[Skiboot] [PATCH 1/3] crypto: add mbedtls build integration
Eric Richter
erichte at linux.ibm.com
Fri Jul 19 07:29:47 AEST 2019
This patch integrates a new directory for holding the various crypto
libraries needed within libstb. This may be a candidate for moving
to the root of the project if it is useful beyond libstb.
This patch also includes the Makefile integration to build mbedtls
as a subcomponent of the crypto directory. As upstream mbedtls ships
with its own Makefile, the crypto Makefile calls the mbedtls
Makefile.
Signed-off-by: Eric Richter <erichte at linux.ibm.com>
---
Makefile.main | 1 +
libstb/Makefile.inc | 5 +-
libstb/crypto/Makefile.inc | 22 +++++++
libstb/crypto/mbedtls-config.h | 98 +++++++++++++++++++++++++++++
libstb/crypto/mbedtls/OP_README.txt | 5 ++
5 files changed, 130 insertions(+), 1 deletion(-)
create mode 100644 libstb/crypto/Makefile.inc
create mode 100644 libstb/crypto/mbedtls-config.h
create mode 100644 libstb/crypto/mbedtls/OP_README.txt
diff --git a/Makefile.main b/Makefile.main
index fac6e448..28c089f7 100644
--- a/Makefile.main
+++ b/Makefile.main
@@ -354,6 +354,7 @@ clean:
$(RM) include/asm-offsets.h version.c .version
$(RM) skiboot.info external/gard/gard.info external/pflash/pflash.info
$(RM) extract-gcov $(TARGET).lid.stb $(TARGET).lid.xz.stb
+ $(MAKE) -C libstb/crypto/mbedtls/library clean
distclean: clean
$(RM) *~ $(SUBDIRS:%=%/*~) include/*~
diff --git a/libstb/Makefile.inc b/libstb/Makefile.inc
index 87311f1b..30904df0 100644
--- a/libstb/Makefile.inc
+++ b/libstb/Makefile.inc
@@ -10,8 +10,11 @@ LIBSTB = $(LIBSTB_DIR)/built-in.a
include $(SRC)/$(LIBSTB_DIR)/drivers/Makefile.inc
include $(SRC)/$(LIBSTB_DIR)/tss/Makefile.inc
+include $(SRC)/$(LIBSTB_DIR)/crypto/Makefile.inc
-$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(MBEDTLS)
+CPPFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include
+
+$(LIBSTB): $(LIBSTB_OBJS:%=$(LIBSTB_DIR)/%) $(DRIVERS) $(TSS) $(CRYPTO)
libstb/create-container: libstb/create-container.c libstb/container-utils.c
$(call Q, HOSTCC ,$(HOSTCC) $(HOSTCFLAGS) \
diff --git a/libstb/crypto/Makefile.inc b/libstb/crypto/Makefile.inc
new file mode 100644
index 00000000..3d71b236
--- /dev/null
+++ b/libstb/crypto/Makefile.inc
@@ -0,0 +1,22 @@
+CRYPTO_DIR = $(LIBSTB_DIR)/crypto
+
+SUBDIRS += $(CRYPTO_DIR)
+
+MBEDTLS_CONFIG=
+
+MBEDTLS=$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedcrypto.a
+MBEDTLS+= $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/libmbedx509.a
+
+MBEDTLS_CFLAGS = $(CFLAGS)
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto -DMBEDTLS_CONFIG_FILE='<mbedtls-config.h>'
+MBEDTLS_CFLAGS += -Wno-suggest-attribute=const
+MBEDTLS_CFLAGS += -I$(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/include
+MBEDTLS_CFLAGS += $(CPPFLAGS)
+
+$(MBEDTLS):
+ @$(MAKE) -C $(SRC)/$(LIBSTB_DIR)/crypto/mbedtls/library/ CFLAGS="$(MBEDTLS_CFLAGS)" CC=$(CC) AR=$(AR) libmbedcrypto.a libmbedx509.a
+
+CRYPTO = $(CRYPTO_DIR)/built-in.a
+
+$(CRYPTO): $(MBEDTLS)
diff --git a/libstb/crypto/mbedtls-config.h b/libstb/crypto/mbedtls-config.h
new file mode 100644
index 00000000..edf4acc2
--- /dev/null
+++ b/libstb/crypto/mbedtls-config.h
@@ -0,0 +1,98 @@
+/**
+ * \file config-no-entropy.h
+ *
+ * \brief Minimal configuration of features that do not require an entropy source
+ */
+/*
+ * Copyright (C) 2016, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Minimal configuration of features that do not require an entropy source
+ * Distinguishing reatures:
+ * - no entropy module
+ * - no TLS protocol implementation available due to absence of an entropy
+ * source
+ *
+ * See README.txt for usage instructions.
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* System support */
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_HAVE_TIME
+
+/* mbed TLS feature support */
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_CIPHER_PADDING_PKCS7
+#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_ECP_NIST_OPTIM
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_SELF_TEST
+#define MBEDTLS_VERSION_FEATURES
+#define MBEDTLS_X509_CHECK_KEY_USAGE
+#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+
+/* mbed TLS modules */
+#define MBEDTLS_AES_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_BASE64_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_CCM_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_GCM_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA512_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+//#define MBEDTLS_CMAC_C
+
+/* Settings to reduce/remove warnings */
+#define MBEDTLS_MPI_WINDOW_SIZE 3 // (max/default is 6) Increase for speed, may introduce warnings
+#define MBEDTLS_MPI_MAX_SIZE 512 // (default is 1024) increase for more bits in user-MPIs
+#define SIZE_MAX 65535 // this might need to be in libc?
+
+/* Disableable to mitigate warnings */
+#define MBEDTLS_ASN1_WRITE_C // Expects SIZE_MAX
+#define MBEDTLS_VERSION_C // Possible 'const' function
+#define MBEDTLS_HMAC_DRBG_C
+
+/* Miscellaneous options and fixes*/
+#define MBEDTLS_AES_ROM_TABLES
+#define MBEDTLS_NO_UDBL_DIVISION // Disabled due to unsupported operation
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/libstb/crypto/mbedtls/OP_README.txt b/libstb/crypto/mbedtls/OP_README.txt
new file mode 100644
index 00000000..9373a048
--- /dev/null
+++ b/libstb/crypto/mbedtls/OP_README.txt
@@ -0,0 +1,5 @@
+This is a trimmed-down version of mbed TLS as retrieved from
+https://github.com/ARMmbed/mbedtls
+
+Only the necessary files are tracked by git. To update, copy or clone over this
+directory, and `git add library/` and `git add include/`.
--
2.20.1
More information about the Skiboot
mailing list