From: Simon Glass
To: U-Boot Concept
CC: Heinrich Schuchardt, Simon Glass, Claude
Subject: [Concept] [PATCH 07/15] lib: Plumb in argon2 library
Date: Tue, 11 Nov 2025 05:41:13 -0700
Message-ID: <20251111124131.1198930-8-sjg@u-boot.org>
In-Reply-To: <20251111124131.1198930-1-sjg@u-boot.org>
References: <20251111124131.1198930-1-sjg@u-boot.org>
List-Id: Discussion and patches related to U-Boot Concept

From: Simon Glass

Add a Kconfig option to enable this library and add it to the lib/
Makefile, being careful to avoid a conflict with the existing blake2b
implementation.

Co-developed-by: Claude
Signed-off-by: Simon Glass
--- drivers/misc/Kconfig | 2 +- fs/btrfs/Kconfig | 2 +- lib/Kconfig | 14 +++++++++++++- lib/Makefile | 4 ++++ 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig index a352fa5fee0..7a217ad055d 100644 --- a/drivers/misc/Kconfig +++ b/drivers/misc/Kconfig @@ -37,7 +37,7 @@ config TKEY bool "TKey security token support" depends on DM default y if SANDBOX - select BLAKE2 + select BLAKE2 if !ARGON2 help Enable driver model support for Tillitis TKey security tokens. This provides a common interface for TKey operations including diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig index e31afe595f3..c6430f83452 100644 --- a/fs/btrfs/Kconfig +++ b/fs/btrfs/Kconfig 
@@ -6,7 +6,7 @@ config FS_BTRFS select ZSTD select RBTREE select SHA256 - select BLAKE2 + select BLAKE2 if !ARGON2 help This provides a single-device read-only BTRFS support. BTRFS is a next-generation Linux file system based on the copy-on-write diff --git a/lib/Kconfig b/lib/Kconfig index c8bf4b4b049..662b1a44d45 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -542,11 +542,12 @@ menu "Hashing Support" config BLAKE2 bool "Enable BLAKE2 support" + depends on !ARGON2 help This option enables support of hashing using BLAKE2B algorithm. The hash is calculated in software. The BLAKE2 algorithm produces a hash value (digest) between 1 and - 64 bytes. + 64 bytes. Note: ARGON2 includes its own BLAKE2 implementation. config SHA1 bool "Enable SHA1 support" @@ -983,6 +984,17 @@ config JSON printing functions. JSON is used for structured data representation, such as LUKS2 metadata. +config ARGON2 + bool "Enable Argon2 password hashing" + help + This enables the Argon2 password hashing algorithm, winner of the + Password Hashing Competition (PHC). Argon2 is used for key derivation + in LUKS2 encrypted volumes. It provides better resistance to GPU + cracking attacks compared to PBKDF2. + + Note: This option includes its own BLAKE2 implementation and is + mutually exclusive with CONFIG_BLAKE2. + config OF_LIBFDT bool "Enable the FDT library" default y if OF_CONTROL diff --git a/lib/Makefile b/lib/Makefile index 71c9c0d1766..5cbf3071f96 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -80,7 +80,10 @@ obj-$(CONFIG_$(PHASE_)ACPI) += acpi/ obj-$(CONFIG_ECDSA) += ecdsa/ obj-$(CONFIG_$(PHASE_)RSA) += rsa/ obj-$(CONFIG_HASH) += hash-checksum.o + +# argon2 provides its own blake2b; just build blake2s when ARGON2 is enabled obj-$(CONFIG_BLAKE2) += blake2/blake2b.o blake2/blake2s.o +obj-$(CONFIG_ARGON2) += blake2/blake2s.o obj-$(CONFIG_$(PHASE_)MD5_LEGACY) += md5.o obj-$(CONFIG_$(PHASE_)SHA1_LEGACY) += sha1.o 
@@ -89,6 +92,7 @@ obj-$(CONFIG_$(PHASE_)SHA256_LEGACY) += sha256.o obj-$(CONFIG_$(PHASE_)SHA512_LEGACY) += sha512.o obj-$(CONFIG_CRYPT_PW) += crypt/ +obj-$(CONFIG_ARGON2) += argon2/ obj-$(CONFIG_$(PHASE_)ASN1_DECODER_LEGACY) += asn1_decoder.o obj-$(CONFIG_$(PHASE_)ZLIB) += zlib/
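Review bot: In the drivers/misc/Kconfig hunk, `select BLAKE2 if !ARGON2` leaves TKEY with CONFIG_BLAKE2 unset whenever ARGON2 is enabled, so the TKey driver then relies on the blake2 code that ARGON2 brings in, and nothing in this patch shows that copy exposing the same function names and prototypes as lib/blake2/. Please say in the commit message that the two are API-compatible, and check that no TKey code is itself guarded by CONFIG_BLAKE2, since such code would be compiled out in the ARGON2=y case.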
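Review bot: The fs/btrfs/Kconfig hunk repeats the `select BLAKE2 if !ARGON2` guard already added for TKEY, which means every present and future blake2 user has to know about ARGON2. Consider keeping plain `select BLAKE2` in the users, treating CONFIG_BLAKE2 as "the blake2 API is available", and letting lib/Makefile skip blake2/blake2b.o when CONFIG_ARGON2 is set, so the conflict is handled in one place.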
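Review bot: In the lib/Kconfig hunk for config BLAKE2, `depends on !ARGON2` does not stop another option from forcing BLAKE2 on, because Kconfig `select` ignores the dependencies of the symbol it selects. Any `select BLAKE2` elsewhere in the tree that lacks the `if !ARGON2` guard will set BLAKE2=y alongside ARGON2=y with only an unmet-dependency warning, and the `obj-$(CONFIG_BLAKE2)` rule will then build blake2/blake2b.o next to the blake2b that ARGON2 provides. Please confirm that TKEY and FS_BTRFS are the only selectors, and consider extending the new help sentence to say that BLAKE2 cannot be enabled together with ARGON2.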
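Review bot: The help text of the new config ARGON2 entry in lib/Kconfig says nothing about memory use, which is what a board maintainer most needs to know before enabling it: Argon2's memory cost is a parameter fixed when the volume was created, so a LUKS2 keyslot can ask for more than the heap U-Boot has available. Suggest adding a sentence on that. The entry also has no `depends on` of its own, so the exclusivity with CONFIG_BLAKE2 described in its note is enforced only from the BLAKE2 side.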
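Review bot: In the first lib/Makefile hunk the new comment sits above the `obj-$(CONFIG_BLAKE2)` line, but it describes the `obj-$(CONFIG_ARGON2) += blake2/blake2s.o` line added below it; move it down one line so it reads with the rule it explains. The comment could also say what needs blake2s.o in an ARGON2 build, since the Kconfig help only states that ARGON2 "includes its own BLAKE2 implementation".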