* [PATCH 0/6] Enable https for wget
@ 2024-10-18 14:21 Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 1/6] mbedtls: Enable TLS 1.2 support Ilias Apalodimas
` (6 more replies)
0 siblings, 7 replies; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Ilias Apalodimas, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Since lwIP and mbedTLS have been merged, turning on https:// support is
relatively easy. We need to enable the missing algorithms and modes of
operation in mbedTLS and enable TLS in lwIP. Some of the lwIP patches
are in their GitHub as PRs, but since they haven't been merged yet, we
need to carry them for a while.
patch#1 enables the crypto algorithms we need in mbedTLS
patches#2, #3 enable and fix the lwIP part we need
patch#4 is adding https:// parsing support in our wget
patch#5 is making https:// the default for QEMU lwip defconfig so
people can easily test
and finally patch#6 updates our documentation
Ilias Apalodimas (4):
mbedtls: Enable TLS 1.2 support
net: lwip: Enable https:// support for wget
configs: Enable https for wget on qemu arm64
doc: uefi: Describe UEFI HTTPs boot
Javier Tia (2):
net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
net: lwip: Add Support Server Name Indication support
cmd/Kconfig | 19 +++++
configs/qemu_arm64_lwip_defconfig | 1 +
doc/develop/uefi/uefi.rst | 45 ++++++++++-
lib/lwip/Makefile | 3 +
.../src/apps/altcp_tls/altcp_tls_mbedtls.c | 50 +++++++-----
lib/lwip/lwip/src/core/tcp_out.c | 10 +--
lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
lib/lwip/u-boot/lwipopts.h | 6 ++
lib/mbedtls/Kconfig | 12 +++
lib/mbedtls/Makefile | 33 +++++++-
lib/mbedtls/mbedtls_def_config.h | 52 +++++++++++++
net/lwip/Kconfig | 2 +-
net/lwip/wget.c | 78 +++++++++++++++++--
13 files changed, 273 insertions(+), 40 deletions(-)
--
2.45.2
* [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
@ 2024-10-18 14:21 ` Ilias Apalodimas
2024-10-18 14:38 ` Raymond Mao
2024-10-18 14:21 ` [PATCH 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https Ilias Apalodimas
` (5 subsequent siblings)
6 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Ilias Apalodimas, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Since lwIP and mbedTLS have been merged, we can tweak the config options
and enable TLS 1.2 support. Add RSA and ECDSA by default and enable
enough block cipher modes of operation to be compatible with modern
TLS requirements and webservers.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
lib/mbedtls/Kconfig | 12 ++++++++
lib/mbedtls/Makefile | 33 +++++++++++++++++++-
lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
3 files changed, 96 insertions(+), 1 deletion(-)
diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index d71adc3648ad..f3e172633999 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -430,4 +430,16 @@ endif # SPL
endif # MBEDTLS_LIB_X509
+config MBEDTLS_LIB_TLS
+ bool "MbedTLS TLS library"
+ depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
+ depends on X509_CERTIFICATE_PARSER_MBEDTLS
+ depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ depends on ASN1_DECODER_MBEDTLS
+ depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+ depends on MBEDTLS_LIB_CRYPTO
+ help
+ Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
+ in wget
+
endif # MBEDTLS_LIB
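Review bot: `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice in the new MBEDTLS_LIB_TLS entry (once before and once after `depends on ASN1_DECODER_MBEDTLS`); drop one of them. The help text should also end in a full sentence with the usual spelling, e.g. `If enabled, HTTPS support will be enabled in wget.`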
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 83cb3c2fa705..845284799a11 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
mbedtls_lib_crypto-y := \
$(MBEDTLS_LIB_DIR)/platform_util.o \
$(MBEDTLS_LIB_DIR)/constant_time.o \
- $(MBEDTLS_LIB_DIR)/md.o
+ $(MBEDTLS_LIB_DIR)/md.o \
+ $(MBEDTLS_LIB_DIR)/entropy.o \
+ $(MBEDTLS_LIB_DIR)/entropy_poll.o \
+ $(MBEDTLS_LIB_DIR)/aes.o \
+ $(MBEDTLS_LIB_DIR)/cipher.o \
+ $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
+ $(MBEDTLS_LIB_DIR)/ecdh.o \
+ $(MBEDTLS_LIB_DIR)/ecdsa.o \
+ $(MBEDTLS_LIB_DIR)/ecp.o \
+ $(MBEDTLS_LIB_DIR)/ecp_curves.o \
+ $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
+ $(MBEDTLS_LIB_DIR)/gcm.o \
+
mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
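Review bot: the last new entry `$(MBEDTLS_LIB_DIR)/gcm.o \` keeps a line-continuation backslash that is followed by an empty `+` line, so the list is terminated by a blank continuation; drop the trailing backslash instead. More substantively, the entropy, AES, cipher, GCM, ECDH/ECDSA and ECP objects are appended to `mbedtls_lib_crypto-y` unconditionally, so every MBEDTLS_LIB user pays the code size for them even when MBEDTLS_LIB_TLS is off; gate them on `$(CONFIG_MBEDTLS_LIB_TLS)` (or a matching Kconfig symbol) the way the TLS object list in the next hunk is gated.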
@@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/x509_crt.o
mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
$(MBEDTLS_LIB_DIR)/pkcs7.o
+
+#mbedTLS TLS support
+obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
+mbedtls_lib_tls-y := \
+ $(MBEDTLS_LIB_DIR)/mps_reader.o \
+ $(MBEDTLS_LIB_DIR)/mps_trace.o \
+ $(MBEDTLS_LIB_DIR)/net_sockets.o \
+ $(MBEDTLS_LIB_DIR)/pk_ecc.o \
+ $(MBEDTLS_LIB_DIR)/ssl_cache.o \
+ $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
+ $(MBEDTLS_LIB_DIR)/ssl_client.o \
+ $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
+ $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
+ $(MBEDTLS_LIB_DIR)/ssl_msg.o \
+ $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
+ $(MBEDTLS_LIB_DIR)/ssl_tls.o \
+ $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
+ $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
+ $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
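Review bot: `$(MBEDTLS_LIB_DIR)/ctr_drbg.o \` is the last line of the file and still carries a continuation backslash; remove it so the variable definition is properly terminated.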
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index 1af911c2003f..ac8f0bbf2c0e 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -87,4 +87,56 @@
#endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
+#include "rtc.h"
+
+/* Generic options */
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_PLATFORM_MS_TIME_ALT
+#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/* RSA */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define MBEDTLS_GCM_C
+
+/* ECDSA */
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+
+#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
+
#endif /* #if defined CONFIG_MBEDTLS_LIB */
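Review bot: `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice in the ECDSA block (once right after `MBEDTLS_ECP_C` and again after `MBEDTLS_ECP_DP_SECP224K1_ENABLED`); drop one. `MBEDTLS_KEY_EXCHANGE_PSK_ENABLED` turns on PSK ciphersuites although nothing in the series configures a pre-shared key, so it can go. `MBEDTLS_ENTROPY_HARDWARE_ALT` requires a `mbedtls_hardware_poll()` implementation that this patch does not provide (it only appears in net/lwip/wget.c in patch 4), so a configuration with MBEDTLS_LIB_TLS enabled but wget.c not built can end up with an unresolved reference; either keep the poll function next to the library glue or spell out the dependency. Finally, the closing comment `/* #if defined CONFIG_MBEDTLS_LIB_TLS */` does not match the `CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)` guard it closes.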
--
2.45.2
* [PATCH 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 1/6] mbedtls: Enable TLS 1.2 support Ilias Apalodimas
@ 2024-10-18 14:21 ` Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 3/6] net: lwip: Add Support Server Name Indication support Ilias Apalodimas
` (4 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Javier Tia, Ilias Apalodimas, Tom Rini,
Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Caleb Connolly, Masahisa Kojima, u-boot
From: Javier Tia <javier.tia@linaro.org>
The current code supports mbedTLS 2.28. Since we are using a newer
version in U-Boot, update the necessary accessors and the lwIP codebase
to work with mbedTLS 3.6.0. It's worth noting that the patches have
already been sent to lwIP [0].
While at it, enable LWIP_ALTCP_TLS and enable TLS support in lwIP.
[0] https://github.com/lwip-tcpip/lwip/pull/47
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
lib/lwip/Makefile | 3 ++
.../src/apps/altcp_tls/altcp_tls_mbedtls.c | 39 ++++++++++++-------
lib/lwip/lwip/src/core/tcp_out.c | 10 +----
lib/lwip/u-boot/lwipopts.h | 6 +++
4 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile
index dfcd700ca474..19e5c6897f5a 100644
--- a/lib/lwip/Makefile
+++ b/lib/lwip/Makefile
@@ -53,3 +53,6 @@ obj-y += \
lwip/src/core/timeouts.o \
lwip/src/core/udp.o \
lwip/src/netif/ethernet.o
+
+obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \
+ lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o
diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index a8c2fc2ee2cd..ef19821b89e0 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -3,7 +3,7 @@
* Application layered TCP/TLS connection API (to be used from TCPIP thread)
*
* This file provides a TLS layer using mbedTLS
- *
+ *
* This version is currently compatible with the 2.x.x branch (current LTS).
*/
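Review bot: the only change in this hunk is whitespace on a comment line, while the sentence directly below it still says the file is compatible with the 2.x.x branch; since the rest of the patch ports the file to mbedTLS 3.x, update that sentence (or drop the whitespace-only change).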
@@ -70,7 +70,6 @@
/* @todo: which includes are really needed? */
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/ssl.h"
#include "mbedtls/net_sockets.h"
@@ -81,8 +80,6 @@
#include "mbedtls/ssl_cache.h"
#include "mbedtls/ssl_ticket.h"
-#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
-
#include <string.h>
#ifndef ALTCP_MBEDTLS_ENTROPY_PTR
@@ -132,6 +129,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed
static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state);
static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size);
+static void
+altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state)
+{
+ if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) {
+ int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0);
+ if (flushed) {
+ LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed));
+ }
+ }
+}
/* callback functions from inner/lower connection: */
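Review bot: `altcp_mbedtls_flush_output()` reaches the now-private `mbedtls_ssl_flush_output()` by calling `mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0)` with an invalid alert level and type, relying on that function flushing pending output and returning early while `out_left` is non-zero; that is an implementation detail of mbedTLS 3.x and deserves a comment saying so, since a future mbedTLS change could turn this into a real alert being sent. The debug message should also not report `MBEDTLS_ERR_SSL_WANT_WRITE` as a failure, as that is the expected result when the lower connection cannot take more data yet.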
@@ -524,14 +531,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len)
LWIP_ASSERT("state", state != NULL);
LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn);
/* calculate TLS overhead part to not send it to application */
- overhead = state->overhead_bytes_adjust + state->ssl_context.out_left;
+ overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left);
if ((unsigned)overhead > len) {
overhead = len;
}
/* remove ACKed bytes from overhead adjust counter */
state->overhead_bytes_adjust -= len;
/* try to send more if we failed before (may increase overhead adjust counter) */
- mbedtls_ssl_flush_output(&state->ssl_context);
+ altcp_mbedtls_flush_output(state);
/* remove calculated overhead from ACKed bytes len */
app_len = len - (u16_t)overhead;
/* update application write counter and inform application */
@@ -559,7 +566,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn)
if (conn->state) {
altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
/* try to send more if we failed before */
- mbedtls_ssl_flush_output(&state->ssl_context);
+ altcp_mbedtls_flush_output(state);
if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) {
return ERR_ABRT;
}
@@ -683,7 +690,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session)
if (session && conn && conn->state) {
altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
int ret = -1;
- if (session->data.start)
+ if (session->data.MBEDTLS_PRIVATE(start))
ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data);
return ret < 0 ? ERR_VAL : ERR_OK;
}
@@ -776,7 +783,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
struct altcp_tls_config *conf;
mbedtls_x509_crt *mem;
- if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) {
+ if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS,
("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n"));
}
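Review bot: the condition now also tests `TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN`, but the message on the next line still only talks about the RX decryption buffer; mention the TX side too, or split the check so each message matches its condition.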
@@ -900,7 +907,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config,
return ERR_VAL;
}
- ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len);
+ ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret));
mbedtls_x509_crt_free(srvcert);
@@ -1003,7 +1010,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
}
mbedtls_pk_init(conf->pkey);
- ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len);
+ ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret));
altcp_tls_free_config(conf);
@@ -1189,7 +1196,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn)
size_t ret;
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/* @todo: adjust ssl_added to real value related to negotiated cipher */
- size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context);
+ size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context);
max_len = LWIP_MIN(max_frag_len, max_len);
#endif
/* Adjust sndbuf of inner_conn with what added by SSL */
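Review bot: `mbedtls_ssl_get_max_in_record_payload()` replaces `mbedtls_ssl_get_max_frag_len()` inside `altcp_mbedtls_sndbuf()`, which sizes the send side; the output-side accessor `mbedtls_ssl_get_max_out_record_payload()` is the one that matches this use. Both return `int` and can be negative on error, so assigning the result straight into `size_t max_frag_len` would turn an error into a huge limit; check for a negative value before the `LWIP_MIN()`.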
@@ -1232,9 +1239,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t
/* HACK: if there is something left to send, try to flush it and only
allow sending more if this succeeded (this is a hack because neither
returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */
- if (state->ssl_context.out_left) {
- mbedtls_ssl_flush_output(&state->ssl_context);
- if (state->ssl_context.out_left) {
+ if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
+ altcp_mbedtls_flush_output(state);
+ if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
return ERR_MEM;
}
}
@@ -1284,6 +1291,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size)
while (size_left) {
u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF);
err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags);
+ /* try to send data... */
+ altcp_output(conn->inner_conn);
if (err == ERR_OK) {
written += write_len;
size_left -= write_len;
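Review bot: `altcp_output(conn->inner_conn)` is now called on every loop iteration, before `err` is examined and even when `altcp_write()` failed; move it after the `err == ERR_OK` handling (or call it once after the loop) so it only runs when something was actually queued. Together with the tcp_out.c change in this patch that drops the `tcp_input_pcb` check, this can emit segments from within input processing, which the commit message should explain.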
diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c
index 64579ee5cbd8..b5d312137368 100644
--- a/lib/lwip/lwip/src/core/tcp_out.c
+++ b/lib/lwip/lwip/src/core/tcp_out.c
@@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb)
LWIP_ASSERT("don't call tcp_output for listen-pcbs",
pcb->state != LISTEN);
- /* First, check if we are invoked by the TCP input processing
- code. If so, we do not output anything. Instead, we rely on the
- input processing code to call us when input processing is done
- with. */
- if (tcp_input_pcb == pcb) {
- return ERR_OK;
- }
-
wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd);
seg = pcb->unsent;
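Review bot: removing the `tcp_input_pcb == pcb` early return in `tcp_output()` changes core lwIP TCP behaviour for every user of the stack, not only the TLS path, and diverges from upstream lwIP; nothing in the commit message explains why it is needed or what it does to segment coalescing and ACK handling when `tcp_output()` is now called from inside `tcp_input()`. Please state the reason, and if it is only needed for the TLS write path, consider a narrower fix than patching core TCP.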
@@ -2036,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno,
u16_t local_port, u16_t remote_port)
{
struct pbuf *p;
-
+
p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port);
if (p != NULL) {
tcp_output_control_segment(pcb, p, local_ip, remote_ip);
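Review bot: this hunk only changes whitespace on an empty line in `tcp_rst()` and is unrelated to the mbedTLS port; drop it to keep the patch minimal and the diff against upstream lwIP small.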
diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h
index 9d618625facb..88d6faf327ae 100644
--- a/lib/lwip/u-boot/lwipopts.h
+++ b/lib/lwip/u-boot/lwipopts.h
@@ -154,4 +154,10 @@
#define MEMP_MEM_INIT 1
#define MEM_LIBC_MALLOC 1
+#if defined(CONFIG_MBEDTLS_LIB_TLS)
+#define LWIP_ALTCP 1
+#define LWIP_ALTCP_TLS 1
+#define LWIP_ALTCP_TLS_MBEDTLS 1
+#endif
+
#endif /* LWIP_UBOOT_LWIPOPTS_H */
--
2.45.2
* [PATCH 3/6] net: lwip: Add Support Server Name Indication support
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 1/6] mbedtls: Enable TLS 1.2 support Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https Ilias Apalodimas
@ 2024-10-18 14:21 ` Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 4/6] net: lwip: Enable https:// support for wget Ilias Apalodimas
` (3 subsequent siblings)
6 siblings, 0 replies; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Javier Tia, Ilias Apalodimas, Tom Rini,
Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Masahisa Kojima, Caleb Connolly, u-boot
From: Javier Tia <javier.tia@linaro.org>
SNI, or Server Name Indication, is an addition to the TLS encryption
protocol that enables a client device to specify the domain name it is
trying to reach in the first step of the TLS handshake, preventing
common name mismatch errors and failures to reach HTTPS servers that
enforce this condition. Since most websites require it nowadays,
add support for it.
It's worth noting that this has already been sent to lwIP [0].
[0] https://github.com/lwip-tcpip/lwip/pull/47
Signed-off-by: Javier Tia <javier.tia@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 11 +++++++----
lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index ef19821b89e0..24b432966312 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -106,6 +106,7 @@ struct altcp_tls_config {
u8_t pkey_count;
u8_t pkey_max;
mbedtls_x509_crt *ca;
+ char host[256];
#if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE
/** Inter-connection cache for fast connection startup */
struct mbedtls_ssl_cache_context cache;
@@ -642,6 +643,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_
/* tell mbedtls about our I/O functions */
mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
+ mbedtls_ssl_set_hostname(&state->ssl_context, config->host);
altcp_mbedtls_setup_callbacks(conn, inner_conn);
conn->inner_conn = inner_conn;
conn->fns = &altcp_mbedtls_functions;
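Review bot: the return value of `mbedtls_ssl_set_hostname()` is ignored; it fails for names that do not fit `MBEDTLS_SSL_MAX_HOST_NAME_LEN` or on allocation failure, and a client that carries on without a hostname then sends no SNI and skips the expected-name check on the server certificate. The call also runs for every config, including server-side ones where `config->host` is never filled in; check the result and only set the hostname for client configs with a non-empty host.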
@@ -951,7 +953,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_
}
static struct altcp_tls_config *
-altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth)
+altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char *host)
{
int ret;
struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL);
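Review bot: `host` is only read, so declare it `const char *host` to avoid forcing callers with string literals or const buffers to cast.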
@@ -973,13 +975,14 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way
mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL);
}
+ memcpy(conf->host, host, sizeof(conf->host));
return conf;
}
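Review bot: `memcpy(conf->host, host, sizeof(conf->host))` copies 256 bytes from `host` regardless of the string's actual length, which over-reads the caller's buffer (wget.c in patch 4 passes a `server_name[SERVER_NAME_SIZE]` of 200 bytes) and dereferences NULL when the two-way-auth path passes `NULL` for `host`. Use a bounded string copy with explicit NUL termination guarded by `if (host)`, clear `conf->host` otherwise, and reject names that do not fit rather than silently truncating, since a truncated SNI name will not match the certificate.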
struct altcp_tls_config *
-altcp_tls_create_config_client(const u8_t *ca, size_t ca_len)
+altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char *host)
{
- return altcp_tls_create_config_client_common(ca, ca_len, 0);
+ return altcp_tls_create_config_client_common(ca, ca_len, 0, host);
}
struct altcp_tls_config *
@@ -995,7 +998,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
return NULL;
}
- conf = altcp_tls_create_config_client_common(ca, ca_len, 1);
+ conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL);
if (conf == NULL) {
return NULL;
}
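Review bot: passing `NULL` as the host for two-way authentication means `altcp_tls_create_config_client_common()` goes on to `memcpy()` from a NULL pointer; either give this function a `host` parameter too (mutual-auth clients still need SNI) or make the common helper tolerate a NULL host.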
diff --git a/lib/lwip/lwip/src/include/lwip/altcp_tls.h b/lib/lwip/lwip/src/include/lwip/altcp_tls.h
index fcb784d89d70..fb0618234481 100644
--- a/lib/lwip/lwip/src/include/lwip/altcp_tls.h
+++ b/lib/lwip/lwip/src/include/lwip/altcp_tls.h
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t
/** @ingroup altcp_tls
* Create an ALTCP_TLS client configuration handle
*/
-struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len);
+struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char *host);
/** @ingroup altcp_tls
* Create an ALTCP_TLS client configuration handle with two-way server/client authentication
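Review bot: the public prototype gains `char *host` without the doxygen comment above it being updated; document the parameter (the server name sent as SNI and used for certificate name checking) and make it `const char *` to match the read-only use.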
--
2.45.2
* [PATCH 4/6] net: lwip: Enable https:// support for wget
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
` (2 preceding siblings ...)
2024-10-18 14:21 ` [PATCH 3/6] net: lwip: Add Support Server Name Indication support Ilias Apalodimas
@ 2024-10-18 14:21 ` Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable https for wget on qemu arm64 Ilias Apalodimas
` (2 subsequent siblings)
6 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Ilias Apalodimas, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima,
Caleb Connolly, Javier Tia, u-boot
With the recent changes to lwIP & mbedTLS we can now download from
https:// URLs instead of just http://.
Adjust our wget lwIP version parsing to support both URLs.
While at it, adjust the default TCP window for QEMU since https seems to
require at least 16384.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
cmd/Kconfig | 19 ++++++++++++
net/lwip/Kconfig | 2 +-
net/lwip/wget.c | 78 +++++++++++++++++++++++++++++++++++++++++++-----
3 files changed, 91 insertions(+), 8 deletions(-)
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 8c677b1e4864..e58566a9ba34 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2118,6 +2118,25 @@ config CMD_WGET
wget is a simple command to download kernel, or other files,
from a http server over TCP.
+config WGET_HTTPS
+ bool "wget https"
+ depends on CMD_WGET
+ depends on PROT_TCP_LWIP
+ depends on MBEDTLS_LIB
+ select SHA256
+ select RSA
+ select ASYMMETRIC_KEY_TYPE
+ select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+ select X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER
+ select MBEDTLS_LIB_CRYPTO
+ select MBEDTLS_LIB_TLS
+ select RSA_VERIFY_WITH_PKEY
+ select X509_CERTIFICATE_PARSER
+ select PKCS7_MESSAGE_PARSER
+ help
+ Enable TLS over http for wget.
+
endif # if CMD_NET
config CMD_PXE
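Review bot: `select X509_CERTIFICATE_PARSER` and `select PKCS7_MESSAGE_PARSER` each appear twice in WGET_HTTPS; drop the duplicates. A TLS client does not need PKCS#7 parsing at all, so unless the MBEDTLS_LIB_X509 dependency chain requires it, that select can go entirely. The help text should read `Enable HTTPS (TLS) support for wget.` rather than `TLS over http`.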
diff --git a/net/lwip/Kconfig b/net/lwip/Kconfig
index 8a67de4cf335..a9ae9bf7fa2a 100644
--- a/net/lwip/Kconfig
+++ b/net/lwip/Kconfig
@@ -37,7 +37,7 @@ config PROT_UDP_LWIP
config LWIP_TCP_WND
int "Value of TCP_WND"
- default 8000 if ARCH_QEMU
+ default 32768 if ARCH_QEMU
default 3000000
help
Default value for TCP_WND in the lwIP configuration
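Review bot: the commit message says HTTPS needs at least 16384 for TCP_WND, but the default is raised to 32768 with no explanation of the extra headroom; state the reason (for instance that TCP_WND must cover `MBEDTLS_SSL_IN_CONTENT_LEN`, which defaults to 16384, plus room for further segments) so the value is not lowered again later, and consider expressing the minimum as a dependency of WGET_HTTPS rather than a QEMU-only default, since the altcp_tls code only warns when TCP_WND is too small.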
diff --git a/net/lwip/wget.c b/net/lwip/wget.c
index b495ebd1aa96..b4f039d38962 100644
--- a/net/lwip/wget.c
+++ b/net/lwip/wget.c
@@ -7,13 +7,17 @@
#include <efi_loader.h>
#include <image.h>
#include <lwip/apps/http_client.h>
+#include "lwip/altcp_tls.h"
#include <lwip/timeouts.h>
+#include <rng.h>
#include <mapmem.h>
#include <net.h>
#include <time.h>
+#include <dm/uclass.h>
#define SERVER_NAME_SIZE 200
#define HTTP_PORT_DEFAULT 80
+#define HTTPS_PORT_DEFAULT 443
#define PROGRESS_PRINT_STEP_BYTES (100 * 1024)
enum done_state {
@@ -32,18 +36,53 @@ struct wget_ctx {
enum done_state done;
};
+bool wget_validate_uri(char *uri);
+
+int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len,
+ size_t *olen)
+{
+ struct udevice *dev;
+ u64 rng = 0;
+ int err;
+
+ *olen = 0;
+
+ err = uclass_get_device(UCLASS_RNG, 0, &dev);
+ if (err)
+ return err;
+ err = dm_rng_read(dev, &rng, sizeof(rng));
+ if (err) {
+ log_err("Failed to get an rng: %d\n", err);
+ return err;
+ }
+
+ memcpy(output, &rng, len);
+ *olen = sizeof(rng);
+
+ return 0;
+}
+
static int parse_url(char *url, char *host, u16 *port, char **path)
{
char *p, *pp;
long lport;
+ size_t prefix_len = 0;
+
+ if (!wget_validate_uri(url)) {
+ log_err("Invalid URL. Use http(s)://\n");
+ return -EINVAL;
+ }
+ *port = HTTP_PORT_DEFAULT;
+ prefix_len = strlen("http://");
p = strstr(url, "http://");
if (!p) {
- log_err("only http:// is supported\n");
- return -EINVAL;
+ p = strstr(url, "https://");
+ prefix_len = strlen("https://");
+ *port = HTTPS_PORT_DEFAULT;
}
- p += strlen("http://");
+ p += prefix_len;
/* Parse hostname */
pp = strchr(p, ':');
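Review bot: `mbedtls_hardware_poll()` reads 8 bytes into `rng` and then does `memcpy(output, &rng, len)` with the caller's `len`, which can be larger than `sizeof(rng)` and so copies uninitialised stack beyond `rng` into the entropy pool, while `*olen = sizeof(rng)` disagrees with the number of bytes actually written. Read directly into the caller's buffer with `dm_rng_read(dev, output, len)` and set `*olen = len`, or copy `min(len, sizeof(rng))` bytes and report exactly that. The function also belongs with the mbedTLS glue rather than in wget.c, since `MBEDTLS_ENTROPY_HARDWARE_ALT` is defined for every MBEDTLS_LIB_TLS build. In `parse_url()`, the result of `strstr(url, "https://")` is never checked for NULL; that is only safe because `wget_validate_uri()` ran first, and an explicit check would keep the function correct on its own.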
@@ -67,9 +106,8 @@ static int parse_url(char *url, char *host, u16 *port, char **path)
if (lport > 65535)
return -EINVAL;
*port = (u16)lport;
- } else {
- *port = HTTP_PORT_DEFAULT;
}
+
if (*pp != '/')
return -EINVAL;
*path = pp;
@@ -210,6 +248,9 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result,
static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
{
char server_name[SERVER_NAME_SIZE];
+#if defined CONFIG_WGET_HTTPS
+ altcp_allocator_t tls_allocator;
+#endif
httpc_connection_t conn;
httpc_state_t *state;
struct netif *netif;
@@ -232,6 +273,22 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
return -1;
memset(&conn, 0, sizeof(conn));
+#if defined CONFIG_WGET_HTTPS
+ if (port == HTTPS_PORT_DEFAULT) {
+ tls_allocator.alloc = &altcp_tls_alloc;
+ tls_allocator.arg =
+ altcp_tls_create_config_client(NULL, 0, server_name);
+
+ if (!tls_allocator.arg) {
+ log_err("error: Cannot create a TLS connection\n");
+ net_lwip_remove_netif(netif);
+ return -1;
+ }
+
+ conn.altcp_allocator = &tls_allocator;
+ }
+#endif
+
conn.result_fn = httpc_result_cb;
ctx.path = path;
if (httpc_get_file_dns(server_name, port, path, &conn, httpc_recv_cb,
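Review bot: the TLS config is created with `altcp_tls_create_config_client(NULL, 0, server_name)`, i.e. with no CA chain, so the server certificate is not validated against any trust anchor and, unless the altcp auth mode is set to required, the handshake proceeds anyway; the download is encrypted but the peer is not authenticated. That may be acceptable as a first step, but the commit message and the documentation in patch 6 should say so explicitly. Two smaller points: TLS is selected by `port == HTTPS_PORT_DEFAULT` rather than by the URL scheme, so `https://host:8443/` would be fetched in plaintext and `http://host:443/` would attempt TLS, so `parse_url()` should report the scheme; and the config stored in `tls_allocator.arg` is never released with `altcp_tls_free_config()` after the download.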
@@ -316,6 +373,7 @@ bool wget_validate_uri(char *uri)
char c;
bool ret = true;
char *str_copy, *s, *authority;
+ size_t prefix_len = 0;
for (c = 0x1; c < 0x21; c++) {
if (strchr(uri, c)) {
@@ -323,15 +381,21 @@ bool wget_validate_uri(char *uri)
return false;
}
}
+
if (strchr(uri, 0x7f)) {
log_err("invalid character is used\n");
return false;
}
- if (strncmp(uri, "http://", 7)) {
- log_err("only http:// is supported\n");
+ if (!strncmp(uri, "http://", strlen("http://"))) {
+ prefix_len = strlen("http://");
+ } else if (!strncmp(uri, "https://", strlen("https://"))) {
+ prefix_len = strlen("https://");
+ } else {
+ log_err("only http(s):// is supported\n");
return false;
}
+
str_copy = strdup(uri);
if (!str_copy)
return false;
--
2.45.2
* [PATCH 5/6] configs: Enable https for wget on qemu arm64
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
` (3 preceding siblings ...)
2024-10-18 14:21 ` [PATCH 4/6] net: lwip: Enable https:// support for wget Ilias Apalodimas
@ 2024-10-18 14:21 ` Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
` (2 more replies)
2024-10-18 14:22 ` [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot Ilias Apalodimas
2024-10-18 15:02 ` [PATCH 0/6] Enable https for wget Simon Glass
6 siblings, 3 replies; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:21 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Ilias Apalodimas, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Masahisa Kojima,
Caleb Connolly, Javier Tia, u-boot
QEMU already has an lwIP variant of a defconfig. That defconfig
is also configured with mbedTLS by default. So let's enable the
remaining config options to enable wget for https:// as well
and test that codepath in the CI.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
configs/qemu_arm64_lwip_defconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
index d3d8ef16e668..754c770c33fc 100644
--- a/configs/qemu_arm64_lwip_defconfig
+++ b/configs/qemu_arm64_lwip_defconfig
@@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y
CONFIG_CMD_DNS=y
CONFIG_CMD_WGET=y
CONFIG_EFI_HTTP_BOOT=y
+CONFIG_WGET_HTTPS=y
--
2.45.2
* [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
` (4 preceding siblings ...)
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable https for wget on qemu arm64 Ilias Apalodimas
@ 2024-10-18 14:22 ` Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-18 15:02 ` [PATCH 0/6] Enable https for wget Simon Glass
6 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:22 UTC (permalink / raw)
To: jerome.forissier, raymond.mao
Cc: xypron.glpk, Ilias Apalodimas, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
We can now use a combination of lwIP & mbedTLS and download from
https://. Describe the config options needed to enable it as well
as some limitations.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
doc/develop/uefi/uefi.rst | 45 +++++++++++++++++++++++++++++++++++++--
1 file changed, 43 insertions(+), 2 deletions(-)
diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 0760ca91d4fc..198288a6889f 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -681,8 +681,8 @@ UEFI variables. Booting according to these variables is possible via::
As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot
command 'efidebug' can be used to set the variables.
-UEFI HTTP Boot
-~~~~~~~~~~~~~~
+UEFI HTTP Boot using the legacy TCP stack
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HTTP Boot provides the capability for system deployment and configuration
over the network. HTTP Boot can be activated by specifying::
@@ -715,6 +715,47 @@ We need to preset the "httpserverip" environment variable to proceed the wget::
setenv httpserverip 192.168.1.1
+UEFI HTTP(s) Boot using lwIP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Similar to the above U-Boot can do EFI HTTP boot using lwIP. If we combine this
+with mbedTLS we can also download from https://
+
+HTTP(s) Boot can be activated by specifying::
+
+ CONFIG_EFI_HTTP_BOOT
+ CONFIG_NET_LWIP
+ CONFIG_MBEDTLS_LIB_TLS
+
+For QEMU targets there's a Kconfig that supports this by default::
+
+ make qemu_arm64_lwip_defconfig
+
+The commands and functionality are similar to the legacy stack, with the notable
+exception of not having to define an "httpserverip" if you are trying to resolve
+an IP. However, lwIP code doesn't yet support redirects::
+
+ => efidebug boot add -u 1 netinst https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-cd/debian-testing-arm64-netinst.iso
+ => dhcp
+ DHCP client bound to address 10.0.2.15 (3 ms)
+ => efidebug boot order 1
+ => bootefi bootmgr
+
+ HTTP server error 302
+ Loading Boot0001 'netinst' failed
+ EFI boot manager: Cannot load any image
+
+If the url you specified isn't a redirect::
+
+ => efidebug boot add -u 1 netinst https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso
+ => dhcp
+ => bootefi bootmgr
+ #######################################
+
+If the downloaded file extension is .iso or .img file, efibootmgr tries to
+mount the image and boot with the default file(e.g. EFI/BOOT/BOOTAA64.EFI).
+If the downloaded file is PE-COFF image, load the downloaded file and
+start it.
+
Executing the built in hello world application
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
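Review bot: the option list under "HTTP(s) Boot can be activated by specifying::" omits CONFIG_WGET_HTTPS, the symbol patch 4 adds to turn on https:// in wget (it depends on CMD_WGET, PROT_TCP_LWIP and MBEDTLS_LIB and selects MBEDTLS_LIB_TLS itself), so a reader who enables only CONFIG_EFI_HTTP_BOOT, CONFIG_NET_LWIP and CONFIG_MBEDTLS_LIB_TLS ends up with lwIP HTTP boot and no TLS; list CONFIG_WGET_HTTPS here. The commit message promises "some limitations" but the text only covers the missing redirect support: because the wget code in patch 4 builds its client TLS configuration with `altcp_tls_create_config_client(NULL, 0, server_name)`, no CA certificate is configured and the server's certificate is not validated, so https:// as implemented protects the transfer against passive observers but does not authenticate the server or the image. State that here so nobody reads "HTTPS boot" as an integrity guarantee, and point readers at UEFI Secure Boot as the mechanism that verifies what actually gets executed. Two smaller wording points: "If the url you specified isn't a redirect::" reads better as "If the URL is not a redirect, the download proceeds::", and in the last paragraph "efibootmgr" should be "the EFI boot manager" and "is PE-COFF image" should be "is a PE-COFF image".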
--
2.45.2
^ permalink raw reply related [flat|nested] 22+ messages in thread
* Re: [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-18 14:21 ` [PATCH 1/6] mbedtls: Enable TLS 1.2 support Ilias Apalodimas
@ 2024-10-18 14:38 ` Raymond Mao
2024-10-18 14:54 ` Ilias Apalodimas
0 siblings, 1 reply; 22+ messages in thread
From: Raymond Mao @ 2024-10-18 14:38 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, xypron.glpk, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Hi Ilias,
On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:
> Since lwIP and mbedTLS have been merged we can tweak the config options
> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> enough block cipher modes of operation to be compatible with modern
> TLS requirements and webservers
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> lib/mbedtls/Kconfig | 12 ++++++++
> lib/mbedtls/Makefile | 33 +++++++++++++++++++-
> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
> 3 files changed, 96 insertions(+), 1 deletion(-)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index d71adc3648ad..f3e172633999 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -430,4 +430,16 @@ endif # SPL
>
> endif # MBEDTLS_LIB_X509
>
> +config MBEDTLS_LIB_TLS
> + bool "MbedTLS TLS library"
> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> + depends on X509_CERTIFICATE_PARSER_MBEDTLS
> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> + depends on ASN1_DECODER_MBEDTLS
> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> + depends on MBEDTLS_LIB_CRYPTO
> + help
> + Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> + in wget
> +
> endif # MBEDTLS_LIB
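Review bot: `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice in the new MBEDTLS_LIB_TLS entry; drop one. The help text should also be more precise than "HTTPs support will be enabled in wget": this symbol only builds the mbedTLS TLS client, the wget side is gated by WGET_HTTPS from patch 4, and the spelling is "HTTPS".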
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index 83cb3c2fa705..845284799a11 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> mbedtls_lib_crypto-y := \
> $(MBEDTLS_LIB_DIR)/platform_util.o \
> $(MBEDTLS_LIB_DIR)/constant_time.o \
> - $(MBEDTLS_LIB_DIR)/md.o
> + $(MBEDTLS_LIB_DIR)/md.o \
> + $(MBEDTLS_LIB_DIR)/entropy.o \
> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> + $(MBEDTLS_LIB_DIR)/aes.o \
> + $(MBEDTLS_LIB_DIR)/cipher.o \
> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> + $(MBEDTLS_LIB_DIR)/ecdh.o \
> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
> + $(MBEDTLS_LIB_DIR)/ecp.o \
> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> + $(MBEDTLS_LIB_DIR)/gcm.o \
> +
>
I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
control if it exists.
Take ECDSA for example:
mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
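Review bot: the extended `mbedtls_lib_crypto-y` list ends with `$(MBEDTLS_LIB_DIR)/gcm.o \` followed by an empty `+` line, so the last backslash continues the assignment onto a blank line; drop the trailing `\`. On Raymond's point, entropy, entropy_poll, aes, cipher, cipher_wrap, ecdh, ecdsa, ecp, ecp_curves, ecp_curves_new and gcm are only needed by the TLS client, yet here they join mbedtls_lib_crypto, which every CONFIG_MBEDTLS_LIB build links; moving them under the MBEDTLS_LIB_TLS object introduced in the next hunk keeps non-TLS builds from growing and keeps TLS-only code out of images that never open a connection.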
> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/x509_crt.o
> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> $(MBEDTLS_LIB_DIR)/pkcs7.o
> +
> +#mbedTLS TLS support
> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> +mbedtls_lib_tls-y := \
> + $(MBEDTLS_LIB_DIR)/mps_reader.o \
> + $(MBEDTLS_LIB_DIR)/mps_trace.o \
> + $(MBEDTLS_LIB_DIR)/net_sockets.o \
> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> + $(MBEDTLS_LIB_DIR)/ssl_client.o \
> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>
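Review bot: same trailing `\` problem here, `$(MBEDTLS_LIB_DIR)/ctr_drbg.o \` is the last entry with nothing after it. Several of the listed objects are also compiled out by the configuration this series installs: net_sockets.c is guarded by MBEDTLS_NET_C, ssl_cache.c by MBEDTLS_SSL_CACHE_C, ssl_ticket.c by MBEDTLS_SSL_TICKET_C and ssl_cookie.c by MBEDTLS_SSL_COOKIE_C, and the mbedtls_def_config.h hunk below defines none of them, so they produce empty objects. Either drop them or enable the options on purpose; net_sockets.c in particular wraps BSD sockets, which lwIP's altcp layer replaces here, so it should go.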
Ditto, add the U-Boot Kconfig control if it exists.
> diff --git a/lib/mbedtls/mbedtls_def_config.h
> b/lib/mbedtls/mbedtls_def_config.h
> index 1af911c2003f..ac8f0bbf2c0e 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -87,4 +87,56 @@
>
> #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
> +#include "rtc.h"
> +
> +/* Generic options */
> +#define MBEDTLS_ENTROPY_HARDWARE_ALT
> +#define MBEDTLS_HAVE_TIME
> +#define MBEDTLS_PLATFORM_MS_TIME_ALT
> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
> +#define MBEDTLS_PLATFORM_C
> +#define MBEDTLS_SSL_CLI_C
> +#define MBEDTLS_SSL_TLS_C
> +#define MBEDTLS_CIPHER_C
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_CTR_DRBG_C
> +#define MBEDTLS_AES_C
> +#define MBEDTLS_ENTROPY_C
> +#define MBEDTLS_NO_PLATFORM_ENTROPY
> +#define MBEDTLS_SSL_PROTO_TLS1_2
> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION
> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
> +
> +/* RSA */
> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
> +#define MBEDTLS_GCM_C
> +
> +/* ECDSA */
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECDH_C
> +#define MBEDTLS_ECDSA_DETERMINISTIC
> +#define MBEDTLS_HMAC_DRBG_C
> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
> +#define MBEDTLS_CAN_ECDH
> +#define MBEDTLS_PK_CAN_ECDSA_SIGN
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +
> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
> +
> #endif /* #if defined CONFIG_MBEDTLS_LIB */
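Review bot: `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice (once before SECP192R1 and again after SECP224K1); drop one. On the suite selection: MBEDTLS_KEY_EXCHANGE_RSA_ENABLED, ECDH_RSA and ECDH_ECDSA enable static key exchange without forward secrecy, and MBEDTLS_KEY_EXCHANGE_PSK_ENABLED enables PSK suites for which the wget client never configures a key; ECDHE_RSA and ECDHE_ECDSA cover current web servers, and every extra suite is negotiation and key-exchange code reachable by whatever server the board talks to. Likewise SECP192R1/K1 and SECP224R1/K1 sit below the 128-bit security level the rest of the curve list provides and cost code size; P-256, P-384 and P-521 (plus the Brainpool set if needed) are enough. Two time-related points: MBEDTLS_HAVE_TIME is set but MBEDTLS_HAVE_TIME_DATE is not, so mbedTLS skips the notBefore/notAfter checks on certificates; if that is deliberate because many boards lack a reliable RTC, it belongs in the doc patch's limitations. And please confirm the MBEDTLS_PLATFORM_TIME_MACRO binding: mbedTLS calls the macro as `mbedtls_time(NULL)` with a `time_t *` argument, whereas rtc_mktime() takes a `struct rtc_time *`, so a small wrapper that reads the RTC and converts looks necessary.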
> --
> 2.45.2
>
>
* Re: [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-18 14:38 ` Raymond Mao
@ 2024-10-18 14:54 ` Ilias Apalodimas
2024-10-18 15:26 ` Raymond Mao
0 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 14:54 UTC (permalink / raw)
To: Raymond Mao
Cc: jerome.forissier, xypron.glpk, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Hi Raymond,
On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>>
>> Since lwIP and mbedTLS have been merged we can tweak the config options
>> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> enough block cipher modes of operation to be compatible with modern
>> TLS requirements and webservers
>>
>> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> ---
>> lib/mbedtls/Kconfig | 12 ++++++++
>> lib/mbedtls/Makefile | 33 +++++++++++++++++++-
>> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>> 3 files changed, 96 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> index d71adc3648ad..f3e172633999 100644
>> --- a/lib/mbedtls/Kconfig
>> +++ b/lib/mbedtls/Kconfig
>> @@ -430,4 +430,16 @@ endif # SPL
>>
>> endif # MBEDTLS_LIB_X509
>>
>> +config MBEDTLS_LIB_TLS
>> + bool "MbedTLS TLS library"
>> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> + depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> + depends on ASN1_DECODER_MBEDTLS
>> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> + depends on MBEDTLS_LIB_CRYPTO
>> + help
>> + Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> + in wget
>> +
>> endif # MBEDTLS_LIB
>> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> index 83cb3c2fa705..845284799a11 100644
>> --- a/lib/mbedtls/Makefile
>> +++ b/lib/mbedtls/Makefile
>> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>> mbedtls_lib_crypto-y := \
>> $(MBEDTLS_LIB_DIR)/platform_util.o \
>> $(MBEDTLS_LIB_DIR)/constant_time.o \
>> - $(MBEDTLS_LIB_DIR)/md.o
>> + $(MBEDTLS_LIB_DIR)/md.o \
>> + $(MBEDTLS_LIB_DIR)/entropy.o \
>> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> + $(MBEDTLS_LIB_DIR)/aes.o \
>> + $(MBEDTLS_LIB_DIR)/cipher.o \
>> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> + $(MBEDTLS_LIB_DIR)/ecdh.o \
>> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> + $(MBEDTLS_LIB_DIR)/ecp.o \
>> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> + $(MBEDTLS_LIB_DIR)/gcm.o \
>> +
>
> I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
> control if it exists.
> Take ECDSA for example:
> mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
Fair enough, but ECDSA is the only one that exists atm. I can move
that there, but I don't think we should create a Kconfig option per
object file.
Those are mbedTLS internal dependencies to enable TLS1.2. Perhaps
only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>
>>
>> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>> $(MBEDTLS_LIB_DIR)/x509_crt.o
>> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>> $(MBEDTLS_LIB_DIR)/pkcs7.o
>> +
>> +#mbedTLS TLS support
>> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> +mbedtls_lib_tls-y := \
>> + $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> + $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> + $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>
> Ditto, add the U-Boot Kconfig control if it exists.
None of these make sense as a U-Boot Kconfig. They are
mbedTLS internals needed to enable TLS1.2 support.
Thanks
/Ilias
>
>>
>> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
>> index 1af911c2003f..ac8f0bbf2c0e 100644
>> --- a/lib/mbedtls/mbedtls_def_config.h
>> +++ b/lib/mbedtls/mbedtls_def_config.h
>> @@ -87,4 +87,56 @@
>>
>> #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>>
>> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>> +#include "rtc.h"
>> +
>> +/* Generic options */
>> +#define MBEDTLS_ENTROPY_HARDWARE_ALT
>> +#define MBEDTLS_HAVE_TIME
>> +#define MBEDTLS_PLATFORM_MS_TIME_ALT
>> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
>> +#define MBEDTLS_PLATFORM_C
>> +#define MBEDTLS_SSL_CLI_C
>> +#define MBEDTLS_SSL_TLS_C
>> +#define MBEDTLS_CIPHER_C
>> +#define MBEDTLS_MD_C
>> +#define MBEDTLS_CTR_DRBG_C
>> +#define MBEDTLS_AES_C
>> +#define MBEDTLS_ENTROPY_C
>> +#define MBEDTLS_NO_PLATFORM_ENTROPY
>> +#define MBEDTLS_SSL_PROTO_TLS1_2
>> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION
>> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
>> +
>> +/* RSA */
>> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
>> +#define MBEDTLS_GCM_C
>> +
>> +/* ECDSA */
>> +#define MBEDTLS_ECDSA_C
>> +#define MBEDTLS_ECDH_C
>> +#define MBEDTLS_ECDSA_DETERMINISTIC
>> +#define MBEDTLS_HMAC_DRBG_C
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
>> +#define MBEDTLS_CAN_ECDH
>> +#define MBEDTLS_PK_CAN_ECDSA_SIGN
>> +#define MBEDTLS_ECP_C
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
>> +
>> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
>> +
>> #endif /* #if defined CONFIG_MBEDTLS_LIB */
>> --
>> 2.45.2
>>
* Re: [PATCH 0/6] Enable https for wget
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
` (5 preceding siblings ...)
2024-10-18 14:22 ` [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot Ilias Apalodimas
@ 2024-10-18 15:02 ` Simon Glass
2024-10-18 15:05 ` Ilias Apalodimas
6 siblings, 1 reply; 22+ messages in thread
From: Simon Glass @ 2024-10-18 15:02 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot
Hi Ilias,
On Fri, 18 Oct 2024 at 08:22, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Since lwIP and mbedTLS have been merged turning on https:// support is
> relatively easy. We need to enable the missing algorithms and modes of
> operation in mbedTLS and enable TLS in lwIP. Some of the lwIP patches
> are in their github as PRs, but since they haven't been merged yet, we
> need to carry them for a while.
>
> patch#1 enables the crypto algorithms we need in mbedTLS
> patches#2, #3 enable and fix the lwIP part we need
> patch#4 is adding https:// parsing support in our wget
> patch#5 is making https:// the default for QEMU lwip defconfig so
> people can easily test
> and finally patch#6 updates our documentation
>
> Ilias Apalodimas (4):
> mbedtls: Enable TLS 1.2 support
> net: lwip: Enable https:// support for wget
> configs: Enable htts for wget on qemu arm64
> doc: uefi: Describe UEFI HTTPs boot
>
> Javier Tia (2):
> net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
> net: lwip: Add Support Server Name Indication support
>
> cmd/Kconfig | 19 +++++
> configs/qemu_arm64_lwip_defconfig | 1 +
> doc/develop/uefi/uefi.rst | 45 ++++++++++-
> lib/lwip/Makefile | 3 +
> .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 50 +++++++-----
> lib/lwip/lwip/src/core/tcp_out.c | 10 +--
> lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
> lib/lwip/u-boot/lwipopts.h | 6 ++
> lib/mbedtls/Kconfig | 12 +++
> lib/mbedtls/Makefile | 33 +++++++-
> lib/mbedtls/mbedtls_def_config.h | 52 +++++++++++++
> net/lwip/Kconfig | 2 +-
> net/lwip/wget.c | 78 +++++++++++++++++--
> 13 files changed, 273 insertions(+), 40 deletions(-)
>
> --
> 2.45.2
>
Can we create a sandbox build with lwip as well? I'd really like to
get that testing moving, so we can test simple networking cases, as we
do without lwip.
Regards,
Simon
* Re: [PATCH 0/6] Enable https for wget
2024-10-18 15:02 ` [PATCH 0/6] Enable https for wget Simon Glass
@ 2024-10-18 15:05 ` Ilias Apalodimas
2024-10-18 17:20 ` Simon Glass
0 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-18 15:05 UTC (permalink / raw)
To: Simon Glass
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot
Hi Simon,
On Fri, 18 Oct 2024 at 18:03, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 08:22, Ilias Apalodimas
> <ilias.apalodimas@linaro.org> wrote:
> >
> > Since lwIP and mbedTLS have been merged turning on https:// support is
> > relatively easy. We need to enable the missing algorithms and modes of
> > operation in mbedTLS and enable TLS in lwIP. Some of the lwIP patches
> > are in their github as PRs, but since they haven't been merged yet, we
> > need to carry them for a while.
> >
> > patch#1 enables the crypto algorithms we need in mbedTLS
> > patches#2, #3 enable and fix the lwIP part we need
> > patch#4 is adding https:// parsing support in our wget
> > patch#5 is making https:// the default for QEMU lwip defconfig so
> > people can easily test
> > and finally patch#6 updates our documentation
> >
> > Ilias Apalodimas (4):
> > mbedtls: Enable TLS 1.2 support
> > net: lwip: Enable https:// support for wget
> > configs: Enable htts for wget on qemu arm64
> > doc: uefi: Describe UEFI HTTPs boot
> >
> > Javier Tia (2):
> > net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
> > net: lwip: Add Support Server Name Indication support
> >
> > cmd/Kconfig | 19 +++++
> > configs/qemu_arm64_lwip_defconfig | 1 +
> > doc/develop/uefi/uefi.rst | 45 ++++++++++-
> > lib/lwip/Makefile | 3 +
> > .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 50 +++++++-----
> > lib/lwip/lwip/src/core/tcp_out.c | 10 +--
> > lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
> > lib/lwip/u-boot/lwipopts.h | 6 ++
> > lib/mbedtls/Kconfig | 12 +++
> > lib/mbedtls/Makefile | 33 +++++++-
> > lib/mbedtls/mbedtls_def_config.h | 52 +++++++++++++
> > net/lwip/Kconfig | 2 +-
> > net/lwip/wget.c | 78 +++++++++++++++++--
> > 13 files changed, 273 insertions(+), 40 deletions(-)
> >
> > --
> > 2.45.2
> >
>
> Can we create a sandbox build with lwip as well? I'd really like to
> get that testing moving, so we can test simple networking cases, as we
> do without lwip.
>
Someone is already on it. But it's going to take some time as the
current sandbox stack makes too many assumptions about the backing TCP
stack.
Thanks
/Ilias
> Regards,
> Simon
* Re: [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-18 14:54 ` Ilias Apalodimas
@ 2024-10-18 15:26 ` Raymond Mao
2024-10-21 10:31 ` Ilias Apalodimas
0 siblings, 1 reply; 22+ messages in thread
From: Raymond Mao @ 2024-10-18 15:26 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, xypron.glpk, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Hi Ilias,
On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:
> Hi Raymond,
>
> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Hi Ilias,
> >
> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >>
> >> Since lwIP and mbedTLS have been merged we can tweak the config options
> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> >> enough block cipher modes of operation to be compatible with modern
> >> TLS requirements and webservers
> >>
> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >> ---
> >> lib/mbedtls/Kconfig | 12 ++++++++
> >> lib/mbedtls/Makefile | 33 +++++++++++++++++++-
> >> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
> >> 3 files changed, 96 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> >> index d71adc3648ad..f3e172633999 100644
> >> --- a/lib/mbedtls/Kconfig
> >> +++ b/lib/mbedtls/Kconfig
> >> @@ -430,4 +430,16 @@ endif # SPL
> >>
> >> endif # MBEDTLS_LIB_X509
> >>
> >> +config MBEDTLS_LIB_TLS
> >> + bool "MbedTLS TLS library"
> >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS
> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> + depends on ASN1_DECODER_MBEDTLS
> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> + depends on MBEDTLS_LIB_CRYPTO
> >> + help
> >> + Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> >> + in wget
> >> +
> >> endif # MBEDTLS_LIB
> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> >> index 83cb3c2fa705..845284799a11 100644
> >> --- a/lib/mbedtls/Makefile
> >> +++ b/lib/mbedtls/Makefile
> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> >> mbedtls_lib_crypto-y := \
> >> $(MBEDTLS_LIB_DIR)/platform_util.o \
> >> $(MBEDTLS_LIB_DIR)/constant_time.o \
> >> - $(MBEDTLS_LIB_DIR)/md.o
> >> + $(MBEDTLS_LIB_DIR)/md.o \
> >> + $(MBEDTLS_LIB_DIR)/entropy.o \
> >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> >> + $(MBEDTLS_LIB_DIR)/aes.o \
> >> + $(MBEDTLS_LIB_DIR)/cipher.o \
> >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> >> + $(MBEDTLS_LIB_DIR)/ecdh.o \
> >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
> >> + $(MBEDTLS_LIB_DIR)/ecp.o \
> >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> >> + $(MBEDTLS_LIB_DIR)/gcm.o \
> >> +
> >
> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot
> Kconfig
> > control if it exists.
> > Take ECDSA for example:
> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
>
> Fair enough, but ECDSA is the only one that exists atm. I can move
> that there, but I don't think we should create a Kconfig option per
> object file.
> Those are mbedTLS internal dependencies to enable TLS1.2. Perhaps
> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>
I agree. We can move ECDSA and AES with Kconfig control and keep others
as-is at the moment.
> >
> >>
> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> >> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> >> $(MBEDTLS_LIB_DIR)/x509_crt.o
> >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> >> $(MBEDTLS_LIB_DIR)/pkcs7.o
> >> +
> >> +#mbedTLS TLS support
> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> >> +mbedtls_lib_tls-y := \
> >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \
> >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \
> >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \
> >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> >
> > Ditto, add the U-Boot Kconfig control if it exists.
>
> None of these make sense as a U-Boot Kconfig. They are
> mbedTLS internals needed to enable TLS1.2 support.
>
I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.
[snip]
Regards,
Raymond
* Re: [PATCH 0/6] Enable https for wget
2024-10-18 15:05 ` Ilias Apalodimas
@ 2024-10-18 17:20 ` Simon Glass
0 siblings, 0 replies; 22+ messages in thread
From: Simon Glass @ 2024-10-18 17:20 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot
Hi Ilias,
On Fri, 18 Oct 2024 at 09:06, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> Hi Simon,
>
> On Fri, 18 Oct 2024 at 18:03, Simon Glass <sjg@chromium.org> wrote:
> >
> > Hi Ilias,
> >
> > On Fri, 18 Oct 2024 at 08:22, Ilias Apalodimas
> > <ilias.apalodimas@linaro.org> wrote:
> > >
> > > Since lwIP and mbedTLS have been merged turning on https:// support is
> > > relatively easy. We need to enable the missing algorithms and modes of
> > > operation in mbedTLS and enable TLS in lwIP. Some of the lwIP patches
> > > are in their github as PRs, but since they haven't been merged yet, we
> > > need to carry them for a while.
> > >
> > > patch#1 enables the crypto algorithms we need in mbedTLS
> > > patches#2, #3 enable and fix the lwIP part we need
> > > patch#4 is adding https:// parsing support in our wget
> > > patch#5 is making https:// the default for QEMU lwip defconfig so
> > > people can easily test
> > > and finally patch#6 updates our documentation
> > >
> > > Ilias Apalodimas (4):
> > > mbedtls: Enable TLS 1.2 support
> > > net: lwip: Enable https:// support for wget
> > > configs: Enable htts for wget on qemu arm64
> > > doc: uefi: Describe UEFI HTTPs boot
> > >
> > > Javier Tia (2):
> > > net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
> > > net: lwip: Add Support Server Name Indication support
> > >
> > > cmd/Kconfig | 19 +++++
> > > configs/qemu_arm64_lwip_defconfig | 1 +
> > > doc/develop/uefi/uefi.rst | 45 ++++++++++-
> > > lib/lwip/Makefile | 3 +
> > > .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 50 +++++++-----
> > > lib/lwip/lwip/src/core/tcp_out.c | 10 +--
> > > lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
> > > lib/lwip/u-boot/lwipopts.h | 6 ++
> > > lib/mbedtls/Kconfig | 12 +++
> > > lib/mbedtls/Makefile | 33 +++++++-
> > > lib/mbedtls/mbedtls_def_config.h | 52 +++++++++++++
> > > net/lwip/Kconfig | 2 +-
> > > net/lwip/wget.c | 78 +++++++++++++++++--
> > > 13 files changed, 273 insertions(+), 40 deletions(-)
> > >
> > > --
> > > 2.45.2
> > >
> >
> > Can we create a sandbox build with lwip as well? I'd really like to
> > get that testing moving, so we can test simple networking cases, as we
> > do without lwip.
> >
>
> Someone is already on it. But it's going to take some time as the
> current sandbox stack makes too many assumptions about the backing TCP
> stack.
That's great, thank you!
- Simon
* Re: [PATCH 4/6] net: lwip: Enable https:// support for wget
2024-10-18 14:21 ` [PATCH 4/6] net: lwip: Enable https:// support for wget Ilias Apalodimas
@ 2024-10-19 11:50 ` Simon Glass
2024-10-21 11:00 ` Ilias Apalodimas
0 siblings, 1 reply; 22+ messages in thread
From: Simon Glass @ 2024-10-19 11:50 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Jonathan Humphreys, Wei Ming Chen,
Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot
Hi Ilias,
On Fri, 18 Oct 2024 at 08:23, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> With the recent changes of lwip & mbedTLS we can now download from
> https:// urls instead of just http://.
> Adjust our wget lwip version parsing to support both URLs.
> While at it adjust the default TCP window for QEMU since https seems to
> require at least 16384
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> cmd/Kconfig | 19 ++++++++++++
> net/lwip/Kconfig | 2 +-
> net/lwip/wget.c | 78 +++++++++++++++++++++++++++++++++++++++++++-----
> 3 files changed, 91 insertions(+), 8 deletions(-)
>
> diff --git a/cmd/Kconfig b/cmd/Kconfig
> index 8c677b1e4864..e58566a9ba34 100644
> --- a/cmd/Kconfig
> +++ b/cmd/Kconfig
> @@ -2118,6 +2118,25 @@ config CMD_WGET
> wget is a simple command to download kernel, or other files,
> from a http server over TCP.
>
> +config WGET_HTTPS
> + bool "wget https"
> + depends on CMD_WGET
Is it possible to do wget programmatically, i.e. without CMDLINE?
> + depends on PROT_TCP_LWIP
> + depends on MBEDTLS_LIB
> + select SHA256
> + select RSA
> + select ASYMMETRIC_KEY_TYPE
> + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> + select X509_CERTIFICATE_PARSER
> + select PKCS7_MESSAGE_PARSER
> + select MBEDTLS_LIB_CRYPTO
> + select MBEDTLS_LIB_TLS
> + select RSA_VERIFY_WITH_PKEY
> + select X509_CERTIFICATE_PARSER
> + select PKCS7_MESSAGE_PARSER
> + help
> + Enable TLS over http for wget.
> +
> endif # if CMD_NET
>
> config CMD_PXE
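Review bot: `select X509_CERTIFICATE_PARSER` and `select PKCS7_MESSAGE_PARSER` each appear twice in WGET_HTTPS; drop the second copies. The help text "Enable TLS over http for wget." should say what the user actually gets: TLS 1.2 through mbedTLS and, with the wget.c changes in this patch, no server certificate verification, so that nobody enables it expecting authenticated downloads.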
> diff --git a/net/lwip/Kconfig b/net/lwip/Kconfig
> index 8a67de4cf335..a9ae9bf7fa2a 100644
> --- a/net/lwip/Kconfig
> +++ b/net/lwip/Kconfig
> @@ -37,7 +37,7 @@ config PROT_UDP_LWIP
>
> config LWIP_TCP_WND
> int "Value of TCP_WND"
> - default 8000 if ARCH_QEMU
> + default 32768 if ARCH_QEMU
> default 3000000
> help
> Default value for TCP_WND in the lwIP configuration
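Review bot: the commit message says https "seems to require at least 16384"; the reason is that a TLS record carries up to 16 KiB of payload and mbedTLS has to receive the complete record before it can authenticate and decrypt it, so a receive window smaller than a record stalls the connection. Put that explanation in the help text (and in the commit message) rather than the guess, so the next person tuning LWIP_TCP_WND for a memory-constrained board knows the floor is one full TLS record plus headroom, not an arbitrary number.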
> diff --git a/net/lwip/wget.c b/net/lwip/wget.c
> index b495ebd1aa96..b4f039d38962 100644
> --- a/net/lwip/wget.c
> +++ b/net/lwip/wget.c
> @@ -7,13 +7,17 @@
> #include <efi_loader.h>
> #include <image.h>
> #include <lwip/apps/http_client.h>
> +#include "lwip/altcp_tls.h"
> #include <lwip/timeouts.h>
> +#include <rng.h>
> #include <mapmem.h>
> #include <net.h>
> #include <time.h>
> +#include <dm/uclass.h>
>
> #define SERVER_NAME_SIZE 200
> #define HTTP_PORT_DEFAULT 80
> +#define HTTPS_PORT_DEFAULT 443
> #define PROGRESS_PRINT_STEP_BYTES (100 * 1024)
>
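Review bot: style, `#include "lwip/altcp_tls.h"` uses quotes while the neighbouring lwIP headers use angle brackets (`<lwip/apps/http_client.h>`, `<lwip/timeouts.h>`); make it `<lwip/altcp_tls.h>`, and move `<rng.h>` so the list stays sorted (it currently lands between `<lwip/timeouts.h>` and `<mapmem.h>`).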
> enum done_state {
> @@ -32,18 +36,53 @@ struct wget_ctx {
> enum done_state done;
> };
>
> +bool wget_validate_uri(char *uri);
> +
> +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len,
> + size_t *olen)
> +{
> + struct udevice *dev;
> + u64 rng = 0;
> + int err;
ret
> +
> + *olen = 0;
> +
> + err = uclass_get_device(UCLASS_RNG, 0, &dev);
Using uclass_get_device_by_seq() would allow aliases to select which
device is used.
> + if (err)
> + return err;
> + err = dm_rng_read(dev, &rng, sizeof(rng));
> + if (err) {
> + log_err("Failed to get an rng: %d\n", err);
If you are showing an error, I think it is more likely to happen when
trying to find the device, so perhaps do this on the
uclass_get_device() call?
> + return err;
> + }
> +
> + memcpy(output, &rng, len);
> + *olen = sizeof(rng);
But then why not dm_rng_read() into output and avoid the u64?
Actually, dm_rng_ops->read() should return the number of bytes,
perhaps?
> +
> + return 0;
> +}
> +
> static int parse_url(char *url, char *host, u16 *port, char **path)
> {
> char *p, *pp;
> long lport;
> + size_t prefix_len = 0;
> +
> + if (!wget_validate_uri(url)) {
> + log_err("Invalid URL. Use http(s)://\n");
> + return -EINVAL;
> + }
>
> + *port = HTTP_PORT_DEFAULT;
> + prefix_len = strlen("http://");
> p = strstr(url, "http://");
> if (!p) {
> - log_err("only http:// is supported\n");
> - return -EINVAL;
> + p = strstr(url, "https://");
> + prefix_len = strlen("https://");
> + *port = HTTPS_PORT_DEFAULT;
> }
>
> - p += strlen("http://");
> + p += prefix_len;
>
> /* Parse hostname */
> pp = strchr(p, ':');
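Review bot: mbedtls_hardware_poll() copies `len` bytes out of an 8-byte `u64` (`memcpy(output, &rng, len)`); mbedTLS's entropy gatherer asks for far more than 8 bytes per poll, so this reads past the stack variable and feeds stack contents into the entropy pool while reporting `*olen = sizeof(rng)`. Read straight into the caller's buffer instead, `err = dm_rng_read(dev, output, len); if (!err) *olen = len;`, and drop the local. As Simon says, log on the uclass_get_device() failure as well: with MBEDTLS_NO_PLATFORM_ENTROPY this function is the only entropy source, so a board without an RNG driver must fail loudly rather than quietly. In parse_url() the scheme is located with strstr() instead of being matched at the start of the string: for `https://host/?next=http://other/` the first strstr() hits the embedded `http://`, so host becomes `other` and the port falls back to 80. wget_validate_uri() already checks the prefix with strncmp(); do the same here (`if (!strncmp(url, "https://", strlen("https://")))`) and return the scheme to the caller so the TLS decision can be based on it rather than on the port number.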
> @@ -67,9 +106,8 @@ static int parse_url(char *url, char *host, u16 *port, char **path)
> if (lport > 65535)
> return -EINVAL;
> *port = (u16)lport;
> - } else {
> - *port = HTTP_PORT_DEFAULT;
> }
> +
> if (*pp != '/')
> return -EINVAL;
> *path = pp;
> @@ -210,6 +248,9 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result,
> static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
> {
> char server_name[SERVER_NAME_SIZE];
> +#if defined CONFIG_WGET_HTTPS
> + altcp_allocator_t tls_allocator;
> +#endif
> httpc_connection_t conn;
> httpc_state_t *state;
> struct netif *netif;
> @@ -232,6 +273,22 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
> return -1;
>
> memset(&conn, 0, sizeof(conn));
> +#if defined CONFIG_WGET_HTTPS
if (IS_ENABLED(CONFIG_WGET_HTTPS))
> + if (port == HTTPS_PORT_DEFAULT) {
> + tls_allocator.alloc = &altcp_tls_alloc;
> + tls_allocator.arg =
> + altcp_tls_create_config_client(NULL, 0, server_name);
> +
> + if (!tls_allocator.arg) {
> + log_err("error: Cannot create a TLS connection\n");
> + net_lwip_remove_netif(netif);
> + return -1;
> + }
> +
> + conn.altcp_allocator = &tls_allocator;
> + }
> +#endif
> +
> conn.result_fn = httpc_result_cb;
> ctx.path = path;
> if (httpc_get_file_dns(server_name, port, path, &conn, httpc_recv_cb,
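Review bot: TLS is chosen by `port == HTTPS_PORT_DEFAULT`, but after parse_url() the port no longer identifies the scheme: `https://host:8443/file` is fetched in the clear over plain TCP and `http://host:443/` gets wrapped in TLS. Have parse_url() return the scheme (for instance a `bool https` out-parameter set where it picks the default port) and key this block on that. Separately, `altcp_tls_create_config_client(NULL, 0, server_name)` passes no CA certificate (the first two arguments in lwIP's altcp_tls API are the CA and its length), so mbedTLS has nothing to verify the server chain against; the transfer is encrypted but the peer is not authenticated, which matters for an image that is about to be booted. Either take a CA bundle from the platform (environment or a Kconfig-embedded PEM) and pass it here, or state the missing verification plainly in the commit message and in the doc patch of this series. It is also not visible in this hunk where tls_allocator.arg is released; check that altcp_tls_free_config() runs on every path after httpc_get_file_dns().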
> @@ -316,6 +373,7 @@ bool wget_validate_uri(char *uri)
> char c;
> bool ret = true;
> char *str_copy, *s, *authority;
> + size_t prefix_len = 0;
>
> for (c = 0x1; c < 0x21; c++) {
> if (strchr(uri, c)) {
> @@ -323,15 +381,21 @@ bool wget_validate_uri(char *uri)
> return false;
> }
> }
> +
> if (strchr(uri, 0x7f)) {
> log_err("invalid character is used\n");
> return false;
> }
>
> - if (strncmp(uri, "http://", 7)) {
> - log_err("only http:// is supported\n");
> + if (!strncmp(uri, "http://", strlen("http://"))) {
> + prefix_len = strlen("http://");
> + } else if (!strncmp(uri, "https://", strlen("https://"))) {
> + prefix_len = strlen("https://");
> + } else {
> + log_err("only http(s):// is supported\n");
> return false;
> }
> +
> str_copy = strdup(uri);
> if (!str_copy)
> return false;
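Review bot: this check and the one in parse_url() now disagree on how the scheme is matched (strncmp() anchored at the start here, strstr() there); keep one implementation and, since prefix_len is computed here anyway, consider returning it to the caller so parse_url() does not redo the comparison. The comparison is also case-sensitive, so `HTTPS://host/` is rejected with "only http(s):// is supported" although scheme names are case-insensitive per RFC 3986; either compare case-insensitively or say so in the message.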
> --
> 2.45.2
>
Regards,
Simon
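The URL handling in the parse_url() and wget_loop() hunks quoted above is worth seeing as one self-contained piece. The following is an added example, not code from the patch or from U-Boot: a splitter for http:// and https:// URLs that anchors the scheme at the start of the string and hands the scheme back to the caller, so the decision to wrap the connection in TLS can be made from the scheme rather than from whether the port happens to be 443. The names (struct parsed_url, parse_http_url, url_chars_ok) and the use of the same 200-byte host bound are this example's own choices; like the patch, it requires a path and does not handle IPv6 literals.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 200 /* same bound as SERVER_NAME_SIZE in the patch */

struct parsed_url {
	bool https;          /* true for https://, false for http:// */
	unsigned short port; /* explicit port, or the scheme's default */
	char host[HOST_MAX];
	const char *path;    /* points into the caller's string, at the first '/' */
};

/* Same character policy as wget_validate_uri(): no control chars, no DEL. */
static bool url_chars_ok(const char *url)
{
	const unsigned char *p;

	for (p = (const unsigned char *)url; *p; p++)
		if (*p < 0x21 || *p == 0x7f)
			return false;
	return true;
}

/*
 * Split "http[s]://host[:port]/path" into its parts. Returns 0 or -EINVAL.
 * The scheme is matched with strncmp() at offset 0: strstr() would also
 * accept a "http://" buried in the path or query of an https:// URL.
 * Like the patch, a path is mandatory and IPv6 literals are not handled.
 */
int parse_http_url(const char *url, struct parsed_url *out)
{
	const char *p, *end;
	size_t host_len;

	if (!url || !out || !url_chars_ok(url))
		return -EINVAL;

	if (!strncmp(url, "https://", strlen("https://"))) {
		out->https = true;
		out->port = 443;
		p = url + strlen("https://");
	} else if (!strncmp(url, "http://", strlen("http://"))) {
		out->https = false;
		out->port = 80;
		p = url + strlen("http://");
	} else {
		return -EINVAL;
	}

	/* Host ends at the first ':' (explicit port) or '/' (path). */
	end = p + strcspn(p, ":/");
	host_len = (size_t)(end - p);
	if (host_len == 0 || host_len >= HOST_MAX)
		return -EINVAL;
	memcpy(out->host, p, host_len);
	out->host[host_len] = '\0';

	if (*end == ':') {
		char *after;
		long lport;

		errno = 0;
		lport = strtol(end + 1, &after, 10);
		if (after == end + 1 || errno || lport < 1 || lport > 65535)
			return -EINVAL;
		out->port = (unsigned short)lport;
		end = after;
	}

	if (*end != '/')
		return -EINVAL;
	out->path = end;
	return 0;
}

int main(void)
{
	static const char *const samples[] = {
		"https://host/path", "https://host:8443/x", "http://host:443/",
		"https://a/b?next=http://evil/", "ftp://host/", "http://host",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct parsed_url u;
		int ret = parse_http_url(samples[i], &u);

		if (ret)
			printf("%-30s -> rejected (%d)\n", samples[i], ret);
		else
			printf("%-30s -> %s host=%s port=%u path=%s\n", samples[i],
			       u.https ? "tls" : "plain", u.host, u.port, u.path);
	}
	return 0;
}
```

With this shape the caller writes `if (u.https) { set up the altcp TLS allocator }` and `https://host:8443/` is still sent over TLS while `http://host:443/` stays plain, which is what the scheme in the URL asked for.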
* Re: [PATCH 5/6] configs: Enable htts for wget on qemu arm64
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable htts for wget on qemu arm64 Ilias Apalodimas
@ 2024-10-19 11:50 ` Simon Glass
2024-10-21 21:39 ` Peter Robinson
2024-10-22 11:53 ` Jérôme Forissier
2 siblings, 0 replies; 22+ messages in thread
From: Simon Glass @ 2024-10-19 11:50 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot
On Fri, 18 Oct 2024 at 08:23, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> QEMU already has an lwip variant of a defconfig. That defconfig
> is also configured with mbedTLS by default. So let's enable the
> remaining config options to enable wget for https:// as well
> and test that codepath in the CI
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> configs/qemu_arm64_lwip_defconfig | 1 +
> 1 file changed, 1 insertion(+)
>
Reviewed-by: Simon Glass <sjg@chromium.org>
> diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
> index d3d8ef16e668..754c770c33fc 100644
> --- a/configs/qemu_arm64_lwip_defconfig
> +++ b/configs/qemu_arm64_lwip_defconfig
> @@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y
> CONFIG_CMD_DNS=y
> CONFIG_CMD_WGET=y
> CONFIG_EFI_HTTP_BOOT=y
> +CONFIG_WGET_HTTPS=y
> --
> 2.45.2
>
* Re: [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot
2024-10-18 14:22 ` [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot Ilias Apalodimas
@ 2024-10-19 11:50 ` Simon Glass
0 siblings, 0 replies; 22+ messages in thread
From: Simon Glass @ 2024-10-19 11:50 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot
On Fri, 18 Oct 2024 at 08:23, Ilias Apalodimas
<ilias.apalodimas@linaro.org> wrote:
>
> We now can use a combination of lwIP & mbedTLS and download from
> https://. Describe the config options needed to enable it as well
> as some limitations
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> doc/develop/uefi/uefi.rst | 45 +++++++++++++++++++++++++++++++++++++--
> 1 file changed, 43 insertions(+), 2 deletions(-)
>
Reviewed-by: Simon Glass <sjg@chromium.org>
> diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
> index 0760ca91d4fc..198288a6889f 100644
> --- a/doc/develop/uefi/uefi.rst
> +++ b/doc/develop/uefi/uefi.rst
> @@ -681,8 +681,8 @@ UEFI variables. Booting according to these variables is possible via::
> As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot
> command 'efidebug' can be used to set the variables.
>
> -UEFI HTTP Boot
> -~~~~~~~~~~~~~~
> +UEFI HTTP Boot using the legacy TCP stack
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> HTTP Boot provides the capability for system deployment and configuration
> over the network. HTTP Boot can be activated by specifying::
> @@ -715,6 +715,47 @@ We need to preset the "httpserverip" environment variable to proceed the wget::
>
> setenv httpserverip 192.168.1.1
>
> +UEFI HTTP(s) Boot using lwIP
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +Similar to the above U-Boot can do EFI HTTP boot using lwIP. If we combine this
> +with mbedTLS we can also download from https://
> +
> +HTTP(s) Boot can be activated by specifying::
> +
> + CONFIG_EFI_HTTP_BOOT
> + CONFIG_NET_LWIP
> + CONFIG_MBEDTLS_LIB_TLS
> +
> +For QEMU targets there's a Kconfig that supports this by default::
> +
> + make qemu_arm64_lwip_defconfig
> +
> +The commands and functionality are similar to the legacy stack, with the notable
> +exception of not having to define an "httpserverip" if you are trying to resolve
> +an IP. However, lwIP code doesn't yet support redirects::
> +
> + => efidebug boot add -u 1 netinst https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-cd/debian-testing-arm64-netinst.iso
> + => dhcp
> + DHCP client bound to address 10.0.2.15 (3 ms)
> + => efidebug boot order 1
> + => bootefi bootmgr
> +
> + HTTP server error 302
> + Loading Boot0001 'netinst' failed
> + EFI boot manager: Cannot load any image
> +
> +If the url you specified isn't a redirect::
> +
> + => efidebug boot add -u 1 netinst https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso
> + => dhcp
> + => bootefi bootmgr
> + #######################################
> +
> +If the downloaded file extension is .iso or .img file, efibootmgr tries to
> +mount the image and boot with the default file(e.g. EFI/BOOT/BOOTAA64.EFI).
> +If the downloaded file is PE-COFF image, load the downloaded file and
> +start it.
> +
> Executing the built in hello world application
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
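Review bot: the option list for HTTPS boot (CONFIG_EFI_HTTP_BOOT, CONFIG_NET_LWIP, CONFIG_MBEDTLS_LIB_TLS) leaves out CONFIG_WGET_HTTPS, which is what patch 5/6 actually adds to qemu_arm64_lwip_defconfig; list the user-facing symbol. The "limitations" promised in the commit message cover only redirects; since the wget patch in this series builds the TLS client config without a CA certificate, say whether the server certificate is verified, because a reader of an HTTPS boot section will assume it is. Minor: add a blank line after the section underline like the other sections, and write HTTPS and URL rather than "HTTP(s)" and "url".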
> --
> 2.45.2
>
* Re: [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-18 15:26 ` Raymond Mao
@ 2024-10-21 10:31 ` Ilias Apalodimas
2024-10-21 14:03 ` Raymond Mao
0 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-21 10:31 UTC (permalink / raw)
To: Raymond Mao
Cc: jerome.forissier, xypron.glpk, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Hi Raymond,
On Fri, 18 Oct 2024 at 18:26, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>>
>> Hi Raymond,
>>
>> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
>> >
>> > Hi Ilias,
>> >
>> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>> >>
>> >> Since lwIP and mbedTLS have been merged we can tweak the config options
>> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> >> enough block cipher modes of operation to be compatible with modern
>> >> TLS requirements and webservers
>> >>
>> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> >> ---
>> >> lib/mbedtls/Kconfig | 12 ++++++++
>> >> lib/mbedtls/Makefile | 33 +++++++++++++++++++-
>> >> lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>> >> 3 files changed, 96 insertions(+), 1 deletion(-)
>> >>
>> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> >> index d71adc3648ad..f3e172633999 100644
>> >> --- a/lib/mbedtls/Kconfig
>> >> +++ b/lib/mbedtls/Kconfig
>> >> @@ -430,4 +430,16 @@ endif # SPL
>> >>
>> >> endif # MBEDTLS_LIB_X509
>> >>
>> >> +config MBEDTLS_LIB_TLS
>> >> + bool "MbedTLS TLS library"
>> >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> + depends on ASN1_DECODER_MBEDTLS
>> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> + depends on MBEDTLS_LIB_CRYPTO
>> >> + help
>> >> + Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> >> + in wget
>> >> +
>> >> endif # MBEDTLS_LIB
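Review bot: `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice in MBEDTLS_LIB_TLS; drop one. The help text says enabling this turns on HTTPS in wget, but wget additionally needs WGET_HTTPS (patch 4/6), so "is required for HTTPS support in wget" is more accurate than "HTTPs support will be enabled"; also HTTPs -> HTTPS.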
>> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> >> index 83cb3c2fa705..845284799a11 100644
>> >> --- a/lib/mbedtls/Makefile
>> >> +++ b/lib/mbedtls/Makefile
>> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>> >> mbedtls_lib_crypto-y := \
>> >> $(MBEDTLS_LIB_DIR)/platform_util.o \
>> >> $(MBEDTLS_LIB_DIR)/constant_time.o \
>> >> - $(MBEDTLS_LIB_DIR)/md.o
>> >> + $(MBEDTLS_LIB_DIR)/md.o \
>> >> + $(MBEDTLS_LIB_DIR)/entropy.o \
>> >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> >> + $(MBEDTLS_LIB_DIR)/aes.o \
>> >> + $(MBEDTLS_LIB_DIR)/cipher.o \
>> >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> >> + $(MBEDTLS_LIB_DIR)/ecdh.o \
>> >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> >> + $(MBEDTLS_LIB_DIR)/ecp.o \
>> >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> >> + $(MBEDTLS_LIB_DIR)/gcm.o \
>> >> +
>> >
>> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
>> > control if it exists.
>> > Take ECDSA for example:
>> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
>>
>> Fair enough, but ECDSA is the only one that exists atm. I can move
>> that there, but I don't think we should create a Kconfig option per
>> object file.
>> Those are mbedTLS internals dependencies to enable TLS1.2. Perhaps
>> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>>
> I agree. We can move ECDSA and AES with Kconfig control and keep others as-is at the moment.
Ok I had a closer look at this. ECDSA and AES currently have Kconfig
options for the legacy crypto libs. As a result, we need to define
mbedtls variants etc which is ok.
We only have one board using AES atm and sandbox using ECDSA. Since I
want efi https for 2025.01, we can move the new .o files under
CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the
Kconfigs for all crypto which is a bit messy atm.
Are you ok with this?
>
>>
>> >
>> >>
>> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
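Review bot: the new object list ends with `$(MBEDTLS_LIB_DIR)/gcm.o \` followed by an added empty line, so the continuation backslash joins onto a blank line; drop the trailing backslash (and the empty `+` line) so the list ends cleanly before the md5/sha1/sha256 lines.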
>> >> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>> >> $(MBEDTLS_LIB_DIR)/x509_crt.o
>> >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>> >> $(MBEDTLS_LIB_DIR)/pkcs7.o
>> >> +
>> >> +#mbedTLS TLS support
>> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> >> +mbedtls_lib_tls-y := \
>> >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
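Review bot: `$(MBEDTLS_LIB_DIR)/ctr_drbg.o \` is the last line of the file and still carries a continuation backslash; remove it. `net_sockets.o` also looks out of place in a U-Boot build: mbedTLS's net_sockets.c is the POSIX-socket transport and is compiled only under MBEDTLS_NET_C, so here it is either an empty object or would not build; drop it from the list unless mbedtls_def_config.h (not shown in this hunk) enables MBEDTLS_NET_C on purpose.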
>> >
>> > Ditto, add the U-Boot Kconfig control if it exists.
>>
>> None of these make sense as a U-Boot Kconfig. They are
>> mbedTLS internal to enable TLS1.2 support.
>
>
> I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
> I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.
I would prefer having TLS as a separate Kconfig option. We might need
to use it without wget and binding mbedTLS to lwIP doesn't make that
much sense. It does *currently* because that's the only code that uses
it
Thanks
/Ilias
>
> [snip]
>
> Regards,
> Raymond
* Re: [PATCH 4/6] net: lwip: Enable https:// support for wget
2024-10-19 11:50 ` Simon Glass
@ 2024-10-21 11:00 ` Ilias Apalodimas
2024-10-24 17:02 ` Ilias Apalodimas
0 siblings, 1 reply; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-21 11:00 UTC (permalink / raw)
To: Simon Glass
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Jonathan Humphreys, Wei Ming Chen,
Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot
Hi Simon,
On Sat, 19 Oct 2024 at 14:50, Simon Glass <sjg@chromium.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 08:23, Ilias Apalodimas
> <ilias.apalodimas@linaro.org> wrote:
> >
> > With the recent changes of lwip & mbedTLS we can now download from
> > https:// urls instead of just http://.
> > Adjust our wget lwip version parsing to support both URLs.
> > While at it adjust the default TCP window for QEMU since https seems to
> > require at least 16384
> >
> > Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> > ---
> > cmd/Kconfig | 19 ++++++++++++
> > net/lwip/Kconfig | 2 +-
> > net/lwip/wget.c | 78 +++++++++++++++++++++++++++++++++++++++++++-----
> > 3 files changed, 91 insertions(+), 8 deletions(-)
> >
> > diff --git a/cmd/Kconfig b/cmd/Kconfig
> > index 8c677b1e4864..e58566a9ba34 100644
> > --- a/cmd/Kconfig
> > +++ b/cmd/Kconfig
> > @@ -2118,6 +2118,25 @@ config CMD_WGET
> > wget is a simple command to download kernel, or other files,
> > from a http server over TCP.
> >
> > +config WGET_HTTPS
> > + bool "wget https"
> > + depends on CMD_WGET
>
> Is it possible to do wget programmatically, i.e. without CMDLINE?
Yes. But that would require more untangling of wget. I'll look into
that once we are done with features.
>
> > + depends on PROT_TCP_LWIP
> > + depends on MBEDTLS_LIB
> > + select SHA256
> > + select RSA
> > + select ASYMMETRIC_KEY_TYPE
> > + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> > + select X509_CERTIFICATE_PARSER
> > + select PKCS7_MESSAGE_PARSER
> > + select MBEDTLS_LIB_CRYPTO
> > + select MBEDTLS_LIB_TLS
> > + select RSA_VERIFY_WITH_PKEY
> > + select X509_CERTIFICATE_PARSER
> > + select PKCS7_MESSAGE_PARSER
> > + help
> > + Enable TLS over http for wget.
> > +
> > endif # if CMD_NET
> >
> > config CMD_PXE
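Review bot: `select X509_CERTIFICATE_PARSER` and `select PKCS7_MESSAGE_PARSER` each appear twice in WGET_HTTPS; drop the duplicates. Also, `select MBEDTLS_LIB_TLS` forces a symbol that itself `depends on` RSA_PUBLIC_KEY_PARSER_MBEDTLS, X509_CERTIFICATE_PARSER_MBEDTLS, ASYMMETRIC_PUBLIC_KEY_MBEDTLS and ASN1_DECODER_MBEDTLS (patch 1/6); select does not satisfy a depends, so a defconfig that turns on WGET_HTTPS with the legacy parsers chosen gets an "unmet direct dependencies" warning. Either select the *_MBEDTLS variants here as well or make WGET_HTTPS depend on MBEDTLS_LIB_TLS. The help text should say HTTPS rather than "TLS over http".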
> > diff --git a/net/lwip/Kconfig b/net/lwip/Kconfig
> > index 8a67de4cf335..a9ae9bf7fa2a 100644
> > --- a/net/lwip/Kconfig
> > +++ b/net/lwip/Kconfig
> > @@ -37,7 +37,7 @@ config PROT_UDP_LWIP
> >
> > config LWIP_TCP_WND
> > int "Value of TCP_WND"
> > - default 8000 if ARCH_QEMU
> > + default 32768 if ARCH_QEMU
> > default 3000000
> > help
> > Default value for TCP_WND in the lwIP configuration
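Review bot: the commit message says https needs "at least 16384" but the QEMU default goes to 32768; say in the help text or the commit message where the number comes from (a full 16 KiB TLS record plus headroom, presumably) so the next person tuning it knows the floor. The non-QEMU default stays 3000000, so only QEMU is affected.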
> > diff --git a/net/lwip/wget.c b/net/lwip/wget.c
> > index b495ebd1aa96..b4f039d38962 100644
> > --- a/net/lwip/wget.c
> > +++ b/net/lwip/wget.c
> > @@ -7,13 +7,17 @@
> > #include <efi_loader.h>
> > #include <image.h>
> > #include <lwip/apps/http_client.h>
> > +#include "lwip/altcp_tls.h"
> > #include <lwip/timeouts.h>
> > +#include <rng.h>
> > #include <mapmem.h>
> > #include <net.h>
> > #include <time.h>
> > +#include <dm/uclass.h>
> >
> > #define SERVER_NAME_SIZE 200
> > #define HTTP_PORT_DEFAULT 80
> > +#define HTTPS_PORT_DEFAULT 443
> > #define PROGRESS_PRINT_STEP_BYTES (100 * 1024)
> >
> > enum done_state {
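Review bot: `#include "lwip/altcp_tls.h"` uses quotes while the neighbouring lwIP headers are included with angle brackets (<lwip/apps/http_client.h>, <lwip/timeouts.h>); use the same form, and keep the include list sorted (rng.h and dm/uclass.h are inserted out of order).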
> > @@ -32,18 +36,53 @@ struct wget_ctx {
> > enum done_state done;
> > };
> >
> > +bool wget_validate_uri(char *uri);
> > +
> > +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len,
> > + size_t *olen)
> > +{
> > + struct udevice *dev;
> > + u64 rng = 0;
> > + int err;
>
> ret
>
> > +
> > + *olen = 0;
> > +
> > + err = uclass_get_device(UCLASS_RNG, 0, &dev);
>
> Using uclass_get_device_by_seq() would allow aliases to select which
> device is used.
Ok, but I don't think we need it here. We just need a random number
from any device that can send us one no?
>
> > + if (err)
> > + return err;
> > + err = dm_rng_read(dev, &rng, sizeof(rng));
> > + if (err) {
> > + log_err("Failed to get an rng: %d\n", err);
>
> If you are showing an error, I think it is more likely to happen when
> trying to find the device, so perhaps do this on the
> uclass_get_device() call?
Sure
>
> > + return err;
> > + }
> > +
> > + memcpy(output, &rng, len);
> > + *olen = sizeof(rng);
>
> But then why not dm_rng_read() into output and avoid the u64?
> Actually, dm_rng_ops->read() should return the number of bytes,
> perhaps?
The caller defines the length. Copying blindly a u64 might overflow.
But the current code should be
*olen = len
>
> > +
> > + return 0;
> > +}
> > +
> > static int parse_url(char *url, char *host, u16 *port, char **path)
> > {
> > char *p, *pp;
> > long lport;
> > + size_t prefix_len = 0;
> > +
> > + if (!wget_validate_uri(url)) {
> > + log_err("Invalid URL. Use http(s)://\n");
> > + return -EINVAL;
> > + }
> >
> > + *port = HTTP_PORT_DEFAULT;
> > + prefix_len = strlen("http://");
> > p = strstr(url, "http://");
> > if (!p) {
> > - log_err("only http:// is supported\n");
> > - return -EINVAL;
> > + p = strstr(url, "https://");
> > + prefix_len = strlen("https://");
> > + *port = HTTPS_PORT_DEFAULT;
> > }
> >
> > - p += strlen("http://");
> > + p += prefix_len;
> >
> > /* Parse hostname */
> > pp = strchr(p, ':');
> > @@ -67,9 +106,8 @@ static int parse_url(char *url, char *host, u16 *port, char **path)
> > if (lport > 65535)
> > return -EINVAL;
> > *port = (u16)lport;
> > - } else {
> > - *port = HTTP_PORT_DEFAULT;
> > }
> > +
> > if (*pp != '/')
> > return -EINVAL;
> > *path = pp;
> > @@ -210,6 +248,9 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result,
> > static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
> > {
> > char server_name[SERVER_NAME_SIZE];
> > +#if defined CONFIG_WGET_HTTPS
> > + altcp_allocator_t tls_allocator;
> > +#endif
> > httpc_connection_t conn;
> > httpc_state_t *state;
> > struct netif *netif;
> > @@ -232,6 +273,22 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)
> > return -1;
> >
> > memset(&conn, 0, sizeof(conn));
> > +#if defined CONFIG_WGET_HTTPS
>
> if (IS_ENABLED(CONFIG_WGET_HTTPS))
>
Unfortunately, I don't think we can use that here. If
CONFIG_WGET_HTTPS is not enabled LWIP_ALTCP will not be defined, and
the altcp_allocator_t field will be missing from the struct leading to
a compilation error
Thanks
/Ilias
> > + if (port == HTTPS_PORT_DEFAULT) {
> > + tls_allocator.alloc = &altcp_tls_alloc;
> > + tls_allocator.arg =
> > + altcp_tls_create_config_client(NULL, 0, server_name);
> > +
> > + if (!tls_allocator.arg) {
> > + log_err("error: Cannot create a TLS connection\n");
> > + net_lwip_remove_netif(netif);
> > + return -1;
> > + }
> > +
> > + conn.altcp_allocator = &tls_allocator;
> > + }
> > +#endif
> > +
> > conn.result_fn = httpc_result_cb;
> > ctx.path = path;
> > if (httpc_get_file_dns(server_name, port, path, &conn, httpc_recv_cb,
> > @@ -316,6 +373,7 @@ bool wget_validate_uri(char *uri)
> > char c;
> > bool ret = true;
> > char *str_copy, *s, *authority;
> > + size_t prefix_len = 0;
> >
> > for (c = 0x1; c < 0x21; c++) {
> > if (strchr(uri, c)) {
> > @@ -323,15 +381,21 @@ bool wget_validate_uri(char *uri)
> > return false;
> > }
> > }
> > +
> > if (strchr(uri, 0x7f)) {
> > log_err("invalid character is used\n");
> > return false;
> > }
> >
> > - if (strncmp(uri, "http://", 7)) {
> > - log_err("only http:// is supported\n");
> > + if (!strncmp(uri, "http://", strlen("http://"))) {
> > + prefix_len = strlen("http://");
> > + } else if (!strncmp(uri, "https://", strlen("https://"))) {
> > + prefix_len = strlen("https://");
> > + } else {
> > + log_err("only http(s):// is supported\n");
> > return false;
> > }
> > +
> > str_copy = strdup(uri);
> > if (!str_copy)
> > return false;
> > --
> > 2.45.2
> >
>
> Regards,
> Simon
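The exchange above about mbedtls_hardware_poll() (reading into the caller's buffer instead of a u64, and reporting `*olen = len`) comes down to the length contract of an mbedTLS entropy source. The following is an added example, not code from the patch, U-Boot or mbedTLS: a callback with the mbedtls_hardware_poll() signature that fills exactly the requested length with no fixed-size intermediate, reports how many bytes it really produced, and returns mbedTLS's entropy-source error code on failure. `struct rng_source`, rng_source_read() and the xorshift generator are this example's own constructed stand-ins for a DM RNG device; the generator is deterministic and is not entropy, it only makes the block runnable offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error code mbedTLS expects back from a failing entropy source. */
#define MBEDTLS_ERR_ENTROPY_SOURCE_FAILED (-0x003C)

/*
 * Constructed stand-in for a DM RNG device (real code would hold a
 * struct udevice and call dm_rng_read()). xorshift64 is deterministic
 * and is NOT entropy; it exists only so the example runs offline.
 */
struct rng_source {
	uint64_t state; /* must be non-zero */
	int fail;       /* set to make every read fail, like a broken device */
};

static int rng_source_read(struct rng_source *src, void *buf, size_t size)
{
	unsigned char *out = buf;

	if (src->fail)
		return -5; /* -EIO */
	while (size--) {
		src->state ^= src->state << 13;
		src->state ^= src->state >> 7;
		src->state ^= src->state << 17;
		*out++ = (unsigned char)src->state;
	}
	return 0;
}

/*
 * Entropy-source callback with the mbedtls_hardware_poll() signature:
 * fill exactly `len` bytes of `output`, reading straight into the caller's
 * buffer (no fixed-size local, so nothing can be over-read), and report in
 * *olen how many bytes were really produced: `len` on success, 0 on failure.
 */
int entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen)
{
	struct rng_source *src = data;

	*olen = 0;
	if (!src || !output)
		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
	if (rng_source_read(src, output, len))
		return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
	*olen = len;
	return 0;
}

/*
 * Bounds harness: poll `len` bytes into a buffer padded with a 0xA5 canary
 * and return 1 only if olen == len and no byte past `len` was touched.
 */
int poll_keeps_bounds(size_t len)
{
	unsigned char buf[64 + 8];
	struct rng_source src = { .state = 0x9E3779B97F4A7C15ull, .fail = 0 };
	size_t olen = 0, i;

	if (len > 64)
		return 0;
	memset(buf, 0xA5, sizeof(buf));
	if (entropy_poll(&src, buf, len, &olen) || olen != len)
		return 0;
	for (i = len; i < sizeof(buf); i++)
		if (buf[i] != 0xA5)
			return 0;
	return 1;
}

int main(void)
{
	size_t sizes[] = { 8, 32, 64 };
	size_t i;

	for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("poll of %zu bytes: %s\n", sizes[i],
		       poll_keeps_bounds(sizes[i]) ? "in bounds" : "BROKEN");
	return 0;
}
```

The same canary check applied to the patch's version would fail for any `len` above 8, because the `memcpy(output, &rng, len)` there reads beyond the 8-byte `rng` local and `*olen` claims 8 bytes regardless of what was requested.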
* Re: [PATCH 1/6] mbedtls: Enable TLS 1.2 support
2024-10-21 10:31 ` Ilias Apalodimas
@ 2024-10-21 14:03 ` Raymond Mao
0 siblings, 0 replies; 22+ messages in thread
From: Raymond Mao @ 2024-10-21 14:03 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, xypron.glpk, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Caleb Connolly,
Masahisa Kojima, Javier Tia, u-boot
Hi Ilias,
On Mon, 21 Oct 2024 at 06:32, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:
> Hi Raymond,
>
> On Fri, 18 Oct 2024 at 18:26, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Hi Ilias,
> >
> > On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >>
> >> Hi Raymond,
> >>
> >> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org>
> wrote:
> >> >
> >> > Hi Ilias,
> >> >
> >> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >> >>
> >> >> Since lwIP and mbedTLS have been merged we can tweak the config
> options
> >> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> >> >> enough block cipher modes of operation to be compatible with modern
> >> >> TLS requirements and webservers
> >> >>
> >> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >> >> ---
> >> >> lib/mbedtls/Kconfig | 12 ++++++++
> >> >> lib/mbedtls/Makefile | 33 +++++++++++++++++++-
> >> >> lib/mbedtls/mbedtls_def_config.h | 52
> ++++++++++++++++++++++++++++++++
> >> >> 3 files changed, 96 insertions(+), 1 deletion(-)
> >> >>
> >> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> >> >> index d71adc3648ad..f3e172633999 100644
> >> >> --- a/lib/mbedtls/Kconfig
> >> >> +++ b/lib/mbedtls/Kconfig
> >> >> @@ -430,4 +430,16 @@ endif # SPL
> >> >>
> >> >> endif # MBEDTLS_LIB_X509
> >> >>
> >> >> +config MBEDTLS_LIB_TLS
> >> >> + bool "MbedTLS TLS library"
> >> >> + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> >> >> + depends on X509_CERTIFICATE_PARSER_MBEDTLS
> >> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> >> + depends on ASN1_DECODER_MBEDTLS
> >> >> + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> >> + depends on MBEDTLS_LIB_CRYPTO
> >> >> + help
> >> >> + Enable MbedTLS TLS library. If enabled HTTPs support will
> be enabled
> >> >> + in wget
> >> >> +
> >> >> endif # MBEDTLS_LIB
> >> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> >> >> index 83cb3c2fa705..845284799a11 100644
> >> >> --- a/lib/mbedtls/Makefile
> >> >> +++ b/lib/mbedtls/Makefile
> >> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> >> >> mbedtls_lib_crypto-y := \
> >> >> $(MBEDTLS_LIB_DIR)/platform_util.o \
> >> >> $(MBEDTLS_LIB_DIR)/constant_time.o \
> >> >> - $(MBEDTLS_LIB_DIR)/md.o
> >> >> + $(MBEDTLS_LIB_DIR)/md.o \
> >> >> + $(MBEDTLS_LIB_DIR)/entropy.o \
> >> >> + $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> >> >> + $(MBEDTLS_LIB_DIR)/aes.o \
> >> >> + $(MBEDTLS_LIB_DIR)/cipher.o \
> >> >> + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ecdh.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ecdsa.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ecp.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> >> >> + $(MBEDTLS_LIB_DIR)/gcm.o \
> >> >> +
> >> >
> >> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot
> Kconfig
> >> > control if it exists.
> >> > Take ECDSA for example:
> >> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
> >>
> >> Fair enough, but ECDSA is the only one that exists atm. I can move
> >> that there, but I don't think we should create a Kconfig option per
> >> object file.
> >> Those are mbedTLS internals dependencies to enable TLS1.2. Perhaps
> >> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
> >>
> > I agree. We can move ECDSA and AES with Kconfig control and keep others
> as-is at the moment.
>
> Ok I had a closer look at this. ECDSA and AES currently have Kconfig
> options for the legacy crypto libs. As a result, we need to define
> mbedtls variants etc which is ok.
> We only have one board using AES atm and sandbox using ECDSA. Since I
> want efi https for 2025.01, we can move the new .o files under
> CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the
> Kconfigs for all crypto which is a bit messy atm.
>
> Are you ok with this?
>
Yes, I agree. We can do this after all related patches are merged.
> >
> >>
> >> >
> >> >>
> >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> >> >> mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> >> >> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> >> >> $(MBEDTLS_LIB_DIR)/x509_crt.o
> >> >> mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> >> >> $(MBEDTLS_LIB_DIR)/pkcs7.o
> >> >> +
> >> >> +#mbedTLS TLS support
> >> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> >> >> +mbedtls_lib_tls-y := \
> >> >> + $(MBEDTLS_LIB_DIR)/mps_reader.o \
> >> >> + $(MBEDTLS_LIB_DIR)/mps_trace.o \
> >> >> + $(MBEDTLS_LIB_DIR)/net_sockets.o \
> >> >> + $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_client.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> >> >> + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> >> >> + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> >> >
> >> > Ditto, add the U-Boot Kconfig control if it exists.
> >>
> >> None of these make sense as a U-Boot Kconfig. They are
> >> mbedTLS internal to enable TLS1.2 support.
> >
> >
> > I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
> > I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.
>
> I would prefer having TLS as a separate Kconfig option. We might need
> to use it without wget and binding mbedTLS to lwIP doesn't make that
> much sense. It does *currently* because that's the only code that uses
> it
>
That is fine. Thanks.
Regards,
Raymond
* Re: [PATCH 5/6] configs: Enable htts for wget on qemu arm64
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable htts for wget on qemu arm64 Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
@ 2024-10-21 21:39 ` Peter Robinson
2024-10-22 11:53 ` Jérôme Forissier
2 siblings, 0 replies; 22+ messages in thread
From: Peter Robinson @ 2024-10-21 21:39 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek,
AKASHI Takahiro, Wei Ming Chen, Jonathan Humphreys,
Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot
s/htts/https for the subject.
> QEMU already has an lwip variant of a defconfig. That defconfig
> is also configured with mbedTLS by default. So let's enable the
> remaining config options to enable wget for https:// as well
> and test that codepath in the CI
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Peter Robinson <pbrobinson@gmail.com>
> ---
> configs/qemu_arm64_lwip_defconfig | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
> index d3d8ef16e668..754c770c33fc 100644
> --- a/configs/qemu_arm64_lwip_defconfig
> +++ b/configs/qemu_arm64_lwip_defconfig
> @@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y
> CONFIG_CMD_DNS=y
> CONFIG_CMD_WGET=y
> CONFIG_EFI_HTTP_BOOT=y
> +CONFIG_WGET_HTTPS=y
> --
> 2.45.2
>
* Re: [PATCH 5/6] configs: Enable htts for wget on qemu arm64
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable htts for wget on qemu arm64 Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-21 21:39 ` Peter Robinson
@ 2024-10-22 11:53 ` Jérôme Forissier
2 siblings, 0 replies; 22+ messages in thread
From: Jérôme Forissier @ 2024-10-22 11:53 UTC (permalink / raw)
To: Ilias Apalodimas
Cc: Raymond Mao, Heinrich Schuchardt, Tom Rini, Joe Hershberger,
Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro,
Wei Ming Chen, Jonathan Humphreys, Masahisa Kojima,
Caleb Connolly, Javier Tia, U-Boot Mailing List
On Fri, 18 Oct 2024 at 16:23, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:
> QEMU already has an lwip variant of a defconfig. That defconfig
> is also configured with mbedTLS by default. So let's enable the
> remaining config options to enable wget for https:// as well
> and test that codepath in the CI
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
> configs/qemu_arm64_lwip_defconfig | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/configs/qemu_arm64_lwip_defconfig
> b/configs/qemu_arm64_lwip_defconfig
> index d3d8ef16e668..754c770c33fc 100644
> --- a/configs/qemu_arm64_lwip_defconfig
> +++ b/configs/qemu_arm64_lwip_defconfig
> @@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y
> CONFIG_CMD_DNS=y
> CONFIG_CMD_WGET=y
> CONFIG_EFI_HTTP_BOOT=y
> +CONFIG_WGET_HTTPS=y
> --
> 2.45.2
>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
>
* Re: [PATCH 4/6] net: lwip: Enable https:// support for wget
2024-10-21 11:00 ` Ilias Apalodimas
@ 2024-10-24 17:02 ` Ilias Apalodimas
0 siblings, 0 replies; 22+ messages in thread
From: Ilias Apalodimas @ 2024-10-24 17:02 UTC (permalink / raw)
To: Simon Glass
Cc: jerome.forissier, raymond.mao, xypron.glpk, Tom Rini,
Joe Hershberger, Ramon Fried, Mattijs Korpershoek,
AKASHI Takahiro, Jonathan Humphreys, Wei Ming Chen,
Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot
Hi Simon,
[...]
> > > memset(&conn, 0, sizeof(conn));
> > > +#if defined CONFIG_WGET_HTTPS
> >
> > if (IS_ENABLED(CONFIG_WGET_HTTPS))
> >
>
> Unfortunately, I don't think we can use that here. If
> CONFIG_WGET_HTTPS is not enabled LWIP_ALTCP will not be defined, and
> the altcp_allocator_t field will be missing from the struct leading to
> a compilation error
I forgot to update this in v2 [0].
I'll send a v3 regardless and will change this to
#if IS_ENABLED(CONFIG_MBEDTLS_LIB_TLS)
which is a better fit anyway
[...]
Cheers
/Ilias
Thread overview: 22+ messages
2024-10-18 14:21 [PATCH 0/6] Enable https for wget Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 1/6] mbedtls: Enable TLS 1.2 support Ilias Apalodimas
2024-10-18 14:38 ` Raymond Mao
2024-10-18 14:54 ` Ilias Apalodimas
2024-10-18 15:26 ` Raymond Mao
2024-10-21 10:31 ` Ilias Apalodimas
2024-10-21 14:03 ` Raymond Mao
2024-10-18 14:21 ` [PATCH 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 3/6] net: lwip: Add Support Server Name Indication support Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 4/6] net: lwip: Enable https:// support for wget Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-21 11:00 ` Ilias Apalodimas
2024-10-24 17:02 ` Ilias Apalodimas
2024-10-18 14:21 ` [PATCH 5/6] configs: Enable htts for wget on qemu arm64 Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-21 21:39 ` Peter Robinson
2024-10-22 11:53 ` Jérôme Forissier
2024-10-18 14:22 ` [PATCH 6/6] doc: uefi: Describe UEFI HTTPs boot Ilias Apalodimas
2024-10-19 11:50 ` Simon Glass
2024-10-18 15:02 ` [PATCH 0/6] Enable https for wget Simon Glass
2024-10-18 15:05 ` Ilias Apalodimas
2024-10-18 17:20 ` Simon Glass