[Concept,07/15] lib: Plumb in argon2 library

Message ID 20251111124131.1198930-8-sjg@u-boot.org
State New
Series luks: Provide support for LUKSv2 |

Commit Message

Simon Glass Nov. 11, 2025, 12:41 p.m. UTC
  From: Simon Glass <simon.glass@canonical.com>

Add a Kconfig option to enable this library and add it to the lib/
Makefile, being careful to avoid a conflict with the existing blake2b
implementation.

Co-developed-by: Claude <noreply@anthropic.com>
Signed-off-by: Simon Glass <simon.glass@canonical.com>
---

 drivers/misc/Kconfig |  2 +-
 fs/btrfs/Kconfig     |  2 +-
 lib/Kconfig          | 14 +++++++++++++-
 lib/Makefile         |  4 ++++
 4 files changed, 19 insertions(+), 3 deletions(-)
  

Patch

diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index a352fa5fee0..7a217ad055d 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -37,7 +37,7 @@  config TKEY
 	bool "TKey security token support"
 	depends on DM
 	default y if SANDBOX
-	select BLAKE2
+	select BLAKE2 if !ARGON2
 	help
 	  Enable driver model support for Tillitis TKey security tokens.
 	  This provides a common interface for TKey operations including
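Review bot: With ARGON2=y, `select BLAKE2 if !ARGON2` leaves TKEY without CONFIG_BLAKE2, so the driver relies on lib/Makefile still building blake2s.o and on nothing in its path being guarded by CONFIG_BLAKE2. The same conditional in fs/btrfs/Kconfig makes btrfs checksumming rely on the blake2b bundled with argon2 exporting the same symbols and prototypes as lib/blake2, which this patch does not show. Neither coupling is stated where a maintainer would look, so I would add `# ARGON2=y: blake2b comes from lib/argon2, blake2s from lib/Makefile` above each select. Both configurations probably deserve a build and a hash known-answer test, since the token and checksum code now run against a different implementation depending on an unrelated option.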
diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig
index e31afe595f3..c6430f83452 100644
--- a/fs/btrfs/Kconfig
+++ b/fs/btrfs/Kconfig
@@ -6,7 +6,7 @@  config FS_BTRFS
 	select ZSTD
 	select RBTREE
 	select SHA256
-	select BLAKE2
+	select BLAKE2 if !ARGON2
 	help
 	  This provides a single-device read-only BTRFS support. BTRFS is a
 	  next-generation Linux file system based on the copy-on-write
diff --git a/lib/Kconfig b/lib/Kconfig
index c8bf4b4b049..662b1a44d45 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -542,11 +542,12 @@  menu "Hashing Support"
 
 config BLAKE2
 	bool "Enable BLAKE2 support"
+	depends on !ARGON2
 	help
 	  This option enables support of hashing using BLAKE2B algorithm.
 	  The hash is calculated in software.
 	  The BLAKE2 algorithm produces a hash value (digest) between 1 and
-	  64 bytes.
+	  64 bytes. Note: ARGON2 includes its own BLAKE2 implementation.
 
 config SHA1
 	bool "Enable SHA1 support"
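Review bot: The new `depends on !ARGON2` under `config BLAKE2` is not enforced against `select`, because Kconfig lets a select override a symbol's dependencies. This patch converts the selects in drivers/misc and fs/btrfs, but any other `select BLAKE2` in the tree (not visible here) would still force BLAKE2=y alongside ARGON2=y, giving an unmet-dependency warning and probably two blake2b implementations at link time. I would check for remaining selectors and record the rule next to the symbol, for example `# select ignores this dependency: selectors must use "select BLAKE2 if !ARGON2"`. Having argon2 call the existing lib/blake2 code would remove the exclusion altogether, if its bundled copy is API-compatible.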
@@ -983,6 +984,17 @@  config JSON
 	  printing functions. JSON is used for structured data representation,
 	  such as LUKS2 metadata.
 
+config ARGON2
+	bool "Enable Argon2 password hashing"
+	help
+	  This enables the Argon2 password hashing algorithm, winner of the
+	  Password Hashing Competition (PHC). Argon2 is used for key derivation
+	  in LUKS2 encrypted volumes. It provides better resistance to GPU
+	  cracking attacks compared to PBKDF2.
+
+	  Note: This option includes its own BLAKE2 implementation and is
+	  mutually exclusive with CONFIG_BLAKE2.
+
 config OF_LIBFDT
 	bool "Enable the FDT library"
 	default y if OF_CONTROL
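Review bot: The ARGON2 help text does not mention how much memory the algorithm needs, which is what a board maintainer has to plan for. Argon2 is memory-hard, and for LUKS2 the memory and time costs are read from the volume header. The unlock path, which is outside this patch, therefore presumably has to bound those values against the available heap rather than trust the on-disk metadata. I would add to the help: `The memory cost is taken from the LUKS2 header and can far exceed a typical malloc pool; size the heap accordingly.`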
diff --git a/lib/Makefile b/lib/Makefile
index 71c9c0d1766..5cbf3071f96 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -80,7 +80,10 @@  obj-$(CONFIG_$(PHASE_)ACPI) += acpi/
 obj-$(CONFIG_ECDSA) += ecdsa/
 obj-$(CONFIG_$(PHASE_)RSA) += rsa/
 obj-$(CONFIG_HASH) += hash-checksum.o
+
+# argon2 provides its own blake2b; just build blake2s when ARGON2 is enabled
 obj-$(CONFIG_BLAKE2) += blake2/blake2b.o blake2/blake2s.o
+obj-$(CONFIG_ARGON2) += blake2/blake2s.o
 
 obj-$(CONFIG_$(PHASE_)MD5_LEGACY) += md5.o
 obj-$(CONFIG_$(PHASE_)SHA1_LEGACY) += sha1.o
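Review bot: `obj-$(CONFIG_ARGON2) += blake2/blake2s.o` builds blake2s for every ARGON2 configuration, but the comment above it does not say who needs it; Argon2 itself is specified on BLAKE2b only, and from the Kconfig hunks the user appears to be TKEY. The two blake2 lines are also only safe while Kconfig keeps BLAKE2 and ARGON2 exclusive: with both set, blake2b.o would presumably collide with the copy under argon2/. I would reword the comment as `# argon2 bundles blake2b, so BLAKE2 is off when ARGON2=y; blake2s is still built for users such as TKEY`, or tie the line to the option that actually uses blake2s.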
@@ -89,6 +92,7 @@  obj-$(CONFIG_$(PHASE_)SHA256_LEGACY) += sha256.o
 obj-$(CONFIG_$(PHASE_)SHA512_LEGACY) += sha512.o
 
 obj-$(CONFIG_CRYPT_PW) += crypt/
+obj-$(CONFIG_ARGON2) += argon2/
 obj-$(CONFIG_$(PHASE_)ASN1_DECODER_LEGACY) += asn1_decoder.o
 
 obj-$(CONFIG_$(PHASE_)ZLIB) += zlib/