mirror of
https://github.com/u-boot/u-boot.git
synced 2025-04-27 16:01:27 +00:00
d467f359c4
Raymond Mao <raymond.mao@linaro.org> says:
Integrate MbedTLS v3.6 LTS (currently v3.6.0) with U-Boot.
Motivations:
------------
1. MbedTLS is well maintained with LTS versions.
2. LWIP is integrated with MbedTLS and easily to enable HTTPS.
3. MbedTLS recently switched license back to GPLv2.
Prerequisite:
-------------
This patch series requires mbedtls git repo to be added as a
subtree to the main U-Boot repo via:
$ git subtree add --prefix lib/mbedtls/external/mbedtls \
https://github.com/Mbed-TLS/mbedtls.git \
v3.6.0 --squash
Moreover, due to the Windows-style files from mbedtls git repo,
we need to convert the CRLF endings to LF and do a commit manually:
$ git add --renormalize .
$ git commit
New Kconfig options:
--------------------
`MBEDTLS_LIB` is for MbedTLS general switch.
`MBEDTLS_LIB_CRYPTO` is for replacing original digest and crypto libs with
MbedTLS.
`MBEDTLS_LIB_CRYPTO_ALT` is for using original U-Boot crypto libs as
MbedTLS crypto alternatives.
`MBEDTLS_LIB_X509` is for replacing original X509, PKCS7, MSCode, ASN1,
and Pubkey parser with MbedTLS.
By default `MBEDTLS_LIB_CRYPTO_ALT` and `MBEDTLS_LIB_X509` are selected
when `MBEDTLS_LIB` is enabled.
`LEGACY_CRYPTO` is introduced as a main switch for legacy crypto library.
`LEGACY_CRYPTO_BASIC` is for the basic crypto functionalities and
`LEGACY_CRYPTO_CERT` is for the certificate related functionalities.
For each of the algorithm, a pair of `<alg>_LEGACY` and `<alg>_MBEDTLS`
Kconfig options are introduced. Meanwhile, `SPL_` Kconfig options are
introduced.
In this patch set, MBEDTLS_LIB, MBEDTLS_LIB_CRYPTO and MBEDTLS_LIB_X509
are by default enabled in qemu_arm64_defconfig and sandbox_defconfig
for testing purpose.
Patches for external MbedTLS project:
-------------------------------------
Since U-Boot uses Microsoft Authentication Code to verify PE/COFFs
executables which is not supported by MbedTLS at the moment,
addtional patches for MbedTLS are created to adapt with the EFI loader:
1. Decoding of Microsoft Authentication Code.
2. Decoding of PKCS#9 Authenticate Attributes.
3. Extending MbedTLS PKCS#7 lib to support multiple signer's certificates.
4. MbedTLS native test suites for PKCS#7 signer's info.
All above 4 patches (tagged with `mbedtls/external`) are submitted to
MbedTLS project and being reviewed, eventually they should be part of
MbedTLS LTS release.
But before that, please merge them into U-Boot, otherwise the building
will be broken when MBEDTLS_LIB_X509 is enabled.
See below PR link for the reference:
https://github.com/Mbed-TLS/mbedtls/pull/9001
Miscellaneous:
--------------
Optimized MbedTLS library size by tailoring the config file
and disabling all unnecessary features for EFI loader.
From v2, original libs (rsa, asn1_decoder, rsa_helper, md5, sha1, sha256,
sha512) are completely replaced when MbedTLS is enabled.
From v3, the size-growth is slightly reduced by refactoring Hash functions.
From v6, smaller implementations for SHA256 and SHA512 are enabled and
target size reduce significantly.
Target(QEMU arm64) size-growth when enabling MbedTLS:
v1: 6.03%
v2: 4.66%
v3 - v5: 4.55%
v6: 2.90%
Tests done:
-----------
EFI Secure Boot test (EFI variables loading and verifying, EFI signed image
verifying and booting) via U-Boot console.
EFI Secure Boot and Capsule sandbox test passed.
Known issues:
-------------
None.
Link: https://lore.kernel.org/u-boot/20241003215112.3103601-1-raymond.mao@linaro.org/
|
||
|---|---|---|
| .. | ||
| byteorder | ||
| clk | ||
| mfd/syscon | ||
| mtd | ||
| soc/ti | ||
| unaligned | ||
| usb | ||
| apm_bios.h | ||
| apple-mailbox.h | ||
| arm-smccc.h | ||
| asn1.h | ||
| asn1_ber_bytecode.h | ||
| asn1_decoder.h | ||
| bch.h | ||
| bitfield.h | ||
| bitmap.h | ||
| bitops.h | ||
| bitrev.h | ||
| bug.h | ||
| build_bug.h | ||
| clk-provider.h | ||
| compat.h | ||
| compiler-clang.h | ||
| compiler-gcc.h | ||
| compiler-intel.h | ||
| compiler.h | ||
| compiler_attributes.h | ||
| compiler_types.h | ||
| completion.h | ||
| const.h | ||
| crc7.h | ||
| crc16.h | ||
| crc32.h | ||
| ctype.h | ||
| delay.h | ||
| dma-direction.h | ||
| dma-mapping.h | ||
| drm_dp_helper.h | ||
| edd.h | ||
| err.h | ||
| errno.h | ||
| ethtool.h | ||
| fb.h | ||
| if_ether.h | ||
| if_vlan.h | ||
| immap_qe.h | ||
| input.h | ||
| intel-smc.h | ||
| io.h | ||
| ioctl.h | ||
| iopoll.h | ||
| ioport.h | ||
| kbuild.h | ||
| kconfig.h | ||
| kernel.h | ||
| libfdt.h | ||
| libfdt_env.h | ||
| linkage.h | ||
| linux_string.h | ||
| list.h | ||
| list_sort.h | ||
| litex.h | ||
| log2.h | ||
| lzo.h | ||
| math64.h | ||
| mbus.h | ||
| mdio.h | ||
| mii.h | ||
| netdevice.h | ||
| oid_registry.h | ||
| poison.h | ||
| posix_types.h | ||
| printk.h | ||
| pruss_driver.h | ||
| psci.h | ||
| rational.h | ||
| rbtree.h | ||
| rbtree_augmented.h | ||
| screen_info.h | ||
| serial_reg.h | ||
| sizes.h | ||
| stat.h | ||
| stddef.h | ||
| string.h | ||
| stringify.h | ||
| time.h | ||
| typecheck.h | ||
| types.h | ||
| utf.h | ||
| xxhash.h | ||
| zstd.h | ||
| zstd_errors.h | ||
| zstd_lib.h | ||