On Sat, 17 Aug 2024 at 00:46, Raymond Mao <raymond....@linaro.org> wrote:
>
> Adapt digest header files to support both original libs and MbedTLS
> by switching on/off MBEDTLS_LIB_CRYPTO.
> Introduce <alg>_LEGACY kconfig for legacy hash implementations.
>
> `IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
> including <linux/kconfig.h> causes undefined reference on schedule()
> with sandbox build, as <linux/kconfig.h> includes <generated/autoconf.h>
> which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule()
> are defined in sandbox build,
> Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.
>
> Signed-off-by: Raymond Mao <raymond....@linaro.org>
> ---
> Changes in v2
> - Initial patch.
> Changes in v3
> - Remove the changes that were done in previous clean-up patch set.
> Changes in v4
> - Introduce <alg>_LEGACY kconfig for legacy hash implementations.
> Changes in v5
> - Correct header file include directories.
> - Correct kconfig dependence.
> Changes in v6
> - Update commit message.
> - Rebased on next branch.
>
> include/u-boot/md5.h | 7 ++++
> include/u-boot/sha1.h | 21 +++++++++-
> include/u-boot/sha256.h | 20 +++++++++
> include/u-boot/sha512.h | 9 ++++
> lib/Makefile | 10 +++--
> lib/mbedtls/Kconfig | 91 +++++++++++++++++++++++++++++++++++++++++
> 6 files changed, 153 insertions(+), 5 deletions(-)
>
> diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h
> index c465925ea8d..69898fcbe49 100644
> --- a/include/u-boot/md5.h
> +++ b/include/u-boot/md5.h
> @@ -6,10 +6,16 @@
> #ifndef _MD5_H
> #define _MD5_H
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <mbedtls/md5.h>
> +#endif
> #include "compiler.h"
>
> #define MD5_SUM_LEN 16
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_md5_context MD5Context;
> +#else
> typedef struct MD5Context {
> __u32 buf[4];
> __u32 bits[2];
> @@ -18,6 +24,7 @@ typedef struct MD5Context {
> __u32 in32[16];
> };
> } MD5Context;
> +#endif
>
> void MD5Init(MD5Context *ctx);
> void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len);
> diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
> index c1e9f67068d..ab88134fb98 100644
> --- a/include/u-boot/sha1.h
> +++ b/include/u-boot/sha1.h
> @@ -16,6 +16,21 @@
>
> #include <linux/types.h>
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
nit, this probably belongs on the mbedTLS config file, so you wont
have to define for all checksum algorithms
> +
> +#include <mbedtls/sha1.h>
> +#endif
> +
> #ifdef __cplusplus
> extern "C" {
> #endif
> @@ -26,6 +41,9 @@ extern "C" {
>
> extern const uint8_t sha1_der_prefix[];
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha1_context sha1_context;
> +#else
> /**
> * \brief SHA-1 context structure
> */
> @@ -36,13 +54,14 @@ typedef struct
> unsigned char buffer[64]; /*!< data block being processed */
> }
> sha1_context;
> +#endif
>
> /**
> * \brief SHA-1 context setup
> *
> * \param ctx SHA-1 context to be initialized
> */
> -void sha1_starts( sha1_context *ctx );
> +void sha1_starts(sha1_context *ctx);
>
> /**
> * \brief SHA-1 process buffer
> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
> index a4fe176c0b4..b58d5b58d39 100644
> --- a/include/u-boot/sha256.h
> +++ b/include/u-boot/sha256.h
> @@ -3,6 +3,22 @@
>
> #include <linux/types.h>
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +/*
> + * FIXME:
> + * MbedTLS define the members of "mbedtls_sha256_context" as private,
> + * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access.
> + * Directly including <external/mbedtls/library/common.h> is not allowed,
> + * since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#include <mbedtls/sha256.h>
> +#endif
> +
> +#define SHA224_SUM_LEN 28
> #define SHA256_SUM_LEN 32
> #define SHA256_DER_LEN 19
>
> @@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[];
> /* Reset watchdog each time we process this many bytes */
> #define CHUNKSZ_SHA256 (64 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha256_context sha256_context;
> +#else
> typedef struct {
> uint32_t total[2];
> uint32_t state[8];
> uint8_t buffer[64];
> } sha256_context;
> +#endif
>
> void sha256_starts(sha256_context * ctx);
> void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t
> length);
> diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h
> index 83c2119cd26..7e10f590a1d 100644
> --- a/include/u-boot/sha512.h
> +++ b/include/u-boot/sha512.h
> @@ -3,6 +3,10 @@
>
> #include <linux/types.h>
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +#include <mbedtls/sha512.h>
> +#endif
> +
> #define SHA384_SUM_LEN 48
> #define SHA384_DER_LEN 19
> #define SHA512_SUM_LEN 64
> @@ -12,11 +16,16 @@
> #define CHUNKSZ_SHA384 (16 * 1024)
> #define CHUNKSZ_SHA512 (16 * 1024)
>
> +#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
> +typedef mbedtls_sha512_context sha384_context;
> +typedef mbedtls_sha512_context sha512_context;
> +#else
> typedef struct {
> uint64_t state[SHA512_SUM_LEN / 8];
> uint64_t count[2];
> uint8_t buf[SHA512_BLOCK_SIZE];
> } sha512_context;
> +#endif
>
> extern const uint8_t sha512_der_prefix[];
>
> diff --git a/lib/Makefile b/lib/Makefile
> index e1ab8dfd503..617f5a55de0 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -71,14 +71,16 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o
> obj-y += crypto/
>
> obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/
> -obj-$(CONFIG_$(SPL_)MD5) += md5.o
> obj-$(CONFIG_ECDSA) += ecdsa/
> obj-$(CONFIG_$(SPL_)RSA) += rsa/
> obj-$(CONFIG_HASH) += hash-checksum.o
> obj-$(CONFIG_BLAKE2) += blake2/blake2b.o
> -obj-$(CONFIG_$(SPL_)SHA1) += sha1.o
> -obj-$(CONFIG_$(SPL_)SHA256) += sha256.o
> -obj-$(CONFIG_$(SPL_)SHA512) += sha512.o
> +
> +obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o
> +obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o
> +obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o
> +obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o
> +
> obj-$(CONFIG_CRYPT_PW) += crypt/
> obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 3e9057f1acf..efae2c4fd72 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -21,9 +21,100 @@ if LEGACY_CRYPTO
>
> config LEGACY_CRYPTO_BASIC
> bool "legacy basic crypto libraries"
> + select MD5_LEGACY if MD5
> + select SHA1_LEGACY if SHA1
> + select SHA256_LEGACY if SHA256
> + select SHA512_LEGACY if SHA512
> + select SHA384_LEGACY if SHA384
> + select SPL_MD5_LEGACY if SPL_MD5
> + select SPL_SHA1_LEGACY if SPL_SHA1
> + select SPL_SHA256_LEGACY if SPL_SHA256
> + select SPL_SHA512_LEGACY if SPL_SHA512
> + select SPL_SHA384_LEGACY if SPL_SHA384
> help
> Enable legacy basic crypto libraries.
>
> +if LEGACY_CRYPTO_BASIC
> +
> +config SHA1_LEGACY
> + bool "Enable SHA1 support with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SHA1
> + help
> + This option enables support of hashing using SHA1 algorithm
> + with legacy crypto library.
> +
> +config SHA256_LEGACY
> + bool "Enable SHA256 support with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SHA256
> + help
> + This option enables support of hashing using SHA256 algorithm
> + with legacy crypto library.
> +
> +config SHA512_LEGACY
> + bool "Enable SHA512 support with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SHA512
> + default y if TI_SECURE_DEVICE && FIT_SIGNATURE
> + help
> + This option enables support of hashing using SHA512 algorithm
> + with legacy crypto library.
> +
> +config SHA384_LEGACY
> + bool "Enable SHA384 support with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SHA384
> + select SHA512_LEGACY
> + help
> + This option enables support of hashing using SHA384 algorithm
> + with legacy crypto library.
> +
> +config MD5_LEGACY
> + bool "Enable MD5 support with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && MD5
> + help
> + This option enables support of hashing using MD5 algorithm
> + with legacy crypto library.
> +
> +if SPL
> +
> +config SPL_SHA1_LEGACY
> + bool "Enable SHA1 support in SPL with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
> + help
> + This option enables support of hashing using SHA1 algorithm
> + with legacy crypto library.
> +
> +config SPL_SHA256_LEGACY
> + bool "Enable SHA256 support in SPL with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
> + help
> + This option enables support of hashing using SHA256 algorithm
> + with legacy crypto library.
> +
> +config SPL_SHA512_LEGACY
> + bool "Enable SHA512 support in SPL with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
> + help
> + This option enables support of hashing using SHA512 algorithm
> + with legacy crypto library.
> +
> +config SPL_SHA384_LEGACY
> + bool "Enable SHA384 support in SPL with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
> + select SPL_SHA512_LEGACY
> + help
> + This option enables support of hashing using SHA384 algorithm
> + with legacy crypto library.
> +
> +config SPL_MD5_LEGACY
> + bool "Enable MD5 support in SPL with legacy crypto library"
> + depends on LEGACY_CRYPTO_BASIC && SPL_MD5
> + help
> + This option enables support of hashing using MD5 algorithm
> + with legacy crypto library.
> +
> +endif # SPL
> +
> +endif # LEGACY_CRYPTO_BASIC
> +
> config LEGACY_CRYPTO_CERT
> bool "legacy certificate libraries"
> help
> --
> 2.25.1
>
Reviewed-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
