[RFC 2/4] Add rsa support

Jean-Christophe PLAGNIOL-VILLARD plagnioj at jcrosoft.com
Fri Mar 13 02:56:54 PDT 2015


On 10:35 Fri 13 Mar     , Jan Lübbe wrote:
> On Do, 2015-03-12 at 18:47 +0100, Jean-Christophe PLAGNIOL-VILLARD wrote:
> > as state in my previous e-mail I will a keystore support
> > 
> > but this dt format to handle no please
> > 
> > we need to use the standard format as in the kernel or openssl
> > 
> > DER and x509
> > 
> > specially x509 as if we want to be able to add key at runtime we need
> > to sign them we the trusted RO keys
> > 
> > For the implementation of RSA I use the polarssl one and plan to add
> > the kernel one
> > 
> > and this implementation is limited to 4096 the polarssl one is not
> 
> Having an ASN1 parser for DER/x509 is a huge amount of complexity I
> would not want in a bootloader. Just take a look at the problems the
> SSL-CAs and browsers had with different interpretations of the same
> cert.

der is nothing few under lines

x509 a few more as it's based on DER
> 
> The FIT format (and corresponding public key in the bootloader's DT) has
> been adopted by depthcharge and u-boot, because it handles the
> requirements and nothing more.

if you want to add this format you can but via the keychain loader not in the
code as today you do have soc such as imx that store the key in OTP as DER

and u-boot is not the best reference EVER.
> 
> What is your use-case for which you need to add keys at runtime?

simple you want to allow user to put their own key
or use a CA to handle allowed key

if you want to replace grub this is critical

Best Regards,
J.
> 
> Regards,
> Jan
> -- 
> Pengutronix e.K.                           |                             |
> Industrial Linux Solutions                 | http://www.pengutronix.de/  |
> Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 



More information about the barebox mailing list