
[meta-networking,v2] mbedtls: add support for v3.x

Message ID 20230619182559.104504-1-beniaminsandu@gmail.com
State Under Review

Commit Message

Beniamin Sandu June 19, 2023, 6:25 p.m. UTC
Version 3.4.0 adds a lot of improvements and fixes (a notable one
being initial support for PKCS7 CMS), but since this is a pretty
big jump, let's keep both versions for a while, so the v2.x users
can upgrade to 3.x in a timely manner if needed.

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
 .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb

Comments

Beniamin Sandu June 19, 2023, 6:29 p.m. UTC | #1
Could you please test together with this one?
https://lists.openembedded.org/g/openembedded-devel/topic/meta_networking_patch/99629056?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,99629056,previd%3D1687199177764126333,nextid%3D1687180982017382829&previd=1687199177764126333&nextid=1687180982017382829

It should fix the mdns build.

Thanks,
Beni

On Mon, Jun 19, 2023 at 9:26 PM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>
> Version 3.4.0 adds a lot of improvements and fixes (a notable one
> being initial support for PKCS7 CMS), but since this is a pretty
> big jump, let's keep both versions for a while, so the v2.x users
> can upgrade to 3.x in a timely manner if needed.
>
> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
> ---
>  .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
>  1 file changed, 85 insertions(+)
>  create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> new file mode 100644
> index 000000000..ebc6ba573
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> @@ -0,0 +1,85 @@
> +SUMMARY = "Lightweight crypto and SSL/TLS library"
> +DESCRIPTION = "mbedtls is a lean open source crypto library          \
> +for providing SSL and TLS support in your programs. It offers        \
> +an intuitive API and documented header files, so you can actually    \
> +understand what the code does. It features:                          \
> +                                                                     \
> + - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
> +   Camellia and XTEA                                                 \
> + - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
> + - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
> + - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
> +   ECDSA and ECDH                                                    \
> + - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
> + - Abstraction layers for ciphers, hashes, public key operations,    \
> +   platform abstraction and threading                                \
> +"
> +
> +HOMEPAGE = "https://tls.mbed.org/"
> +
> +LICENSE = "Apache-2.0"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
> +
> +SECTION = "libs"
> +
> +S = "${WORKDIR}/git"
> +SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
> +SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
> +           file://run-ptest \
> +          "
> +
> +inherit cmake update-alternatives ptest
> +
> +PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
> +PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
> +PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
> +PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
> +# Make X.509 and TLS calls use PSA
> +# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
> +PACKAGECONFIG[psa] = ""
> +PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
> +
> +EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
> +
> +# Needs crypto instructions on aarch64
> +TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
> +
> +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
> +
> +PROVIDES += "polarssl"
> +RPROVIDES:${PN} = "polarssl"
> +
> +PACKAGES =+ "${PN}-programs"
> +FILES:${PN}-programs = "${bindir}/"
> +
> +ALTERNATIVE:${PN}-programs = "hello"
> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
> +
> +BBCLASSEXTEND = "native nativesdk"
> +
> +CVE_PRODUCT = "mbed_tls"
> +
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> +CVE_CHECK_IGNORE += "CVE-2021-43666"
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> +CVE_CHECK_IGNORE += "CVE-2021-45451"
> +
> +# Strip host paths from autogenerated test files
> +do_compile:append() {
> +       sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
> +       sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
> +}
> +
> +# Export source files/headers needed by Arm Trusted Firmware
> +sysroot_stage_all:append() {
> +       sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> +       sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> +}
> +
> +do_install_ptest () {
> +       install -d ${D}${PTEST_PATH}/tests
> +       cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
> +       find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
> +       cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
> +}
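Review bot: The `psa` PACKAGECONFIG only defines `MBEDTLS_USE_PSA_CRYPTO` on the compiler command line (the `CFLAGS:append` line), so the library is built with the option while the `mbedtls_config.h` installed into the sysroot does not carry it; as far as I recall, public structs in `ssl.h` and `cipher.h` have members guarded by that macro, so consumers compiling against the installed headers would see a different layout from the one the library was built with. The upstream way to flip the option is `scripts/config.py`, which edits the in-tree config header that is then installed, so a `do_configure:prepend()` gated on the same PACKAGECONFIG (sketch below) replacing the `CFLAGS:append` line keeps library and headers consistent, and the comment on `PACKAGECONFIG[psa]` should also say that applications must call `psa_crypto_init()` before any TLS or X.509 call when this is on, as the linked use-psa-crypto.md requires. Separately, the DESCRIPTION still advertises ARC4, Blowfish, XTEA, SSL v3 and TLS 1.0/1.1, all of which were removed in mbedtls 3.0, so it should be trimmed to what 3.4.0 actually ships. The same recipe is repeated in the later quotes and in the patch at the bottom of the page; this applies to all of them.
```bitbake
# … unchanged: PACKAGECONFIG lines above …
# Make X.509 and TLS calls use PSA
# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
# NOTE: with this enabled, applications must call psa_crypto_init() before
# any TLS or X.509 operation.
PACKAGECONFIG[psa] = ""

# Flip the option in the in-tree config header so the installed
# mbedtls_config.h matches the configuration the library was built with.
do_configure:prepend() {
    if ${@bb.utils.contains('PACKAGECONFIG', 'psa', 'true', 'false', d)}; then
        python3 ${S}/scripts/config.py -f ${S}/include/mbedtls/mbedtls_config.h set MBEDTLS_USE_PSA_CRYPTO
    fi
}
# … unchanged: PROVIDES / PACKAGES / CVE lines …
```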
> --
> 2.25.1
>
Martin Jansa June 25, 2023, 10:53 a.m. UTC | #2
On Mon, Jun 19, 2023 at 8:26 PM Beniamin Sandu <beniaminsandu@gmail.com>
wrote:

> Version 3.4.0 adds a lot of improvements and fixes (a notable one
> being initial support for PKCS7 CMS), but since this is a pretty
> big jump, let's keep both versions for a while, so the v2.x users
> can upgrade to 3.x in a timely manner if needed.
>
> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
> ---
>  .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
>  1 file changed, 85 insertions(+)
>  create mode 100644 meta-networking/recipes-connectivity/mbedtls/
> mbedtls_3.4.0.bb
>
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> new file mode 100644
> index 000000000..ebc6ba573
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb


....

+# Needs crypto instructions on aarch64
> +TUNE_CCARGS_MARCH_OPTS:append:aarch64 =
> "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
>

This assumes too much about TUNE_CCARGS_MARCH_OPTS structure and in some
multilib builds I'm seeing:

# $TUNE_CCARGS_MARCH_OPTS [4 operations]
#   set oe-core/meta/conf/machine/include/arm/arch-arm.inc:19
#     [_defaultval] ""
#   postdot oe-core/meta/conf/machine/include/arm/feature-arm-neon.inc:26
#     "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ],
'+fp', '', d)}"
#   postdot oe-core/meta/conf/machine/include/arm/feature-arm-simd.inc:5
#     "${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}"
#   :append[aarch64] meta-oe/meta-networking/recipes-connectivity/mbedtls/
mbedtls_3.4.0.bb:45
#     "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
# pre-expansion value:
#   "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ],
'+fp', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '',
d)}${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
TUNE_CCARGS_MARCH_OPTS="+crypto"

And empty TUNE_CCARGS_MARCH, because TUNE_FEATURES has only aarch64

# $TUNE_CCARGS_MARCH [4 operations]
#   postdot oe-core/meta/conf/machine/include/arm/arch-armv7a.inc:6
#     "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a',
'', d)}"
#   postdot oe-core/meta/conf/machine/include/arm/arch-armv6.inc:5
#     "${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '',
d)}"
#   postdot oe-core/meta/conf/machine/include/arm/arch-armv5.inc:5
#     "${@bb.utils.contains('TUNE_FEATURES', 'armv5', '
-march=armv5t${ARMPKGSFX_DSP}', '', d)}"
#   postdot oe-core/meta/conf/machine/include/arm/arch-armv4.inc:5
#     "${@bb.utils.contains('TUNE_FEATURES', 'armv4', '
-march=armv4${ARMPKGSFX_THUMB}', '', d)}"
# pre-expansion value:
#   "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a', '',
d)}${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '',
d)}${@bb.utils.contains('TUNE_FEATURES', 'armv5', '
-march=armv5t${ARMPKGSFX_DSP}', '',
d)}${@bb.utils.contains('TUNE_FEATURES', 'armv4', '
-march=armv4${ARMPKGSFX_THUMB}', '', d)}"
TUNE_CCARGS_MARCH=""

causing do_configure failure:

aarch64-oe-linux-gcc: warning: +crypto: linker input file unused because
linking not done
aarch64-oe-linux-gcc: error: +crypto: linker input file not found: No such
file or directory
ninja: build stopped: subcommand failed.

 +
> +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', '
> -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
> +
> +PROVIDES += "polarssl"
> +RPROVIDES:${PN} = "polarssl"
> +
> +PACKAGES =+ "${PN}-programs"
> +FILES:${PN}-programs = "${bindir}/"
> +
> +ALTERNATIVE:${PN}-programs = "hello"
> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
> +
> +BBCLASSEXTEND = "native nativesdk"
> +
> +CVE_PRODUCT = "mbed_tls"
> +
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> +CVE_CHECK_IGNORE += "CVE-2021-43666"
> +# Fix merged upstream
> https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> +CVE_CHECK_IGNORE += "CVE-2021-45451"
> +
> +# Strip host paths from autogenerated test files
> +do_compile:append() {
> +       sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
> +       sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
> +}
> +
> +# Export source files/headers needed by Arm Trusted Firmware
> +sysroot_stage_all:append() {
> +       sysroot_stage_dir "${S}/library"
> "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> +       sysroot_stage_dir "${S}/include"
> "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> +}
> +
> +do_install_ptest () {
> +       install -d ${D}${PTEST_PATH}/tests
> +       cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
> +       find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
> +       cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
> +}
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#103441):
> https://lists.openembedded.org/g/openembedded-devel/message/103441
> Mute This Topic: https://lists.openembedded.org/mt/99629175/3617156
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [
> Martin.Jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
Beniamin Sandu June 25, 2023, 1:42 p.m. UTC | #3
On Sun, Jun 25, 2023 at 1:53 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> On Mon, Jun 19, 2023 at 8:26 PM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>>
>> Version 3.4.0 adds a lot of improvements and fixes (a notable one
>> being initial support for PKCS7 CMS), but since this is a pretty
>> big jump, let's keep both versions for a while, so the v2.x users
>> can upgrade to 3.x in a timely manner if needed.
>>
>> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
>> ---
>>  .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
>>  1 file changed, 85 insertions(+)
>>  create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>>
>> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>> new file mode 100644
>> index 000000000..ebc6ba573
>> --- /dev/null
>> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>
>
> ....
>
>> +# Needs crypto instructions on aarch64
>> +TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
>
>
> This assumes too much about TUNE_CCARGS_MARCH_OPTS structure and in some multilib builds I'm seeing:
>
> # $TUNE_CCARGS_MARCH_OPTS [4 operations]
> #   set oe-core/meta/conf/machine/include/arm/arch-arm.inc:19
> #     [_defaultval] ""
> #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-neon.inc:26
> #     "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ], '+fp', '', d)}"
> #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-simd.inc:5
> #     "${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}"
> #   :append[aarch64] meta-oe/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb:45
> #     "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
> # pre-expansion value:
> #   "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ], '+fp', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
> TUNE_CCARGS_MARCH_OPTS="+crypto"
>
> And empty TUNE_CCARGS_MARCH, because TUNE_FEATURES has only aarch64
>
> # $TUNE_CCARGS_MARCH [4 operations]
> #   postdot oe-core/meta/conf/machine/include/arm/arch-armv7a.inc:6
> #     "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a', '', d)}"
> #   postdot oe-core/meta/conf/machine/include/arm/arch-armv6.inc:5
> #     "${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '', d)}"
> #   postdot oe-core/meta/conf/machine/include/arm/arch-armv5.inc:5
> #     "${@bb.utils.contains('TUNE_FEATURES', 'armv5', ' -march=armv5t${ARMPKGSFX_DSP}', '', d)}"
> #   postdot oe-core/meta/conf/machine/include/arm/arch-armv4.inc:5
> #     "${@bb.utils.contains('TUNE_FEATURES', 'armv4', ' -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
> # pre-expansion value:
> #   "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv5', ' -march=armv5t${ARMPKGSFX_DSP}', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv4', ' -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
> TUNE_CCARGS_MARCH=""
>
> causing do_configure failure:
>
> aarch64-oe-linux-gcc: warning: +crypto: linker input file unused because linking not done
> aarch64-oe-linux-gcc: error: +crypto: linker input file not found: No such file or directory
> ninja: build stopped: subcommand failed.

As I understand, you are building a lib64 multilib variant with a pure
aarch64 tune (no core specifications or optimizations whatsoever)?
I have tested with a bunch of different machines and tuning variations
on my side, but I never encountered a build in the real world with
arm64 instructions enabled and nothing else, so did not think trying
out this one would be useful.
Building with crypto instructions on arm64 machines was the path with
the least resistance in getting rid of compilation errors because of
target specific option mismatches, but I will look if there is a better
way to handle this when I get the chance.

>
>>  +
>> +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
>> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
>> +
>> +PROVIDES += "polarssl"
>> +RPROVIDES:${PN} = "polarssl"
>> +
>> +PACKAGES =+ "${PN}-programs"
>> +FILES:${PN}-programs = "${bindir}/"
>> +
>> +ALTERNATIVE:${PN}-programs = "hello"
>> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
>> +
>> +BBCLASSEXTEND = "native nativesdk"
>> +
>> +CVE_PRODUCT = "mbed_tls"
>> +
>> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
>> +CVE_CHECK_IGNORE += "CVE-2021-43666"
>> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
>> +CVE_CHECK_IGNORE += "CVE-2021-45451"
>> +
>> +# Strip host paths from autogenerated test files
>> +do_compile:append() {
>> +       sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
>> +       sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
>> +}
>> +
>> +# Export source files/headers needed by Arm Trusted Firmware
>> +sysroot_stage_all:append() {
>> +       sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
>> +       sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
>> +}
>> +
>> +do_install_ptest () {
>> +       install -d ${D}${PTEST_PATH}/tests
>> +       cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
>> +       find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
>> +       cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
>> +}
>> --
>> 2.25.1
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-
>> Links: You receive all messages sent to this group.
>> View/Reply Online (#103441): https://lists.openembedded.org/g/openembedded-devel/message/103441
>> Mute This Topic: https://lists.openembedded.org/mt/99629175/3617156
>> Group Owner: openembedded-devel+owner@lists.openembedded.org
>> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [Martin.Jansa@gmail.com]
>> -=-=-=-=-=-=-=-=-=-=-=-
>>
Martin Jansa June 25, 2023, 2:37 p.m. UTC | #4
Maybe just skip the recipe when building without crypto? If someone uses
tune without crypto for whatever reason, then it might be better to show an
error that crypto is mandatory for this recipe instead of silently changing
the decision not to use crypto with DEFAULTTUNE.

I've noticed it just in world builds, don't really need 64bit mbedtls build
in this multilib setup (which uses just 64bit kernel and external modules,
whole userspace is 32bit).

Regards,

On Sun, Jun 25, 2023 at 3:42 PM Beniamin Sandu <beniaminsandu@gmail.com>
wrote:

> On Sun, Jun 25, 2023 at 1:53 PM Martin Jansa <martin.jansa@gmail.com>
> wrote:
> >
> > On Mon, Jun 19, 2023 at 8:26 PM Beniamin Sandu <beniaminsandu@gmail.com>
> wrote:
> >>
> >> Version 3.4.0 adds a lot of improvements and fixes (a notable one
> >> being initial support for PKCS7 CMS), but since this is a pretty
> >> big jump, let's keep both versions for a while, so the v2.x users
> >> can upgrade to 3.x in a timely manner if needed.
> >>
> >> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
> >> ---
> >>  .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
> >>  1 file changed, 85 insertions(+)
> >>  create mode 100644 meta-networking/recipes-connectivity/mbedtls/
> mbedtls_3.4.0.bb
> >>
> >> diff --git a/meta-networking/recipes-connectivity/mbedtls/
> mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/
> mbedtls_3.4.0.bb
> >> new file mode 100644
> >> index 000000000..ebc6ba573
> >> --- /dev/null
> >> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
> >
> >
> > ....
> >
> >> +# Needs crypto instructions on aarch64
> >> +TUNE_CCARGS_MARCH_OPTS:append:aarch64 =
> "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
> >
> >
> > This assumes too much about TUNE_CCARGS_MARCH_OPTS structure and in some
> multilib builds I'm seeing:
> >
> > # $TUNE_CCARGS_MARCH_OPTS [4 operations]
> > #   set oe-core/meta/conf/machine/include/arm/arch-arm.inc:19
> > #     [_defaultval] ""
> > #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-neon.inc:26
> > #     "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16'
> ], '+fp', '', d)}"
> > #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-simd.inc:5
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}"
> > #   :append[aarch64]
> meta-oe/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb:45
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto',
> d)}"
> > # pre-expansion value:
> > #   "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ],
> '+fp', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '',
> d)}${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
> > TUNE_CCARGS_MARCH_OPTS="+crypto"
> >
> > And empty TUNE_CCARGS_MARCH, because TUNE_FEATURES has only aarch64
> >
> > # $TUNE_CCARGS_MARCH [4 operations]
> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv7a.inc:6
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', '
> -march=armv7-a', '', d)}"
> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv6.inc:5
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6',
> '', d)}"
> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv5.inc:5
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv5', '
> -march=armv5t${ARMPKGSFX_DSP}', '', d)}"
> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv4.inc:5
> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv4', '
> -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
> > # pre-expansion value:
> > #   "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a',
> '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '',
> d)}${@bb.utils.contains('TUNE_FEATURES', 'armv5', '
> -march=armv5t${ARMPKGSFX_DSP}', '',
> d)}${@bb.utils.contains('TUNE_FEATURES', 'armv4', '
> -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
> > TUNE_CCARGS_MARCH=""
> >
> > causing do_configure failure:
> >
> > aarch64-oe-linux-gcc: warning: +crypto: linker input file unused because
> linking not done
> > aarch64-oe-linux-gcc: error: +crypto: linker input file not found: No
> such file or directory
> > ninja: build stopped: subcommand failed.
>
> As I understand, you are building a lib64 multilib variant with a pure
> aarch64 tune (no core specifications or optimizations whatsoever)?
> I have tested with a bunch of different machines and tuning variations
> on my side, but I never encountered a build in the real world with
> arm64 instructions enabled and nothing else, so did not think trying
> out this one would be useful.
> Building with crypto instructions on arm64 machines was the path with
> the least resistance in getting rid of compilation errors because of
> target specific option mismatches, but I will look if there is better
> way to handle this when I get the chance.
>
> >
> >>  +
> >> +# For now the only way to enable PSA is to explicitly pass a -D via
> CFLAGS
> >> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', '
> -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
> >> +
> >> +PROVIDES += "polarssl"
> >> +RPROVIDES:${PN} = "polarssl"
> >> +
> >> +PACKAGES =+ "${PN}-programs"
> >> +FILES:${PN}-programs = "${bindir}/"
> >> +
> >> +ALTERNATIVE:${PN}-programs = "hello"
> >> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
> >> +
> >> +BBCLASSEXTEND = "native nativesdk"
> >> +
> >> +CVE_PRODUCT = "mbed_tls"
> >> +
> >> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
> >> +CVE_CHECK_IGNORE += "CVE-2021-43666"
> >> +# Fix merged upstream
> https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
> >> +CVE_CHECK_IGNORE += "CVE-2021-45451"
> >> +
> >> +# Strip host paths from autogenerated test files
> >> +do_compile:append() {
> >> +       sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
> >> +       sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
> >> +}
> >> +
> >> +# Export source files/headers needed by Arm Trusted Firmware
> >> +sysroot_stage_all:append() {
> >> +       sysroot_stage_dir "${S}/library"
> "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
> >> +       sysroot_stage_dir "${S}/include"
> "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
> >> +}
> >> +
> >> +do_install_ptest () {
> >> +       install -d ${D}${PTEST_PATH}/tests
> >> +       cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
> >> +       find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
> >> +       cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
> >> +}
> >> --
> >> 2.25.1
> >>
> >>
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >> Links: You receive all messages sent to this group.
> >> View/Reply Online (#103441):
> https://lists.openembedded.org/g/openembedded-devel/message/103441
> >> Mute This Topic: https://lists.openembedded.org/mt/99629175/3617156
> >> Group Owner: openembedded-devel+owner@lists.openembedded.org
> >> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub
> [Martin.Jansa@gmail.com]
> >> -=-=-=-=-=-=-=-=-=-=-=-
> >>
>
Beniamin Sandu June 25, 2023, 4:06 p.m. UTC | #5
On Sun, Jun 25, 2023 at 5:38 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> Maybe just skip the recipe when building without crypto? If someone uses tune without crypto for whatever reason, then it might be better to show an error that crypto is mandatory for this recipe instead of silently changing the decision not to use crypto with DEFAULTTUNE.

I was considering it, but doing it like this seemed a bit less ugly at
the time. The issue is not with the 64bit build itself, only with building
using a tune that has nothing but the base arm64 instructions enabled, without any
other core specs. Any other arm64 tune variation should work.
I will have a closer look at the mbedtls code, might be fixable there.

>
> I've noticed it just in world builds, don't really need 64bit mbedtls build in this multilib setup (which uses just 64bit kernel and external modules, whole userspace is 32bit).
>
> Regards,
>
> On Sun, Jun 25, 2023 at 3:42 PM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>>
>> On Sun, Jun 25, 2023 at 1:53 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>> >
>> > On Mon, Jun 19, 2023 at 8:26 PM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>> >>
>> >> Version 3.4.0 adds a lot of improvements and fixes (a notable one
>> >> being initial support for PKCS7 CMS), but since this is a pretty
>> >> big jump, let's keep both versions for a while, so the v2.x users
>> >> can upgrade to 3.x in a timely manner if needed.
>> >>
>> >> Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
>> >> ---
>> >>  .../mbedtls/mbedtls_3.4.0.bb                  | 85 +++++++++++++++++++
>> >>  1 file changed, 85 insertions(+)
>> >>  create mode 100644 meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>> >>
>> >> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>> >> new file mode 100644
>> >> index 000000000..ebc6ba573
>> >> --- /dev/null
>> >> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
>> >
>> >
>> > ....
>> >
>> >> +# Needs crypto instructions on aarch64
>> >> +TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
>> >
>> >
>> > This assumes too much about TUNE_CCARGS_MARCH_OPTS structure and in some multilib builds I'm seeing:
>> >
>> > # $TUNE_CCARGS_MARCH_OPTS [4 operations]
>> > #   set oe-core/meta/conf/machine/include/arm/arch-arm.inc:19
>> > #     [_defaultval] ""
>> > #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-neon.inc:26
>> > #     "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ], '+fp', '', d)}"
>> > #   postdot oe-core/meta/conf/machine/include/arm/feature-arm-simd.inc:5
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}"
>> > #   :append[aarch64] meta-oe/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb:45
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
>> > # pre-expansion value:
>> > #   "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv3d16', 'vfpv5spd16' ], '+fp', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'simd', '+simd', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
>> > TUNE_CCARGS_MARCH_OPTS="+crypto"
>> >
>> > And empty TUNE_CCARGS_MARCH, because TUNE_FEATURES has only aarch64
>> >
>> > # $TUNE_CCARGS_MARCH [4 operations]
>> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv7a.inc:6
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a', '', d)}"
>> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv6.inc:5
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '', d)}"
>> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv5.inc:5
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv5', ' -march=armv5t${ARMPKGSFX_DSP}', '', d)}"
>> > #   postdot oe-core/meta/conf/machine/include/arm/arch-armv4.inc:5
>> > #     "${@bb.utils.contains('TUNE_FEATURES', 'armv4', ' -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
>> > # pre-expansion value:
>> > #   "${@bb.utils.contains('TUNE_FEATURES', 'armv7a', ' -march=armv7-a', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv6', ' -march=armv6', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv5', ' -march=armv5t${ARMPKGSFX_DSP}', '', d)}${@bb.utils.contains('TUNE_FEATURES', 'armv4', ' -march=armv4${ARMPKGSFX_THUMB}', '', d)}"
>> > TUNE_CCARGS_MARCH=""
>> >
>> > causing do_configure failure:
>> >
>> > aarch64-oe-linux-gcc: warning: +crypto: linker input file unused because linking not done
>> > aarch64-oe-linux-gcc: error: +crypto: linker input file not found: No such file or directory
>> > ninja: build stopped: subcommand failed.
>>
>> As I understand, you are building a lib64 multilib variant with a pure
>> aarch64 tune (no core specifications or optimizations whatsoever)?
>> I have tested with a bunch of different machines and tuning variations
>> on my side, but I never encountered a build in the real world with
>> arm64 instructions enabled and nothing else, so did not think trying
>> out this one would be useful.
>> Building with crypto instructions on arm64 machines was the path with
>> the least resistance in getting rid of compilation errors because of
>> target specific option mismatches, but I will look if there is better
>> way to handle this when I get the chance.
>>
>> >
>> >>  +
>> >> +# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
>> >> +CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
>> >> +
>> >> +PROVIDES += "polarssl"
>> >> +RPROVIDES:${PN} = "polarssl"
>> >> +
>> >> +PACKAGES =+ "${PN}-programs"
>> >> +FILES:${PN}-programs = "${bindir}/"
>> >> +
>> >> +ALTERNATIVE:${PN}-programs = "hello"
>> >> +ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
>> >> +
>> >> +BBCLASSEXTEND = "native nativesdk"
>> >> +
>> >> +CVE_PRODUCT = "mbed_tls"
>> >> +
>> >> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
>> >> +CVE_CHECK_IGNORE += "CVE-2021-43666"
>> >> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
>> >> +CVE_CHECK_IGNORE += "CVE-2021-45451"
>> >> +
>> >> +# Strip host paths from autogenerated test files
>> >> +do_compile:append() {
>> >> +       sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
>> >> +       sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
>> >> +}
>> >> +
>> >> +# Export source files/headers needed by Arm Trusted Firmware
>> >> +sysroot_stage_all:append() {
>> >> +       sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
>> >> +       sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
>> >> +}
>> >> +
>> >> +do_install_ptest () {
>> >> +       install -d ${D}${PTEST_PATH}/tests
>> >> +       cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
>> >> +       find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
>> >> +       cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
>> >> +}
>> >> --
>> >> 2.25.1
>> >>
>> >>
>> >> -=-=-=-=-=-=-=-=-=-=-=-
>> >> Links: You receive all messages sent to this group.
>> >> View/Reply Online (#103441): https://lists.openembedded.org/g/openembedded-devel/message/103441
>> >> Mute This Topic: https://lists.openembedded.org/mt/99629175/3617156
>> >> Group Owner: openembedded-devel+owner@lists.openembedded.org
>> >> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [Martin.Jansa@gmail.com]
>> >> -=-=-=-=-=-=-=-=-=-=-=-
>> >>

Patch

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
new file mode 100644
index 000000000..ebc6ba573
--- /dev/null
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
@@ -0,0 +1,85 @@ 
+SUMMARY = "Lightweight crypto and SSL/TLS library"
+DESCRIPTION = "mbedtls is a lean open source crypto library          \
+for providing SSL and TLS support in your programs. It offers        \
+an intuitive API and documented header files, so you can actually    \
+understand what the code does. It features:                          \
+                                                                     \
+ - Symmetric algorithms, like AES, Blowfish, Triple-DES, DES, ARC4,  \
+   Camellia and XTEA                                                 \
+ - Hash algorithms, like SHA-1, SHA-2, RIPEMD-160 and MD5            \
+ - Entropy pool and random generators, like CTR-DRBG and HMAC-DRBG   \
+ - Public key algorithms, like RSA, Elliptic Curves, Diffie-Hellman, \
+   ECDSA and ECDH                                                    \
+ - SSL v3 and TLS 1.0, 1.1 and 1.2                                   \
+ - Abstraction layers for ciphers, hashes, public key operations,    \
+   platform abstraction and threading                                \
+"
+
+HOMEPAGE = "https://tls.mbed.org/"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+SECTION = "libs"
+
+S = "${WORKDIR}/git"
+SRCREV = "1873d3bfc2da771672bd8e7e8f41f57e0af77f33"
+SRC_URI = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=master \
+           file://run-ptest \
+          "
+
+inherit cmake update-alternatives ptest
+
+PACKAGECONFIG ??= "shared-libs programs ${@bb.utils.contains('PTEST_ENABLED', '1', 'tests', '', d)}"
+PACKAGECONFIG[shared-libs] = "-DUSE_SHARED_MBEDTLS_LIBRARY=ON,-DUSE_SHARED_MBEDTLS_LIBRARY=OFF"
+PACKAGECONFIG[programs] = "-DENABLE_PROGRAMS=ON,-DENABLE_PROGRAMS=OFF"
+PACKAGECONFIG[werror] = "-DMBEDTLS_FATAL_WARNINGS=ON,-DMBEDTLS_FATAL_WARNINGS=OFF"
+# Make X.509 and TLS calls use PSA
+# https://github.com/Mbed-TLS/mbedtls/blob/development/docs/use-psa-crypto.md
+PACKAGECONFIG[psa] = ""
+PACKAGECONFIG[tests] = "-DENABLE_TESTING=ON,-DENABLE_TESTING=OFF"
+
+EXTRA_OECMAKE = "-DLIB_INSTALL_DIR:STRING=${libdir}"
+
+# Needs crypto instructions on aarch64
+TUNE_CCARGS_MARCH_OPTS:append:aarch64 = "${@bb.utils.contains('TUNE_FEATURES', 'crypto', '', '+crypto', d)}"
+
+# For now the only way to enable PSA is to explicitly pass a -D via CFLAGS
+CFLAGS:append = "${@bb.utils.contains('PACKAGECONFIG', 'psa', ' -DMBEDTLS_USE_PSA_CRYPTO', '', d)}"
+
+PROVIDES += "polarssl"
+RPROVIDES:${PN} = "polarssl"
+
+PACKAGES =+ "${PN}-programs"
+FILES:${PN}-programs = "${bindir}/"
+
+ALTERNATIVE:${PN}-programs = "hello"
+ALTERNATIVE_LINK_NAME[hello] = "${bindir}/hello"
+
+BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
+
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
+CVE_CHECK_IGNORE += "CVE-2021-43666"
+# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
+CVE_CHECK_IGNORE += "CVE-2021-45451"
+
+# Strip host paths from autogenerated test files
+do_compile:append() {
+	sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
+	sed -i 's+${B}/++g' ${B}/tests/*.c 2>/dev/null || :
+}
+
+# Export source files/headers needed by Arm Trusted Firmware
+sysroot_stage_all:append() {
+	sysroot_stage_dir "${S}/library" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/library"
+	sysroot_stage_dir "${S}/include" "${SYSROOT_DESTDIR}/usr/share/mbedtls-source/include"
+}
+
+do_install_ptest () {
+	install -d ${D}${PTEST_PATH}/tests
+	cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/
+	find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete
+	cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/
+}
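Review bot: The `psa` PACKAGECONFIG enables MBEDTLS_USE_PSA_CRYPTO only through `CFLAGS:append`, so the library is compiled with the macro but the `mbedtls_config.h` that gets installed into the sysroot never defines it; as far as I can tell several public mbedtls structs have fields conditional on that macro, so consumers building against the installed headers can end up with a layout mismatch against the shared library. Setting it in the source config instead keeps both sides consistent, e.g. `do_configure:prepend() { ${S}/scripts/config.py -f ${S}/include/mbedtls/mbedtls_config.h set MBEDTLS_USE_PSA_CRYPTO; }` guarded by `bb.utils.contains('PACKAGECONFIG', 'psa', ...)` in place of the CFLAGS line. Separately, the DESCRIPTION copied from the 2.x recipe still advertises SSL v3, TLS 1.0/1.1, ARC4, Blowfish and XTEA, which upstream removed in the 3.0 series, and says nothing about TLS 1.3; it should be trimmed so the package metadata does not claim protocol and cipher support this build does not provide. The two `CVE_CHECK_IGNORE` entries and the `ARMmbed` fetch URL (the comments already point at the `Mbed-TLS` org) also look inherited from the 2.x recipe — both CVE fixes predate 3.4.0, so please confirm they are still reported against this version before carrying the ignores forward.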