
Mbedtls integration v9 #530

Open
wants to merge 33 commits into
base: master

Conversation

raymo200915
Contributor

Please do not submit a Pull Request via github. Our project makes use of
mailing lists for patch submission and review. For more details please
see https://u-boot.readthedocs.io/en/latest/develop/sending_patches.html

The only exception to this is in order to trigger a CI loop on Azure prior
to posting of patches.

git-subtree-dir: lib/mbedtls/external/mbedtls
git-subtree-split: 67dc8f869a2ef39b1f19f6a6d3a34965bc50097e
Convert the line endings from CRLF to LF for those Windows-style
files.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Since MbedTLS is an external repo with its own coding style,
exclude it from Azure and gitlab CI CONFIG checks.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
lib/mbedtls/update-mbedtls-subtree.sh is a wrapper for git subtree
commands.
Usage from U-Boot top directory, run:

$ ./lib/mbedtls/update-mbedtls-subtree.sh pull <release-tag>
$ ./lib/mbedtls/update-mbedtls-subtree.sh pick <commit-id>

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Port mbedtls with dummy libc header files.
Add mbedtls default config header file.
Optimize mbedtls default config by disabling unused features to
reduce the target size.
Add mbedtls kbuild makefile.
Add Kconfig and mbedtls config submenu.

Prerequisite
------------

This patch series requires mbedtls git repo to be added as a
subtree to the main U-Boot repo via:

$ git subtree add --prefix lib/mbedtls/external/mbedtls \
      https://github.com/Mbed-TLS/mbedtls.git \
      v3.6.0 --squash

Moreover, due to the Windows-style files from mbedtls git repo,
we need to convert the CRLF endings to LF and do a commit manually:

$ git add --renormalize .
$ git commit

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add text section alignment to fix the sbsign signing warning
'gaps in the section table may result in different checksums',
which causes a failure of efi_image_verify_digest().

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Remove the redundant includes of u-boot/md5.h, u-boot/sha1.h,
u-boot/sha256.h and u-boot/sha512.h

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Remove the redundant includes of u-boot/sha1.h, u-boot/sha256.h
and u-boot/sha512.h

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt digest header files to support both original libs and MbedTLS
by switching on/off MBEDTLS_LIB_CRYPTO

FIXME:
`IS_ENABLED` or `CONFIG_IS_ENABLED` is not applicable here, since
including <linux/kconfig.h> causes an undefined reference to schedule()
with the sandbox build.
<linux/kconfig.h> includes <generated/autoconf.h>, which enables
`CONFIG_HW_WATCHDOG` and `CONFIG_WATCHDOG`, but no schedule() is
defined in the sandbox build.
`#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)` is a workaround.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
The md5 header is updated to adapt to both original lib and MbedTLS.
Now we need to change the API callers accordingly.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Implement digest shim layer on top of MbedTLS crypto library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Integrate common/hash.c on the hash shim layer so that hash APIs
from mbedtls can be leveraged by boot/image and efi_loader.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add the mbedtls include directories into the build system.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Populate the Microsoft Authentication Code from the content data
into the PKCS7 decoding context if it exists in a PKCS7 message.
Add OIDs for describing objects used for the Microsoft Authentication
Code.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Populate PKCS9 Authenticated Attributes from the signer info if they
exist in a PKCS7 message.
Add OIDs for describing objects used for Authenticated Attributes.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Support decoding multiple signers' certs in the signed data within
a PKCS7 message.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Update the PKCS7 test suites for multiple certs.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add porting layer for public key on top of MbedTLS X509 library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt the public_key header file with MbedTLS

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add porting layer for X509 cert parser on top of MbedTLS X509
library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt x509_cert_parser and x509_public_key for building with MbedTLS

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add porting layer for PKCS7 parser on top of MbedTLS PKCS7 library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt PKCS7 parser to build with MbedTLS

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add porting layer for MSCode on top of MbedTLS ASN1 library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt mscode_parser to build with MbedTLS

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Add RSA helper layer on top of MbedTLS PK and RSA library.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Adapt rsa_helper to build with MbedTLS

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
When building with MbedTLS, we are using MbedTLS to decode ASN1 data
for x509, pkcs7 and mscode. So we can remove asn1_decoder when
MBEDTLS_LIB_X509 is enabled.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
With MBEDTLS_LIB_X509 enabled, we don't build the original ASN1 lib,
so remove it from the test.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Enable MbedTLS as default setting for qemu arm64

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
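The digest shim the series describes (digest headers that switch between the original U-Boot hash code and MbedTLS on `#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)`) can be illustrated with the following added example. It is not code from this PR, from U-Boot or from MbedTLS: the names shim_sha256() and shim_sha256_check() are assumptions made here for illustration, the MbedTLS branch calls the library's one-shot mbedtls_sha256() and only compiles when CONFIG_MBEDTLS_LIB_CRYPTO is defined, and the fallback branch is a plain FIPS 180-4 SHA-256 so the same caller can be exercised without MbedTLS present.

```c
/*
 * Added example, not code from U-Boot or MbedTLS: a digest shim whose backend
 * is chosen at compile time by CONFIG_MBEDTLS_LIB_CRYPTO, like the
 * "#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)" switch in the series' digest headers.
 * shim_sha256() and shim_sha256_check() are names assumed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SHIM_SHA256_LEN 32

#if defined(CONFIG_MBEDTLS_LIB_CRYPTO)
#include <mbedtls/sha256.h>
/* MbedTLS backend: one-shot API, is224 = 0 selects SHA-256; returns 0 on success */
int shim_sha256(const uint8_t *in, size_t len, uint8_t out[SHIM_SHA256_LEN])
{
	return mbedtls_sha256(in, len, out, 0);
}
#else
/* Built-in fallback: plain FIPS 180-4 SHA-256, used when MbedTLS is not selected */
static const uint32_t K[64] = {
	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
	0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
	0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
	0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
	0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
	0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
	0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
	0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

/* Compress one 64-byte block p into the running state h[8] */
static void sha256_block(uint32_t h[8], const uint8_t p[64])
{
	uint32_t w[64], s[8], t1, t2;
	int i;
	for (i = 0; i < 16; i++)
		w[i] = (uint32_t)p[4 * i] << 24 | (uint32_t)p[4 * i + 1] << 16 |
		       (uint32_t)p[4 * i + 2] << 8 | p[4 * i + 3];
	for (; i < 64; i++)
		w[i] = w[i - 16] + (ROTR(w[i - 15], 7) ^ ROTR(w[i - 15], 18) ^ (w[i - 15] >> 3)) +
		       w[i - 7] + (ROTR(w[i - 2], 17) ^ ROTR(w[i - 2], 19) ^ (w[i - 2] >> 10));
	memcpy(s, h, sizeof(s));	/* s[0..7] = a, b, c, d, e, f, g, h */
	for (i = 0; i < 64; i++) {
		t1 = s[7] + (ROTR(s[4], 6) ^ ROTR(s[4], 11) ^ ROTR(s[4], 25)) +
		     ((s[4] & s[5]) ^ (~s[4] & s[6])) + K[i] + w[i];
		t2 = (ROTR(s[0], 2) ^ ROTR(s[0], 13) ^ ROTR(s[0], 22)) +
		     ((s[0] & s[1]) ^ (s[0] & s[2]) ^ (s[1] & s[2]));
		memmove(s + 1, s, 7 * sizeof(s[0]));	/* h = g, g = f, ..., b = a */
		s[4] += t1;				/* e = d + t1 */
		s[0] = t1 + t2;				/* a = t1 + t2 */
	}
	for (i = 0; i < 8; i++)
		h[i] += s[i];
}

int shim_sha256(const uint8_t *in, size_t len, uint8_t out[SHIM_SHA256_LEN])
{
	uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
			  0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
	uint8_t buf[128];
	uint64_t bits = (uint64_t)len * 8;
	size_t off, rem, pad, i;
	for (off = 0; off + 64 <= len; off += 64)
		sha256_block(h, in + off);
	/* Padding: 0x80, zeros, 64-bit big-endian bit length; needs two blocks if rem >= 56 */
	rem = len - off;
	pad = rem < 56 ? 64 : 128;
	memcpy(buf, in + off, rem);
	buf[rem] = 0x80;
	memset(buf + rem + 1, 0, pad - rem - 9);
	for (i = 0; i < 8; i++)
		buf[pad - 1 - i] = (uint8_t)(bits >> (8 * i));
	sha256_block(h, buf);
	if (pad == 128)
		sha256_block(h, buf + 64);
	for (i = 0; i < SHIM_SHA256_LEN; i++)	/* big-endian serialisation of the state */
		out[i] = (uint8_t)(h[i / 4] >> (24 - 8 * (i % 4)));
	return 0;
}
#endif /* CONFIG_MBEDTLS_LIB_CRYPTO */

/* Hash msg through whichever backend was compiled in; 1 if it matches expect_hex */
int shim_sha256_check(const char *msg, const char *expect_hex)
{
	uint8_t d[SHIM_SHA256_LEN];
	char hex[2 * SHIM_SHA256_LEN + 1];
	size_t i;
	if (shim_sha256((const uint8_t *)msg, strlen(msg), d) != 0)
		return 0;
	for (i = 0; i < SHIM_SHA256_LEN; i++)
		snprintf(hex + 2 * i, 3, "%02x", d[i]);
	return strcmp(hex, expect_hex) == 0;
}
```

The point of the shape is that callers such as common/hash.c only ever see shim_sha256(); which library actually computes the digest is decided by the Kconfig symbol at build time, and the known-answer check in shim_sha256_check() is the same regardless of backend, so a switch of backend that changes any digest is caught immediately. Building with -DCONFIG_MBEDTLS_LIB_CRYPTO and the MbedTLS headers and library on the include/link path selects the library path; without it the fallback is compiled.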