diff mbox series

[Concept,08/24] mbedtls: Allow use of PKCS#5 functions

Message ID	20251031065439.3251464-9-sjg@u-boot.org
State	New
Headers	From: Simon Glass <sjg@u-boot.org> To: U-Boot Concept <concept@u-boot.org> Date: Fri, 31 Oct 2025 00:54:04 -0600 Message-ID: <20251031065439.3251464-9-sjg@u-boot.org> In-Reply-To: <20251031065439.3251464-1-sjg@u-boot.org> References: <20251031065439.3251464-1-sjg@u-boot.org> MIME-Version: 1.0 Message-ID-Hash: QYQTI6NTBOP2QZJHD6H5ARYKSMDFXN4C CC: Simon Glass <sjg@chromium.org>, Claude <noreply@anthropic.com> Precedence: list Subject: [Concept] [PATCH 08/24] mbedtls: Allow use of PKCS#5 functions Archived-At: <https://lists.u-boot.org/archives/list/concept@u-boot.org/message/QYQTI6NTBOP2QZJHD6H5ARYKSMDFXN4C/> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
Series	luks: Provide basic support for unlocking a LUKS1 partition \| [Concept,00/24] luks: Provide basic support for unlocking a LUKS1 partition [Concept,01/24] aes: Fix key size handling for AES-192 and AES-256 [Concept,02/24] doc: Provide documentation for the blkmap command [Concept,03/24] log: Provide a macro to log a hex string [Concept,04/24] panic: Provide a way to poweroff on panic [Concept,05/24] sandbox: Enable CONFIG_PANIC_POWEROFF [Concept,06/24] sandbox: Add devon and devoff subcommands to sb command [Concept,07/24] mbedtls: hash: Provide the mbedtls hash type in the hash interface [Concept,08/24] mbedtls: Allow use of PKCS#5 functions [Concept,09/24] test/py: Support creating space after a filesystem [Concept,10/24] test/py: Support FDE with the extlinux image [Concept,11/24] test/py: Set up an Ubuntu image with space for FDE [Concept,12/24] docker: Add cryptsetup package for LUKS testing [Concept,13/24] CI: Update Docker image to including luks tools [Concept,14/24] luks: Add a way to create an encrypted partition [Concept,15/24] luks: Encrypt the mmc11 test image [Concept,16/24] luks: Add the beginning of LUKS support [Concept,17/24] luks: Add a simple command [Concept,18/24] luks: Create a very simple JSON library [Concept,19/24] luks: Create a disk image with LUKS2 encryption [Concept,20/24] luks: Show the JSON information for LUKSv2 [Concept,21/24] luks: Enhance blkmap to support LUKSv1 [Concept,22/24] luks: Provide a way to unlock and map encrypted partitions [Concept,23/24] luks: Add a subcommand to unlock an encrypted partition

Commit Message

Simon Glass Oct. 31, 2025, 6:54 a.m. UTC

  From: Simon Glass <sjg@chromium.org>

Add a few Kconfig options to allow PKCS#5 (PBKDF2) to be used within
U-Boot

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
---

 lib/mbedtls/Kconfig              | 14 ++++++++++++++
 lib/mbedtls/Makefile             |  2 ++
 lib/mbedtls/mbedtls_def_config.h |  4 ++++
 3 files changed, 20 insertions(+)

diff mbox series

Patch

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index 789721ee6cd..2af043ba5b1 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -231,6 +231,13 @@  config HKDF_MBEDTLS
 	  This option enables support of key derivation using HKDF algorithm
 	  with MbedTLS crypto library.
 
+config PKCS5_MBEDTLS
+	bool "Enable PKCS#5 support with MbedTLS crypto library"
+	depends on MBEDTLS_LIB_CRYPTO
+	help
+	  This option enables support of PKCS#5 functions (PBKDF2) with
+	  MbedTLS crypto library. Required for LUKS decryption.
+
 endif # MBEDTLS_LIB_CRYPTO
 
 config MBEDTLS_LIB_X509
@@ -489,6 +496,13 @@  config SPL_HKDF_MBEDTLS
 	  This option enables support of key derivation using HKDF algorithm
 	  with MbedTLS crypto library in SPL.
 
+config SPL_PKCS5_MBEDTLS
+	bool "Enable PKCS#5 support with MbedTLS crypto library (SPL)"
+	depends on SPL_MBEDTLS_LIB_CRYPTO
+	help
+	  This option enables support of PKCS#5 functions (PBKDF2) with
+	  MbedTLS crypto library in SPL. Required for LUKS decryption.
+
 endif # SPL_MBEDTLS_LIB_CRYPTO
 
 config SPL_MBEDTLS_LIB_X509
diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile
index c5b445bd85c..0506a5a6b3e 100644
--- a/lib/mbedtls/Makefile
+++ b/lib/mbedtls/Makefile
@@ -35,6 +35,8 @@  mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/sha512.o
 mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \
 	$(MBEDTLS_LIB_DIR)/hkdf.o
+mbedtls_lib_crypto-$(CONFIG_$(PHASE_)PKCS5_MBEDTLS) += \
+	$(MBEDTLS_LIB_DIR)/pkcs5.o
 
 # MbedTLS X509 library
 obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o
diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h
index dda3f4dd6e4..9e3beed07f4 100644
--- a/lib/mbedtls/mbedtls_def_config.h
+++ b/lib/mbedtls/mbedtls_def_config.h
@@ -60,6 +60,10 @@ 
 #define MBEDTLS_HKDF_C
 #endif
 
+#if CONFIG_IS_ENABLED(PKCS5_MBEDTLS)
+#define MBEDTLS_PKCS5_C
+#endif
+
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
 
 #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)