Hi Ilias,
On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas ilias.apalodimas@linaro.org wrote:
Hi Raymond,
On Fri, 18 Oct 2024 at 17:39, Raymond Mao raymond.mao@linaro.org wrote:
Hi Ilias,
On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <
ilias.apalodimas@linaro.org> wrote:
Since lwIP and mbedTLS have been merged we can tweak the config options and enable TLS1.2 support. Add RSA and ECDSA by default and enable enough block cipher modes of operation to be comatible with modern TLS requirements and webservers
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org
lib/mbedtls/Kconfig | 12 ++++++++ lib/mbedtls/Makefile | 33 +++++++++++++++++++- lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index d71adc3648ad..f3e172633999 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -430,4 +430,16 @@ endif # SPL
endif # MBEDTLS_LIB_X509
+config MBEDTLS_LIB_TLS
bool "MbedTLS TLS library"depends on RSA_PUBLIC_KEY_PARSER_MBEDTLSdepends on X509_CERTIFICATE_PARSER_MBEDTLSdepends on ASYMMETRIC_PUBLIC_KEY_MBEDTLSdepends on ASN1_DECODER_MBEDTLSdepends on ASYMMETRIC_PUBLIC_KEY_MBEDTLSdepends on MBEDTLS_LIB_CRYPTOhelpEnable MbedTLS TLS library. If enabled HTTPs support will beenabled
in wgetendif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 83cb3c2fa705..845284799a11 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o mbedtls_lib_crypto-y := \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \
$(MBEDTLS_LIB_DIR)/md.o
$(MBEDTLS_LIB_DIR)/md.o \$(MBEDTLS_LIB_DIR)/entropy.o \$(MBEDTLS_LIB_DIR)/entropy_poll.o \$(MBEDTLS_LIB_DIR)/aes.o \$(MBEDTLS_LIB_DIR)/cipher.o \$(MBEDTLS_LIB_DIR)/cipher_wrap.o \$(MBEDTLS_LIB_DIR)/ecdh.o \$(MBEDTLS_LIB_DIR)/ecdsa.o \$(MBEDTLS_LIB_DIR)/ecp.o \$(MBEDTLS_LIB_DIR)/ecp_curves.o \$(MBEDTLS_LIB_DIR)/ecp_curves_new.o \$(MBEDTLS_LIB_DIR)/gcm.o \I think we should move these to mbedtls_lib_tls.o and add the U-Boot
Kconfig
control if it exists. Take ECDSA for example: mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
Fair enough, but ECDSA is the only one that exists atm. I can move that there, but I don't think we should create a Kconfig option per object file. Those are mbedTLS internals dependencies to enable TLS1.2. Perhaps only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
I agree. We can move ECDSA and AES with Kconfig control and keep others
as-is at the moment.
mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
$(MBEDTLS_LIB_DIR)/md5.o
mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
$(MBEDTLS_LIB_DIR)/sha1.o
mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ @@ -54,3 +66,22 @@
mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crt.ombedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o
+#mbedTLS TLS support +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o +mbedtls_lib_tls-y := \
$(MBEDTLS_LIB_DIR)/mps_reader.o \$(MBEDTLS_LIB_DIR)/mps_trace.o \$(MBEDTLS_LIB_DIR)/net_sockets.o \$(MBEDTLS_LIB_DIR)/pk_ecc.o \$(MBEDTLS_LIB_DIR)/ssl_cache.o \$(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \$(MBEDTLS_LIB_DIR)/ssl_client.o \$(MBEDTLS_LIB_DIR)/ssl_cookie.o \$(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \$(MBEDTLS_LIB_DIR)/ssl_msg.o \$(MBEDTLS_LIB_DIR)/ssl_ticket.o \$(MBEDTLS_LIB_DIR)/ssl_tls.o \$(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \$(MBEDTLS_LIB_DIR)/hmac_drbg.o \$(MBEDTLS_LIB_DIR)/ctr_drbg.o \Ditto, add the U-Boot Kconfig control if it exists.
None of these don't make sense to be a U-Boot Kconfig. They are mbedTLS internal to enable TLS1.2 support.
I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series. I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.
[snip]
Regards, Raymond