
[meta-networking,kirkstone] mbedtls: add support for v3.x

Message ID 20230613160621.100974-1-beniaminsandu@gmail.com

Commit Message

Beniamin Sandu June 13, 2023, 4:06 p.m. UTC
Version 3.4.0 adds a lot of improvements and fixes (a notable one
being initial support for PKCS7 CMS), but since this is a pretty
big jump, let's keep both versions for a while, so the v2.x users
can upgrade to 3.x in a timely manner if needed.

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
 .../mbedtls/mbedtls/run-ptest                 | 17 +++++
 .../mbedtls/mbedtls_3.4.0.bb                  | 76 +++++++++++++++++++
 2 files changed, 93 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
 create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb

Comments

Ross Burton June 13, 2023, 4:44 p.m. UTC | #1
On 13 Jun 2023, at 17:06, Beniamin Sandu via lists.openembedded.org <beniaminsandu=gmail.com@lists.openembedded.org> wrote:
> 
> +# Export source files/headers needed by Arm Trusted Firmware
> +sysroot_stage_all:append() {
> + sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> + sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> +}

You might be able to delete this: the canonical TF-A recipe fetches its own copy of the mbedtls source.

Ross
akuster808 June 13, 2023, 6:49 p.m. UTC | #2
On 6/13/23 12:06 PM, Beniamin Sandu wrote:
> Version 3.4.0 adds a lot of improvements and fixes (a notable one
> being initial support for PKCS7 CMS), but since this is a pretty
> big jump, let's keep both versions for a while, so the v2.x users
> can upgrade to 3.x in a timely manner if needed.

The Stable branch maintenance policy is not to allow package updates
unless they are bugfixes or it's an LTS version.

Master is at an older version, so it should be updated first.

- armin
>
> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
> ---
>   .../mbedtls/mbedtls/run-ptest                 | 17 +++++
>   .../mbedtls/mbedtls_3.4.0.bb                  | 76 +++++++++++++++++++
>   2 files changed, 93 insertions(+)
>   create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
>   create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
> new file mode 100644
> index 000000000..059ab4ecb
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
> @@ -0,0 +1,17 @@
> +#!/bin/sh
> +
> +ptestdir=$(dirname "$(readlink -f "$0")")
> +cd "$ptestdir"/tests || exit
> +
> +tests=$(find * -type f -name 'test_suite_*')
> +
> +for f in $tests
> +do
> +    if test -x ./"$f"; then
> +        if ./"$f" > ./"$f".out 2> ./"$f".err; then
> +            echo "PASS: $f"
> +        else
> +            echo "FAIL: $f"
> +        fi
> +    fi
> +done
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> new file mode 100644
> index 000000000..351aa43ac
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> @@ -0,0 +1,76 @@
> +SUMMARY = "Lightweight crypto and SSL/TLS library"
> +DESCRIPTION = "mbedtls is a lean open source crypto library          \
> +for providing SSL and TLS support in your programs. It offers        \
> +an intuitive API and documented header files, so you can actually    \
> +understand what the code does. It features:                          \
> +                                                                     \
> + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
> +   Camellia and XTEA                                                 \
> + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
> + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
> + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
> +   ECDSA and ECDH                                                    \
> + - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
> + - Abstraction layers for ciphers, hashes, public key operations,    \
> +   platform abstraction and threading                                \
> +"
> +
> +HOMEPAGE = "https://tls.mbed.org/"
> +
> +LICENSE = "Apache-2.0"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
> +
> +SECTION = "libs"
> +
> +S = "${WORKDIR}/git"
> +SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
> +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
> +           file://run-ptest \
> +          "
> +
> +inherit cmake update-alternatives ptest
> +
> +PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
> +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
> +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
> +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
> +# Make X.509 and TLS calls use PSA
> +# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
> +PACKAGECONFIG[psa] = ""
> +PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
> +
> +EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
> +
> +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
> +
> +PROVIDES += "polarssl"
> +RPROVIDES:${PN} = "polarssl"
> +
> +PACKAGES =+ "${PN}-programs"
> +FILES:${PN}-programs = "${bindir}/"
> +
> +ALTERNATIVE:${PN}-programs = "hello"
> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
> +
> +BBCLASSEXTEND = "native nativesdk"
> +
> +CVE_PRODUCT = "mbed_tls"
> +
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> +CVE_CHECK_IGNORE += "CVE-2021-43666"
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> +CVE_CHECK_IGNORE += "CVE-2021-45451"
> +
> +# Export source files/headers needed by Arm Trusted Firmware
> +sysroot_stage_all:append() {
> +	sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> +	sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> +}
> +
> +do_install_ptest () {
> +	install -d ${D}${PTEST_PATH}/tests
> +	cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
> +	find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
> +	cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
> +}
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#103271): https://lists.openembedded.org/g/openembedded-devel/message/103271
> Mute This Topic: https://lists.openembedded.org/mt/99508857/3616698
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Beniamin Sandu June 13, 2023, 7:03 p.m. UTC | #3
Thanks for the feedback, I was about to follow up with a similar patch
on the master branch.

Is there any chance we can include it on kirkstone too after it gets on master?

Cheers,
Beni

On Tue, Jun 13, 2023 at 9:50 PM akuster808 <akuster808@gmail.com> wrote:
>
>
>
> On 6/13/23 12:06 PM, Beniamin Sandu wrote:
> > Version 3.4.0 adds a lot of improvements and fixes (a notable one
> > being initial support for PKCS7 CMS), but since this is a pretty
> > big jump, let's keep both versions for a while, so the v2.x users
> > can upgrade to 3.x in a timely manner if needed.
>
> The Stable branch maintenance policy is not to allow package update
> unless they are bugfix or its an LTS version.
>
> Master as at an older version so it should be updated first.
>
> - armin
> >
> > Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
> > ---
> >   .../mbedtls/mbedtls/run-ptest                 | 17 +++++
> >   .../mbedtls/mbedtls_3.4.0.bb                  | 76 +++++++++++++++++++
> >   2 files changed, 93 insertions(+)
> >   create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
> >   create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> >
> > diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
> > new file mode 100644
> > index 000000000..059ab4ecb
> > --- /dev/null
> > +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
> > @@ -0,0 +1,17 @@
> > +#!/bin/sh
> > +
> > +ptestdir=$(dirname "$(readlink -f "$0")")
> > +cd "$ptestdir"/tests || exit
> > +
> > +tests=$(find * -type f -name 'test_suite_*')
> > +
> > +for f in $tests
> > +do
> > +    if test -x ./"$f"; then
> > +        if ./"$f" > ./"$f".out 2> ./"$f".err; then
> > +            echo "PASS: $f"
> > +        else
> > +            echo "FAIL: $f"
> > +        fi
> > +    fi
> > +done
> > diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> > new file mode 100644
> > index 000000000..351aa43ac
> > --- /dev/null
> > +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> > @@ -0,0 +1,76 @@
> > +SUMMARY = "Lightweight crypto and SSL/TLS library"
> > +DESCRIPTION = "mbedtls is a lean open source crypto library          \
> > +for providing SSL and TLS support in your programs. It offers        \
> > +an intuitive API and documented header files, so you can actually    \
> > +understand what the code does. It features:                          \
> > +                                                                     \
> > + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
> > +   Camellia and XTEA                                                 \
> > + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
> > + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
> > + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
> > +   ECDSA and ECDH                                                    \
> > + - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
> > + - Abstraction layers for ciphers, hashes, public key operations,    \
> > +   platform abstraction and threading                                \
> > +"
> > +
> > +HOMEPAGE = "https://tls.mbed.org/"
> > +
> > +LICENSE = "Apache-2.0"
> > +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
> > +
> > +SECTION = "libs"
> > +
> > +S = "${WORKDIR}/git"
> > +SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
> > +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
> > +           file://run-ptest \
> > +          "
> > +
> > +inherit cmake update-alternatives ptest
> > +
> > +PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
> > +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
> > +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
> > +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
> > +# Make X.509 and TLS calls use PSA
> > +# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
> > +PACKAGECONFIG[psa] = ""
> > +PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
> > +
> > +EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
> > +
> > +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
> > +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
> > +
> > +PROVIDES += "polarssl"
> > +RPROVIDES:${PN} = "polarssl"
> > +
> > +PACKAGES =+ "${PN}-programs"
> > +FILES:${PN}-programs = "${bindir}/"
> > +
> > +ALTERNATIVE:${PN}-programs = "hello"
> > +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
> > +
> > +BBCLASSEXTEND = "native nativesdk"
> > +
> > +CVE_PRODUCT = "mbed_tls"
> > +
> > +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> > +CVE_CHECK_IGNORE += "CVE-2021-43666"
> > +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> > +CVE_CHECK_IGNORE += "CVE-2021-45451"
> > +
> > +# Export source files/headers needed by Arm Trusted Firmware
> > +sysroot_stage_all:append() {
> > +     sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> > +     sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> > +}
> > +
> > +do_install_ptest () {
> > +     install -d ${D}${PTEST_PATH}/tests
> > +     cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
> > +     find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
> > +     cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
> > +}
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#103271): https://lists.openembedded.org/g/openembedded-devel/message/103271
> > Mute This Topic: https://lists.openembedded.org/mt/99508857/3616698
> > Group Owner: openembedded-devel+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
Ross Burton June 13, 2023, 9:16 p.m. UTC | #4
On 13 Jun 2023, at 20:03, Beniamin Sandu via lists.openembedded.org <beniaminsandu=gmail.com@lists.openembedded.org> wrote:
> 
> Thanks for the feedback, I was about to follow up with a similar patch
> on the master branch.
> 
> Is there any chance we can include it on kirkstone too after it gets on master?

Stable policy is it goes master -> mickledore -> kirkstone.

Ross

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
new file mode 100644
index 000000000..059ab4ecb
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls/run-ptest
@@ -0,0 +1,17 @@ 
+#!/bin/sh
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+cd "$ptestdir"/tests || exit
+
+tests=$(find * -type f -name 'test_suite_*')
+
+for f in $tests
+do
+    if test -x ./"$f"; then
+        if ./"$f" > ./"$f".out 2> ./"$f".err; then
+            echo "PASS: $f"
+        else
+            echo "FAIL: $f"
+        fi
+    fi
+done
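Review bot: The pair `tests=$(find * -type f -name 'test_suite_*')` / `for f in $tests` word-splits and glob-expands find's output, so a test name containing whitespace would be split into several loop iterations, and when tests/ is empty the unmatched `*` is handed to find literally and the script prints nothing instead of failing. The suite binaries are generated by the build, so this is unlikely to bite in practice, but the POSIX-safe form under the `#!/bin/sh` shebang costs nothing: replace the `tests=` assignment and the `for`/`do` lines with `find . -type f -name 'test_suite_*' | while IFS= read -r f; do`, and use the `./`-prefixed paths find yields as-is, `if test -x "$f"; then` and `if "$f" > "$f.out" 2> "$f.err"; then`. A suite that is not executable is currently skipped in silence; printing `SKIP: $f` in that branch would let the ptest log tell a missing runner apart from a passing one.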
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
new file mode 100644
index 000000000..351aa43ac
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
@@ -0,0 +1,76 @@ 
+SUMMARY = "Lightweight crypto and SSL/TLS library"
+DESCRIPTION = "mbedtls is a lean open source crypto library          \
+for providing SSL and TLS support in your programs. It offers        \
+an intuitive API and documented header files, so you can actually    \
+understand what the code does. It features:                          \
+                                                                     \
+ - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
+   Camellia and XTEA                                                 \
+ - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
+ - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
+ - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
+   ECDSA and ECDH                                                    \
+ - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
+ - Abstraction layers for ciphers, hashes, public key operations,    \
+   platform abstraction and threading                                \
+"
+
+HOMEPAGE = "https://tls.mbed.org/"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SECTION = "libs"
+
+S = "${WORKDIR}/git"
+SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
+SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
+           file://run-ptest \
+          "
+
+inherit cmake update-alternatives ptest
+
+PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
+PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
+PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
+# Make X.509 and TLS calls use PSA
+# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
+PACKAGECONFIG[psa] = ""
+PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
+
+EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
+
+# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
+CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
+
+PROVIDES += "polarssl"
+RPROVIDES:${PN} = "polarssl"
+
+PACKAGES =+ "${PN}-programs"
+FILES:${PN}-programs = "${bindir}/"
+
+ALTERNATIVE:${PN}-programs = "hello"
+ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
+
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
+CVE_CHECK_IGNORE += "CVE-2021-43666"
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
+CVE_CHECK_IGNORE += "CVE-2021-45451"
+
+# Export source files/headers needed by Arm Trusted Firmware
+sysroot_stage_all:append() {
+	sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
+	sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
+}
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}/tests
+	cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
+	find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
+	cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
+}
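Review bot: DESCRIPTION in this hunk still advertises SSL v3, TLS 1.0/1.1, ARC4, Blowfish and XTEA, which, unless I am mistaken, Mbed TLS 3.0 removed; since this recipe only ever builds 3.x, a reader sizing up the crypto surface of the package from the recipe is misled, so the feature list should be trimmed to what 3.4.0 actually ships. The two `CVE_CHECK_IGNORE` entries are carried over with their 2.x justification; both linked fixes predate 3.4.0, so cve-check keyed on `CVE_PRODUCT = "mbed_tls"` and version 3.4.0 should already exclude them if the NVD ranges are right, and each line deserves a comment stating why it is still needed for 3.4.0, e.g. `# Fixed before 3.4.0; NVD affected range still covers 3.x`. In do_install_ptest the `find ... -name "*.c" -delete` step relies on the build leaving `test_suite_*.c` sources beside the binaries; a comment such as `# ${B}/tests also holds generated test_suite_*.c sources, drop them` would make that explicit.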