diff mbox series

[1/6] mbedtls: Enable TLS 1.2 support

Message ID 20241018142235.715571-2-ilias.apalodimas@linaro.org
State Superseded
Headers show
Series Enable https for wget | expand

Commit Message

Ilias Apalodimas Oct. 18, 2024, 2:21 p.m. UTC
Since lwIP and mbedTLS have been merged we can tweak the config options
and enable TLS1.2 support. Add RSA and ECDSA by default and enable
enough block cipher modes of operation to be comatible with modern
TLS requirements and webservers

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---
 lib/mbedtls/Kconfig              | 12 ++++++++
 lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
 lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 96 insertions(+), 1 deletion(-)

Comments

Raymond Mao Oct. 18, 2024, 2:38 p.m. UTC | #1
Hi Ilias,

On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Since lwIP and mbedTLS have been merged we can tweak the config options
> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> enough block cipher modes of operation to be comatible with modern
> TLS requirements and webservers
>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> ---
>  lib/mbedtls/Kconfig              | 12 ++++++++
>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>  3 files changed, 96 insertions(+), 1 deletion(-)
>
> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> index d71adc3648ad..f3e172633999 100644
> --- a/lib/mbedtls/Kconfig
> +++ b/lib/mbedtls/Kconfig
> @@ -430,4 +430,16 @@ endif # SPL
>
>  endif # MBEDTLS_LIB_X509
>
> +config MBEDTLS_LIB_TLS
> +       bool "MbedTLS TLS library"
> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on ASN1_DECODER_MBEDTLS
> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> +       depends on MBEDTLS_LIB_CRYPTO
> +       help
> +         Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> +         in wget
> +
>  endif # MBEDTLS_LIB
> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> index 83cb3c2fa705..845284799a11 100644
> --- a/lib/mbedtls/Makefile
> +++ b/lib/mbedtls/Makefile
> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>  mbedtls_lib_crypto-y := \
>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>         $(MBEDTLS_LIB_DIR)/constant_time.o \
> -       $(MBEDTLS_LIB_DIR)/md.o
> +       $(MBEDTLS_LIB_DIR)/md.o \
> +       $(MBEDTLS_LIB_DIR)/entropy.o \
> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> +       $(MBEDTLS_LIB_DIR)/aes.o \
> +       $(MBEDTLS_LIB_DIR)/cipher.o \
> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> +       $(MBEDTLS_LIB_DIR)/gcm.o \
> +
>
I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
control if it exists.
Take ECDSA for example:
mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o


>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>         $(MBEDTLS_LIB_DIR)/pkcs7.o
> +
> +#mbedTLS TLS support
> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> +mbedtls_lib_tls-y := \
> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>
Ditto, add the U-Boot Kconfig control if it exists.


> diff --git a/lib/mbedtls/mbedtls_def_config.h
> b/lib/mbedtls/mbedtls_def_config.h
> index 1af911c2003f..ac8f0bbf2c0e 100644
> --- a/lib/mbedtls/mbedtls_def_config.h
> +++ b/lib/mbedtls/mbedtls_def_config.h
> @@ -87,4 +87,56 @@
>
>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>
> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
> +#include "rtc.h"
> +
> +/* Generic options */
> +#define MBEDTLS_ENTROPY_HARDWARE_ALT
> +#define MBEDTLS_HAVE_TIME
> +#define MBEDTLS_PLATFORM_MS_TIME_ALT
> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
> +#define MBEDTLS_PLATFORM_C
> +#define MBEDTLS_SSL_CLI_C
> +#define MBEDTLS_SSL_TLS_C
> +#define MBEDTLS_CIPHER_C
> +#define MBEDTLS_MD_C
> +#define MBEDTLS_CTR_DRBG_C
> +#define MBEDTLS_AES_C
> +#define MBEDTLS_ENTROPY_C
> +#define MBEDTLS_NO_PLATFORM_ENTROPY
> +#define MBEDTLS_SSL_PROTO_TLS1_2
> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION
> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
> +
> +/* RSA */
> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
> +#define MBEDTLS_GCM_C
> +
> +/* ECDSA */
> +#define MBEDTLS_ECDSA_C
> +#define MBEDTLS_ECDH_C
> +#define MBEDTLS_ECDSA_DETERMINISTIC
> +#define MBEDTLS_HMAC_DRBG_C
> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
> +#define MBEDTLS_CAN_ECDH
> +#define MBEDTLS_PK_CAN_ECDSA_SIGN
> +#define MBEDTLS_ECP_C
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
> +
> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
> +
>  #endif /* #if defined CONFIG_MBEDTLS_LIB */
> --
> 2.45.2
>
>
Ilias Apalodimas Oct. 18, 2024, 2:54 p.m. UTC | #2
Hi Raymond,

On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>>
>> Since lwIP and mbedTLS have been merged we can tweak the config options
>> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> enough block cipher modes of operation to be comatible with modern
>> TLS requirements and webservers
>>
>> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> ---
>>  lib/mbedtls/Kconfig              | 12 ++++++++
>>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
>>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>>  3 files changed, 96 insertions(+), 1 deletion(-)
>>
>> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> index d71adc3648ad..f3e172633999 100644
>> --- a/lib/mbedtls/Kconfig
>> +++ b/lib/mbedtls/Kconfig
>> @@ -430,4 +430,16 @@ endif # SPL
>>
>>  endif # MBEDTLS_LIB_X509
>>
>> +config MBEDTLS_LIB_TLS
>> +       bool "MbedTLS TLS library"
>> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on ASN1_DECODER_MBEDTLS
>> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> +       depends on MBEDTLS_LIB_CRYPTO
>> +       help
>> +         Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> +         in wget
>> +
>>  endif # MBEDTLS_LIB
>> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> index 83cb3c2fa705..845284799a11 100644
>> --- a/lib/mbedtls/Makefile
>> +++ b/lib/mbedtls/Makefile
>> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>>  mbedtls_lib_crypto-y := \
>>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>> -       $(MBEDTLS_LIB_DIR)/md.o
>> +       $(MBEDTLS_LIB_DIR)/md.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy.o \
>> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> +       $(MBEDTLS_LIB_DIR)/aes.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher.o \
>> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
>> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> +       $(MBEDTLS_LIB_DIR)/gcm.o \
>> +
>
> I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
> control if it exists.
> Take ECDSA for example:
> mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o

Fair enough, but ECDSA is the only one that exists atm. I can move
that there, but I don't think we should create a Kconfig option per
object file.
Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.

>
>>
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>> +
>> +#mbedTLS TLS support
>> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> +mbedtls_lib_tls-y := \
>> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>
> Ditto, add the U-Boot Kconfig control if it exists.

None of these don't make sense to be a U-Boot Kconfig. They are
mbedTLS internal to enable TLS1.2 support.

Thanks
/Ilias

>
>>
>> diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
>> index 1af911c2003f..ac8f0bbf2c0e 100644
>> --- a/lib/mbedtls/mbedtls_def_config.h
>> +++ b/lib/mbedtls/mbedtls_def_config.h
>> @@ -87,4 +87,56 @@
>>
>>  #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
>>
>> +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
>> +#include "rtc.h"
>> +
>> +/* Generic options */
>> +#define MBEDTLS_ENTROPY_HARDWARE_ALT
>> +#define MBEDTLS_HAVE_TIME
>> +#define MBEDTLS_PLATFORM_MS_TIME_ALT
>> +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
>> +#define MBEDTLS_PLATFORM_C
>> +#define MBEDTLS_SSL_CLI_C
>> +#define MBEDTLS_SSL_TLS_C
>> +#define MBEDTLS_CIPHER_C
>> +#define MBEDTLS_MD_C
>> +#define MBEDTLS_CTR_DRBG_C
>> +#define MBEDTLS_AES_C
>> +#define MBEDTLS_ENTROPY_C
>> +#define MBEDTLS_NO_PLATFORM_ENTROPY
>> +#define MBEDTLS_SSL_PROTO_TLS1_2
>> +#define MBEDTLS_SSL_SERVER_NAME_INDICATION
>> +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
>> +
>> +/* RSA */
>> +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
>> +#define MBEDTLS_GCM_C
>> +
>> +/* ECDSA */
>> +#define MBEDTLS_ECDSA_C
>> +#define MBEDTLS_ECDH_C
>> +#define MBEDTLS_ECDSA_DETERMINISTIC
>> +#define MBEDTLS_HMAC_DRBG_C
>> +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
>> +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
>> +#define MBEDTLS_CAN_ECDH
>> +#define MBEDTLS_PK_CAN_ECDSA_SIGN
>> +#define MBEDTLS_ECP_C
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
>> +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP256R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP384R1_ENABLED
>> +#define MBEDTLS_ECP_DP_BP512R1_ENABLED
>> +
>> +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
>> +
>>  #endif /* #if defined CONFIG_MBEDTLS_LIB */
>> --
>> 2.45.2
>>
Raymond Mao Oct. 18, 2024, 3:26 p.m. UTC | #3
Hi Ilias,

On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Hi Raymond,
>
> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Hi Ilias,
> >
> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >>
> >> Since lwIP and mbedTLS have been merged we can tweak the config options
> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> >> enough block cipher modes of operation to be comatible with modern
> >> TLS requirements and webservers
> >>
> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >> ---
> >>  lib/mbedtls/Kconfig              | 12 ++++++++
> >>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
> >>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
> >>  3 files changed, 96 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> >> index d71adc3648ad..f3e172633999 100644
> >> --- a/lib/mbedtls/Kconfig
> >> +++ b/lib/mbedtls/Kconfig
> >> @@ -430,4 +430,16 @@ endif # SPL
> >>
> >>  endif # MBEDTLS_LIB_X509
> >>
> >> +config MBEDTLS_LIB_TLS
> >> +       bool "MbedTLS TLS library"
> >> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> >> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> +       depends on ASN1_DECODER_MBEDTLS
> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> +       depends on MBEDTLS_LIB_CRYPTO
> >> +       help
> >> +         Enable MbedTLS TLS library. If enabled HTTPs support will be
> enabled
> >> +         in wget
> >> +
> >>  endif # MBEDTLS_LIB
> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> >> index 83cb3c2fa705..845284799a11 100644
> >> --- a/lib/mbedtls/Makefile
> >> +++ b/lib/mbedtls/Makefile
> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> >>  mbedtls_lib_crypto-y := \
> >>         $(MBEDTLS_LIB_DIR)/platform_util.o \
> >>         $(MBEDTLS_LIB_DIR)/constant_time.o \
> >> -       $(MBEDTLS_LIB_DIR)/md.o
> >> +       $(MBEDTLS_LIB_DIR)/md.o \
> >> +       $(MBEDTLS_LIB_DIR)/entropy.o \
> >> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> >> +       $(MBEDTLS_LIB_DIR)/aes.o \
> >> +       $(MBEDTLS_LIB_DIR)/cipher.o \
> >> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> >> +       $(MBEDTLS_LIB_DIR)/gcm.o \
> >> +
> >
> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot
> Kconfig
> > control if it exists.
> > Take ECDSA for example:
> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
>
> Fair enough, but ECDSA is the only one that exists atm. I can move
> that there, but I don't think we should create a Kconfig option per
> object file.
> Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>
> I agree. We can move ECDSA and AES with Kconfig control and keep others
as-is at the moment.


> >
> >>
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> >> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> >>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> >>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> >>         $(MBEDTLS_LIB_DIR)/pkcs7.o
> >> +
> >> +#mbedTLS TLS support
> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> >> +mbedtls_lib_tls-y := \
> >> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
> >> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
> >> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
> >> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> >> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> >> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> >
> > Ditto, add the U-Boot Kconfig control if it exists.
>
> None of these don't make sense to be a U-Boot Kconfig. They are
> mbedTLS internal to enable TLS1.2 support.
>

I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.

[snip]

Regards,
Raymond
Ilias Apalodimas Oct. 21, 2024, 10:31 a.m. UTC | #4
Hi Raymond,

On Fri, 18 Oct 2024 at 18:26, Raymond Mao <raymond.mao@linaro.org> wrote:
>
> Hi Ilias,
>
> On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>>
>> Hi Raymond,
>>
>> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org> wrote:
>> >
>> > Hi Ilias,
>> >
>> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <ilias.apalodimas@linaro.org> wrote:
>> >>
>> >> Since lwIP and mbedTLS have been merged we can tweak the config options
>> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
>> >> enough block cipher modes of operation to be comatible with modern
>> >> TLS requirements and webservers
>> >>
>> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
>> >> ---
>> >>  lib/mbedtls/Kconfig              | 12 ++++++++
>> >>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
>> >>  lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
>> >>  3 files changed, 96 insertions(+), 1 deletion(-)
>> >>
>> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
>> >> index d71adc3648ad..f3e172633999 100644
>> >> --- a/lib/mbedtls/Kconfig
>> >> +++ b/lib/mbedtls/Kconfig
>> >> @@ -430,4 +430,16 @@ endif # SPL
>> >>
>> >>  endif # MBEDTLS_LIB_X509
>> >>
>> >> +config MBEDTLS_LIB_TLS
>> >> +       bool "MbedTLS TLS library"
>> >> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
>> >> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
>> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> +       depends on ASN1_DECODER_MBEDTLS
>> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
>> >> +       depends on MBEDTLS_LIB_CRYPTO
>> >> +       help
>> >> +         Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
>> >> +         in wget
>> >> +
>> >>  endif # MBEDTLS_LIB
>> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
>> >> index 83cb3c2fa705..845284799a11 100644
>> >> --- a/lib/mbedtls/Makefile
>> >> +++ b/lib/mbedtls/Makefile
>> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
>> >>  mbedtls_lib_crypto-y := \
>> >>         $(MBEDTLS_LIB_DIR)/platform_util.o \
>> >>         $(MBEDTLS_LIB_DIR)/constant_time.o \
>> >> -       $(MBEDTLS_LIB_DIR)/md.o
>> >> +       $(MBEDTLS_LIB_DIR)/md.o \
>> >> +       $(MBEDTLS_LIB_DIR)/entropy.o \
>> >> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
>> >> +       $(MBEDTLS_LIB_DIR)/aes.o \
>> >> +       $(MBEDTLS_LIB_DIR)/cipher.o \
>> >> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
>> >> +       $(MBEDTLS_LIB_DIR)/gcm.o \
>> >> +
>> >
>> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot Kconfig
>> > control if it exists.
>> > Take ECDSA for example:
>> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
>>
>> Fair enough, but ECDSA is the only one that exists atm. I can move
>> that there, but I don't think we should create a Kconfig option per
>> object file.
>> Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
>> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
>>
> I agree. We can move ECDSA and AES with Kconfig control and keep others as-is at the moment.

Ok I had a closer look at this. ECDSA and AES currently have Kconfig
options for the legacy crypto libs. As a result, we need to define
mbedtls variants etc which is ok.
We only have one board using AES atm and sandbox using ECDSA. Since I
want efi https for 2025.01, we can move the new .o files under
CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the
Kconfigs for all crypto which is a bit messy atm.

Are you ok with this?

>
>>
>> >
>> >>
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
>> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
>> >> @@ -54,3 +66,22 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
>> >>         $(MBEDTLS_LIB_DIR)/x509_crt.o
>> >>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
>> >>         $(MBEDTLS_LIB_DIR)/pkcs7.o
>> >> +
>> >> +#mbedTLS TLS support
>> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
>> >> +mbedtls_lib_tls-y := \
>> >> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
>> >> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
>> >> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
>> >> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
>> >> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
>> >> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
>> >
>> > Ditto, add the U-Boot Kconfig control if it exists.
>>
>> None of these don't make sense to be a U-Boot Kconfig. They are
>> mbedTLS internal to enable TLS1.2 support.
>
>
> I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
> I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.

I would prefer having TLS as a separate Kconfig option. We might need
to use it without wget and binding mbedTLS to lwIP doesn't make that
much sense. It does *currently* because that's the only code that uses
it

Thanks
/Ilias
>
> [snip]
>
> Regards,
> Raymond
Raymond Mao Oct. 21, 2024, 2:03 p.m. UTC | #5
Hi Ilias,

On Mon, 21 Oct 2024 at 06:32, Ilias Apalodimas <ilias.apalodimas@linaro.org>
wrote:

> Hi Raymond,
>
> On Fri, 18 Oct 2024 at 18:26, Raymond Mao <raymond.mao@linaro.org> wrote:
> >
> > Hi Ilias,
> >
> > On Fri, 18 Oct 2024 at 10:55, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >>
> >> Hi Raymond,
> >>
> >> On Fri, 18 Oct 2024 at 17:39, Raymond Mao <raymond.mao@linaro.org>
> wrote:
> >> >
> >> > Hi Ilias,
> >> >
> >> > On Fri, 18 Oct 2024 at 10:22, Ilias Apalodimas <
> ilias.apalodimas@linaro.org> wrote:
> >> >>
> >> >> Since lwIP and mbedTLS have been merged we can tweak the config
> options
> >> >> and enable TLS1.2 support. Add RSA and ECDSA by default and enable
> >> >> enough block cipher modes of operation to be comatible with modern
> >> >> TLS requirements and webservers
> >> >>
> >> >> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
> >> >> ---
> >> >>  lib/mbedtls/Kconfig              | 12 ++++++++
> >> >>  lib/mbedtls/Makefile             | 33 +++++++++++++++++++-
> >> >>  lib/mbedtls/mbedtls_def_config.h | 52
> ++++++++++++++++++++++++++++++++
> >> >>  3 files changed, 96 insertions(+), 1 deletion(-)
> >> >>
> >> >> diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
> >> >> index d71adc3648ad..f3e172633999 100644
> >> >> --- a/lib/mbedtls/Kconfig
> >> >> +++ b/lib/mbedtls/Kconfig
> >> >> @@ -430,4 +430,16 @@ endif # SPL
> >> >>
> >> >>  endif # MBEDTLS_LIB_X509
> >> >>
> >> >> +config MBEDTLS_LIB_TLS
> >> >> +       bool "MbedTLS TLS library"
> >> >> +       depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
> >> >> +       depends on X509_CERTIFICATE_PARSER_MBEDTLS
> >> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> >> +       depends on ASN1_DECODER_MBEDTLS
> >> >> +       depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
> >> >> +       depends on MBEDTLS_LIB_CRYPTO
> >> >> +       help
> >> >> +         Enable MbedTLS TLS library. If enabled HTTPs support will
> be enabled
> >> >> +         in wget
> >> >> +
> >> >>  endif # MBEDTLS_LIB
> >> >> diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
> >> >> index 83cb3c2fa705..845284799a11 100644
> >> >> --- a/lib/mbedtls/Makefile
> >> >> +++ b/lib/mbedtls/Makefile
> >> >> @@ -25,7 +25,19 @@ obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
> >> >>  mbedtls_lib_crypto-y := \
> >> >>         $(MBEDTLS_LIB_DIR)/platform_util.o \
> >> >>         $(MBEDTLS_LIB_DIR)/constant_time.o \
> >> >> -       $(MBEDTLS_LIB_DIR)/md.o
> >> >> +       $(MBEDTLS_LIB_DIR)/md.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/entropy.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/entropy_poll.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/aes.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/cipher.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/cipher_wrap.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ecdh.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ecdsa.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ecp.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/gcm.o \
> >> >> +
> >> >
> >> > I think we should move these to mbedtls_lib_tls.o and add the U-Boot
> Kconfig
> >> > control if it exists.
> >> > Take ECDSA for example:
> >> > mbedtls_lib_tls-$(CONFIG_$(SPL_)ECDSA) += $(MBEDTLS_LIB_DIR)/ecdsa.o
> >>
> >> Fair enough, but ECDSA is the only one that exists atm. I can move
> >> that there, but I don't think we should create a Kconfig option per
> >> object file.
> >> Those are mbedTLS internals dependencies to enable TLS1.2.  Perhaps
> >> only ECDSA, AES and ECDH? OTOH the existing md5 doesn't follow that.
> >>
> > I agree. We can move ECDSA and AES with Kconfig control and keep others
> as-is at the moment.
>
> Ok I had a closer look at this. ECDSA and AES currently have Kconfig
> options for the legacy crypto libs. As a result, we need to define
> mbedtls variants etc which is ok.
> We only have one board using AES atm and sandbox using ECDSA. Since I
> want efi https for 2025.01, we can move the new .o files under
> CONFIG_MBEDTLS_LIB_TLS and then send a patch on top cleaning up the
> Kconfigs for all crypto which is a bit messy atm.
>
> Are you ok with this?
>
> Yes, I agree. We can do this after all related patches are merged.


> >
> >>
> >> >
> >> >>
> >> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/md5.o
> >> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) +=
> $(MBEDTLS_LIB_DIR)/sha1.o
> >> >>  mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
> >> >> @@ -54,3 +66,22 @@
> mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
> >> >>         $(MBEDTLS_LIB_DIR)/x509_crt.o
> >> >>  mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
> >> >>         $(MBEDTLS_LIB_DIR)/pkcs7.o
> >> >> +
> >> >> +#mbedTLS TLS support
> >> >> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
> >> >> +mbedtls_lib_tls-y := \
> >> >> +       $(MBEDTLS_LIB_DIR)/mps_reader.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/mps_trace.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/net_sockets.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/pk_ecc.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_cache.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_client.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_cookie.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_msg.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_ticket.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/hmac_drbg.o \
> >> >> +       $(MBEDTLS_LIB_DIR)/ctr_drbg.o \
> >> >
> >> > Ditto, add the U-Boot Kconfig control if it exists.
> >>
> >> None of these don't make sense to be a U-Boot Kconfig. They are
> >> mbedTLS internal to enable TLS1.2 support.
> >
> >
> > I saw Jerome added CONFIG_NET and CONFIG_NET_LWIP in his LWIP series.
> > I think the net_sockets, ssl_# and ssl_tls12_# can be under this control.
>
> I would prefer having TLS as a separate Kconfig option. We might need
> to use it without wget and binding mbedTLS to lwIP doesn't make that
> much sense. It does *currently* because that's the only code that uses
> it
>
> That is fine. Thanks.

Regards,
Raymond
diff mbox series

Patch

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index d71adc3648ad..f3e172633999 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -430,4 +430,16 @@  endif # SPL
 
 endif # MBEDTLS_LIB_X509
 
+config MBEDTLS_LIB_TLS
+	bool "MbedTLS TLS library"
+	depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS
+	depends on X509_CERTIFICATE_PARSER_MBEDTLS
+	depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+	depends on ASN1_DECODER_MBEDTLS
+	depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS
+	depends on MBEDTLS_LIB_CRYPTO
+	help
+	  Enable MbedTLS TLS library. If enabled HTTPs support will be enabled
+	  in wget
+
 endif # MBEDTLS_LIB
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index 83cb3c2fa705..845284799a11 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -25,7 +25,19 @@  obj-$(CONFIG_MBEDTLS_LIB) += mbedtls_lib_crypto.o
 mbedtls_lib_crypto-y := \
 	$(MBEDTLS_LIB_DIR)/platform_util.o \
 	$(MBEDTLS_LIB_DIR)/constant_time.o \
-	$(MBEDTLS_LIB_DIR)/md.o
+	$(MBEDTLS_LIB_DIR)/md.o \
+	$(MBEDTLS_LIB_DIR)/entropy.o \
+	$(MBEDTLS_LIB_DIR)/entropy_poll.o \
+	$(MBEDTLS_LIB_DIR)/aes.o \
+	$(MBEDTLS_LIB_DIR)/cipher.o \
+	$(MBEDTLS_LIB_DIR)/cipher_wrap.o \
+	$(MBEDTLS_LIB_DIR)/ecdh.o \
+	$(MBEDTLS_LIB_DIR)/ecdsa.o \
+	$(MBEDTLS_LIB_DIR)/ecp.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves.o \
+	$(MBEDTLS_LIB_DIR)/ecp_curves_new.o \
+	$(MBEDTLS_LIB_DIR)/gcm.o \
+
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o
 mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \
@@ -54,3 +66,22 @@  mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/x509_crt.o
 mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/pkcs7.o
+
+#mbedTLS TLS support
+obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o
+mbedtls_lib_tls-y := \
+	$(MBEDTLS_LIB_DIR)/mps_reader.o \
+	$(MBEDTLS_LIB_DIR)/mps_trace.o \
+	$(MBEDTLS_LIB_DIR)/net_sockets.o \
+	$(MBEDTLS_LIB_DIR)/pk_ecc.o \
+	$(MBEDTLS_LIB_DIR)/ssl_cache.o \
+	$(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \
+	$(MBEDTLS_LIB_DIR)/ssl_client.o \
+	$(MBEDTLS_LIB_DIR)/ssl_cookie.o \
+	$(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \
+	$(MBEDTLS_LIB_DIR)/ssl_msg.o \
+	$(MBEDTLS_LIB_DIR)/ssl_ticket.o \
+	$(MBEDTLS_LIB_DIR)/ssl_tls.o \
+	$(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \
+	$(MBEDTLS_LIB_DIR)/hmac_drbg.o \
+	$(MBEDTLS_LIB_DIR)/ctr_drbg.o \
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index 1af911c2003f..ac8f0bbf2c0e 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -87,4 +87,56 @@ 
 
 #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */
 
+#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)
+#include "rtc.h"
+
+/* Generic options */
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_PLATFORM_MS_TIME_ALT
+#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_AES_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+/* RSA */
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#define MBEDTLS_GCM_C
+
+/* ECDSA */
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+
+#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */
+
 #endif /* #if defined CONFIG_MBEDTLS_LIB */