* [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY}
@ 2023-07-27 9:47 Ahmad Fatoum
2023-07-28 5:37 ` Sascha Hauer
0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2023-07-27 9:47 UTC (permalink / raw)
To: barebox; +Cc: rcz
CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the
RSA public key, but with different formats. CONFIG_RSA_KEY is probably
easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY
and be explicit about the different formatting.
---
common/Kconfig | 11 ++++++++---
crypto/Kconfig | 3 +++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/common/Kconfig b/common/Kconfig
index 3a57e16b3be6..0c7ba6a63685 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV
bool "Specify path to public key in environment"
depends on BOOTM_FITIMAGE_SIGNATURE
help
- If this option is enabled the path to the public key for verifying
- FIT images signature is taken from environment which allows for
- better integration with build systems.
+ If this option is enabled the path to the device tree snippet
+ containing the public key for verifying FIT images signature is taken
+ from make's build-time environment, which can allow for better
+ integration with some build systems.
The environment variable has the same name as the corresponding
Kconfig variable:
@@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY
snippet can then be included in a device tree with
"#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
+ This snippet is usually generated by decompiling a device tree produced
+ by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM
+ file or a PKCS#11 URI.
+
endif
config BOOTM_FORCE_SIGNED_IMAGES
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 629f615de1af..04e5ef43705b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY
X.509 certificates to be included into barebox. If the string starts
with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
+ This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
+ at the cost of an openssl build-time dependency.
+
config CRYPTO_RSA_KEY_NAME_HINT
depends on CRYPTO_RSA
string "FIT image key name hint"
--
2.39.2
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY}
2023-07-27 9:47 [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY} Ahmad Fatoum
@ 2023-07-28 5:37 ` Sascha Hauer
0 siblings, 0 replies; 2+ messages in thread
From: Sascha Hauer @ 2023-07-28 5:37 UTC (permalink / raw)
To: Ahmad Fatoum; +Cc: barebox, rcz
On Thu, Jul 27, 2023 at 11:47:48AM +0200, Ahmad Fatoum wrote:
> CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the
> RSA public key, but with different formats. CONFIG_RSA_KEY is probably
> easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY
> and be explicit about the different formatting.
> ---
> common/Kconfig | 11 ++++++++---
> crypto/Kconfig | 3 +++
> 2 files changed, 11 insertions(+), 3 deletions(-)
Applied, thanks
Sascha
>
> diff --git a/common/Kconfig b/common/Kconfig
> index 3a57e16b3be6..0c7ba6a63685 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV
> bool "Specify path to public key in environment"
> depends on BOOTM_FITIMAGE_SIGNATURE
> help
> - If this option is enabled the path to the public key for verifying
> - FIT images signature is taken from environment which allows for
> - better integration with build systems.
> + If this option is enabled the path to the device tree snippet
> + containing the public key for verifying FIT images signature is taken
> + from make's build-time environment, which can allow for better
> + integration with some build systems.
>
> The environment variable has the same name as the corresponding
> Kconfig variable:
> @@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY
> snippet can then be included in a device tree with
> "#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
>
> + This snippet is usually generated by decompiling a device tree produced
> + by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM
> + file or a PKCS#11 URI.
> +
> endif
>
> config BOOTM_FORCE_SIGNED_IMAGES
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 629f615de1af..04e5ef43705b 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY
> X.509 certificates to be included into barebox. If the string starts
> with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
>
> + This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
> + at the cost of an openssl build-time dependency.
> +
> config CRYPTO_RSA_KEY_NAME_HINT
> depends on CRYPTO_RSA
> string "FIT image key name hint"
> --
> 2.39.2
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-07-28 5:39 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-07-27 9:47 [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY} Ahmad Fatoum
2023-07-28 5:37 ` Sascha Hauer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox