Hi Raymond, Tom

This config seems reasonable to me and we can now build a combination
of SPL + older crypto + mbedTLS for u-boot proper which was always the
goal.

I do still think the naming is a bit confusing.

On Mon, 27 Jan 2025 at 17:17, Raymond Mao <raymond....@linaro.org> wrote:
>
> Refactor the entire kconfig page for mbedtls, adapt mbedtls makefile
> and default config file using 'XPL_', in order to have independent
> mbedtls kconfig options in both U-Boot Proper and SPL.
> User can choose legacy or mbedtls libraries in SPL independently.
>
> Set mbedtls native crypto libraries as default when MBEDTLS_LIB or
> SPL_MBEDTLS_LIB is selected.
>
> Signed-off-by: Raymond Mao <raymond....@linaro.org>
> ---
>  Makefile                         |   2 +-
>  lib/mbedtls/Kconfig              | 381 +++++++++++++++++++------------
>  lib/mbedtls/Makefile             |  44 ++--
>  lib/mbedtls/mbedtls_def_config.h |  37 +--
>  4 files changed, 276 insertions(+), 188 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index 5c6f467153c..406cd28595a 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -829,7 +829,7 @@ KBUILD_HOSTCFLAGS += $(if $(CONFIG_TOOLS_DEBUG),-g)
>  UBOOTINCLUDE    := \
>         -Iinclude \
>         $(if $(KBUILD_SRC), -I$(srctree)/include) \
> -       $(if $(CONFIG_MBEDTLS_LIB), \
> +       $(if $(CONFIG_$(XPL_)MBEDTLS_LIB), \
>                 "-DMBEDTLS_CONFIG_FILE=\"mbedtls_def_config.h\"" \
>                 -I$(srctree)/lib/mbedtls \
>                 -I$(srctree)/lib/mbedtls/port \
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index 17ed2bc71de..821d13a0dd2 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -1,3 +1,5 @@
> +# For U-Boot Proper
> +
>  choice
>         prompt "Select crypto libraries"

I'd remove the 'select here'.

So have a 'Crypto library' support only
and the SPL entry below should become
"SPL Crypto libraries"

>         default LEGACY_CRYPTO
> @@ -25,11 +27,6 @@ config LEGACY_CRYPTO_BASIC
>         select SHA256_LEGACY if SHA256
>         select SHA512_LEGACY if SHA512
>         select SHA384_LEGACY if SHA384
> -       select SPL_MD5_LEGACY if SPL_MD5
> -       select SPL_SHA1_LEGACY if SPL_SHA1
> -       select SPL_SHA256_LEGACY if SPL_SHA256
> -       select SPL_SHA512_LEGACY if SPL_SHA512
> -       select SPL_SHA384_LEGACY if SPL_SHA384
>         help
>           Enable legacy basic crypto libraries.
>
> @@ -72,46 +69,6 @@ config MD5_LEGACY
>           This option enables support of hashing using MD5 algorithm
>           with legacy crypto library.
>
> -if SPL
> -
> -config SPL_SHA1_LEGACY
> -       bool "Enable SHA1 support in SPL with legacy crypto library"
> -       depends on LEGACY_CRYPTO_BASIC && SPL_SHA1
> -       help
> -         This option enables support of hashing using SHA1 algorithm
> -         with legacy crypto library.
> -
> -config SPL_SHA256_LEGACY
> -       bool "Enable SHA256 support in SPL with legacy crypto library"
> -       depends on LEGACY_CRYPTO_BASIC && SPL_SHA256
> -       help
> -         This option enables support of hashing using SHA256 algorithm
> -         with legacy crypto library.
> -
> -config SPL_SHA512_LEGACY
> -       bool "Enable SHA512 support in SPL with legacy crypto library"
> -       depends on LEGACY_CRYPTO_BASIC && SPL_SHA512
> -       help
> -         This option enables support of hashing using SHA512 algorithm
> -         with legacy crypto library.
> -
> -config SPL_SHA384_LEGACY
> -       bool "Enable SHA384 support in SPL with legacy crypto library"
> -       depends on LEGACY_CRYPTO_BASIC && SPL_SHA384
> -       select SPL_SHA512_LEGACY
> -       help
> -         This option enables support of hashing using SHA384 algorithm
> -         with legacy crypto library.
> -
> -config SPL_MD5_LEGACY
> -       bool "Enable MD5 support in SPL with legacy crypto library"
> -       depends on LEGACY_CRYPTO_BASIC && SPL_MD5
> -       help
> -         This option enables support of hashing using MD5 algorithm
> -         with legacy crypto library.
> -
> -endif # SPL
> -
>  endif # LEGACY_CRYPTO_BASIC
>
>  config LEGACY_CRYPTO_CERT
> @@ -124,10 +81,6 @@ config LEGACY_CRYPTO_CERT
>         select X509_CERTIFICATE_PARSER_LEGACY if X509_CERTIFICATE_PARSER
>         select PKCS7_MESSAGE_PARSER_LEGACY if PKCS7_MESSAGE_PARSER
>         select MSCODE_PARSER_LEGACY if MSCODE_PARSER
> -       select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER
> -       select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
> -               SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> -       select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER
>         help
>           Enable legacy certificate libraries.
>
> @@ -178,35 +131,9 @@ config MSCODE_PARSER_LEGACY
>           This option chooses legacy certificate library for MS authenticode
>           parser.
>
> -if SPL
> -
> -config SPL_ASN1_DECODER_LEGACY
> -       bool "ASN1 decoder with legacy certificate library in SPL"
> -       depends on LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER
> -       help
> -         This option chooses legacy certificate library for ASN1 decoder in
> -         SPL.
> -
> -config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
> -       bool "Asymmetric public key crypto with legacy certificate library in 
> SPL"
> -       depends on LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> -       help
> -         This option chooses legacy certificate library for asymmetric public
> -         key crypto algorithm in SPL.
> -
> -config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY
> -       bool "RSA public key parser with legacy certificate library in SPL"
> -       depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
> -       select SPL_ASN1_DECODER_LEGACY
> -       help
> -         This option chooses legacy certificate library for RSA public key
> -         parser in SPL.
> -
> -endif # SPL
> -
>  endif # LEGACY_CRYPTO_CERT
>
> -endif # LEGACY_CRYPTO
> +endif # LEGACY_CRYPTO || MBEDTLS_LIB_CRYPTO_ALT
>
>  if MBEDTLS_LIB
>
> @@ -221,19 +148,15 @@ config MBEDTLS_LIB_CRYPTO_ALT
>           Mutually incompatible with MBEDTLS_LIB_CRYPTO.
>
>  config MBEDTLS_LIB_CRYPTO
> -       bool "MbedTLS crypto libraries"
> +       bool "Use MbedTLS native crypto libraries"
> +       default y if MBEDTLS_LIB
>         select MD5_MBEDTLS if MD5
>         select SHA1_MBEDTLS if SHA1
>         select SHA256_MBEDTLS if SHA256
>         select SHA512_MBEDTLS if SHA512
>         select SHA384_MBEDTLS if SHA384
> -       select SPL_MD5_MBEDTLS if SPL_MD5
> -       select SPL_SHA1_MBEDTLS if SPL_SHA1
> -       select SPL_SHA256_MBEDTLS if SPL_SHA256
> -       select SPL_SHA512_MBEDTLS if SPL_SHA512
> -       select SPL_SHA384_MBEDTLS if SPL_SHA384
>         help
> -         Enable MbedTLS crypto libraries.
> +         Enable MbedTLS native crypto libraries.
>           Mutually incompatible with MBEDTLS_LIB_CRYPTO_ALT.
>
>  if MBEDTLS_LIB_CRYPTO
> @@ -306,53 +229,6 @@ config HKDF_MBEDTLS
>           This option enables support of key derivation using HKDF algorithm
>           with MbedTLS crypto library.
>
> -if SPL
> -
> -config SPL_SHA1_MBEDTLS
> -       bool "Enable SHA1 support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO && SPL_SHA1
> -       help
> -         This option enables support of hashing using SHA1 algorithm
> -         with MbedTLS crypto library.
> -
> -config SPL_SHA256_MBEDTLS
> -       bool "Enable SHA256 support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO && SPL_SHA256
> -       help
> -         This option enables support of hashing using SHA256 algorithm
> -         with MbedTLS crypto library.
> -
> -config SPL_SHA512_MBEDTLS
> -       bool "Enable SHA512 support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO && SPL_SHA512
> -       help
> -         This option enables support of hashing using SHA512 algorithm
> -         with MbedTLS crypto library.
> -
> -config SPL_SHA384_MBEDTLS
> -       bool "Enable SHA384 support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO && SPL_SHA384
> -       select SPL_SHA512
> -       help
> -         This option enables support of hashing using SHA384 algorithm
> -         with MbedTLS crypto library.
> -
> -config SPL_MD5_MBEDTLS
> -       bool "Enable MD5 support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO && SPL_MD5
> -       help
> -         This option enables support of hashing using MD5 algorithm
> -         with MbedTLS crypto library.
> -
> -config SPL_HKDF_MBEDTLS
> -       bool "Enable HKDF support in SPL with MbedTLS crypto library"
> -       depends on MBEDTLS_LIB_CRYPTO
> -       help
> -         This option enables support of key derivation using HKDF algorithm
> -         with MbedTLS crypto library.
> -
> -endif # SPL
> -
>  endif # MBEDTLS_LIB_CRYPTO
>
>  config MBEDTLS_LIB_X509
> @@ -364,10 +240,6 @@ config MBEDTLS_LIB_X509
>         select X509_CERTIFICATE_PARSER_MBEDTLS if X509_CERTIFICATE_PARSER
>         select PKCS7_MESSAGE_PARSER_MBEDTLS if PKCS7_MESSAGE_PARSER
>         select MSCODE_PARSER_MBEDTLS if MSCODE_PARSER
> -       select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER
> -       select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
> -               SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> -       select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER
>         help
>           Enable MbedTLS certificate libraries.
>
> @@ -418,44 +290,249 @@ config MSCODE_PARSER_MBEDTLS
>           This option chooses MbedTLS certificate library for MS authenticode
>           parser.
>
> +endif # MBEDTLS_LIB_X509
> +
> +config MBEDTLS_LIB_TLS
> +       bool "MbedTLS TLS library"
> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on ASN1_DECODER_MBEDTLS
> +       depends on MBEDTLS_LIB
> +       help
> +         Enable MbedTLS TLS library. Required for HTTPs support
> +         in wget
> +
> +endif # MBEDTLS_LIB
> +
> +# For SPL
> +
>  if SPL
>
> +choice
> +       prompt "Select crypto libraries (SPL)"

'SPL crypto libraries'

> +       default SPL_LEGACY_CRYPTO
> +       help
> +         Select crypto libraries in SPL.
> +         SPL_LEGACY_CRYPTO for legacy crypto libraries,
> +         SPL_MBEDTLS_LIB for MbedTLS libraries.
> +
> +config SPL_LEGACY_CRYPTO
> +       bool "legacy crypto libraries"
> +       select SPL_LEGACY_CRYPTO_BASIC
> +       select SPL_LEGACY_CRYPTO_CERT
> +
> +config SPL_MBEDTLS_LIB
> +       bool "MbedTLS libraries"
> +       select SPL_MBEDTLS_LIB_X509
> +endchoice
> +
> +if SPL_LEGACY_CRYPTO || SPL_MBEDTLS_LIB_CRYPTO_ALT
> +
> +config SPL_LEGACY_CRYPTO_BASIC
> +       bool "legacy basic crypto libraries (SPL)"

This is hashing not crypto.  It should be clear that you can generate
a config with mbedTLS for x509 while using hashing algorithms outside
mbedTLS

> +       select SPL_MD5_LEGACY if SPL_MD5
> +       select SPL_SHA1_LEGACY if SPL_SHA1
> +       select SPL_SHA256_LEGACY if SPL_SHA256
> +       select SPL_SHA512_LEGACY if SPL_SHA512
> +       select SPL_SHA384_LEGACY if SPL_SHA384
> +       help
> +         Enable legacy basic crypto libraries in SPL.
> +
> +if SPL_LEGACY_CRYPTO_BASIC
> +
> +config SPL_SHA1_LEGACY
> +       bool "Enable SHA1 support with legacy crypto library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_BASIC && SPL_SHA1
> +       help
> +         This option enables support of hashing using SHA1 algorithm
> +         with legacy crypto library in SPL.
> +
> +config SPL_SHA256_LEGACY
> +       bool "Enable SHA256 support with legacy crypto library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_BASIC && SPL_SHA256
> +       help
> +         This option enables support of hashing using SHA256 algorithm
> +         with legacy crypto library in SPL.
> +
> +config SPL_SHA512_LEGACY
> +       bool "Enable SHA512 support with legacy crypto library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_BASIC && SPL_SHA512
> +       help
> +         This option enables support of hashing using SHA512 algorithm
> +         with legacy crypto library in SPL.
> +
> +config SPL_SHA384_LEGACY
> +       bool "Enable SHA384 support with legacy crypto library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_BASIC && SPL_SHA384
> +       select SPL_SHA512_LEGACY
> +       help
> +         This option enables support of hashing using SHA384 algorithm
> +         with legacy crypto library in SPL.
> +
> +config SPL_MD5_LEGACY
> +       bool "Enable MD5 support with legacy crypto library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_BASIC && SPL_MD5
> +       help
> +         This option enables support of hashing using MD5 algorithm
> +         with legacy crypto library in SPL.
> +
> +endif # SPL_LEGACY_CRYPTO_BASIC
> +
> +config SPL_LEGACY_CRYPTO_CERT
> +       bool "legacy certificate libraries (SPL)"
> +       depends on SPL_LEGACY_CRYPTO
> +       select SPL_ASN1_DECODER_LEGACY if SPL_ASN1_DECODER
> +       select SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY if \
> +               SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +       select SPL_RSA_PUBLIC_KEY_PARSER_LEGACY if SPL_RSA_PUBLIC_KEY_PARSER
> +       help
> +         Enable legacy certificate libraries in SPL.
> +
> +if SPL_LEGACY_CRYPTO_CERT
> +
> +config SPL_ASN1_DECODER_LEGACY
> +       bool "ASN1 decoder with legacy certificate library (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_CERT && SPL_ASN1_DECODER
> +       help
> +         This option chooses legacy certificate library for ASN1 decoder in
> +         SPL.
> +
> +config SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
> +       bool "Asymmetric public key crypto with legacy certificate library 
> (SPL)"
> +       depends on SPL_LEGACY_CRYPTO_CERT && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +       help
> +         This option chooses legacy certificate library for asymmetric public
> +         key crypto algorithm in SPL.
> +
> +config SPL_RSA_PUBLIC_KEY_PARSER_LEGACY
> +       bool "RSA public key parser with legacy certificate library (SPL)"
> +       depends on SPL_ASYMMETRIC_PUBLIC_KEY_LEGACY
> +       select SPL_ASN1_DECODER_LEGACY
> +       help
> +         This option chooses legacy certificate library for RSA public key
> +         parser in SPL.
> +
> +endif # SPL_LEGACY_CRYPTO_CERT
> +
> +endif # SPL_LEGACY_CRYPTO || SPL_MBEDTLS_LIB_CRYPTO_ALT
> +
> +if SPL_MBEDTLS_LIB
> +
> +config SPL_MBEDTLS_LIB_CRYPTO_ALT
> +       bool "Use legacy crypto libraries as MbedTLS alternatives (SPL)"
> +       depends on SPL_MBEDTLS_LIB && !SPL_MBEDTLS_LIB_CRYPTO
> +       select SPL_LEGACY_CRYPTO_BASIC
> +       default y if SPL_MBEDTLS_LIB && !SPL_MBEDTLS_LIB_CRYPTO
> +       help
> +         Enable MbedTLS crypto alternatives and replace it with legacy crypto
> +         libraries in SPL.
> +         Mutually incompatible with SPL_MBEDTLS_LIB_CRYPTO.
> +
> +config SPL_MBEDTLS_LIB_CRYPTO
> +       bool "Use MbedTLS native crypto libraries (SPL)"
> +       default y if SPL_MBEDTLS_LIB
> +       select SPL_MD5_MBEDTLS if SPL_MD5
> +       select SPL_SHA1_MBEDTLS if SPL_SHA1
> +       select SPL_SHA256_MBEDTLS if SPL_SHA256
> +       select SPL_SHA512_MBEDTLS if SPL_SHA512
> +       select SPL_SHA384_MBEDTLS if SPL_SHA384
> +       help
> +         Enable MbedTLS native crypto libraries in SPL.
> +
> +if SPL_MBEDTLS_LIB_CRYPTO
> +
> +config SPL_SHA1_MBEDTLS
> +       bool "Enable SHA1 support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO && SPL_SHA1
> +       help
> +         This option enables support of hashing using SHA1 algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +config SPL_SHA256_MBEDTLS
> +       bool "Enable SHA256 support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO && SPL_SHA256
> +       help
> +         This option enables support of hashing using SHA256 algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +config SPL_SHA512_MBEDTLS
> +       bool "Enable SHA512 support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO && SPL_SHA512
> +       help
> +         This option enables support of hashing using SHA512 algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +config SPL_SHA384_MBEDTLS
> +       bool "Enable SHA384 support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO && SPL_SHA384
> +       select SPL_SHA512
> +       help
> +         This option enables support of hashing using SHA384 algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +config SPL_MD5_MBEDTLS
> +       bool "Enable MD5 support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO && SPL_MD5
> +       help
> +         This option enables support of hashing using MD5 algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +config SPL_HKDF_MBEDTLS
> +       bool "Enable HKDF support with MbedTLS crypto library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_CRYPTO
> +       help
> +         This option enables support of key derivation using HKDF algorithm
> +         with MbedTLS crypto library in SPL.
> +
> +endif # SPL_MBEDTLS_LIB_CRYPTO
> +
> +config SPL_MBEDTLS_LIB_X509
> +       bool "MbedTLS certificate libraries (SPL)"
> +       select SPL_ASN1_DECODER_MBEDTLS if SPL_ASN1_DECODER
> +       select SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS if \
> +               SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +       select SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS if SPL_RSA_PUBLIC_KEY_PARSER
> +       help
> +         Enable MbedTLS certificate libraries in SPL.
> +
> +if SPL_MBEDTLS_LIB_X509
> +
>  config SPL_ASN1_DECODER_MBEDTLS
> -       bool "ASN1 decoder with MbedTLS certificate library in SPL"
> -       depends on MBEDTLS_LIB_X509 && SPL_ASN1_DECODER
> +       bool "ASN1 decoder with MbedTLS certificate library (SPL)"
> +       depends on SPL_MBEDTLS_LIB_X509 && SPL_ASN1_DECODER
>         help
>           This option chooses MbedTLS certificate library for ASN1 decoder in
>           SPL.
>
>  config SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> -       bool "Asymmetric public key crypto with MbedTLS certificate library 
> in SPL"
> -       depends on MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +       bool "Asymmetric public key crypto with MbedTLS certificate library 
> (SPL)"
> +       depends on SPL_MBEDTLS_LIB_X509 && SPL_ASYMMETRIC_PUBLIC_KEY_SUBTYPE
>         help
>           This option chooses MbedTLS certificate library for asymmetric 
> public
>           key crypto algorithm in SPL.
>
>  config SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS
> -       bool "RSA public key parser with MbedTLS certificate library in SPL"
> +       bool "RSA public key parser with MbedTLS certificate library (SPL)"
>         depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>         select SPL_ASN1_DECODER_MBEDTLS
>         help
>           This option chooses MbedTLS certificate library for RSA public key
>           parser in SPL.
>
> -endif # SPL
> +endif # SPL_MBEDTLS_LIB_X509
>
> -endif # MBEDTLS_LIB_X509
> -
> -config MBEDTLS_LIB_TLS
> -       bool "MbedTLS TLS library"
> -       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> -       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> -       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> -       depends on ASN1_DECODER_MBEDTLS
> -       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> -       depends on MBEDTLS_LIB
> +config SPL_MBEDTLS_LIB_TLS
> +       bool "MbedTLS TLS library (SPL)"
> +       depends on SPL_RSA_PUBLIC_KEY_PARSER_MBEDTLS
> +       depends on SPL_X509_CERTIFICATE_PARSER_MBEDTLS
> +       depends on SPL_ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on SPL_ASN1_DECODER_MBEDTLS
> +       depends on SPL_MBEDTLS_LIB
>         help
> -         Enable MbedTLS TLS library. Required for HTTPs support
> +         Enable MbedTLS TLS library in SPL. Required for HTTPs support
>           in wget
>
> -endif # MBEDTLS_LIB
> +endif # SPL_MBEDTLS_LIB
> +
> +endif # SPL
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index e66c2018d97..4bbe7ceec45 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -6,60 +6,60 @@
>  MBEDTLS_LIB_DIR = external/mbedtls/library
>
>  # shim layer for hash
> -obj-$(CONFIG_$(SPL_)MD5_MBEDTLS) += md5.o
> -obj-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += sha1.o
> -obj-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += sha256.o
> -obj-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += sha512.o
> +obj-$(CONFIG_$(XPL_)MD5_MBEDTLS) += md5.o
> +obj-$(CONFIG_$(XPL_)SHA1_MBEDTLS) += sha1.o
> +obj-$(CONFIG_$(XPL_)SHA256_MBEDTLS) += sha256.o
> +obj-$(CONFIG_$(XPL_)SHA512_MBEDTLS) += sha512.o
>
>  # x509 libraries
> -obj-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
> +obj-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
>         public_key.o
> -obj-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> +obj-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         x509_cert_parser.o
> -obj-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
> -obj-$(CONFIG_$(SPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o
> -obj-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o
> +obj-$(CONFIG_$(XPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += pkcs7_parser.o
> +obj-$(CONFIG_$(XPL_)MSCODE_PARSER_MBEDTLS) += mscode_parser.o
> +obj-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += rsa_helper.o
>
>  # MbedTLS crypto library
> -obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> +obj-$(CONFIG_$(XPL_)MBEDTLS_LIB) += mbedtls_lib_crypto.o
>  mbedtls_lib_crypto-y := \
>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>         $(MBEDTLS_LIB_DIR)/md.o
>
> -mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
> -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
> -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> +mbedtls_lib_crypto-$(CONFIG_$(XPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
> +mbedtls_lib_crypto-$(CONFIG_$(XPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
> +mbedtls_lib_crypto-$(CONFIG_$(XPL_)SHA256_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/sha256.o
> -mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA512_MBEDTLS) += \
> +mbedtls_lib_crypto-$(CONFIG_$(XPL_)SHA512_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/sha512.o
> -mbedtls_lib_crypto-$(CONFIG_$(SPL_)HKDF_MBEDTLS) += \
> +mbedtls_lib_crypto-$(CONFIG_$(XPL_)HKDF_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/hkdf.o
>
>  # MbedTLS X509 library
> -obj-$(CONFIG_MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
> +obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
>  mbedtls_lib_x509-y := $(MBEDTLS_LIB_DIR)/x509.o
> -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASN1_DECODER_MBEDTLS) += \
> +mbedtls_lib_x509-$(CONFIG_$(XPL_)ASN1_DECODER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/asn1parse.o \
>         $(MBEDTLS_LIB_DIR)/asn1write.o \
>         $(MBEDTLS_LIB_DIR)/oid.o
> -mbedtls_lib_x509-$(CONFIG_$(SPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \
> +mbedtls_lib_x509-$(CONFIG_$(XPL_)RSA_PUBLIC_KEY_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/bignum.o \
>         $(MBEDTLS_LIB_DIR)/bignum_core.o \
>         $(MBEDTLS_LIB_DIR)/rsa.o \
>         $(MBEDTLS_LIB_DIR)/rsa_alt_helpers.o
> -mbedtls_lib_x509-$(CONFIG_$(SPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
> +mbedtls_lib_x509-$(CONFIG_$(XPL_)ASYMMETRIC_PUBLIC_KEY_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pk.o \
>         $(MBEDTLS_LIB_DIR)/pk_wrap.o \
>         $(MBEDTLS_LIB_DIR)/pkparse.o
> -mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> +mbedtls_lib_x509-$(CONFIG_$(XPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/x509_crl.o \
>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> -mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> +mbedtls_lib_x509-$(CONFIG_$(XPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>
>  #mbedTLS TLS support
> -obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> +obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>  mbedtls_lib_tls-y := \
>         $(MBEDTLS_LIB_DIR)/mps_reader.o \
>         $(MBEDTLS_LIB_DIR)/mps_trace.o \
> diff --git a/lib/mbedtls/mbedtls_def_config.h 
> b/lib/mbedtls/mbedtls_def_config.h
> index fd440c392f9..2da88c95454 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -11,12 +11,12 @@
>   * Author: Raymond Mao <raymond....@linaro.org>
>   */
>
> -#if defined CONFIG_MBEDTLS_LIB
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB)
>
>  #if CONFIG_IS_ENABLED(MD5)
>  #define MBEDTLS_MD_C
>  #define MBEDTLS_MD5_C
> -#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO_ALT)
>  #define MBEDTLS_MD5_ALT
>  #endif
>  #endif
> @@ -24,7 +24,7 @@
>  #if CONFIG_IS_ENABLED(SHA1)
>  #define MBEDTLS_MD_C
>  #define MBEDTLS_SHA1_C
> -#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO_ALT)
>  #define MBEDTLS_SHA1_ALT
>  #endif
>  #endif
> @@ -32,7 +32,7 @@
>  #if CONFIG_IS_ENABLED(SHA256)
>  #define MBEDTLS_MD_C
>  #define MBEDTLS_SHA256_C
> -#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO_ALT)
>  #define MBEDTLS_SHA256_ALT
>  #endif
>  #if CONFIG_IS_ENABLED(SHA256_SMALLER)
> @@ -48,7 +48,7 @@
>  #if CONFIG_IS_ENABLED(SHA512)
>  #define MBEDTLS_MD_C
>  #define MBEDTLS_SHA512_C
> -#if defined CONFIG_MBEDTLS_LIB_CRYPTO_ALT
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO_ALT)
>  #define MBEDTLS_SHA512_ALT
>  #endif
>  #if CONFIG_IS_ENABLED(SHA512_SMALLER)
> @@ -60,7 +60,7 @@
>  #define MBEDTLS_HKDF_C
>  #endif
>
> -#if defined CONFIG_MBEDTLS_LIB_X509
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
>
>  #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
>  #define MBEDTLS_X509_USE_C
> @@ -89,9 +89,9 @@
>  #define MBEDTLS_ASN1_WRITE_C
>  #endif
>
> -#endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
> +#endif /* #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) */
>
> -#if IS_ENABLED(CONFIG_MBEDTLS_LIB_TLS)
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>  #include "rtc.h"
>
>  /* Generic options */
> @@ -106,25 +106,36 @@
>  #define MBEDTLS_ENTROPY_C
>  #define MBEDTLS_NO_PLATFORM_ENTROPY
>  #define MBEDTLS_SSL_PROTO_TLS1_2
> +#if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
>  #define MBEDTLS_SSL_SERVER_NAME_INDICATION
> +#endif
>  #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
>
>  /* RSA */
> +#if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER) && \
> +       CONFIG_IS_ENABLED(RSA_PUBLIC_KEY_PARSER)
>  #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
>  #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
>  #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
> +#endif
>  #define MBEDTLS_GCM_C
>
>  /* ECDSA */
> +#if CONFIG_IS_ENABLED(ASN1_DECODER)
>  #define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECP_C
>  #define MBEDTLS_ECDH_C
> +#endif
>  #define MBEDTLS_ECDSA_DETERMINISTIC
>  #define MBEDTLS_HMAC_DRBG_C
> -#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
> -#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
> +
>  #define MBEDTLS_CAN_ECDH
>  #define MBEDTLS_PK_CAN_ECDSA_SIGN
> -#define MBEDTLS_ECP_C
> +#if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
> +#endif
> +
>  #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>  #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
>  #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> @@ -138,6 +149,6 @@
>  #define MBEDTLS_ECP_DP_BP384R1_ENABLED
>  #define MBEDTLS_ECP_DP_BP512R1_ENABLED
>
> -#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
> +#endif /* #if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) */
>
> -#endif /* #if defined CONFIG_MBEDTLS_LIB */
> +#endif /* #if CONFIG_IS_ENABLED(MBEDTLS_LIB) */
> --
> 2.25.1
>

Cheers
/Ilias

Reply via email to