[PATCH 0/4] public keys: rework keyrings as nested containers
Sascha Hauer
s.hauer at pengutronix.de
Wed May 27 03:54:40 PDT 2026
So far a public key had a char *keyring, meaning that a key can only be
part of a single keyring. This series overcomes this: with it, keys can
be contained in multiple keyrings and keyrings can be part of other
keyrings. To get there, a new struct keyring_link is introduced, which
is instantiated per link and links a key/keyring to a keyring. The
keys command is updated to reflect that, so an example output could
be:
RING: fit
KEY: 9160ff3ab26e1842d1fbfaca48befce2664f57245048856e779531bb260cbc20 TYPE: ECDSA HINT:
RING: snakeoil
RING: fit-devel
RING: tlv-generic
RING: snakeoil
RING: snakeoil
KEY: 4f48c67c9a28be596931de5b137f8207f15a505d1b7a742731014dbcd4c799d9 TYPE: ECDSA HINT: ecdsa-devel
KEY: 7fbcb3b2ddfab044ef874550c7cbd1b357afeed55fb6f48be9c22b2cbef72856 TYPE: RSA HINT: rsa-devel
RING: fit-devel
KEY: 7fbcb3b2ddfab044ef874550c7cbd1b357afeed55fb6f48be9c22b2cbef72856 TYPE: RSA HINT:
RING: tlv-feature
KEY: 54b7b9c040cd81dd1e495832b8a2724a8f48e75f90fcd982631695669a805dd0 TYPE: RSA HINT:
RING: tlv-base
KEY: 2f908960b1d74b3a8d0076376870020f8d6504ebb7a1c68c1c383ac8140690e5 TYPE: RSA HINT:
The FIT image authentication code still uses the "fit" keyring as
before, but now we can link new keys to the keyring during runtime as
needed. Furthermore, a key can be used for multiple purposes without
duplicating it.
As a nice side effect, the keys themselves become read-only and the
compiled-in keys can be moved to the RO data segment.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
Sascha Hauer (4):
      public keys: make error message more informative
      public keys: make key_name_hint optional
      public keys: rework keyrings as nested containers
      public keys: allow keys to be members of multiple keyrings
commands/keys.c | 21 +++-
common/image-fit.c | 15 ++-
common/tlv/parser.c | 13 ++-
crypto/Makefile | 6 +-
crypto/public-keys.c | 221 ++++++++++++++++++++++++++++++++++----
crypto/rsa.c | 3 +-
include/asm-generic/barebox.lds.h | 11 ++
include/crypto/public_key.h | 87 ++++++++++++---
scripts/keytoc.c | 79 +++++++++-----
9 files changed, 381 insertions(+), 75 deletions(-)
---
base-commit: 19ce0bdebf4856cfe6d0610a6e4d8d917d658ec3
change-id: 20260522-public-keys-ba609c65c114
Best regards,
--
Sascha Hauer <s.hauer at pengutronix.de>
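
An added illustration of the link-per-membership idea described in the cover letter above, not code from the series. The struct node, struct link and ring_has_key names, the MAX_DEPTH bound and the sample nesting and placeholder keys are assumptions constructed here; barebox's actual struct keyring_link layout is not shown on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not barebox's definitions. A node is a key or a ring. */
struct node { const char *name; int is_ring; };
/* One link object per membership: "member is contained in ring". */
struct link { const struct node *ring, *member; };

#define MAX_DEPTH 8 /* assumed bound so a ring loop cannot hang the lookup */

/* Return 1 if key is reachable from ring, directly or via nested rings. */
static int ring_has_key(const struct link *links, size_t n,
			const struct node *ring, const struct node *key,
			int depth)
{
	size_t i;

	if (depth > MAX_DEPTH)
		return 0;
	for (i = 0; i < n; i++) {
		const struct node *m = links[i].member;

		if (links[i].ring != ring)
			continue;
		if (m == key || (m->is_ring &&
				 ring_has_key(links, n, m, key, depth + 1)))
			return 1;
	}
	return 0;
}

/* Constructed sample: nodes are const, only the link table says who trusts what. */
static const struct node fit = { "fit", 1 }, fit_devel = { "fit-devel", 1 },
	snakeoil = { "snakeoil", 1 }, tlv = { "tlv-generic", 1 },
	key_prod = { "PLACEHOLDER-PROD-KEY", 0 },
	key_devel = { "PLACEHOLDER-DEVEL-KEY", 0 };

static const struct link links[] = {
	{ &fit, &key_prod },
	{ &fit_devel, &snakeoil }, /* one ring linked into two parents */
	{ &tlv, &snakeoil },
	{ &snakeoil, &key_devel }, /* key stored once, reachable from both */
	{ &snakeoil, &fit_devel }, /* deliberate loop, cut off by MAX_DEPTH */
};
#define NLINKS (sizeof(links) / sizeof(links[0]))

int main(void)
{
	printf("fit trusts devel key: %d\n",
	       ring_has_key(links, NLINKS, &fit, &key_devel, 0));
	return 0;
}
```

In this model a single added link such as { &fit, &fit_devel } would make the devel key acceptable to a verifier that starts at "fit", so the link table is the trust-relevant data to review when keys can be linked at runtime.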