mbedtls: access mbedtls private members in mscode and pkcs7 parser
authorRaymond Mao <raymond.mao@linaro.org>
Mon, 3 Feb 2025 22:08:13 +0000 (14:08 -0800)
committerTom Rini <trini@konsulko.com>
Thu, 27 Feb 2025 18:11:02 +0000 (12:11 -0600)
U-Boot needs to access x509_internal.h, mbedtls_sha256_context and
mbedtls_sha1_context in the porting layer, which requires enabling
MBEDTLS_ALLOW_PRIVATE_ACCESS.

Enable it for mscode and pkcs7_parser to fix an mbedtls internal build
error when X509 is selected.

Moreover, move it to a separate file to avoid enabling it in multiple
places.

Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
include/crypto/mscode.h
include/crypto/pkcs7_parser.h
include/u-boot/sha1.h
include/u-boot/sha256.h
lib/mbedtls/port/mbedtls_options.h [new file with mode: 0644]

index 678e69001b9eeaf19fdd59247deac157aed53d68..55501c22acbabb841d49135efaa2cc6af379334c 100644 (file)
@@ -10,6 +10,7 @@
 #include <crypto/hash_info.h>
 #endif
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include "mbedtls_options.h"
 #include <mbedtls/asn1.h>
 #include <mbedtls/oid.h>
 #endif
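Review bot: The added `#include "mbedtls_options.h"` only takes effect if no Mbed TLS header has been seen earlier in the translation unit, because `mbedtls/private_access.h` fixes the meaning of `MBEDTLS_PRIVATE()` the first time it is included and a later `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` is then ignored. Here the include sits after `<crypto/hash_info.h>` and after whatever the including .c file pulled in before mscode.h, so the build fix is order-dependent; the pkcs7_parser.h hunk has the same exposure. Whether any earlier header actually reaches Mbed TLS is not visible from this hunk, which shows only part of the file. I would at least add `/* must precede every <mbedtls/...> include in this translation unit */` above the new line, or define the macro once for the affected objects from the build system if that is practical.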
index 469c2711fa6272d4f122d282837448d710fc4060..fd1e48da09e4b901ec0093546b4885bd4523c072 100644 (file)
@@ -12,6 +12,7 @@
 #include <crypto/pkcs7.h>
 #include <crypto/x509_parser.h>
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509)
+#include "mbedtls_options.h"
 #include <mbedtls/pkcs7.h>
 #include <library/x509_internal.h>
 #include <mbedtls/asn1.h>
index dd66258bbe94ac4c3cee4267bf89b0dc2d663b20..c2d62e9cf0f500301f3dcaf21aad9a82ca88b631 100644 (file)
 #include <linux/types.h>
 
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
-/*
- * FIXME:
- * MbedTLS define the members of "mbedtls_sha256_context" as private,
- * but "state" needs to be access by arch/arm/cpu/armv8/sha1_ce_glue.
- * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
- * access.
- * Directly including <external/mbedtls/library/common.h> is not allowed,
- * since this will include <malloc.h> and break the sandbox test.
- */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
+#include "mbedtls_options.h"
 #include <mbedtls/sha1.h>
 #endif
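Review bot: The comment removed in this hunk was the only place that said which consumer needs the private field, namely `state`, accessed by arch/arm/cpu/armv8/sha1_ce_glue; the comment in the new shared header names only the context types. I would keep a one-line pointer next to the include, e.g. `/* sha1_ce_glue accesses the context's "state" member, which Mbed TLS marks private */`, so a later Mbed TLS update can be audited against the real users of private fields. The sha256.h hunk drops the equivalent note for sha256_ce_glue. Only part of the header is visible here.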
 
index d7a3403270b65c5c066921fccdefe9c6cd50328a..2d86508332e56b4d6636ebf9ec95d445b144c4a9 100644 (file)
@@ -7,17 +7,7 @@
 #include <linux/types.h>
 
 #if CONFIG_IS_ENABLED(MBEDTLS_LIB_CRYPTO)
-/*
- * FIXME:
- * MbedTLS define the members of "mbedtls_sha256_context" as private,
- * but "state" needs to be access by arch/arm/cpu/armv8/sha256_ce_glue.
- * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
- * access.
- * Directly including <external/mbedtls/library/common.h> is not allowed,
- * since this will include <malloc.h> and break the sandbox test.
- */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
+#include "mbedtls_options.h"
 #include <mbedtls/sha256.h>
 #endif
 
diff --git a/lib/mbedtls/port/mbedtls_options.h b/lib/mbedtls/port/mbedtls_options.h
new file mode 100644 (file)
index 0000000..885ed69
--- /dev/null
@@ -0,0 +1,23 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Internal build options for MbedTLS
+ *
+ * Copyright (c) 2025 Linaro Limited
+ * Author: Raymond Mao <raymond.mao@linaro.org>
+ */
+
+#ifndef _MBEDTLS_OPT_H
+#define _MBEDTLS_OPT_H
+
+/*
+ * FIXME:
+ * U-Boot/MbedTLS port requires to access a few of members which are defined
+ * as private in MbedTLS context.
+ * E.g: x509_internal.h, mbedtls_sha256_context and mbedtls_sha1_context.
+ * MBEDTLS_ALLOW_PRIVATE_ACCESS needs to be enabled to allow the external
+ * access, but directly including <external/mbedtls/library/common.h> is not
+ * allowed, since this will include <malloc.h> and break the sandbox test.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
+#endif /* _MBEDTLS_OPT_H */
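Review bot: Because this header is now included from four headers under include/, `MBEDTLS_ALLOW_PRIVATE_ACCESS` is in effect for every file that includes any of them, not only the porting layer, so new code can start depending on Mbed TLS context internals without that being noticed in review. The FIXME would be more useful if it listed the specific private members used and the files that use them, and said what would allow the define to be removed. Wrapping the define as `#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS` / `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` / `#endif` would avoid a macro-redefinition diagnostic if the macro is ever passed with a value on the compiler command line. The guard name `_MBEDTLS_OPT_H` is also an identifier reserved for the implementation (underscore followed by an uppercase letter); `MBEDTLS_OPTIONS_H` would avoid that.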