On Mon, 27 Jan 2025 at 17:17, Raymond Mao <raymond....@linaro.org> wrote:
>
> U-Boot needs to access x509_internal.h, mbedtls_sha256_context and
> mbedtls_sha1_context in the porting layer, and this requires
> MBEDTLS_ALLOW_PRIVATE_ACCESS to be enabled.
>
> Enable it in mscode and pkcs7_parser to fix an mbedtls internal build
> error when X509 is selected.
>
> Moreover, move it to a separate file to avoid enabling it in multiple
> places.
>
> Signed-off-by: Raymond Mao <raymond....@linaro.org>
> ---
>  include/crypto/mscode.h            |  1 +
>  include/crypto/pkcs7_parser.h      |  1 +
>  include/u-boot/sha1.h              | 12 +-----------
>  include/u-boot/sha256.h            | 12 +-----------
>  lib/mbedtls/port/mbedtls_options.h | 23 +++++++++++++++++++++++
>  5 files changed, 27 insertions(+), 22 deletions(-)
>  create mode 100644 lib/mbedtls/port/mbedtls_options.h
>
> diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h
> index 678e69001b9..55501c22acb 100644
> --- a/include/crypto/mscode.h
> +++ b/include/crypto/mscode.h
> @@ -10,6 +10,7 @@
>  #include <crypto/hash_info.h>
>  #endif
>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +#include "mbedtls_options.h"
>  #include <mbedtls/asn1.h>
>  #include <mbedtls/oid.h>
>  #endif
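Review bot: The added `#include "mbedtls_options.h"` is a quoted include from include/crypto/mscode.h while the file is created under lib/mbedtls/port/, so it resolves only if that directory is already on the compiler's include path; nothing in the diffstat adds one, so this deserves a check on the build side. The same applies to the identical lines added in the pkcs7_parser.h, sha1.h and sha256.h hunks. There is also an include-order dependency: MbedTLS's private_access.h appears to be include-guarded, so MBEDTLS_PRIVATE() is fixed by whichever inclusion comes first, and a translation unit that pulls in any mbedtls header before these U-Boot headers would silently keep the `private_`-prefixed member names and fail to build against the porting code that touches them. A short comment above the include, `/* Must precede every mbedtls header in this translation unit. */`, would make that contract visible to the next person reordering includes.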
> diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h
> index 469c2711fa6..fd1e48da09e 100644
> --- a/include/crypto/pkcs7_parser.h
> +++ b/include/crypto/pkcs7_parser.h
> @@ -12,6 +12,7 @@
>  #include <crypto/pkcs7.h>
>  #include <crypto/x509_parser.h>
>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
> +#include "mbedtls_options.h"
>  #include <mbedtls/pkcs7.h>
>  #include <library/x509_internal.h>
>  #include <mbedtls/asn1.h>
> diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h
> index dd66258bbe9..c2d62e9cf0f 100644
> --- a/include/u-boot/sha1.h
> +++ b/include/u-boot/sha1.h
> @@ -18,17 +18,7 @@
>  #include <linux/types.h>
>
>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
> -/*
> - * FIXME:
> - * MbedTLS define the members of "mbedtls_sha256_context" as private,
> - * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
> - * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> - * access.
> - * Directly including <external/mbedtls/library/common.h> is not allowed,
> - * since this will include <malloc.h> and break the sandbox test.
> - */
> -#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> -
> +#include "mbedtls_options.h"
>  #include <mbedtls/sha1.h>
>  #endif
>
> diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h
> index d7a3403270b..2d86508332e 100644
> --- a/include/u-boot/sha256.h
> +++ b/include/u-boot/sha256.h
> @@ -7,17 +7,7 @@
>  #include <linux/types.h>
>
>  #if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
> -/*
> - * FIXME:
> - * MbedTLS define the members of "mbedtls_sha256_context" as private,
> - * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
> - * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> - * access.
> - * Directly including <external/mbedtls/library/common.h> is not allowed,
> - * since this will include <malloc.h> and break the sandbox test.
> - */
> -#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> -
> +#include "mbedtls_options.h"
>  #include <mbedtls/sha256.h>
>  #endif
>
> diff --git a/lib/mbedtls/port/mbedtls_options.h 
> b/lib/mbedtls/port/mbedtls_options.h
> new file mode 100644
> index 00000000000..885ed6990b6
> --- /dev/null
> +++ b/lib/mbedtls/port/mbedtls_options.h
> @@ -0,0 +1,23 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/*
> + * Internal build options for MbedTLS
> + *
> + * Copyright (c) 2025 Linaro Limited
> + * Author: Raymond Mao <raymond....@linaro.org>
> + */
> +
> +#ifndef _MBEDTLS_OPT_H
> +#define _MBEDTLS_OPT_H
> +
> +/*
> + * FIXME:
> + * U-Boot/MbedTLS port requires to access a few of members which are defined
> + * as private in MbedTLS context.
> + * E.g: x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context.
> + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
> + * access, but directly including <external/mbedtls/library/common.h> is not
> + * allowed, since this will include <malloc.h> and break the sandbox test.
> + */
> +#define MBEDTLS_ALLOW_PRIVATE_ACCESS
> +
> +#endif /* _MBEDTLS_OPT_H */
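Review bot: The include guard `_MBEDTLS_OPT_H` uses a leading underscore followed by an uppercase letter, which is a reserved identifier in C; `#ifndef MBEDTLS_OPTIONS_H` / `#define MBEDTLS_OPTIONS_H` avoids that and also matches the file name. Since the header's whole purpose is to define MBEDTLS_ALLOW_PRIVATE_ACCESS before the first mbedtls header is seen, the header itself is the right place to enforce that: if private_access.h is guarded by MBEDTLS_PRIVATE_ACCESS_H as it appears to be, adding `#if defined(MBEDTLS_PRIVATE_ACCESS_H)` / `#error "mbedtls_options.h must be included before any mbedtls header"` / `#endif` ahead of the define turns a silent wrong-member-name failure into an explicit one. The FIXME comment would also read more precisely if it said that `MBEDTLS_ALLOW_PRIVATE_ACCESS` must be defined before any mbedtls header is included, rather than only that common.h cannot be included.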
> --
> 2.25.1
>

Acked-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
