From: Sascha Hauer <s.hauer@pengutronix.de>
To: Ahmad Fatoum <a.fatoum@pengutronix.de>
Cc: Barebox List <barebox@lists.infradead.org>
Subject: Re: [PATCH v3 07/15] crypto: rsa: include key name hint into CONFIG_CRYPTO_RSA_KEY
Date: Fri, 13 Sep 2024 09:05:45 +0200 [thread overview]
Message-ID: <ZuPkSftbPOJQP4TG@pengutronix.de> (raw)
In-Reply-To: <f1f058a9-c2a9-4113-a1f2-920452686194@pengutronix.de>
On Wed, Sep 11, 2024 at 10:27:42AM +0200, Ahmad Fatoum wrote:
> Hello Sascha,
>
> On 06.09.24 12:40, Sascha Hauer wrote:
> > Set the key name hint in CONFIG_CRYPTO_RSA_KEY. CONFIG_CRYPTO_RSA_KEY
> > now has the form:
> >
> > <key_name_hint>:<filename/uri>
> >
> > This is done in preparation to make CONFIG_CRYPTO_RSA_KEY a list of
> > keys.
>
> IIUC, existing users that do make oldconfig will:
>
> - either lose the key hint and need to add it back or just live with
> an iteration of the list
>
> - have pkcs11:$uri URIs which will be interpreted as key hint and
> result on some error message that the URI is not a valid path.
When a URI starts with "pkcs11:" then keytoc will take this as a pkcs11
URI, it won't interpret it as a key name hint. In other words, "pkcs11"
is not a valid key name hint. You will get an error in this case.
> > diff --git a/crypto/Makefile b/crypto/Makefile
> > index d7a06a721d..f3e49ab7ba 100644
> > --- a/crypto/Makefile
> > +++ b/crypto/Makefile
> > @@ -29,10 +29,9 @@ $(obj)/rsa.o: $(obj)/rsa-keys.h
> >
> > CONFIG_CRYPTO_RSA_KEY := $(CONFIG_CRYPTO_RSA_KEY:"%"=%)
> >
> > -ifneq ($(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_RSA_KEY)),)
> > -RSA_DEP := $(CONFIG_CRYPTO_RSA_KEY)
> > -endif
> > +RSA_DEP := $(filter-out pkcs11:% __ENV__%, $(CONFIG_CRYPTO_RSA_KEY))
> > +RSA_DEP := $(shell echo $(RSA_DEP) | sed -e "s/[[:alnum:]]*://g")
There still is a bug here though. The dependencies are wrong for pkcs11
URIs which have a key name hint, i.e. something like "hint:pkcs:foo". In
this case RSA_DEP contains 'foo' and we get:
make[2]: *** No rule to make target 'foo', needed by 'crypto/public-keys.h'. Stop.
We can remove the dependencies altogether and just keep the FORCE. The
dependencies were introduced to avoid unnecessary rebuilds. However, the
public_keys cmd will only produce output when it actually changes, so
no rebuilds will occur even without the dependencies.
> >
> > $(obj)/rsa-keys.h: $(RSA_DEP) FORCE
> > - $(call cmd,public_keys,$(CONFIG_CRYPTO_RSA_KEY_NAME_HINT):$(CONFIG_CRYPTO_RSA_KEY))
> > + $(call cmd,public_keys,$(CONFIG_CRYPTO_RSA_KEY))
> > endif
Sascha
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2024-09-13 7:06 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-06 10:40 [PATCH v3 00/15] Add ECDSA support for FIT image verification Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 01/15] keytoc: remove ECDSA dts support Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 02/15] keytoc: fail in case gen_key() fails Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 03/15] keytoc: fix ECDSA endianess problems Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 04/15] keytoc: remove duplicate __ENV__ check Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 05/15] crypto: Makefile: make simpler Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 06/15] keytoc: make key name hint optional Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 07/15] crypto: rsa: include key name hint into CONFIG_CRYPTO_RSA_KEY Sascha Hauer
2024-09-11 8:27 ` Ahmad Fatoum
2024-09-13 7:05 ` Sascha Hauer [this message]
2024-09-06 10:40 ` [PATCH v3 08/15] crypto: rsa: encapsulate rsa keys in public keys struct Sascha Hauer
2024-09-11 8:33 ` Ahmad Fatoum
2024-09-13 7:06 ` Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 09/15] crypto: add public_key functions Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 10/15] crypto: builtin_keys: Allow to specify multiple keys in CONFIG_CRYPTO_PUBLIC_KEYS Sascha Hauer
2024-09-11 8:34 ` Ahmad Fatoum
2024-09-06 10:40 ` [PATCH v3 11/15] crypto: public-keys: use array of public_keys Sascha Hauer
2024-09-11 8:38 ` Ahmad Fatoum
2024-09-06 10:40 ` [PATCH v3 12/15] crypto: rsa: create static inline wrapper for rsa_verify() Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 13/15] Add elliptic curve cryptography (ECC) helper functions Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 14/15] crypto: add ECDSA support Sascha Hauer
2024-09-06 10:40 ` [PATCH v3 15/15] crypto: make RSA a visible option Sascha Hauer
2024-09-11 8:43 ` [PATCH v3 00/15] Add ECDSA support for FIT image verification Ahmad Fatoum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZuPkSftbPOJQP4TG@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=a.fatoum@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox