[Skiboot] [PATCH 1/3] crypto: add mbedtls build integration

Eric Richter erichte at linux.ibm.com
Fri Jul 19 07:29:47 AEST 2019


This patch integrates a new directory for holding the various crypto
libraries needed within libstb. This may be a candidate for moving
to the root of the project if it is useful beyond libstb.

This patch also includes the Makefile integration to build mbedtls
as a subcomponent of the crypto directory. As upstream mbedtls ships
with its own Makefile, the crypto Makefile calls the mbedtls
Makefile.

Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
 Makefile.main                       |  1 +
 libstb/Makefile.inc                 |  5 +-
 libstb/crypto/Makefile.inc          | 22 +++++++
 libstb/crypto/mbedtls-config.h      | 98 +++++++++++++++++++++++++++++
 libstb/crypto/mbedtls/OP_README.txt |  5 ++
 5 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 libstb/crypto/Makefile.inc
 create mode 100644 libstb/crypto/mbedtls-config.h
 create mode 100644 libstb/crypto/mbedtls/OP_README.txt

diff --git a/Makefile.main b/Makefile.main
index fac6e448..28c089f7 100644
--- a/Makefile.main
+++ b/Makefile.main
@@ -354,6 +354,7 @@ clean:
 	$(RM) include/asm-offsets.h version.c .version
 	$(RM) skiboot.info external/gard/gard.info external/pflash/pflash.info
 	$(RM) extract-gcov $(TARGET).lid.stb $(TARGET).lid.xz.stb
+	$(MAKE) -C libstb/crypto/mbedtls/library clean
 
 distclean: clean
 	$(RM) *~ $(SUBDIRS:%=%/*~) include/*~
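Review bot: The added clean line addresses the mbedtls tree by the bare relative path `libstb/crypto/mbedtls/library`, while the rule that builds the archives (libstb/crypto/Makefile.inc in this same series) reaches the same directory through `$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library`; if skiboot is ever built with the source tree elsewhere than the working directory, build and clean will disagree about where the objects live. If `$(SRC)` is in scope in Makefile.main, the line should be `$(MAKE) -C $(SRC)/libstb/crypto/mbedtls/library clean` so both paths are derived the same way. It is also worth stating in a short comment that this invokes the vendored upstream Makefile's clean, since the rest of `clean` only removes skiboot's own products.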
diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc
index 87311f1b..30904df0 100644
--- a/libstb/Makefile.inc
+++ b/libstb/Makefile.inc
@@ -10,8 +10,11 @@ LIBSTB = $(LIBSTB_DIR)/built-in.a
 
 include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc
 include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc
+include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc
 
-$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(MBEDTLS)
+CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include
+
+$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(CRYPTO)
 
 libstb/create-container: libstb/create-container.c libstb/container-utils.c
 	$(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \
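Review bot: The new `CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include` gives skiboot code the mbedtls headers but not the configuration the library was compiled with: `-DMBEDTLS_CONFIG_FILE='<mbedtls-config.h>'` and the `-I$(SRC)/$(LIBSTB_DIR)/crypto` needed to find it appear only in `MBEDTLS_CFLAGS` in libstb/crypto/Makefile.inc. Unless those flags are added elsewhere (not visible in this series), any libstb source that includes `mbedtls/*.h` will be compiled against upstream's default `mbedtls/config.h` — a different feature set, and potentially different struct layouts and enum values, from the archive it links against — which is a silent ABI mismatch rather than a build error. I would add the same two flags here: `CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto -DMBEDTLS_CONFIG_FILE='<mbedtls-config.h>'` directly under the existing include line, and a comment noting that consumers and the library must agree on the config file.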
diff --git a/libstb/crypto/Makefile.inc b/libstb/crypto/Makefile.inc
new file mode 100644
index 00000000..3d71b236
--- /dev/null
+++ b/libstb/crypto/Makefile.inc
@@ -0,0 +1,22 @@
+CRYPTO_DIR = $(LIBSTB_DIR)/crypto
+
+SUBDIRS += $(CRYPTO_DIR)
+
+MBEDTLS_CONFIG=
+
+MBEDTLS=$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedcrypto.a
+MBEDTLS+= $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedx509.a
+
+MBEDTLS_CFLAGS = $(CFLAGS)
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto -DMBEDTLS_CONFIG_FILE='<mbedtls-config.h>'
+MBEDTLS_CFLAGS += -Wno-suggest-attribute=const
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include
+MBEDTLS_CFLAGS += $(CPPFLAGS)
+
+$(MBEDTLS):
+	@$(MAKE) -C $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/ CFLAGS="$(MBEDTLS_CFLAGS)" CC=$(CC) AR=$(AR) libmbedcrypto.a libmbedx509.a
+
+CRYPTO = $(CRYPTO_DIR)/built-in.a
+
+$(CRYPTO): $(MBEDTLS)
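Review bot: The `$(MBEDTLS):` rule has two targets (libmbedcrypto.a and libmbedx509.a from lines 69–70) and no prerequisites, so under `make -j` make treats it as two independent rules and can start the sub-make twice concurrently in the same `library/` directory, racing on the same object files; and once both archives exist, edits to mbedtls-config.h or to the vendored sources never trigger a rebuild, so a change such as disabling an algorithm does not take effect until a manual clean. A stamp file built from the config header and the vendored sources fixes both, as sketched below; the `clean` target in Makefile.main would then also remove the stamp. The unused empty `MBEDTLS_CONFIG=` on line 67 should either be dropped or be the single place the config path is defined and then referenced from `MBEDTLS_CFLAGS`.
```make
MBEDTLS_LIB_DIR = $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library
MBEDTLS_STAMP = $(MBEDTLS_LIB_DIR)/.libmbedtls.built
# Rebuild the archives whenever the config or the vendored sources change.
MBEDTLS_DEPS = $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls-config.h \
	$(wildcard $(MBEDTLS_LIB_DIR)/*.c) \
	$(wildcard $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include/mbedtls/*.h)

# … unchanged: MBEDTLS_CFLAGS …

# A single rule produces both archives, so a parallel make runs one sub-make, not two.
$(MBEDTLS_STAMP): $(MBEDTLS_DEPS)
	@$(MAKE) -C $(MBEDTLS_LIB_DIR) CFLAGS="$(MBEDTLS_CFLAGS)" CC=$(CC) AR=$(AR) libmbedcrypto.a libmbedx509.a
	@touch $@

$(MBEDTLS): $(MBEDTLS_STAMP) ;
```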
diff --git a/libstb/crypto/mbedtls-config.h b/libstb/crypto/mbedtls-config.h
new file mode 100644
index 00000000..edf4acc2
--- /dev/null
+++ b/libstb/crypto/mbedtls-config.h
@@ -0,0 +1,98 @@
+/**
+ * \file config-no-entropy.h
+ *
+ * \brief Minimal configuration of features that do not require an entropy source
+ */
+/*
+ *  Copyright (C) 2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Minimal configuration of features that do not require an entropy source
+ * Distinguishing reatures:
+ * - no entropy module
+ * - no TLS protocol implementation available due to absence of an entropy
+ *   source
+ *
+ * See README.txt for usage instructions.
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* System support */
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_HAVE_TIME
+
+/* mbed TLS feature support */
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_NIST_OPTIM
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_SELF_TEST
+#define MBEDTLS_VERSION_FEATURES
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+/* mbed TLS modules */
+#define MBEDTLS_AES_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_CCM_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_GCM_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA512_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+//#define MBEDTLS_CMAC_C
+
+/* Settings to reduce/remove warnings */
+#define MBEDTLS_MPI_WINDOW_SIZE	3	// (max/default is 6) Increase for speed, may introduce warnings
+#define MBEDTLS_MPI_MAX_SIZE	512	// (default is 1024) increase for more bits in user-MPIs
+#define SIZE_MAX		65535	// this might need to be in libc?
+
+/* Disableable to mitigate warnings */
+#define MBEDTLS_ASN1_WRITE_C  // Expects SIZE_MAX
+#define MBEDTLS_VERSION_C     // Possible 'const' function
+#define MBEDTLS_HMAC_DRBG_C
+
+/* Miscellaneous options and fixes*/
+#define MBEDTLS_AES_ROM_TABLES
+#define MBEDTLS_NO_UDBL_DIVISION	// Disabled due to unsupported operation
+
+#endif /* MBEDTLS_CONFIG_H */
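Review bot: `#define SIZE_MAX 65535` on line 177 is a wrong value on a 64-bit target such as this one, and the comment on line 180 shows it is consumed by `MBEDTLS_ASN1_WRITE_C`, where `SIZE_MAX` is used in length-overflow checks; a `size_t` bound of 65535 makes those checks reject legitimate lengths above 64 KiB and, if skiboot's libc ever does provide `SIZE_MAX` in `<stdint.h>`, produces a conflicting redefinition. If the in-tree libc really lacks it (the line 177 comment suggests so but this series does not show it), define it correctly and guarded — `#ifndef SIZE_MAX` / `#define SIZE_MAX ((size_t)-1)` / `#endif` — or better add it to the libc header rather than a crypto config file. Two further points deserve a comment rather than a code change: with `MBEDTLS_HAVE_TIME` but no `MBEDTLS_HAVE_TIME_DATE`, mbedtls 2.x compiles out certificate validity-period checks, so if that is intentional for firmware it should say so next to line 129; and `MBEDTLS_PKCS1_V15` and `MBEDTLS_CIPHER_MODE_CBC`/`MBEDTLS_CIPHER_PADDING_PKCS7` widen the attack surface beyond what a no-entropy verification-only build appears to need, so each enabled module would benefit from a one-line note naming the libstb user that requires it. The "reatures" typo on line 116 is inherited from upstream and can be fixed while touching the header.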
diff --git a/libstb/crypto/mbedtls/OP_README.txt b/libstb/crypto/mbedtls/OP_README.txt
new file mode 100644
index 00000000..9373a048
--- /dev/null
+++ b/libstb/crypto/mbedtls/OP_README.txt
@@ -0,0 +1,5 @@
+This is a trimmed-down version of mbed TLS as retrieved from
+https://github.com/ARMmbed/mbedtls
+
+Only the necessary files are tracked by git. To update, copy or clone over this
+directory, and `git add library/` and `git add include/`.
-- 
2.20.1


