From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 0/6] crypto: keys: Some work for public keys
Date: Thu, 21 Aug 2025 15:18:23 +0200 [thread overview]
Message-ID: <20250821-keynames-v1-0-8144af76d0ab@pengutronix.de> (raw)
Traditionally we included public keys in the form of dts snippets generated
by U-Boot mkImage and compiled into the barebox device trees. We can now
include public keys directly as C structs from the public key PEM files
or PKCS#11 URIs which is easier to integrate. Nevertheless the dts
snippet way is still present which makes the configuration slightly
confusing. Remove this old way for good to make configuration easier
and to get rid of some maintenance burden.
Another point tackled in this series is that we can compile multiple
keys into the binary, but the user is left without a clue which key
is finally used. This series adds a sha256 hash over the public keys
to struct public_key which can be printed along the key to identify it.
Finally Pengutronix created a set of well known development keys for
convenient testing of secure boot chains. This series adds a new option
to compile the public key parts into the barebox binary with a single
knob. With this images signed with these keys can easily be tested
without the need of a BSP or adding the paths to the keys into Kconfig.
Finally the output of the FIT image code is improved. It has become very
verbose when used with FIT images containing multiple device tree
overlays. The information is now hidden behind the verbose option which
can be activated with bootm -v or global.bootm.verbose=1.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (6):
crypto: drop BOOTM_FITIMAGE_PUBKEY
crypto: Allow to include development keys in build
crypto: include public key hashes
commands: add keys command
fit: consistently pass around fit_handle
fit: improve diagnostics
Documentation/user/security.rst | 5 ++
arch/arm/dts/imx6dl-phytec-pbab01.dts | 3 --
arch/arm/dts/imx6dl-phytec-phyboard-subra.dts | 3 --
arch/arm/dts/imx6dl-phytec-phycore-som-emmc.dts | 3 --
arch/arm/dts/imx6dl-phytec-phycore-som-lc-emmc.dts | 3 --
arch/arm/dts/imx6dl-phytec-phycore-som-lc-nand.dts | 3 --
arch/arm/dts/imx6dl-phytec-phycore-som-nand.dts | 3 --
arch/arm/dts/imx6q-phytec-pbab01.dts | 3 --
arch/arm/dts/imx6q-phytec-phyboard-alcor.dts | 3 --
arch/arm/dts/imx6q-phytec-phyboard-subra.dts | 3 --
arch/arm/dts/imx6q-phytec-phycard.dts | 4 --
arch/arm/dts/imx6q-phytec-phycore-som-emmc.dts | 3 --
arch/arm/dts/imx6q-phytec-phycore-som-nand.dts | 3 --
arch/arm/dts/imx6qp-phytec-phycore-som-nand.dts | 3 --
arch/arm/dts/imx6s-phytec-pbab01.dts | 3 --
arch/arm/dts/imx6ul-phytec-phycore-som-emmc.dts | 3 --
arch/arm/dts/imx6ul-phytec-phycore-som-nand.dts | 3 --
arch/arm/dts/imx6ul-tqma6ul-common.dtsi | 4 --
arch/arm/dts/imx6ul-webasto-ccbv2.dts | 4 --
arch/arm/dts/imx6ul-webasto-marvel.dts | 4 --
arch/arm/dts/imx6ull-phytec-phycore-som-emmc.dts | 3 --
.../arm/dts/imx6ull-phytec-phycore-som-lc-nand.dts | 3 --
arch/arm/dts/imx6ull-phytec-phycore-som-nand.dts | 3 --
arch/arm/dts/stm32mp133c-mect1s.dts | 4 --
arch/arm/dts/stm32mp133c-prihmb.dts | 4 --
arch/arm/dts/stm32mp151c-plyaqm.dts | 4 --
commands/Kconfig | 7 +++
commands/Makefile | 1 +
commands/keys.c | 30 +++++++++++
common/Kconfig | 32 ------------
common/boards/qemu-virt/fitimage-pubkey.dts | 4 --
common/image-fit.c | 40 ++++++++++-----
crypto/Kconfig | 7 +--
crypto/Makefile | 9 ++++
crypto/fit-4096-development.crt | 33 ++++++++++++
crypto/fit-ecdsa-development.crt | 13 +++++
crypto/public-keys.c | 6 ++-
include/crypto/public_key.h | 2 +
scripts/Makefile.lib | 12 -----
scripts/keytoc.c | 59 ++++++++++++++++++++++
40 files changed, 194 insertions(+), 148 deletions(-)
---
base-commit: 525ccfb5ac381c06898e6403e12ec8c34c42c0f8
change-id: 20250821-keynames-95b43a99e8c5
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>