[RFC 2/4] Add rsa support

Jan Lübbe jlu at pengutronix.de
Fri Mar 13 02:35:35 PDT 2015


On Do, 2015-03-12 at 18:47 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> as state in my previous e-mail I will a keystore support
> 
> but this dt format to handle no please
> 
> we need to use the standard format as in the kernel or openssl
> 
> DER and x509
> 
> specially x509 as if we want to be able to add key at runtime we need
> to sign them we the trusted RO keys
> 
> For the implementation of RSA I use the polarssl one and plan to add
> the kernel one
> 
> and this implementation is limited to 4096 the polarssl one is not

Having an ASN1 parser for DER/x509 is a huge amount of complexity I
would not want in a bootloader. Just take a look at the problems the
SSL-CAs and browsers had with different interpretations of the same
cert.

The FIT format (and corresponding public key in the bootloader's DT) has
been adopted by depthcharge and u-boot, because it handles the
requirements and nothing more.

What is your use-case for which you need to add keys at runtime?

Regards,
Jan
-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |




More information about the barebox mailing list