From: Simon Glass
To: U-Boot Concept
CC: Simon Glass, Claude
Date: Fri, 31 Oct 2025 00:54:04 -0600
Subject: [Concept] [PATCH 08/24] mbedtls: Allow use of PKCS#5 functions

Add a few Kconfig options to allow PKCS#5 (PBKDF2) to be used within U-Boot

Co-developed-by: Claude
Signed-off-by: Simon Glass
---
 lib/mbedtls/Kconfig | 14 ++++++++++++++
 lib/mbedtls/Makefile | 2 ++
 lib/mbedtls/mbedtls_def_config.h | 4 ++++
 3 files changed, 20 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig index 789721ee6cd..2af043ba5b1 100644 --- a/lib/mbedtls/Kconfig +++ b/lib/mbedtls/Kconfig @@ -231,6 +231,13 @@ config HKDF_MBEDTLS This option enables support of key derivation using HKDF algorithm with MbedTLS crypto library. +config PKCS5_MBEDTLS + bool "Enable PKCS#5 support with MbedTLS crypto library" + depends on MBEDTLS_LIB_CRYPTO + help + This option enables support of PKCS#5 functions (PBKDF2) with + MbedTLS crypto library. Required for LUKS decryption. + endif # MBEDTLS_LIB_CRYPTO config MBEDTLS_LIB_X509 
@@ -489,6 +496,13 @@ config SPL_HKDF_MBEDTLS This option enables support of key derivation using HKDF algorithm with MbedTLS crypto library in SPL. +config SPL_PKCS5_MBEDTLS + bool "Enable PKCS#5 support with MbedTLS crypto library (SPL)" + depends on SPL_MBEDTLS_LIB_CRYPTO + help + This option enables support of PKCS#5 functions (PBKDF2) with + MbedTLS crypto library in SPL. Required for LUKS decryption. + endif # SPL_MBEDTLS_LIB_CRYPTO config SPL_MBEDTLS_LIB_X509 diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index c5b445bd85c..0506a5a6b3e 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -35,6 +35,8 @@ mbedtls_lib_crypto-$(CONFIG_$(PHASE_)SHA512_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/sha512.o mbedtls_lib_crypto-$(CONFIG_$(PHASE_)HKDF_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/hkdf.o +mbedtls_lib_crypto-$(CONFIG_$(PHASE_)PKCS5_MBEDTLS) += \ + $(MBEDTLS_LIB_DIR)/pkcs5.o # MbedTLS X509 library obj-$(CONFIG_$(XPL_)MBEDTLS_LIB_X509) += mbedtls_lib_x509.o diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index dda3f4dd6e4..9e3beed07f4 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -60,6 +60,10 @@ #define MBEDTLS_HKDF_C #endif +#if CONFIG_IS_ENABLED(PKCS5_MBEDTLS) +#define MBEDTLS_PKCS5_C +#endif + #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509) #if CONFIG_IS_ENABLED(X509_CERTIFICATE_PARSER)
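
Review bot: in the lib/mbedtls/Kconfig hunk at @@ -231,6 +231,13 @@, PKCS5_MBEDTLS has only `depends on MBEDTLS_LIB_CRYPTO`, but PBKDF2 is built on HMAC over a digest, so the option can be switched on with no digest option configured. Consider a `select` or `depends on` for the digest option(s) the LUKS code needs (the Makefile context shows SHA512_MBEDTLS as one such option). Since the help says "Required for LUKS decryption", it would also be more robust for the LUKS option to select PKCS5_MBEDTLS than to rely on the user reading this help text.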
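
Review bot: in the SPL hunk at @@ -489,6 +496,13 @@, the help for SPL_PKCS5_MBEDTLS repeats "Required for LUKS decryption" from the non-SPL entry without saying when SPL needs it. Please reword it to say that the option is only needed when the LUKS volume is unlocked from SPL, so that boards which unlock in U-Boot proper do not enable it and grow SPL for no benefit.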
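
Review bot: the lib/mbedtls/mbedtls_def_config.h hunk defines MBEDTLS_PKCS5_C only under `CONFIG_IS_ENABLED(PKCS5_MBEDTLS)`, and the diffstat lists just the three lib/mbedtls files, so nothing in this patch enables the option or exercises pkcs5.o. Enabling it in a test configuration with a PBKDF2 known-answer check, or stating in the commit message which later patch in the series does so, would show that the new build path compiles and derives the expected key.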