From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: barebox@lists.infradead.org
Cc: rcz@pengutronix.de
Subject: [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY}
Date: Thu, 27 Jul 2023 11:47:48 +0200 [thread overview]
Message-ID: <20230727094748.1152484-1-a.fatoum@pengutronix.de> (raw)
CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the
RSA public key, but with different formats. CONFIG_RSA_KEY is probably
easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY
and be explicit about the different formatting.
---
common/Kconfig | 11 ++++++++---
crypto/Kconfig | 3 +++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/common/Kconfig b/common/Kconfig
index 3a57e16b3be6..0c7ba6a63685 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV
bool "Specify path to public key in environment"
depends on BOOTM_FITIMAGE_SIGNATURE
help
- If this option is enabled the path to the public key for verifying
- FIT images signature is taken from environment which allows for
- better integration with build systems.
+ If this option is enabled the path to the device tree snippet
+ containing the public key for verifying FIT images signature is taken
+ from make's build-time environment, which can allow for better
+ integration with some build systems.
The environment variable has the same name as the corresponding
Kconfig variable:
@@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY
snippet can then be included in a device tree with
"#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
+ This snippet is usually generated by decompiling a device tree produced
+ by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM
+ file or a PKCS#11 URI.
+
endif
config BOOTM_FORCE_SIGNED_IMAGES
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 629f615de1af..04e5ef43705b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY
X.509 certificates to be included into barebox. If the string starts
with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
+ This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
+ at the cost of an openssl build-time dependency.
+
config CRYPTO_RSA_KEY_NAME_HINT
depends on CRYPTO_RSA
string "FIT image key name hint"
--
2.39.2
next reply other threads:[~2023-07-27 9:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-27 9:47 Ahmad Fatoum [this message]
2023-07-28 5:37 ` Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230727094748.1152484-1-a.fatoum@pengutronix.de \
--to=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=rcz@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox