Hi Raymond, On Fri, 18 Oct 2024 at 18:26, Raymond Mao <[email protected]> wrote: > > Hi Ilias, > > On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <[email protected]> > wrote: >> >> Hi Raymond, >> >> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <[email protected]> wrote: >> > >> > Hi Ilias, >> > >> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas >> > <[email protected]> wrote: >> >> >> >> Since lwIP and mbedTLS have been merged we can tweak the config options >> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable >> >> enough block cipher modes of operation to be comatible with modern >> >> TLS requirements and webservers >> >> >> >> Signed-off-by: Ilias Apalodimas <[email protected]> >> >> --- >> >> lib/mbedtls/Kconfig | 12 ++++++++ >> >> lib/mbedtls/Makefile | 33 +++++++++++++++++++- >> >> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++ >> >> 3 files changed, 96 insertions(+), 1 deletion(-) >> >> >> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig >> >> index d71adc3648ad..f3e172633999 100644 >> >> --- a/lib/mbedtls/Kconfig >> >> +++ b/lib/mbedtls/Kconfig >> >> @@ -430,4 +430,16 @@ endif # SPL >> >> >> >> endif # MBEDTLS_LIB_X509 >> >> >> >> +config MBEDTLS_LIB_TLS >> >> + bool "MbedTLS TLS library" >> >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS >> >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS >> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS >> >> + depends on ASN1_DECODER_MBEDTLS >> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS >> >> + depends on MBEDTLS_LIB_CRYPTO >> >> + help >> >> + Enable MbedTLS TLS library. If enabled HTTPs support will be >> >> enabled >> >> + in wget >> >> + >> >> endif # MBEDTLS_LIB >> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile >> >> index 83cb3c2fa705..845284799a11 100644 >> >> --- a/lib/mbedtls/Makefile >> >> +++ b/lib/mbedtls/Makefile >> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o >> >> mbedtls_lib_crypto-y := \ >> >> $(MBEDTLS_LIB_DIR)/platform_util.o \ >> >> $(MBEDTLS_LIB_DIR)/constant_time.o \ >> >> - $(MBEDTLS_LIB_DIR)/md.o >> >> + $(MBEDTLS_LIB_DIR)/md.o \ >> >> + $(MBEDTLS_LIB_DIR)/entropy.o \ >> >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ >> >> + $(MBEDTLS_LIB_DIR)/aes.o \ >> >> + $(MBEDTLS_LIB_DIR)/cipher.o \ >> >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ >> >> + $(MBEDTLS_LIB_DIR)/ecdh.o \ >> >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \ >> >> + $(MBEDTLS_LIB_DIR)/ecp.o \ >> >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ >> >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ >> >> + $(MBEDTLS_LIB_DIR)/gcm.o \ >> >> + >> > >> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot >> > Kconfig >> > control if it exists. >> > Take ECDSA for example: >> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o >> >> Fair enough, but ECDSA is the only one that exists atm. I can move >> that there, but I don't think we should create a Kconfig option per >> object file. >> Those are mbedTLS internals dependencies to enable TLS1.2. Perhaps >> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that. >> > I agree. We can move ECDSA and AES with Kconfig control and keep others as-is > at the moment.
Ok I had a closer look at this. ECDSA and AES currently have Kconfig options for the legacy crypto libs. As a result, we need to define mbedtls variants etc which is ok. We only have one board using AES atm and sandbox using ECDSA. Since I want efi https for 2025.01, we can move the new .o files under CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the Kconfigs for all crypto which is a bit messy atm. Are you ok with this? > >> >> > >> >> >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += >> >> $(MBEDTLS_LIB_DIR)/md5.o >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += >> >> $(MBEDTLS_LIB_DIR)/sha1.o >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ >> >> @@ -54,3 +66,22 @@ >> >> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ >> >> $(MBEDTLS_LIB_DIR)/x509_crt.o >> >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ >> >> $(MBEDTLS_LIB_DIR)/pkcs7.o >> >> + >> >> +#mbedTLS TLS support >> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o >> >> +mbedtls_lib_tls-y := \ >> >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \ >> >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \ >> >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \ >> >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ >> >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ >> >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ >> >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ >> > >> > Ditto, add the U-Boot Kconfig control if it exists. >> >> None of these don't make sense to be a U-Boot Kconfig. They are >> mbedTLS internal to enable TLS1.2 support. > > > I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series. > I think the net_sockets, ssl_# and ssl_tls12_# can be under this control. I would prefer having TLS as a separate Kconfig option. We might need to use it without wget and binding mbedTLS to lwIP doesn't make that much sense. It does *currently* because that's the only code that uses it Thanks /Ilias > > [snip] > > Regards, > Raymond
