From 8fb478b7c42dce58b0ee597b356e0761973592c9 Mon Sep 17 00:00:00 2001 From: Raymond Mao Date: Mon, 3 Feb 2025 14:08:13 -0800 Subject: [PATCH] mbedtls: access mbedtls private members in mscode and pkcs7 parser U-Boot requires to access x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context in the porting layer, and this requires to enable MBEDTLS_ALLOW_PRIVATE_ACCESS. Enable it to mscode and pkcs7_parser to fix a mbedtls internal building error when X509 is selected. Moreover, Move it to a separate file to avoid enabling it in multiple places. Signed-off-by: Raymond Mao Acked-by: Ilias Apalodimas --- include/crypto/mscode.h | 1 + include/crypto/pkcs7_parser.h | 1 + include/u-boot/sha1.h | 17 +++---------- include/u-boot/sha256.h | 41 ++++++++++++++++++++---------- lib/mbedtls/port/mbedtls_options.h | 23 +++++++++++++++++ lib/sha1.c | 6 +++-- 6 files changed, 61 insertions(+), 28 deletions(-) create mode 100644 lib/mbedtls/port/mbedtls_options.h diff --git a/include/crypto/mscode.h b/include/crypto/mscode.h index 678e69001b9..55501c22acb 100644 --- a/include/crypto/mscode.h +++ b/include/crypto/mscode.h @@ -10,6 +10,7 @@ #include #endif #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include "mbedtls_options.h" #include #include #endif diff --git a/include/crypto/pkcs7_parser.h b/include/crypto/pkcs7_parser.h index 469c2711fa6..fd1e48da09e 100644 --- a/include/crypto/pkcs7_parser.h +++ b/include/crypto/pkcs7_parser.h @@ -12,6 +12,7 @@ #include #include #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) +#include "mbedtls_options.h" #include #include #include diff --git a/include/u-boot/sha1.h b/include/u-boot/sha1.h index 2fca7f1be16..c2d62e9cf0f 100644 --- a/include/u-boot/sha1.h +++ b/include/u-boot/sha1.h @@ -14,20 +14,11 @@ #ifndef _SHA1_H #define _SHA1_H +#include #include -#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) -/* - * FIXME: - * MbedTLS define the members of "mbedtls_sha256_context" as private, - * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue. - * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external - * access. - * Directly including is not allowed, - * since this will include and break the sandbox test. - */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) +#include "mbedtls_options.h" #include #endif @@ -47,7 +38,7 @@ extern "C" { extern const uint8_t sha1_der_prefix[]; -#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) typedef mbedtls_sha1_context sha1_context; #else /** diff --git a/include/u-boot/sha256.h b/include/u-boot/sha256.h index b58d5b58d39..2d86508332e 100644 --- a/include/u-boot/sha256.h +++ b/include/u-boot/sha256.h @@ -1,20 +1,13 @@ #ifndef _SHA256_H #define _SHA256_H +#include +#include +#include #include -#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) -/* - * FIXME: - * MbedTLS define the members of "mbedtls_sha256_context" as private, - * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue. - * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external - * access. - * Directly including is not allowed, - * since this will include and break the sandbox test. - */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) +#include "mbedtls_options.h" #include #endif @@ -27,7 +20,7 @@ extern const uint8_t sha256_der_prefix[]; /* Reset watchdog each time we process this many bytes */ #define CHUNKSZ_SHA256 (64 * 1024) -#if defined(CONFIG_MBEDTLS_LIB_CRYPTO) +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO) typedef mbedtls_sha256_context sha256_context; #else typedef struct { @@ -44,4 +37,26 @@ void sha256_finish(sha256_context * ctx, uint8_t digest[SHA256_SUM_LEN]); void sha256_csum_wd(const unsigned char *input, unsigned int ilen, unsigned char *output, unsigned int chunk_sz); +int sha256_hmac(const unsigned char *key, int keylen, + const unsigned char *input, unsigned int ilen, + unsigned char *output); + +#if CONFIG_IS_ENABLED(HKDF_MBEDTLS) +int sha256_hkdf(const unsigned char *salt, int saltlen, + const unsigned char *ikm, int ikmlen, + const unsigned char *info, int infolen, + unsigned char *output, int outputlen); +#else +static inline int sha256_hkdf(const unsigned char __always_unused *salt, + int __always_unused saltlen, + const unsigned char __always_unused *ikm, + int __always_unused ikmlen, + const unsigned char __always_unused *info, + int __always_unused infolen, + unsigned char __always_unused *output, + int __always_unused outputlen) { + return -EOPNOTSUPP; +} +#endif + #endif /* _SHA256_H */ diff --git a/lib/mbedtls/port/mbedtls_options.h b/lib/mbedtls/port/mbedtls_options.h new file mode 100644 index 00000000000..885ed6990b6 --- /dev/null +++ b/lib/mbedtls/port/mbedtls_options.h @@ -0,0 +1,23 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Internal build options for MbedTLS + * + * Copyright (c) 2025 Linaro Limited + * Author: Raymond Mao + */ + +#ifndef _MBEDTLS_OPT_H +#define _MBEDTLS_OPT_H + +/* + * FIXME: + * U-Boot/MbedTLS port requires to access a few of members which are defined + * as private in MbedTLS context. + * E.g: x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context. + * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external + * access, but directly including is not + * allowed, since this will include and break the sandbox test. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#endif /* _MBEDTLS_OPT_H */ diff --git a/lib/sha1.c b/lib/sha1.c index a9d6497c4ce..be502c6126b 100644 --- a/lib/sha1.c +++ b/lib/sha1.c @@ -312,14 +312,16 @@ void sha1_csum_wd(const unsigned char *input, unsigned int ilen, unsigned char *output, unsigned int chunk_sz) { sha1_context ctx; -#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) +#if !defined(USE_HOSTCC) && \ + (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)) const unsigned char *end, *curr; int chunk; #endif sha1_starts (&ctx); -#if defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG) +#if !defined(USE_HOSTCC) && \ + (defined(CONFIG_HW_WATCHDOG) || defined(CONFIG_WATCHDOG)) curr = input; end = input + ilen; while (curr < end) {