[RFC 2/4] Add rsa support
Jan Lübbe
jlu at pengutronix.de
Fri Mar 13 02:35:35 PDT 2015
On Do, 2015-03-12 at 18:47 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> as state in my previous e-mail I will a keystore support
>
> but this dt format to handle no please
>
> we need to use the standard format as in the kernel or openssl
>
> DER and x509
>
> specially x509 as if we want to be able to add key at runtime we need
> to sign them we the trusted RO keys
>
> For the implementation of RSA I use the polarssl one and plan to add
> the kernel one
>
> and this implementation is limited to 4096 the polarssl one is not
Having an ASN1 parser for DER/x509 is a huge amount of complexity I
would not want in a bootloader. Just take a look at the problems the
SSL-CAs and browsers had with different interpretations of the same
cert.
The FIT format (and corresponding public key in the bootloader's DT) has
been adopted by depthcharge and u-boot, because it handles the
requirements and nothing more.
What is your use-case for which you need to add keys at runtime?
Regards,
Jan
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
More information about the barebox
mailing list