -- 2.25.1
