mbedtls: Move local mbedtls to v3.6.0 #1987
Conversation
d3zd3z
requested review from
utzig,
tamasban,
nordicjm,
davidvincze and
de-nordic
|
Some of the code depends on internal fields in Mbed TLS which have been made inaccessible. There will need to be some code rewrites to make this work. |
|
Try updating: https://github.com/mcu-tools/mcuboot/blob/main/boot/bootutil/include/bootutil/crypto/common.h#L14 To: And leave the |
|
Otherwise you could also update |
|
I've tried updating mbedtls-asn1 to 3.6.0. However, mynewt fails to build with this. There are two issues. One is that |
d3zd3z
force-pushed
the
update-mbedtls
branch
2 times, most recently
from
6427f58
to
7250c07
Compare
|
@almir-okato I'm trying to figure out the best way to get espressif working with the newest Mbed TLS. It is arguable that this is actually broken in upstream, but it will take a while to get a fix in. It might make sense to just remove Thoughts? |
|
Mynewt does not define the date macros in tree; this config is coming from |
|
LOL, one possible hack! Change https://github.com/mcu-tools/mcuboot/blob/main/ext/mbedtls-asn1/include/mbedtls/private_access.h from: to:
|
Those are the minimal files I was able to bring in to get it to build. There is just a lot of include promiscuity in their header files, and a lot gets pulled in. Honestly, I'd like to get rid of the directory entirely, and just depend on the mbed TLS tree. |
Unfortunately, that doesn't fix the things that rely on the full upstream Mbed TLS, where we can't change the definition. It also doesn't work, because the removal of private is only for the ASN.1 headers, and the structs used for some of the keys still have private fields. That is going to have to get fixed soon, anyway, because they are removing the ability to access private fields at all in the next release. But, they know are needs, so hopefully there will be accessors for what is needed. Mostly, it involves constructing the keys with import functions instead of just assembling them manually. |
Better to just use or adapt something like the hack I suggested above. This library has nothing to do with MbedTLS apart from the name, and files copied over, but it's not to be used when MbedTLS is defined, only for Tinycrypt/fiat/whatever. |
d3zd3z
changed the title
|
I have moved the mcuboot change to allow newer mbed TLS into #1989 so it can be merged separately, and that will fix Zephyr, for example. This looks like it will need some work with espressif and mynewt. |
Mynewt passed. For Espressif try commenting out these lines: https://github.com/mcu-tools/mcuboot/blob/main/boot/espressif/include/crypto_config/mbedtls_custom_config.h#L136 I believe this should allow it to also pass the tests. I don't think those should be enabled anyway, but @almir-okato can approve later. |
I tried this, and at least locally, it doesn't seem to pass. There seem to be declarations within the ESP32 Mynewt works because it doesn't pull in the submodule, but pulls in the mbedtls directly. Espressif uses the submodules, and runs into the issues. Ideally, we should possibly migrate mynewt to a newer mbed TLS at some point, but at least that can be done independent of mcuboot. One workaround would be to just go grab the old version of mbedtls in the test. |
|
I have added some code to the espressif ci script to revert mbedtls to a known working version. The real fix probably needs to happen in mbed TLS, so will probably come with a newer version. The time macro check in mbed TLS assumes either POSIX or Windows, and hits an |
|
Rebased this. I think this is a good first step to migrating to newer mbed TLS. We upgrade the version in our tree, but hold back mynewt and espressif, since fixing those involves changes outside of the mcuboot tree.
|
Mynewt always had explicitly disabled this option, I will test locally but this should already be at the NOT set config. |
Confirmed, Mynewt does not set |
|
I think this is fine but I am quite sure the Espressif changed will be reverted, I still believe that changing the configs I pointed above would solve the issues! :-P |
Sorry I didn't notice that I was tagged here. I'll take a better look into this. |
|
@d3zd3z can you rebase and remove the final commit? Should be fixed now |
The in-tree mbedtls (used for the simulator and some targets) is a few years old, and currently is unable to pass the rsa tests when built with clang. Update this mbed TLS to the v3.6.0 release. This fixes clang support in the simulator. There are a few minor changes to configuration and what files are needed to support newer version of Mbed TLS. Fixes mcu-tools#1986 Signed-off-by: David Brown <david.brown@linaro.org>
Until espressif builds can be updated to work with recent versions of mbedtls, explicitly revert the version used to one that is known to work. Signed-off-by: David Brown <david.brown@linaro.org>
d3zd3z
force-pushed
the
update-mbedtls
branch
from
bc744e9
to
d302151
Compare
This will almost certainly break with future versions of MbedTLS, though. Their intent is to make these fields impossible to access, not just more difficult. There will probably always be a way to work around it, but it will likely just get messier. |
The in-tree mbedtls (used for the simulator and some targets) is a few years old, and currently is unable to pass the rsa tests when built with clang. Update this mbed TLS to the v3.5.2 release. This fixes clang support in the simulator.
Fixes #1986