Re: [PATCH v6 03/28] lib: Adapt digest header files to MbedTLS

On Sat, 17 Aug 2024 at 00:46, Raymond Mao raymond.mao@linaro.org wrote:

Adapt digest header files to support both original libs and MbedTLS by switching on/off MBEDTLS_LIB_CRYPTO. Introduce <alg>_LEGACY kconfig for legacy hash implementations.

`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since including <linux/kconfig.h> causes undefined reference on schedule() with sandbox build, as <linux/kconfig.h> includes <generated/autoconf.h> which enables `CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG` but no schedule() are defined in sandbox build, Thus we use `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` instead.

Signed-off-by: Raymond Mao raymond.mao@linaro.org

Changes in v2

• Initial patch.

Changes in v3

• Remove the changes that were done in previous clean-up patch set.

Changes in v4

• Introduce <alg>_LEGACY kconfig for legacy hash implementations.

Changes in v5

• Correct header file include directories.
• Correct kconfig dependence.

Changes in v6

• Update commit message.
• Rebased on next branch.

include/u-boot/md5.h | 7 ++++ include/u-boot/sha1.h | 21 +++++++++- include/u-boot/sha256.h | 20 +++++++++ include/u-boot/sha512.h | 9 ++++ lib/Makefile | 10 +++-- lib/mbedtls/Kconfig | 91 +++++++++++++++++++++++++++++++++++++++++ 6 files changed, 153 insertions(+), 5 deletions(-)

diff --git a/include/u-boot/md5.h b/include/u-boot/md5.h index c465925ea8d..69898fcbe49 100644 --- a/include/u-boot/md5.h +++ b/include/u-boot/md5.h @@ -6,10 +6,16 @@ #ifndef _MD5_H #define _MD5_H

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include <mbedtls/md5.h> +#endif #include "compiler.h"

#define MD5_SUM_LEN 16

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_md5_context MD5Context; +#else typedef struct MD5Context { __u32 buf[4]; __u32 bits[2]; @@ -18,6 +24,7 @@ typedef struct MD5Context { __u32 in32[16]; }; } MD5Context; +#endif

void MD5Init(MD5Context *ctx); void MD5Update(MD5Context *ctx, unsigned char const *buf, unsigned int len); diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index c1e9f67068d..ab88134fb98 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -16,6 +16,21 @@

#include <linux/types.h>

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/*

• • FIXME:
• • MbedTLS define the members of "mbedtls_sha256_context" as private,
• • but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
• • MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
• • access.
• • Directly including <external/mbedtls/library/common.h> is not allowed,
• • since this will include <malloc.h> and break the sandbox test.
• */

+#define MBEDTLS_ALLOW_PRIVATE_ACCESS

nit, this probably belongs on the mbedTLS config file, so you wont have to define for all checksum algorithms

+#include <mbedtls/sha1.h> +#endif

#ifdef __cplusplus extern "C" { #endif @@ -26,6 +41,9 @@ extern "C" {

extern const uint8_t sha1_der_prefix[];

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha1_context sha1_context; +#else /**

• \brief SHA-1 context structure

*/ @@ -36,13 +54,14 @@ typedef struct unsigned char buffer[64]; /*!< data block being processed */ } sha1_context; +#endif

/**

• \brief SHA-1 context setup
• \param ctx SHA-1 context to be initialized

*/ -void sha1_starts( sha1_context *ctx ); +void sha1_starts(sha1_context *ctx);

/**

• \brief SHA-1 process buffer

diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index a4fe176c0b4..b58d5b58d39 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -3,6 +3,22 @@

#include <linux/types.h>

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +/*

• • FIXME:
• • MbedTLS define the members of "mbedtls_sha256_context" as private,
• • but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
• • MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
• • access.
• • Directly including <external/mbedtls/library/common.h> is not allowed,
• • since this will include <malloc.h> and break the sandbox test.
• */

+#define MBEDTLS_ALLOW_PRIVATE_ACCESS

+#include <mbedtls/sha256.h> +#endif

+#define SHA224_SUM_LEN 28 #define SHA256_SUM_LEN 32 #define SHA256_DER_LEN 19

@@ -11,11 +27,15 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024)

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha256_context sha256_context; +#else typedef struct { uint32_t total[2]; uint32_t state[8]; uint8_t buffer[64]; } sha256_context; +#endif

void sha256_starts(sha256_context * ctx); void sha256_update(sha256_context *ctx, const uint8_t *input, uint32_t length); diff --git a/include/u-boot/sha512.h b/include/u-boot/sha512.h index 83c2119cd26..7e10f590a1d 100644 --- a/include/u-boot/sha512.h +++ b/include/u-boot/sha512.h @@ -3,6 +3,10 @@

#include <linux/types.h>

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#include <mbedtls/sha512.h> +#endif

#define SHA384_SUM_LEN 48 #define SHA384_DER_LEN 19 #define SHA512_SUM_LEN 64 @@ -12,11 +16,16 @@ #define CHUNKSZ_SHA384 (16 * 1024) #define CHUNKSZ_SHA512 (16 * 1024)

+#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +typedef mbedtls_sha512_context sha384_context; +typedef mbedtls_sha512_context sha512_context; +#else typedef struct { uint64_t state[SHA512_SUM_LEN / 8]; uint64_t count[2]; uint8_t buf[SHA512_BLOCK_SIZE]; } sha512_context; +#endif

extern const uint8_t sha512_der_prefix[];

diff --git a/lib/Makefile b/lib/Makefile index e1ab8dfd503..617f5a55de0 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -71,14 +71,16 @@ obj-$(CONFIG_$(SPL_TPL_)CRC16) += crc16.o obj-y += crypto/

obj-$(CONFIG_$(SPL_TPL_)ACPI) += acpi/ -obj-$(CONFIG_$(SPL_)MD5) += md5.o obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o obj-$(CONFIG_BLAKE2) += blake2/blake2b.o -obj-$(CONFIG_$(SPL_)SHA1) += sha1.o -obj-$(CONFIG_$(SPL_)SHA256) += sha256.o -obj-$(CONFIG_$(SPL_)SHA512) += sha512.o

+obj-$(CONFIG_$(SPL_)MD5_LEGACY) += md5.o +obj-$(CONFIG_$(SPL_)SHA1_LEGACY) += sha1.o +obj-$(CONFIG_$(SPL_)SHA256_LEGACY) += sha256.o +obj-$(CONFIG_$(SPL_)SHA512_LEGACY) += sha512.o

obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ASN1_DECODER) += asn1_decoder.o

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 3e9057f1acf..efae2c4fd72 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -21,9 +21,100 @@ if LEGACY_CRYPTO

config LEGACY_CRYPTO_BASIC bool "legacy basic crypto libraries"

•   select MD5_LEGACY if MD5
  

•   select SHA1_LEGACY if SHA1
  

•   select SHA256_LEGACY if SHA256
  

•   select SHA512_LEGACY if SHA512
  

•   select SHA384_LEGACY if SHA384
  

•   select SPL_MD5_LEGACY if SPL_MD5
  

•   select SPL_SHA1_LEGACY if SPL_SHA1
  

•   select SPL_SHA256_LEGACY if SPL_SHA256
  

•   select SPL_SHA512_LEGACY if SPL_SHA512
  

•   select SPL_SHA384_LEGACY if SPL_SHA384
    help
      Enable legacy basic crypto libraries.
  
  

+if LEGACY_CRYPTO_BASIC

+config SHA1_LEGACY

•   bool "Enable SHA1 support with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SHA1
  

•   help
  

•     This option enables support of hashing using SHA1 algorithm
  

•     with legacy crypto library.
  

+config SHA256_LEGACY

•   bool "Enable SHA256 support with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SHA256
  

•   help
  

•     This option enables support of hashing using SHA256 algorithm
  

•     with legacy crypto library.
  

+config SHA512_LEGACY

•   bool "Enable SHA512 support with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SHA512
  

•   default y if TI_SECURE_DEVICE && FIT_SIGNATURE
  

•   help
  

•     This option enables support of hashing using SHA512 algorithm
  

•     with legacy crypto library.
  

+config SHA384_LEGACY

•   bool "Enable SHA384 support with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SHA384
  

•   select SHA512_LEGACY
  

•   help
  

•     This option enables support of hashing using SHA384 algorithm
  

•     with legacy crypto library.
  

+config MD5_LEGACY

•   bool "Enable MD5 support with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && MD5
  

•   help
  

•     This option enables support of hashing using MD5 algorithm
  

•     with legacy crypto library.
  

+if SPL

+config SPL_SHA1_LEGACY

•   bool "Enable SHA1 support in SPL with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
  

•   help
  

•     This option enables support of hashing using SHA1 algorithm
  

•     with legacy crypto library.
  

+config SPL_SHA256_LEGACY

•   bool "Enable SHA256 support in SPL with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
  

•   help
  

•     This option enables support of hashing using SHA256 algorithm
  

•     with legacy crypto library.
  

+config SPL_SHA512_LEGACY

•   bool "Enable SHA512 support in SPL with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
  

•   help
  

•     This option enables support of hashing using SHA512 algorithm
  

•     with legacy crypto library.
  

+config SPL_SHA384_LEGACY

•   bool "Enable SHA384 support in SPL with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
  

•   select SPL_SHA512_LEGACY
  

•   help
  

•     This option enables support of hashing using SHA384 algorithm
  

•     with legacy crypto library.
  

+config SPL_MD5_LEGACY

•   bool "Enable MD5 support in SPL with legacy crypto library"
  

•   depends on LEGACY_CRYPTO_BASIC && SPL_MD5
  

•   help
  

•     This option enables support of hashing using MD5 algorithm
  

•     with legacy crypto library.
  

+endif # SPL

+endif # LEGACY_CRYPTO_BASIC

config LEGACY_CRYPTO_CERT bool "legacy certificate libraries" help -- 2.25.1

Reviewed-by: Ilias Apalodimas ilias.apalodimas@linaro.org