According to mbedTLS' Changelog "Mbed TLS 3.0.0 branch released
2021-07-07" -> "Removals":
MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it
is now determined automatically based on supported curves.
Hence remove MBEDTLS_ECP_MAX_BITS from configuration files to fix build
issues with Zephyr when there is an unfortunate order of include
statements, like:
/__w/zephyr/zephyr/modules/mbedtls/zephyr_init.c
In file included from /__w/zephyr/modules/crypto/mbedtls/include/mbedtls/ssl.h:30,
from /__w/zephyr/modules/crypto/mbedtls/include/mbedtls/debug.h:27,
from /__w/zephyr/zephyr/modules/mbedtls/zephyr_init.c:16:
/__w/zephyr/modules/crypto/mbedtls/include/mbedtls/ecp.h:314: error: "MBEDTLS_ECP_MAX_BITS" redefined [-Werror]
314 | #define MBEDTLS_ECP_MAX_BITS 1
|
In file included from /__w/zephyr/bootloader/mcuboot/boot/zephyr/include/mcuboot-mbedtls-cfg.h:25,
from /__w/zephyr/modules/crypto/mbedtls/include/mbedtls/build_info.h:59,
from /__w/zephyr/modules/crypto/mbedtls/include/mbedtls/debug.h:25,
from /__w/zephyr/zephyr/modules/mbedtls/zephyr_init.c:16:
/__w/zephyr/bootloader/mcuboot/boot/zephyr/include/config-rsa.h:72: note: this is the location of the previous definition
72 | #define MBEDTLS_ECP_MAX_BITS 2048
|
cc1: all warnings being treated as errors
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>

Reduce the size of the sha256 implementation by 1300 bytes by using a
slower implementation.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>

Fix #10990.
A warning is triggered when snprintf is used because it is being
declared / configured incorrectly. The MBEDTLS configuration is
defaulting to disabling all of LIBC, and then explicitly enabling the
LIBC functions in use; this has been done for printf with
MBEDTLS_PLATFORM_STD_PRINTF, but not for
MBEDTLS_PLATFORM_STD_SNPRINTF.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>

MCUboot doesn't need mbedTLS's entropy code (you don't need random
numbers to check a digital signature), but it enables it. This causes
really scary warnings when building entropy.c, since the test entropy
source is enabled:
[113/197] Building C object zephyr/ext/lib/crypto/mbedtls/CMakeFiles/ext__lib__crypto__mbedtls.dir/library/entropy.c.obj
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:31:2: warning: #warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! " [-Wcpp]
#warning "**** WARNING! MBEDTLS_TEST_NULL_ENTROPY defined! "
^~~~~~~
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:32:2: warning: #warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES " [-Wcpp]
#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
^~~~~~~
/home/mbolivar/src/zephyr/ext/lib/crypto/mbedtls/library/entropy.c:33:2: warning: #warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE " [-Wcpp]
#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
^~~~~~~
Delete the bits of the mbedTLS configuration that compile this
file (along with some testing code we don't care about either) to
clean up the warning. This looks like copy/paste code from the initial
mbedTLS config import into MCUboot.
Signed-off-by: Marti Bolivar <marti@foundries.io>
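A check for the two configuration problems described in the commit messages above (an MBEDTLS_ECP_MAX_BITS define left in a config header after Mbed TLS 3.0.0, and MBEDTLS_TEST_NULL_ENTROPY being enabled), added here as an example; it is not part of these commits or of MCUboot. The function names and the sample header are constructed for illustration.

```python
import re

# Options called out in the commit messages, with the reason each is flagged.
FLAGGED = {
    "MBEDTLS_ECP_MAX_BITS": "no longer a configuration option as of Mbed TLS 3.0.0",
    "MBEDTLS_TEST_NULL_ENTROPY": "test entropy source; build not suitable for production",
}

# One pass over both comment styles, so whichever starts first wins.
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)
_DEFINE = re.compile(r"^[ \t]*#[ \t]*define[ \t]+(\w+)", re.M)


def _blank(match):
    # Replace comment text with spaces but keep newlines, so line numbers hold.
    return re.sub(r"[^\n]", " ", match.group(0))


def active_defines(text):
    """Return {macro: first line number} for #defines that are not commented out.

    Limitation: #if/#ifdef conditions and #undef are not evaluated.
    """
    text = _COMMENT.sub(_blank, text)
    found = {}
    for m in _DEFINE.finditer(text):
        found.setdefault(m.group(1), text.count("\n", 0, m.start()) + 1)
    return found


def lint_config(text):
    """Return sorted (line, macro, reason) findings for the flagged options."""
    defs = active_defines(text)
    return sorted((defs[n], n, why) for n, why in FLAGGED.items() if n in defs)


# Constructed sample header, not taken from MCUboot or Zephyr.
SAMPLE = """\
/* sample configuration (constructed) */
#define MBEDTLS_RSA_C
//#define MBEDTLS_TEST_NULL_ENTROPY
#define MBEDTLS_ECP_MAX_BITS 2048
/*
#define MBEDTLS_TEST_NULL_ENTROPY
*/
  #  define MBEDTLS_TEST_NULL_ENTROPY
"""

if __name__ == "__main__":
    for line, name, why in lint_config(SAMPLE):
        print(f"line {line}: {name}: {why}")
```

Commented-out defines, which are common in mbedTLS configuration headers, are ignored; only the active ones are reported.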
Handle the CONFIG_BOOT_SIGNATURE_TYPE_xxx values in Zephyr's
mcuboot_config.h by converting them into the platform-agnostic MCUboot
definitions.
This requires some changes to the way the release test Makefile is
structured, since Kconfig symbols cannot be set from the command line.
Instead, use the OVERLAY_CONFIG feature of the Zephyr build system,
which allows specifying extra fragments to merge into the final
.config. (This is an orthogonal mechanism to setting CONF_FILE; it is
used by Zephyr's CI script sanitycheck to add additional fragments, so
it's appropriate for use by MCUboot's testing scripts as well.)
We additionally need to move to a single prj.conf file due to a
dependency issue. We can no longer determine CONF_FILE from the
signature type, since that is now determined from the final .config or
autoconf.h, which is a build output that depends on CONF_FILE.
To move to a single prj.conf:
- delete prj-p256.conf and adjust prj.conf to serve both signature types
- add a top-level mbedTLS configuration file which dispatches to
the right sub-header depending on the key type
- as a side effect, have the simulator pick the right config file
depending on the case
This fixes and cleans up quite a bit of the signature type handling,
which had become something of a mess over time. For example, it fixes
a bug in ECDSA mode's configuration that wasn't actually selecting
config-asn1.h, and forces the simulator to use the same mbedTLS
configuration file as builds for real hardware.
Finally, we also have to move the mbedTLS vs. TinyCrypt choice into
mcuboot_config.h at the same time as well, since CMakeLists.txt was
making that decision based on the signature type.
Signed-off-by: Marti Bolivar <marti@opensourcefoundries.com>