* [PATCH v3 1/3] keytoc: mark keyspec user input as readonly
@ 2025-08-18 17:08 Marco Felsch
From: Marco Felsch @ 2025-08-18 17:08 UTC (permalink / raw)
To: barebox
Don't manipulate the user input and instead allocate the keyname and path
always to drop the usage of freep. Move the keyspec parsing code into a
helper to increase the readability further while on it.
This prepares keytoc to handle a keyspec provided by a single environment
variable.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
Changelog:
v3:
- no changes
v2:
- new patch
scripts/keytoc.c | 54 +++++++++++++++++++++++++++++++++---------------
1 file changed, 37 insertions(+), 17 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index c92465707f65..617317d6607e 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -653,6 +653,34 @@ static int gen_key(const char *keyname, const char *path)
return ret;
}
+static void get_name_path(const char *keyspec, char **keyname, char **path)
+{
+ char *sep, *spec;
+
+ spec = strdup(keyspec);
+ if (!spec)
+ enomem_exit(__func__);
+
+ /* Split <key-hint>:<key-path> pair, <key-hint> is optional */
+ sep = strchr(spec, ':');
+ if (!sep) {
+ *path = spec;
+ return;
+ }
+
+ *sep = 0;
+ *keyname = strdup(spec);
+ if (!*keyname)
+ enomem_exit(__func__);
+
+ sep++;
+ *path = strdup(sep);
+ if (!*path)
+ enomem_exit(__func__);
+
+ free(spec);
+}
+
int main(int argc, char *argv[])
{
int i, opt, ret;
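Review bot: get_name_path() leaves *keyname untouched when no ':' is present and so depends on the caller having initialised it to NULL (main does, but a later caller may not); set `*keyname = NULL;` at the top of the helper. The split also accepts an empty hint: for a keyspec such as ":/foo/bar.der", `*keyname` becomes strdup("") which is non-NULL, so the `if (!keyname)` fallback to `key_%d` in main is skipped and the symbol is generated from an empty name. Treating `sep == spec` like the no-separator case would keep the fallback working.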
@@ -705,35 +733,27 @@ int main(int argc, char *argv[])
}
for (i = optind; i < argc; i++) {
- char *keyspec = argv[i];
+ const char *keyspec = argv[i];
char *keyname = NULL;
- char *path, *freep = NULL;
+ char *path = NULL;
- if (!strncmp(keyspec, "pkcs11:", 7)) {
- path = keyspec;
- } else {
- path = strchr(keyspec, ':');
- if (path) {
- *path = 0;
- path++;
- keyname = keyspec;
- } else {
- path = keyspec;
- }
- }
+ if (!strncmp(keyspec, "pkcs11:", 7))
+ path = strdup(keyspec);
+ else
+ get_name_path(keyspec, &keyname, &path);
if (!keyname) {
- ret = asprintf(&freep, "key_%d", keynum++);
+ ret = asprintf(&keyname, "key_%d", keynum++);
if (ret < 0)
enomem_exit("asprintf");
- keyname = freep;
}
ret = gen_key(keyname, path);
if (ret)
exit(1);
- free(freep);
+ free(keyname);
+ free(path);
}
if (dts) {
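Review bot: the pkcs11 branch does `path = strdup(keyspec);` without checking the result, while get_name_path() calls enomem_exit() on every allocation failure; on a NULL return gen_key() would be handed a NULL path. Add `if (!path) enomem_exit(__func__);` after the strdup, or route the pkcs11 case through the helper as well.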
--
2.39.5
* [PATCH v3 2/3] keytoc: add support to handle single env keyspec
From: Marco Felsch @ 2025-08-18 17:08 UTC (permalink / raw)
To: barebox
Since commit 685cc602e0ad ("keytoc: allow __ENV__ lookup for keyname
hint") the hint and key can be specified via two environment variables.
Using two environment variables for a single keyspec is not very
intuitive. Therefore this commit adds the support to specify the keyspec
via a single environment variable:
For example:
FITKEY = "<hint>:<key>"
CONFIG_CRYPTO_PUBLIC_KEYS="__ENV__FITKEY"
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
Changelog:
v3:
- keep Basti's use-case to provide the keyhint+key via two env-variables
v2:
- no changes
scripts/keytoc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 617317d6607e..67e2db3386db 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -737,6 +737,10 @@ int main(int argc, char *argv[])
char *keyname = NULL;
char *path = NULL;
+ keyspec = try_resolve_env(keyspec);
+ if (!keyspec)
+ exit(1);
+
if (!strncmp(keyspec, "pkcs11:", 7))
path = strdup(keyspec);
else
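Review bot: when try_resolve_env() fails the loop exits with status 1 without saying which keyspec could not be resolved; unless try_resolve_env() prints its own diagnostic, add an fprintf(stderr, ...) naming argv[i] before the exit. The ownership of the returned pointer should also be documented: keyspec is `const char *` and only keyname and path are freed at the end of the loop, so if try_resolve_env() returns an allocated string it leaks once per key.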
--
2.39.5
* [PATCH v3 3/3] crypto: add examples to CRYPTO_PUBLIC_KEYS
From: Marco Felsch @ 2025-08-18 17:08 UTC (permalink / raw)
To: barebox
It's pretty easy to get the documentation for the __ENV__ handling
wrong. Therefore add a few examples which are currently supported.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
Changelog:
v3:
- new patch
crypto/Kconfig | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 14728be4aa91..97836a75ce5a 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -148,6 +148,24 @@ config CRYPTO_PUBLIC_KEYS
corresponding value in the environment variable VAR_NAME for both
public key paths/URIs as well as key name hints.
+ Examples specified directly:
+
+ - CONFIG_CRYPTO_PUBLIC_KEYS="pkcs11:object=foo"
+ - CONFIG_CRYPTO_PUBLIC_KEYS="myhint:pkcs11:object=foo"
+ - CONFIG_CRYPTO_PUBLIC_KEYS="myhint:pkcs11:object=foo /foobar/baz.der"
+ - CONFIG_CRYPTO_PUBLIC_KEYS="myhint:pkcs11:object=foo myotherhint:/foobar/baz.der"
+
+ Example specified indirectly by two environment variables:
+
+ - myhint="myhint"
+ - myname="pkcs11:object=foo" (.der could be used too)
+ - CONFIG_CRYPTO_PUBLIC_KEYS="__ENV__myhint:__ENV__myname"
+
+ Example specified indirectly by a single environment variable:
+
+ - mykey="myhint:pkcs11:object=foo" (.der could be used too)
+ - CONFIG_CRYPTO_PUBLIC_KEYS="__ENV__mykey"
+
config CRYPTO_KEYSTORE
bool "Keystore"
help
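Review bot: in the two-variable example the environment variable and its value are both called "myhint", and the variable holding the key URI is called "myname", which reads as if it held the key-name hint; distinct names such as KEYHINT="myhint" and KEYPATH="pkcs11:object=foo" would make the mapping to `__ENV__KEYHINT:__ENV__KEYPATH` obvious. Also spell out "(.der could be used too)" as "a file path such as /foobar/baz.der works too", matching the direct examples above, and state that multiple keyspecs are separated by spaces, which the third and fourth direct examples rely on without saying so.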
--
2.39.5
* Re: [PATCH v3 1/3] keytoc: mark keyspec user input as readonly
From: Sascha Hauer @ 2025-08-19 6:04 UTC (permalink / raw)
To: barebox, Marco Felsch
On Mon, 18 Aug 2025 19:08:13 +0200, Marco Felsch wrote:
> Don't manipulate the user input and instead allocate the keyname and path
> always to drop the usage of freep. Move the keyspec parsing code into a
> helper to increase the readability further while on it.
>
> This prepares keytoc to handle a keyspec provided by a single environment
> variable.
>
> [...]
Applied, thanks!
[1/3] keytoc: mark keyspec user input as readonly
https://git.pengutronix.de/cgit/barebox/commit/?id=ca644bd8867b (link may not be stable)
[2/3] keytoc: add support to handle single env keyspec
https://git.pengutronix.de/cgit/barebox/commit/?id=230bf888f296 (link may not be stable)
[3/3] crypto: add examples to CRYPTO_PUBLIC_KEYS
https://git.pengutronix.de/cgit/barebox/commit/?id=cbe0ca3dc123 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>