Hi Ilias, On Thu, 24 Oct 2024 at 10:44, Ilias Apalodimas <ilias.apalodi...@linaro.org> wrote:
> Hi Raymond > > On Thu, 24 Oct 2024 at 17:13, Raymond Mao <raymond....@linaro.org> wrote: > > > > Hi Ilias, > > > > On Thu, 24 Oct 2024 at 07:25, Ilias Apalodimas < > ilias.apalodi...@linaro.org> wrote: > >> > >> Since lwIP and mbedTLS have been merged we can tweak the config options > >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable > >> enough block cipher modes of operation to be comatible with modern > >> TLS requirements and webservers > >> > >> Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org> > >> --- > >> lib/mbedtls/Kconfig | 12 ++++++++ > >> lib/mbedtls/Makefile | 31 +++++++++++++++++++ > >> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++ > >> 3 files changed, 95 insertions(+) > >> > >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > >> index d71adc3648ad..f3e172633999 100644 > >> --- a/lib/mbedtls/Kconfig > >> +++ b/lib/mbedtls/Kconfig > >> @@ -430,4 +430,16 @@ endif # SPL > >> > >> endif # MBEDTLS_LIB_X509 > >> > >> +config MBEDTLS_LIB_TLS > >> + bool "MbedTLS TLS library" > >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS > >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS > >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > >> + depends on ASN1_DECODER_MBEDTLS > >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > >> + depends on MBEDTLS_LIB_CRYPTO > >> + help > >> + Enable MbedTLS TLS library. If enabled HTTPs support will be > enabled > >> + in wget > >> + > >> endif # MBEDTLS_LIB > >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > >> index 83cb3c2fa705..ce0a61e40541 100644 > >> --- a/lib/mbedtls/Makefile > >> +++ b/lib/mbedtls/Makefile 
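Review bot: `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice in the new MBEDTLS_LIB_TLS entry; the second occurrence is redundant and should be dropped. The help text also spells the protocol `HTTPs`; it should read `HTTPS` to match the conventional capitalisation. If server certificate verification in wget is gated by a separate option, naming it in this help text would keep users from reading "HTTPs support" as authenticated HTTPS — I cannot tell from this hunk whether such an option exists.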
> >> @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \ > >> $(MBEDTLS_LIB_DIR)/platform_util.o \ > >> $(MBEDTLS_LIB_DIR)/constant_time.o \ > >> $(MBEDTLS_LIB_DIR)/md.o > >> + > >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += > $(MBEDTLS_LIB_DIR)/md5.o > >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += > $(MBEDTLS_LIB_DIR)/sha1.o > >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ > >> @@ -54,3 +55,33 @@ > mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ > >> $(MBEDTLS_LIB_DIR)/x509_crt.o > >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ > >> $(MBEDTLS_LIB_DIR)/pkcs7.o > >> + > >> +#mbedTLS TLS support > >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o > >> +mbedtls_lib_tls-y := \ > >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \ > >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \ > >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \ > >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ > >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ > >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ > >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ > >> + $(MBEDTLS_LIB_DIR)/entropy.o \ > >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ > >> + $(MBEDTLS_LIB_DIR)/aes.o \ > >> + $(MBEDTLS_LIB_DIR)/cipher.o \ > >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ > >> + $(MBEDTLS_LIB_DIR)/ecdh.o \ > >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \ > >> + $(MBEDTLS_LIB_DIR)/ecp.o \ > >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ > >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ > >> + $(MBEDTLS_LIB_DIR)/gcm.o \ > >> diff --git a/lib/mbedtls/mbedtls_def_config.h > b/lib/mbedtls/mbedtls_def_config.h > >> index 1af911c2003f..ac8f0bbf2c0e 100644 > >> --- a/lib/mbedtls/mbedtls_def_config.h 
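Review bot: The final entry of the new mbedtls_lib_tls-y list, `$(MBEDTLS_LIB_DIR)/gcm.o \`, still carries a line-continuation backslash although the @@ counts (30 added lines) show it is the last line of both the list and the file; it should end as `$(MBEDTLS_LIB_DIR)/gcm.o` so that a future line appended below is not silently spliced into this variable. On the objects themselves, entropy.o and entropy_poll.o feed the DRBG that produces the client random and ephemeral ECDH keys, and mbedTLS's default platform poll in entropy_poll.c targets host-OS sources; unless the accompanying config disables platform entropy and registers a U-Boot RNG source, it is worth verifying that the handshake cannot silently fall back to a weak or failing entropy source — the config hunk that would settle this is not fully in view here. Similarly, net_sockets.o is written against a BSD-sockets API, so confirm it is actually the transport used against lwIP rather than dead code in the build. ssl_cache.o, ssl_cookie.o and ssl_ticket.o are server-side modules; if only the TLS 1.2 client is wanted (ssl_tls12_client.o is the only endpoint file listed), they can likely be dropped to shrink the image.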
> >> +++ b/lib/mbedtls/mbedtls_def_config.h > >> @@ -87,4 +87,56 @@ > >> > >> #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ > >> > >> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) > > > > > > It would be better to use "#if defined CONFIG_MBEDTLS_LIB_TLS" here, > > as in SPL build it implicitly expects a "CONFIG_SPL_MBEDTLS_LIB_TLS" > > which we don't have. > > > > We usually prefer CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) regardless of an > SPL flag or not. > > If the flag is never expected to be enabled in SPL build, that is OK. Because in SPL, CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) will be always false without a CONFIG_SPL_MBEDTLS_LIB_TLS. Regards, Raymond