* [PATCH master] security: hide CRYPTO_BUILTIN_DEVELOPMENT_KEYS behind INSECURE
@ 2025-10-15 9:09 Ahmad Fatoum
2025-10-20 10:51 ` Sascha Hauer
0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2025-10-15 9:09 UTC (permalink / raw)
To: barebox; +Cc: Jonas Rebmann, Ahmad Fatoum
CONFIG_HAS_INSECURE_DEFAULTS is meant for options that may be insecure
by default and need extra care when used in secure deployments.
CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS can't be used in a secure manner
at all and the help text spells it out, so it's more appropriate to have
it explicitly depending on INSECURE.
Cc: Jonas Rebmann <jre@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
security/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/security/Kconfig b/security/Kconfig
index 7ac92e4af760..40d468ae07d2 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -16,6 +16,7 @@ config INSECURE
This option is a moving target. Currently it:
- changes the default of global.env.autoprobe to 1
+ - allows enablement of CRYPTO_BUILTIN_DEVELOPMENT_KEYS
source "security/Kconfig.policy"
@@ -79,7 +80,7 @@ endchoice
endif
config CRYPTO_BUILTIN_DEVELOPMENT_KEYS
- select HAS_INSECURE_DEFAULTS
+ depends on INSECURE
depends on CRYPTO_BUILTIN_KEYS
bool "Include development keys in build"
help
--
2.47.3
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-10-20 12:59 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-10-15 9:09 [PATCH master] security: hide CRYPTO_BUILTIN_DEVELOPMENT_KEYS behind INSECURE Ahmad Fatoum
2025-10-20 10:51 ` Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox