Re: [PATCH v8 02/27] mbedtls: add mbedtls into the build system

11 Oct 2024

Hi Ilias,
On Wed, 9 Oct 2024 at 06:14, Ilias Apalodimas ilias.apalodimas@linaro.org
wrote:
...
Hi Raymond
On Fri, 4 Oct 2024 at 00:52, Raymond Mao raymond.mao@linaro.org wrote:
...
Port mbedtls with adapted libc header files.
Add mbedtls default config header file.
Optimize mbedtls default config by disabling unused features to
reduce the target size.
Add mbedtls kbuild makefile.
Add Kconfig skeleton and config submenu entry for selecting
crypto libraries between mbedtls and legacy ones.
Add the mbedtls include directories into the build system.
Port u-boot hash functions as MbedTLS crypto alternatives and set
it as default.
Subsequent patches will separate those Kconfigs into pairs of
_LEGACY and _MBEDTLS for controlling the implementations of legacy
crypto libraries and MbedTLS ones respectively.
The motivation of moving and adapting *INT* macros from kernel.h
to limits.h is to fullfill the MbedTLS building requirement.
The conditional compilation statements in MbedTLS expects the
*INT* macros as constant expressions, thus expressions like
`((int)(~0U >> 1))` will not work.
Prerequisite
This patch series requires mbedtls git repo to be added as a
subtree to the main U-Boot repo via:
$ git subtree add --prefix lib/mbedtls/external/mbedtls \
      https://github.com/Mbed-TLS/mbedtls.git \
      v3.6.0 --squash
Moreover, due to the Windows-style files from mbedtls git repo,
we need to convert the CRLF endings to LF and do a commit manually:
$ git add --renormalize .
$ git commit
Signed-off-by: Raymond Mao raymond.mao@linaro.org
Changes in v2

Disabled unused MbedTLS features to optimize the target size.

Changes in v3

Removed changes in stdio.h.

Changes in v4

Move limits.h as a common header file that is included by kernel.h.
Refactor the Kconfig to support legacy and MbedTLS options for each
algorithm.
Refactor MbedTLS makefile and default config file to remove unused
config options and objects.

Changes in v5

Merged patch #9 of v4 into this patch.
Removed unused config MBEDTLS_LIB_TLS.
Refactored MbedTLS Makefile and default config file.

Changes in v6

Fixed UINT64_MAX.
Removed copy right statement from limits.h

Changes in v7

Fixed CI world build failures due to config dependencies.
Fixed values of UINT_MAX and UINT32_MAX.

Changes in v8

Port u-boot hash functions as MbedTLS crypto alternatives and set
it as default.

Makefile                         |  6 +++
 include/limits.h                 | 25 ++++++++++
 include/linux/kernel.h           | 13 +----
 include/stdlib.h                 |  1 +
 lib/Kconfig                      |  4 ++
 lib/Makefile                     |  2 +
 lib/mbedtls/Kconfig              | 56 +++++++++++++++++++++
 lib/mbedtls/Makefile             | 41 ++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 84 ++++++++++++++++++++++++++++++++
 lib/mbedtls/port/assert.h        | 12 +++++
 lib/mbedtls/port/md5_alt.h       | 57 ++++++++++++++++++++++
 lib/mbedtls/port/sha1_alt.h      | 57 ++++++++++++++++++++++
 lib/mbedtls/port/sha256_alt.h    | 64 ++++++++++++++++++++++++
 lib/mbedtls/port/sha512_alt.h    | 78 +++++++++++++++++++++++++++++
 14 files changed, 488 insertions(+), 12 deletions(-)
 create mode 100644 include/limits.h
 create mode 100644 lib/mbedtls/Kconfig
 create mode 100644 lib/mbedtls/Makefile
 create mode 100644 lib/mbedtls/mbedtls_def_config.h
 create mode 100644 lib/mbedtls/port/assert.h
 create mode 100644 lib/mbedtls/port/md5_alt.h
 create mode 100644 lib/mbedtls/port/sha1_alt.h
 create mode 100644 lib/mbedtls/port/sha256_alt.h
 create mode 100644 lib/mbedtls/port/sha512_alt.h

diff --git a/Makefile b/Makefile
index 525576f987d..f4659f9493a 100644
--- a/Makefile
+++ b/Makefile
@@ -829,6 +829,12 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
 UBOOTINCLUDE    := \
        -Iinclude \
        $(if $(KBUILD_SRC), -I$(srctree)/include) \

  $(if $(CONFIG_MBEDTLS_LIB), \


          "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \


          -I$(srctree)/lib/mbedtls \


          -I$(srctree)/lib/mbedtls/port \


          -I$(srctree)/lib/mbedtls/external/mbedtls \


          -I$(srctree)/lib/mbedtls/external/mbedtls/include) \
  $(if $(CONFIG_$(SPL_)SYS_THUMB_BUILD), \
          $(if $(CONFIG_HAS_THUMB2), \
                  $(if $(CONFIG_CPU_V7M), \



diff --git a/include/limits.h b/include/limits.h
new file mode 100644
index 00000000000..4700cc7a59f
--- /dev/null
+++ b/include/limits.h
@@ -0,0 +1,25 @@
+/* SPDX-License-Identifier: GPL-2.0+ */



+#ifndef _LIMITS_H
+#define _LIMITS_H



+#define INT_MAX     0x7fffffff
+#define UINT_MAX    0xffffffffU
+#define CHAR_BIT    8
+#define UINT32_MAX  0xffffffffU
+#define UINT64_MAX  0xffffffffffffffffULL



+#ifdef CONFIG_64BIT

#define UINTPTR_MAX UINT64_MAX

+#else

#define UINTPTR_MAX UINT32_MAX

+#endif



+#ifndef SIZE_MAX
+#define SIZE_MAX    UINTPTR_MAX
+#endif
+#ifndef SSIZE_MAX
+#define SSIZE_MAX   ((ssize_t)(SIZE_MAX >> 1))
+#endif



+#endif /* _LIMITS_H */
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 939465f372b..9467edd65ab 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -3,25 +3,18 @@
#include <linux/types.h>
 #include <linux/printk.h> /* for printf/pr_* utilities */
+#include <limits.h>
#define USHRT_MAX      ((u16)(~0U))
 #define SHRT_MAX       ((s16)(USHRT_MAX>>1))
 #define SHRT_MIN       ((s16)(-SHRT_MAX - 1))
-#define INT_MAX                ((int)(~0U>>1))
 #define INT_MIN                (-INT_MAX - 1)
-#define UINT_MAX       (~0U)
 #define LONG_MAX       ((long)(~0UL>>1))
 #define LONG_MIN       (-LONG_MAX - 1)
 #define ULONG_MAX      (~0UL)
 #define LLONG_MAX      ((long long)(~0ULL>>1))
 #define LLONG_MIN      (-LLONG_MAX - 1)
 #define ULLONG_MAX     (~0ULL)
-#ifndef SIZE_MAX
-#define SIZE_MAX       (~(size_t)0)
-#endif
-#ifndef SSIZE_MAX
-#define SSIZE_MAX      ((ssize_t)(SIZE_MAX >> 1))
-#endif
#define U8_MAX         ((u8)~0U)
 #define S8_MAX         ((s8)(U8_MAX>>1))
@@ -36,10 +29,6 @@
 #define S64_MAX                ((s64)(U64_MAX>>1))
 #define S64_MIN                ((s64)(-S64_MAX - 1))
-/* Aliases defined by stdint.h */
-#define UINT32_MAX     U32_MAX
-#define UINT64_MAX     U64_MAX



#define INT32_MAX      S32_MAX
#define STACK_MAGIC    0xdeadbeef
diff --git a/include/stdlib.h b/include/stdlib.h
index 9c175d4d74c..dedfd52a144 100644
--- a/include/stdlib.h
+++ b/include/stdlib.h
@@ -7,5 +7,6 @@
 #define __STDLIB_H_
#include <malloc.h>
+#include <rand.h>
#endif /* __STDLIB_H_ */
diff --git a/lib/Kconfig b/lib/Kconfig
index 1dd4f271595..67a60160dac 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -419,6 +419,10 @@ config CIRCBUF
source "lib/dhry/Kconfig"
+menu "Alternative crypto libraries"
+source lib/mbedtls/Kconfig
+endmenu



menu "Security support"
config AES
diff --git a/lib/Makefile b/lib/Makefile
index d300249f57c..c4950b78a29 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -96,6 +96,8 @@ obj-$(CONFIG_LIBAVB) += libavb/
 obj-$(CONFIG_$(SPL_TPL_)OF_LIBFDT) += libfdt/
 obj-$(CONFIG_$(SPL_TPL_)OF_REAL) += fdtdec_common.o fdtdec.o
+obj-$(CONFIG_MBEDTLS_LIB) += mbedtls/



ifdef CONFIG_SPL_BUILD
 obj-$(CONFIG_SPL_YMODEM_SUPPORT) += crc16-ccitt.o
 obj-$(CONFIG_$(SPL_TPL_)HASH) += crc16-ccitt.o
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
new file mode 100644
index 00000000000..9d1a63c1ca6
--- /dev/null
+++ b/lib/mbedtls/Kconfig
@@ -0,0 +1,56 @@
+choice

  prompt "Select crypto libraries"


  default LEGACY_CRYPTO


  help


    Select crypto libraries.


    LEGACY_CRYPTO for legacy crypto libraries,


    MBEDTLS_LIB for MbedTLS libraries.




+config LEGACY_CRYPTO

  bool "legacy crypto libraries"


  select LEGACY_CRYPTO_BASIC


  select LEGACY_CRYPTO_CERT




This overall llooks ok, but the native mbedTLS hashing should depend
on !CONFIG_SHA_HW_ACCEL.
If everyone thinks the series is good enough to merge, I don't mind
this going on a followup commit
I will add this into v9 with other changes.
[snip]
Raymond

    