[PATCH 26/41] Support for multiple crypto libraries and algs
4 views
Skip to first unread message
Stefano Babic
Jul 22, 2025, 2:08:43 AM7/22/25
to swup...@googlegroups.com, Stefano Babic
Enable support of multiple crypto libraries at once and multiple
algorithms.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
Kconfig | 37 +++++++++++++++++--------------------
Makefile.deps | 4 ++++
Makefile.flags | 16 ++++++++--------
crypto/Makefile | 21 ++++++++-------------
4 files changed, 37 insertions(+), 41 deletions(-)
diff --git a/Kconfig b/Kconfig
index 1dead664..9171a7b2 100644
--- a/Kconfig
+++ b/Kconfig
@@ -105,6 +105,10 @@ config HAVE_MBEDTLS
bool
option env="HAVE_MBEDTLS"
+config HAVE_GPGME
+ bool
+ option env="HAVE_GPGME"
+
config HAVE_P11KIT
bool
option env="HAVE_P11KIT"
@@ -395,17 +399,10 @@ source "mongoose/Kconfig"
comment "Security"
-choice
- prompt "SSL implementation to use"
- default SSL_IMPL_OPENSSL
- help
- Select SSL implementation for hashing, verifying and decrypting images.
-
- config SSL_IMPL_NONE
- bool "None"
-
+menu "Cryoto libraries"
config SSL_IMPL_OPENSSL
bool "OpenSSL"
+ default y
depends on HAVE_LIBSSL
config SSL_IMPL_WOLFSSL
@@ -413,12 +410,16 @@ choice
depends on HAVE_WOLFSSL
select CMS_IGNORE_CERTIFICATE_PURPOSE if SIGALG_CMS
select CMS_SKIP_UNKNOWN_SIGNERS if SIGALG_CMS
+ select PKCS11
config SSL_IMPL_MBEDTLS
bool "mbedTLS"
depends on HAVE_MBEDTLS
-endchoice
+ config SSL_IMPL_GPGME
+ bool "gpgme"
+ depends on HAVE_GPGME
+endmenu
config CHANNEL_CURL_SSL
bool
@@ -442,22 +443,17 @@ config SIGNED_IMAGES
comment "Image signature verification needs an SSL implementation"
depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
-choice
- prompt "Signature verification algorithm"
+menu "Signature verification algorithm"
depends on SIGNED_IMAGES
- default SIGALG_RAWRSA
- help
- Select if the signature algorithm for signed images is a raw RSA signature
- (following PKCS#1.5) or if it uses Cryptographic Message Syntax (CMS) with
- OpenSSL/LibreSSL or PKCS#7 with wolfSSL.
- wolfSSL's PKCS#7 implementation can only deal with one signature and cannot
- deal with X509 purposes.
config SIGALG_RAWRSA
bool "RSA PKCS#1.5"
+ default y
+ depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
config SIGALG_RSAPSS
bool "RSA PSS"
+ depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL
config SIGALG_CMS
bool "Cryptographic Message Syntax (CMS) / PKCS#7"
@@ -465,7 +461,8 @@ choice
config SIGALG_GPG
bool "GPG signing"
-endchoice
+ depends on SSL_IMPL_GPGME
+endmenu
menu "CMS / PKCS#7 signature verification options"
depends on SIGALG_CMS
diff --git a/Makefile.deps b/Makefile.deps
index 4b03b335..c759f687 100644
--- a/Makefile.deps
+++ b/Makefile.deps
@@ -98,6 +98,10 @@ ifeq ($(HAVE_MBEDTLS),)
export HAVE_MBEDTLS = y
endif
+ifeq ($(HAVE_GPGME),)
+export HAVE_GPGME = y
+endif
+
ifeq ($(HAVE_P11KIT),)
export HAVE_P11KIT = y
endif
diff --git a/Makefile.flags b/Makefile.flags
index dac73a36..65f112e8 100644
--- a/Makefile.flags
+++ b/Makefile.flags
@@ -167,6 +167,14 @@ else ifeq ($(CONFIG_PKCS11),y)
LDLIBS += wolfssl
endif
+ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
+LDLIBS += mbedcrypto mbedtls mbedx509
+endif
+
+ifeq ($(CONFIG_SSL_IMPL_GPGME),y)
+LDLIBS += gpgme
+endif
+
ifeq ($(CONFIG_PKCS11),y)
$(eval $(call pkg_check_modules, P11BUILD, "p11-kit-1"))
KBUILD_CFLAGS += $(P11BUILD_CFLAGS)
@@ -174,10 +182,6 @@ KBUILD_LIBS += $(P11BUILD_LIBS)
LDLIBS += p11-kit
endif
-ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
-LDLIBS += mbedcrypto mbedtls mbedx509
-endif
-
# MTD
ifeq ($(CONFIG_MTD),y)
LDLIBS += ubi mtd
@@ -325,7 +329,3 @@ endif
# (we stole scripts/checkstack.pl from the kernel... thanks guys!)
# Reduced from 20k to 16k in 1.9.0.
FLTFLAGS += -s 16000
-
-ifeq ($(CONFIG_SIGALG_GPG),y)
-LDLIBS += gpgme
-endif
diff --git a/crypto/Makefile b/crypto/Makefile
index c55af4e4..62775a50 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,31 +2,26 @@
#
# SPDX-License-Identifier: GPL-2.0-only
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
-ifeq ($(CONFIG_PKCS11),y)
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
-endif
-obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_openssl.o
-obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_openssl.o
-endif
ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_openssl.o
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_openssl.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_openssl.o
obj-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify_openssl.o
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
endif
+
ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_wolfssl.o
obj-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify_wolfssl.o
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
endif
+
ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_mbedtls.o
-ifeq ($(CONFIG_PKCS11),y)
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
-endif
obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
endif
+ifeq ($(CONFIG_SSL_IMPL_GPGME),y)
obj-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
+endif
--
2.43.0
algorithms.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
---
Kconfig | 37 +++++++++++++++++--------------------
Makefile.deps | 4 ++++
Makefile.flags | 16 ++++++++--------
crypto/Makefile | 21 ++++++++-------------
4 files changed, 37 insertions(+), 41 deletions(-)
diff --git a/Kconfig b/Kconfig
index 1dead664..9171a7b2 100644
--- a/Kconfig
+++ b/Kconfig
@@ -105,6 +105,10 @@ config HAVE_MBEDTLS
bool
option env="HAVE_MBEDTLS"
+config HAVE_GPGME
+ bool
+ option env="HAVE_GPGME"
+
config HAVE_P11KIT
bool
option env="HAVE_P11KIT"
@@ -395,17 +399,10 @@ source "mongoose/Kconfig"
comment "Security"
-choice
- prompt "SSL implementation to use"
- default SSL_IMPL_OPENSSL
- help
- Select SSL implementation for hashing, verifying and decrypting images.
-
- config SSL_IMPL_NONE
- bool "None"
-
+menu "Cryoto libraries"
config SSL_IMPL_OPENSSL
bool "OpenSSL"
+ default y
depends on HAVE_LIBSSL
config SSL_IMPL_WOLFSSL
@@ -413,12 +410,16 @@ choice
depends on HAVE_WOLFSSL
select CMS_IGNORE_CERTIFICATE_PURPOSE if SIGALG_CMS
select CMS_SKIP_UNKNOWN_SIGNERS if SIGALG_CMS
+ select PKCS11
config SSL_IMPL_MBEDTLS
bool "mbedTLS"
depends on HAVE_MBEDTLS
-endchoice
+ config SSL_IMPL_GPGME
+ bool "gpgme"
+ depends on HAVE_GPGME
+endmenu
config CHANNEL_CURL_SSL
bool
@@ -442,22 +443,17 @@ config SIGNED_IMAGES
comment "Image signature verification needs an SSL implementation"
depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
-choice
- prompt "Signature verification algorithm"
+menu "Signature verification algorithm"
depends on SIGNED_IMAGES
- default SIGALG_RAWRSA
- help
- Select if the signature algorithm for signed images is a raw RSA signature
- (following PKCS#1.5) or if it uses Cryptographic Message Syntax (CMS) with
- OpenSSL/LibreSSL or PKCS#7 with wolfSSL.
- wolfSSL's PKCS#7 implementation can only deal with one signature and cannot
- deal with X509 purposes.
config SIGALG_RAWRSA
bool "RSA PKCS#1.5"
+ default y
+ depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
config SIGALG_RSAPSS
bool "RSA PSS"
+ depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL
config SIGALG_CMS
bool "Cryptographic Message Syntax (CMS) / PKCS#7"
@@ -465,7 +461,8 @@ choice
config SIGALG_GPG
bool "GPG signing"
-endchoice
+ depends on SSL_IMPL_GPGME
+endmenu
menu "CMS / PKCS#7 signature verification options"
depends on SIGALG_CMS
diff --git a/Makefile.deps b/Makefile.deps
index 4b03b335..c759f687 100644
--- a/Makefile.deps
+++ b/Makefile.deps
@@ -98,6 +98,10 @@ ifeq ($(HAVE_MBEDTLS),)
export HAVE_MBEDTLS = y
endif
+ifeq ($(HAVE_GPGME),)
+export HAVE_GPGME = y
+endif
+
ifeq ($(HAVE_P11KIT),)
export HAVE_P11KIT = y
endif
diff --git a/Makefile.flags b/Makefile.flags
index dac73a36..65f112e8 100644
--- a/Makefile.flags
+++ b/Makefile.flags
@@ -167,6 +167,14 @@ else ifeq ($(CONFIG_PKCS11),y)
LDLIBS += wolfssl
endif
+ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
+LDLIBS += mbedcrypto mbedtls mbedx509
+endif
+
+ifeq ($(CONFIG_SSL_IMPL_GPGME),y)
+LDLIBS += gpgme
+endif
+
ifeq ($(CONFIG_PKCS11),y)
$(eval $(call pkg_check_modules, P11BUILD, "p11-kit-1"))
KBUILD_CFLAGS += $(P11BUILD_CFLAGS)
@@ -174,10 +182,6 @@ KBUILD_LIBS += $(P11BUILD_LIBS)
LDLIBS += p11-kit
endif
-ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
-LDLIBS += mbedcrypto mbedtls mbedx509
-endif
-
# MTD
ifeq ($(CONFIG_MTD),y)
LDLIBS += ubi mtd
@@ -325,7 +329,3 @@ endif
# (we stole scripts/checkstack.pl from the kernel... thanks guys!)
# Reduced from 20k to 16k in 1.9.0.
FLTFLAGS += -s 16000
-
-ifeq ($(CONFIG_SIGALG_GPG),y)
-LDLIBS += gpgme
-endif
diff --git a/crypto/Makefile b/crypto/Makefile
index c55af4e4..62775a50 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -2,31 +2,26 @@
#
# SPDX-License-Identifier: GPL-2.0-only
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
-ifeq ($(CONFIG_PKCS11),y)
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
-endif
-obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_openssl.o
-obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_openssl.o
-endif
ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_openssl.o
+obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_openssl.o
+obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_openssl.o
obj-$(CONFIG_SIGALG_CMS) += swupdate_cms_verify_openssl.o
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_openssl.o
endif
+
ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_wolfssl.o
obj-$(CONFIG_SIGALG_CMS) += swupdate_pkcs7_verify_wolfssl.o
+obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
endif
+
ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
obj-$(CONFIG_HASH_VERIFY) += swupdate_HASH_mbedtls.o
-ifeq ($(CONFIG_PKCS11),y)
-obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_pkcs11.o
-else
obj-$(CONFIG_ENCRYPTED_IMAGES) += swupdate_decrypt_mbedtls.o
-endif
obj-$(CONFIG_SIGALG_RAWRSA) += swupdate_rsa_verify_mbedtls.o
obj-$(CONFIG_SIGALG_RSAPSS) += swupdate_rsa_verify_mbedtls.o
endif
+ifeq ($(CONFIG_SSL_IMPL_GPGME),y)
obj-$(CONFIG_SIGALG_GPG) += swupdate_gpg_verify.o
+endif
--
2.43.0
Stefano Babic
Jul 24, 2025, 9:22:20 AM7/24/25
to swup...@googlegroups.com, Stefano Babic, Michael Glembotzki
Enable support of multiple crypto libraries at once and multiple
algorithms.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Tested-by: Michael Glembotzki <Michael.G...@iris-sensing.com>
algorithms.
Signed-off-by: Stefano Babic <stefan...@swupdate.org>
Reply all
Reply to author
Forward
0 new messages