Hi Raymond, On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond....@linaro.org> wrote: > > Hi Ilias, > > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodi...@linaro.org> > wrote: >> >> Since lwIP and mbedTLS have been merged we can tweak the config options >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable >> enough block cipher modes of operation to be comatible with modern >> TLS requirements and webservers >> >> Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org> >> --- >> lib/mbedtls/Kconfig | 12 ++++++++ >> lib/mbedtls/Makefile | 33 +++++++++++++++++++- >> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++ >> 3 files changed, 96 insertions(+), 1 deletion(-) >> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig >> index d71adc3648ad..f3e172633999 100644 >> --- a/lib/mbedtls/Kconfig >> +++ b/lib/mbedtls/Kconfig >> @@ -430,4 +430,16 @@ endif # SPL >> >> endif # MBEDTLS_LIB_X509 >> >> +config MBEDTLS_LIB_TLS >> + bool "MbedTLS TLS library" >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS >> + depends on ASN1_DECODER_MBEDTLS >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS >> + depends on MBEDTLS_LIB_CRYPTO >> + help >> + Enable MbedTLS TLS library. If enabled HTTPs support will be >> enabled >> + in wget >> + >> endif # MBEDTLS_LIB >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile >> index 83cb3c2fa705..845284799a11 100644 >> --- a/lib/mbedtls/Makefile >> +++ b/lib/mbedtls/Makefile >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o >> mbedtls_lib_crypto-y := \ >> $(MBEDTLS_LIB_DIR)/platform_util.o \ >> $(MBEDTLS_LIB_DIR)/constant_time.o \ >> - $(MBEDTLS_LIB_DIR)/md.o >> + $(MBEDTLS_LIB_DIR)/md.o \ >> + $(MBEDTLS_LIB_DIR)/entropy.o \ >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ >> + $(MBEDTLS_LIB_DIR)/aes.o \ >> + $(MBEDTLS_LIB_DIR)/cipher.o \ >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ >> + $(MBEDTLS_LIB_DIR)/ecdh.o \ >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \ >> + $(MBEDTLS_LIB_DIR)/ecp.o \ >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ >> + $(MBEDTLS_LIB_DIR)/gcm.o \ >> + > > I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig > control if it exists. > Take ECDSA for example: > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
Fair enough, but ECDSA is the only one that exists atm. I can move that there, but I don't think we should create a Kconfig option per object file. Those are mbedTLS internals dependencies to enable TLS1.2. Perhaps only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that. > >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += >> $(MBEDTLS_LIB_DIR)/sha1.o >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ >> @@ -54,3 +66,22 @@ >> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ >> $(MBEDTLS_LIB_DIR)/x509_crt.o >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ >> $(MBEDTLS_LIB_DIR)/pkcs7.o >> + >> +#mbedTLS TLS support >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o >> +mbedtls_lib_tls-y := \ >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \ >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \ >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \ >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ > > Ditto, add the U-Boot Kconfig control if it exists. None of these don't make sense to be a U-Boot Kconfig. They are mbedTLS internal to enable TLS1.2 support. Thanks /Ilias > >> >> diff --git a/lib/mbedtls/mbedtls_def_config.h >> b/lib/mbedtls/mbedtls_def_config.h >> index 1af911c2003f..ac8f0bbf2c0e 100644 >> --- a/lib/mbedtls/mbedtls_def_config.h >> +++ b/lib/mbedtls/mbedtls_def_config.h >> @@ -87,4 +87,56 @@ >> >> #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ >> >> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) >> +#include "rtc.h" >> + >> +/* Generic options */ >> +#define MBEDTLS_ENTROPY_HARDWARE_ALT >> +#define MBEDTLS_HAVE_TIME >> +#define MBEDTLS_PLATFORM_MS_TIME_ALT >> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime >> +#define MBEDTLS_PLATFORM_C >> +#define MBEDTLS_SSL_CLI_C >> +#define MBEDTLS_SSL_TLS_C >> +#define MBEDTLS_CIPHER_C >> +#define MBEDTLS_MD_C >> +#define MBEDTLS_CTR_DRBG_C >> +#define MBEDTLS_AES_C >> +#define MBEDTLS_ENTROPY_C >> +#define MBEDTLS_NO_PLATFORM_ENTROPY >> +#define MBEDTLS_SSL_PROTO_TLS1_2 >> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION >> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED >> + >> +/* RSA */ >> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED >> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED >> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED >> +#define MBEDTLS_GCM_C >> + >> +/* ECDSA */ >> +#define MBEDTLS_ECDSA_C >> +#define MBEDTLS_ECDH_C >> +#define MBEDTLS_ECDSA_DETERMINISTIC >> +#define MBEDTLS_HMAC_DRBG_C >> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED >> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED >> +#define MBEDTLS_CAN_ECDH >> +#define MBEDTLS_PK_CAN_ECDSA_SIGN >> +#define MBEDTLS_ECP_C >> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED >> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED >> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED >> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED >> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED >> + >> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ >> + >> #endif /* #if defined CONFIG_MBEDTLS_LIB */ >> -- >> 2.45.2 >>
