From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Subject: [PATCH v4 11/16] crypto: builtin_keys: Allow to specify multiple keys in CONFIG_CRYPTO_PUBLIC_KEYS
Date: Fri, 13 Sep 2024 09:59:19 +0200 [thread overview]
Message-ID: <20240913075924.1652866-12-s.hauer@pengutronix.de> (raw)
In-Reply-To: <20240913075924.1652866-1-s.hauer@pengutronix.de>
This adds the missing pieces to make CONFIG_CRYPTO_PUBLIC_KEYS
a list of keys rather than a single key only.
We have to remove the quotes from the key argument in cmd_keys to
pass the keys as multiple arguments to keytoc.
For removing the quotes from CONFIG_CRYPTO_PUBLIC_KEYS "%"=% no longer
matches when the string contains multiple words, so we utilize shell
to remove the quotes.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
crypto/Kconfig | 11 ++++++-----
crypto/Makefile | 2 +-
scripts/Makefile.lib | 2 +-
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 612e6f33fc..6b2e73c503 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -126,11 +126,12 @@ config CRYPTO_PUBLIC_KEYS
depends on CRYPTO_BUILTIN_KEYS
string "public keys to compile in"
help
- This option should be a filename of a PEM-formatted file containing
- X.509 certificates to be included into barebox. If the string starts
- with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
- If the string starts with a <hint>: prefix, <hint> is used as a key
- name hint to find a key without iterating over all keys.
+ This option should be a space separated list of filenames of
+ PEM-formatted files containing X.509 certificates to be included into
+ barebox. If an entry starts with "pkcs11:" it is interpreted as a
+ PKCS#11 URI rather than a file. If an entry starts with a <hint>:
+ prefix, <hint> is used as a key name hint to find a key without
+ iterating over all keys.
This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
at the cost of an openssl build-time dependency.
diff --git a/crypto/Makefile b/crypto/Makefile
index d6ce50b386..1c5709c90a 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -28,7 +28,7 @@ ifdef CONFIG_CRYPTO_BUILTIN_KEYS
$(obj)/public-keys.o: $(obj)/public-keys.h
-CONFIG_CRYPTO_PUBLIC_KEYS := $(CONFIG_CRYPTO_PUBLIC_KEYS:"%"=%)
+CONFIG_CRYPTO_PUBLIC_KEYS := $(shell echo $(CONFIG_CRYPTO_PUBLIC_KEYS))
$(obj)/public-keys.h: FORCE
$(call cmd,public_keys,$(CONFIG_CRYPTO_PUBLIC_KEYS))
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 1881e3c139..3d0a260804 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -614,7 +614,7 @@ quiet_cmd_b64dec = B64DEC $@
# target file.
quiet_cmd_public_keys = KEY $@
cmd_public_keys = \
- $(objtree)/scripts/keytoc -o $@.tmp "$(2)" $(3) && \
+ $(objtree)/scripts/keytoc -o $@.tmp $(2) $(3) && \
if cmp -s $@.tmp $@; then \
rm $@.tmp; \
else \
--
2.39.2
next prev parent reply other threads:[~2024-09-13 8:28 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-13 7:59 [PATCH v4 00/16] Add ECDSA support for FIT image verification Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 01/16] keytoc: remove ECDSA dts support Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 02/16] keytoc: fail in case gen_key() fails Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 03/16] keytoc: fix ECDSA endianess problems Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 04/16] keytoc: remove duplicate __ENV__ check Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 05/16] crypto: Makefile: make simpler Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 06/16] crypto/Makefile: Drop unnecessary dependencies Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 07/16] keytoc: make key name hint optional Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 08/16] crypto: rsa: include key name hint into CONFIG_CRYPTO_RSA_KEY Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 09/16] crypto: rsa: encapsulate rsa keys in public keys struct Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 10/16] crypto: add public_key functions Sascha Hauer
2024-09-13 7:59 ` Sascha Hauer [this message]
2024-09-13 7:59 ` [PATCH v4 12/16] crypto: public-keys: use array of public_keys Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 13/16] crypto: rsa: create static inline wrapper for rsa_verify() Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 14/16] Add elliptic curve cryptography (ECC) helper functions Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 15/16] crypto: add ECDSA support Sascha Hauer
2024-09-13 7:59 ` [PATCH v4 16/16] crypto: make RSA a visible option Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240913075924.1652866-12-s.hauer@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox