Re: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
On Tue, Jul 02, 2024 at 08:02:37PM -0400, Raymond Mao wrote: > Hi Tom, > > On Tue, 2 Jul 2024 at 18:48, Tom Rini wrote: > > > On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote: > > > > > Adapt digest header files to support both original libs and MbedTLS > > > by switching on/off MBEDTLS_LIB_CRYPTO. > > > Introduce _LEGACY kconfig for legacy hash implementations. > > [snip] > > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > > > index 3e9057f1acf..6662a9d20f1 100644 > > > --- a/lib/mbedtls/Kconfig > > > +++ b/lib/mbedtls/Kconfig > > > @@ -21,9 +21,105 @@ if LEGACY_CRYPTO > > > > > > config LEGACY_CRYPTO_BASIC > > > bool "legacy basic crypto libraries" > > > + select MD5_LEGACY if MD5 > > > + select SHA1_LEGACY if SHA1 > > > + select SHA256_LEGACY if SHA256 > > > + select SHA512_LEGACY if SHA512 > > > + select SHA384_LEGACY if SHA384 > > > + select SPL_MD5_LEGACY if MD5 && SPL > > > + select SPL_SHA1_LEGACY if SHA1 && SPL > > > + select SPL_SHA256_LEGACY if SHA256 && SPL > > > + select SPL_SHA512_LEGACY if SHA512 && SPL > > > + select SPL_SHA384_LEGACY if SHA384 && SPL > > > help > > > Enable legacy basic crypto libraries. > > > > > > +if LEGACY_CRYPTO_BASIC > > > + > > > +config SHA1_LEGACY > > > + bool "Enable SHA1 support with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SHA1 > > > + help > > > + This option enables support of hashing using SHA1 algorithm > > > + with legacy crypto library. > > > + > > > +config SHA256_LEGACY > > > + bool "Enable SHA256 support with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SHA256 > > > + help > > > + This option enables support of hashing using SHA256 algorithm > > > + with legacy crypto library. > > > + > > > +config SHA512_LEGACY > > > + bool "Enable SHA512 support with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SHA512 > > > + default y if TI_SECURE_DEVICE && FIT_SIGNATURE > > > + help > > > + This option enables support of hashing using SHA512 algorithm > > > + with legacy crypto library. > > > + > > > +config SHA384_LEGACY > > > + bool "Enable SHA384 support with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SHA384 > > > + select SHA512_LEGACY > > > + help > > > + This option enables support of hashing using SHA384 algorithm > > > + with legacy crypto library. > > > + > > > +config MD5_LEGACY > > > + bool "Enable MD5 support with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && MD5 > > > + help > > > + This option enables support of hashing using MD5 algorithm > > > + with legacy crypto library. > > > + > > > +if SPL > > > + > > > +config SPL_SHA1_LEGACY > > > + bool "Enable SHA1 support in SPL with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1 > > > + default y if SHA1 && LEGACY_CRYPTO_BASIC > > > + help > > > + This option enables support of hashing using SHA1 algorithm > > > + with legacy crypto library. > > > + > > > +config SPL_SHA256_LEGACY > > > + bool "Enable SHA256 support in SPL with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256 > > > + default y if SHA256 && LEGACY_CRYPTO_BASIC > > > + help > > > + This option enables support of hashing using SHA256 algorithm > > > + with legacy crypto library. > > > + > > > +config SPL_SHA512_LEGACY > > > + bool "Enable SHA512 support in SPL with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512 > > > + default y if SHA512 && LEGACY_CRYPTO_BASIC > > > + help > > > + This option enables support of hashing using SHA512 algorithm > > > + with legacy crypto library. > > > + > > > +config SPL_SHA384_LEGACY > > > + bool "Enable SHA384 support in SPL with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384 > > > + default y if SHA384 && LEGACY_CRYPTO_BASIC > > > + select SPL_SHA512 > > > + help > > > + This option enables support of hashing using SHA384 algorithm > > > + with legacy crypto library. > > > + > > > +config SPL_MD5_LEGACY > > > + bool "Enable MD5 support in SPL with legacy crypto library" > > > + depends on LEGACY_CRYPTO_BASIC && SPL_MD5 > > > + default y if MD5 && LEGACY_CRYPTO_BASIC > > > + help > > > + This option enables support of hashing using MD5 algorithm > > > + with legacy crypto library. > > > + > > > +endif # SPL > > > + > > > +endif # LEGACY_CRYPTO_BASIC > > > + > > > config LEGACY_CRYPTO_CERT > > > bool "legacy certificate libraries" > > > help > > > > This is all certainly moving in the right direction, but there's > > dependency issues: > >aarch64: w+ xilinx_zynqmp_kria > > +(xilinx_zynqmp_kria) > > +(xilinx_zynqmp_kria)
Re: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
Hi Tom, On Tue, 2 Jul 2024 at 18:48, Tom Rini wrote: > On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote: > > > Adapt digest header files to support both original libs and MbedTLS > > by switching on/off MBEDTLS_LIB_CRYPTO. > > Introduce _LEGACY kconfig for legacy hash implementations. > [snip] > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > > index 3e9057f1acf..6662a9d20f1 100644 > > --- a/lib/mbedtls/Kconfig > > +++ b/lib/mbedtls/Kconfig > > @@ -21,9 +21,105 @@ if LEGACY_CRYPTO > > > > config LEGACY_CRYPTO_BASIC > > bool "legacy basic crypto libraries" > > + select MD5_LEGACY if MD5 > > + select SHA1_LEGACY if SHA1 > > + select SHA256_LEGACY if SHA256 > > + select SHA512_LEGACY if SHA512 > > + select SHA384_LEGACY if SHA384 > > + select SPL_MD5_LEGACY if MD5 && SPL > > + select SPL_SHA1_LEGACY if SHA1 && SPL > > + select SPL_SHA256_LEGACY if SHA256 && SPL > > + select SPL_SHA512_LEGACY if SHA512 && SPL > > + select SPL_SHA384_LEGACY if SHA384 && SPL > > help > > Enable legacy basic crypto libraries. > > > > +if LEGACY_CRYPTO_BASIC > > + > > +config SHA1_LEGACY > > + bool "Enable SHA1 support with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SHA1 > > + help > > + This option enables support of hashing using SHA1 algorithm > > + with legacy crypto library. > > + > > +config SHA256_LEGACY > > + bool "Enable SHA256 support with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SHA256 > > + help > > + This option enables support of hashing using SHA256 algorithm > > + with legacy crypto library. > > + > > +config SHA512_LEGACY > > + bool "Enable SHA512 support with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SHA512 > > + default y if TI_SECURE_DEVICE && FIT_SIGNATURE > > + help > > + This option enables support of hashing using SHA512 algorithm > > + with legacy crypto library. > > + > > +config SHA384_LEGACY > > + bool "Enable SHA384 support with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SHA384 > > + select SHA512_LEGACY > > + help > > + This option enables support of hashing using SHA384 algorithm > > + with legacy crypto library. > > + > > +config MD5_LEGACY > > + bool "Enable MD5 support with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && MD5 > > + help > > + This option enables support of hashing using MD5 algorithm > > + with legacy crypto library. > > + > > +if SPL > > + > > +config SPL_SHA1_LEGACY > > + bool "Enable SHA1 support in SPL with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1 > > + default y if SHA1 && LEGACY_CRYPTO_BASIC > > + help > > + This option enables support of hashing using SHA1 algorithm > > + with legacy crypto library. > > + > > +config SPL_SHA256_LEGACY > > + bool "Enable SHA256 support in SPL with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256 > > + default y if SHA256 && LEGACY_CRYPTO_BASIC > > + help > > + This option enables support of hashing using SHA256 algorithm > > + with legacy crypto library. > > + > > +config SPL_SHA512_LEGACY > > + bool "Enable SHA512 support in SPL with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512 > > + default y if SHA512 && LEGACY_CRYPTO_BASIC > > + help > > + This option enables support of hashing using SHA512 algorithm > > + with legacy crypto library. > > + > > +config SPL_SHA384_LEGACY > > + bool "Enable SHA384 support in SPL with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384 > > + default y if SHA384 && LEGACY_CRYPTO_BASIC > > + select SPL_SHA512 > > + help > > + This option enables support of hashing using SHA384 algorithm > > + with legacy crypto library. > > + > > +config SPL_MD5_LEGACY > > + bool "Enable MD5 support in SPL with legacy crypto library" > > + depends on LEGACY_CRYPTO_BASIC && SPL_MD5 > > + default y if MD5 && LEGACY_CRYPTO_BASIC > > + help > > + This option enables support of hashing using MD5 algorithm > > + with legacy crypto library. > > + > > +endif # SPL > > + > > +endif # LEGACY_CRYPTO_BASIC > > + > > config LEGACY_CRYPTO_CERT > > bool "legacy certificate libraries" > > help > > This is all certainly moving in the right direction, but there's > dependency issues: >aarch64: w+ xilinx_zynqmp_kria > +(xilinx_zynqmp_kria) > +(xilinx_zynqmp_kria) WARNING: unmet direct dependencies detected for > SPL_MD5_LEGACY > +(xilinx_zynqmp_kria) Depends on [n]: LEGACY_CRYPTO [=y] && SPL [=y] && > LEGACY_CRYPTO_BASIC [=y] && SPL_MD5 [=n] > +(xilinx_zynqmp_kria) Selected by [y]: > +(xilinx_zynqmp_kria) - LEGACY_CRYPTO_BASIC [=y] && LEGACY_CRYPTO [=y] > && MD5 [=y]
Re: [PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
On Tue, Jul 02, 2024 at 11:22:40AM -0700, Raymond Mao wrote: > Adapt digest header files to support both original libs and MbedTLS > by switching on/off MBEDTLS_LIB_CRYPTO. > Introduce _LEGACY kconfig for legacy hash implementations. [snip] > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > index 3e9057f1acf..6662a9d20f1 100644 > --- a/lib/mbedtls/Kconfig > +++ b/lib/mbedtls/Kconfig > @@ -21,9 +21,105 @@ if LEGACY_CRYPTO > > config LEGACY_CRYPTO_BASIC > bool "legacy basic crypto libraries" > + select MD5_LEGACY if MD5 > + select SHA1_LEGACY if SHA1 > + select SHA256_LEGACY if SHA256 > + select SHA512_LEGACY if SHA512 > + select SHA384_LEGACY if SHA384 > + select SPL_MD5_LEGACY if MD5 && SPL > + select SPL_SHA1_LEGACY if SHA1 && SPL > + select SPL_SHA256_LEGACY if SHA256 && SPL > + select SPL_SHA512_LEGACY if SHA512 && SPL > + select SPL_SHA384_LEGACY if SHA384 && SPL > help > Enable legacy basic crypto libraries. > > +if LEGACY_CRYPTO_BASIC > + > +config SHA1_LEGACY > + bool "Enable SHA1 support with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SHA1 > + help > + This option enables support of hashing using SHA1 algorithm > + with legacy crypto library. > + > +config SHA256_LEGACY > + bool "Enable SHA256 support with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SHA256 > + help > + This option enables support of hashing using SHA256 algorithm > + with legacy crypto library. > + > +config SHA512_LEGACY > + bool "Enable SHA512 support with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SHA512 > + default y if TI_SECURE_DEVICE && FIT_SIGNATURE > + help > + This option enables support of hashing using SHA512 algorithm > + with legacy crypto library. > + > +config SHA384_LEGACY > + bool "Enable SHA384 support with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SHA384 > + select SHA512_LEGACY > + help > + This option enables support of hashing using SHA384 algorithm > + with legacy crypto library. > + > +config MD5_LEGACY > + bool "Enable MD5 support with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && MD5 > + help > + This option enables support of hashing using MD5 algorithm > + with legacy crypto library. > + > +if SPL > + > +config SPL_SHA1_LEGACY > + bool "Enable SHA1 support in SPL with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1 > + default y if SHA1 && LEGACY_CRYPTO_BASIC > + help > + This option enables support of hashing using SHA1 algorithm > + with legacy crypto library. > + > +config SPL_SHA256_LEGACY > + bool "Enable SHA256 support in SPL with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256 > + default y if SHA256 && LEGACY_CRYPTO_BASIC > + help > + This option enables support of hashing using SHA256 algorithm > + with legacy crypto library. > + > +config SPL_SHA512_LEGACY > + bool "Enable SHA512 support in SPL with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512 > + default y if SHA512 && LEGACY_CRYPTO_BASIC > + help > + This option enables support of hashing using SHA512 algorithm > + with legacy crypto library. > + > +config SPL_SHA384_LEGACY > + bool "Enable SHA384 support in SPL with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384 > + default y if SHA384 && LEGACY_CRYPTO_BASIC > + select SPL_SHA512 > + help > + This option enables support of hashing using SHA384 algorithm > + with legacy crypto library. > + > +config SPL_MD5_LEGACY > + bool "Enable MD5 support in SPL with legacy crypto library" > + depends on LEGACY_CRYPTO_BASIC && SPL_MD5 > + default y if MD5 && LEGACY_CRYPTO_BASIC > + help > + This option enables support of hashing using MD5 algorithm > + with legacy crypto library. > + > +endif # SPL > + > +endif # LEGACY_CRYPTO_BASIC > + > config LEGACY_CRYPTO_CERT > bool "legacy certificate libraries" > help This is all certainly moving in the right direction, but there's dependency issues: aarch64: w+ xilinx_zynqmp_kria +(xilinx_zynqmp_kria) +(xilinx_zynqmp_kria) WARNING: unmet direct dependencies detected for SPL_MD5_LEGACY +(xilinx_zynqmp_kria) Depends on [n]: LEGACY_CRYPTO [=y] && SPL [=y] && LEGACY_CRYPTO_BASIC [=y] && SPL_MD5 [=n] +(xilinx_zynqmp_kria) Selected by [y]: +(xilinx_zynqmp_kria) - LEGACY_CRYPTO_BASIC [=y] && LEGACY_CRYPTO [=y] && MD5 [=y] && SPL [=y] Annoyingly I was not able to previously figure out how to make such problems a fatal error, but if you look at the output from each of the world build CI steps you'll see a lot of hits for "WARNING: unmet direct dependencies" and that'll help you track down which are where and what to do
[PATCH v4 04/29] lib: Adapt digest header files to MbedTLS
Adapt digest header files to support both original libs and MbedTLS by switching on/off MBEDTLS_LIB_CRYPTO. Introduce _LEGACY kconfig for legacy hash implementations. FIXME: `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since including causes undefined reference on schedule() with sandbox build. As includes which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are defined in sandbox build. `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround. Signed-off-by: Raymond Mao --- Changes in v2 - Initial patch. Changes in v3 - Remove the changes that were done in previous clean-up patch set. Changes in v4 - Introduce _LEGACY kconfig for legacy hash implementations. - Minor fix of the include directories. include/u-boot/md5.h| 7 +++ include/u-boot/sha1.h | 21 - include/u-boot/sha256.h | 20 + include/u-boot/sha512.h | 22 -- lib/Makefile| 10 +++-- lib/mbedtls/Kconfig | 96 + 6 files changed, 168 insertions(+), 8 deletions(-) diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index c465925ea8d..69898fcbe49 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -6,10 +6,16 @@ #ifndef _MD5_H #define _MD5_H +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif #include "compiler.h" #define MD5_SUM_LEN16 +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_md5_context MD5Context; +#else typedef struct MD5Context { __u32 buf[4]; __u32 bits[2]; @@ -18,6 +24,7 @@ typedef struct MD5Context { __u32 in32[16]; }; } MD5Context; +#endif void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index c1e9f67068d..ab88134fb98 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -16,6 +16,21 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + #ifdef __cplusplus extern "C" { #endif @@ -26,6 +41,9 @@ extern "C" { extern const uint8_t sha1_der_prefix[]; +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha1_context sha1_context; +#else /** * \brief SHA-1 context structure */ @@ -36,13 +54,14 @@ typedef struct unsigned char buffer[64]; /*!< data block being processed */ } sha1_context; +#endif /** * \brief SHA-1 context setup * * \param ctx SHA-1 context to be initialized */ -void sha1_starts( sha1_context *ctx ); +void sha1_starts(sha1_context *ctx); /** * \brief SHA-1 process buffer diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index a4fe176c0b4..b58d5b58d39 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -3,6 +3,22 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/* + * FIXME: + * MbedTLS define the members of "mbedtls_sha256_context" as private, + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access. + * Directly including is not allowed, + * since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#include +#endif + +#define SHA224_SUM_LEN 28 #define SHA256_SUM_LEN 32 #define SHA256_DER_LEN 19 @@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha256_context sha256_context; +#else typedef struct { uint32_t total[2]; uint32_t state[8]; uint8_t buffer[64]; } sha256_context; +#endif void sha256_starts(sha256_context * ctx); void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h index 90bd96a3f8c..2b5a21a7c70 100644 --- a/include/u-boot/sha512.h +++ b/include/u-boot/sha512.h @@ -3,6 +3,10 @@ #include +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include +#endif + #define SHA384_SUM_LEN 48 #define SHA384_DER_LEN 19 #define SHA512_SUM_LEN 64 @@ -12,11 +16,16 @@ #define CHUNKSZ_SHA384 (16 * 1024) #define CHUNKSZ_SHA512 (16 * 1024) +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha512_context sha384_context; +typedef mbedtls_sha512_context sha512_context; +#else typedef struct { uint64_t state[SHA512_SUM_LEN / 8]; uint64_t count[2]; uint8_t buf[SHA512_BLOCK_SIZE]; }