From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 2/6] crypto: Allow to include development keys in build
Date: Thu, 21 Aug 2025 15:18:25 +0200 [thread overview]
Message-ID: <20250821-keynames-v1-2-8144af76d0ab@pengutronix.de> (raw)
In-Reply-To: <20250821-keynames-v1-0-8144af76d0ab@pengutronix.de>
Pengutronix has published well known RSA and ECDSA keys for development
purposes. This adds the public keys to the tree and adds
CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS. By enabling this option these
keys will be built into the barebox binary to allow for easy signing
tests.
As these keys obviously should not show up in a production build this
option selects HAS_INSECURE_DEFAULTS.
The private keys for the well known development keys can be found at
[1].
[1] https://git.pengutronix.de/cgit/ptx-code-signing-dev/
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Documentation/user/security.rst | 5 +++++
crypto/Kconfig | 4 ++++
crypto/Makefile | 9 +++++++++
crypto/fit-4096-development.crt | 33 +++++++++++++++++++++++++++++++++
crypto/fit-ecdsa-development.crt | 13 +++++++++++++
5 files changed, 64 insertions(+)
diff --git a/Documentation/user/security.rst b/Documentation/user/security.rst
index cc15c8b512b277dc4480b67d5e378958ac916a1a..357ea86a1d9abcc49b0d01ad24981e90d1e3fc45 100644
--- a/Documentation/user/security.rst
+++ b/Documentation/user/security.rst
@@ -81,6 +81,11 @@ be allowed to boot any images that have not been signed by the correct key.
This can be enforced by setting ``CONFIG_BOOTM_FORCE_SIGNED_IMAGES=y``
and disabling any ways that could use used to override this.
+For development convenience ``CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS`` keys
+can be used to compile in well known development keys into the barebox binary.
+The private keys for these keys can be found
+`[here] <https://git.pengutronix.de/cgit/ptx-code-signing-dev>`__
+
Disabling the shell
^^^^^^^^^^^^^^^^^^^
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 4f9cc3e6a560b653225efd70246ad1d79a451f78..f1f9b9bb80cfc88836c6b6b384bd8b089108b412 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -145,6 +145,10 @@ config CRYPTO_PUBLIC_KEYS
corresponding value in the environment variable VAR_NAME for both
public key paths/URIs as well as key name hints.
+config CRYPTO_BUILTIN_DEVELOPMENT_KEYS
+ select HAS_INSECURE_DEFAULTS
+ bool "Include development keys in build"
+
config CRYPTO_KEYSTORE
bool "Keystore"
help
diff --git a/crypto/Makefile b/crypto/Makefile
index 7148aecb4a8e2275a62b25c834b1743c156a7f91..481bbec81bb2da3fbaea20c6e4eb32d6c79be4b0 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -33,6 +33,15 @@ $(obj)/public-keys.o: $(obj)/public-keys.h
CONFIG_CRYPTO_PUBLIC_KEYS := $(shell echo $(CONFIG_CRYPTO_PUBLIC_KEYS))
CONFIG_CRYPTO_PUBLIC_KEYS := $(foreach d,$(CONFIG_CRYPTO_PUBLIC_KEYS),"$(d)")
+ifdef CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS
+ifdef CONFIG_CRYPTO_RSA
+CONFIG_CRYPTO_PUBLIC_KEYS += rsa-devel:$(srctree)/crypto/fit-4096-development.crt
+endif
+ifdef CONFIG_CRYPTO_ECDSA
+CONFIG_CRYPTO_PUBLIC_KEYS += ecdsa-devel:$(srctree)/crypto/fit-ecdsa-development.crt
+endif
+endif
+
filechk_public_keys_dummy = echo
$(obj)/public-keys.h: FORCE
diff --git a/crypto/fit-4096-development.crt b/crypto/fit-4096-development.crt
new file mode 100644
index 0000000000000000000000000000000000000000..dffba216b9c671899bb7c12fb1560e2431b9aa6e
--- /dev/null
+++ b/crypto/fit-4096-development.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFpzCCA4+gAwIBAgIUFUQCZBUFYriH8+8jb1A9eJv5N30wDQYJKoZIhvcNAQEL
+BQAwXTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50
+IHNpZ25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5k
+ZTAgFw0xOTEwMDExMzA1MThaGA8yMTE5MDkwNzEzMDUxOFowXTEUMBIGA1UECgwL
+UGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMw
+IQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAMmR5Io1H6qALxBC2sUi548qoU6axIpZ3+yar0gj
+A1FF79nRJZNa+EcIgaMCaf+Ft7DseIAEhBzNsZQ1sj2GVEf9W7WXlSbziET1n8PC
+aC097W20kziMNOAZOjFIdy24AbcW2yhhpBXsKtzm9V0DlnGN2QM3yxbqKD1iUOl/
+iInM5KwNKxp8KboR5W/LTnUGUYw3ryFVbxJEY0YqqwMOaSk8vzLf0iSf8gu6iabS
+ELJEONst0ah3glZj+mRelVdbHDZh6/PpEQ9fQ4QqLOgy1qtqQhT8J0poDOE9BVnC
+bDIjbWvq7UavpBu0YzjmG26r7pN75DK0E0UHgGH3Z7jhophkGMYlYfarjjFRujSd
+ocpU2tEvxDykFELyvQPG5w7pedtlz5jFRzrS11RrcCsfcUFMf9g+2qKpZlSUhkHg
+DDYtDRBYam7hnV7if9nCsLaGwpZM9Fm2zJSOFATO1eKj9yUpMYqI0SobTR7XRNyr
+Rd66J0SWlPsg4IDaG1i4ieE7UNDgAtURBCRqu7PZPAEovurPlV+8lbZRljCI2wRg
+JfJaoF17AKa0a5raH2kIBD1b3EgCG7nIfyaqR4bPLxwYlm/ymXTnv7zImEBP3ffy
+mPK8m2Wtw4Sr8ze1+fcpjmCyCxwe918YuW0AOtQ2nmBOCpz4iWhA61HHK5RYzASM
+Bq6LAgMBAAGjXTBbMAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQW
+BBRscfq3jG3UfwhRTQyiWoStdF/WFzAfBgNVHSMEGDAWgBRscfq3jG3UfwhRTQyi
+WoStdF/WFzANBgkqhkiG9w0BAQsFAAOCAgEAp6suTnOCSormgkuhopR5Sk0nl1ME
++DSxB56E6HVOgP2lXfNAYtfjdZwPtD2cCMyZD9m0w5usXUb+XFzW4L4AFsBnwbuu
+3/082u/qF21v7sEhdi83p3ordHnevc5HTTN0mfUNlqsCG+sCL+w+IQEWvHii4Hnc
+MPv6xbEhxU0ahTpByFwj0+YFPMq4nwQi6pqZCCP7qm0UV+T5+W8CnCivDq9laX+g
+RyJIPgH67ZFQlnnhjSqNq+7yF3Ac0U3IcMKSMaCOCIxuh+QfgHqE9jP62pRblpJx
+UPX5WF9/tBQ7757UEj+nHRKpgnJQzQ6Ks8/7FVmvbY9g9KWEIfeULsT8M1qMdW1E
+bZqleKhEySQbqUyIM29SpIfqd8unBecKFELfVf47TTEbWQRSExRMDGs31MXnvsiP
+jCSW7+BZNBwRXAyR3jB2ludw7DpZJk/VzTf2tja/FPl0sGSG0ggdmGHDnvHApQn5
+RidvJEyQSv+hfn6x+wE0nWpY2/+bV9RvOPwZnLsYkb9falnLwBlTpwa2uX6o4LP1
+8orfuQn3SrfRRKuaVwzjRvkb2fw15745mmOWK/VVtrHD8B3kA6cmTW3JEace+wma
+qCeFbwawz4vZpYCV4hQm06YefDRwZ4zBnkPnkN8i0Wqnb2kJUk5YrWKMZyFagAFU
+Yu8PytQLFKL1pZU=
+-----END CERTIFICATE-----
diff --git a/crypto/fit-ecdsa-development.crt b/crypto/fit-ecdsa-development.crt
new file mode 100644
index 0000000000000000000000000000000000000000..490d48b93a094ca5ed6fe507193a19eeb35683ae
--- /dev/null
+++ b/crypto/fit-ecdsa-development.crt
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+jCCAaCgAwIBAgIUPWGk8K75jmaLrLI7VkbZQwbJuU4wCgYIKoZIzj0EAwIw
+XTEUMBIGA1UECgwLUGVuZ3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNp
+Z25pbmcga2V5MSMwIQYJKoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTAg
+Fw0yNDA3MjYwOTM5NTZaGA8yMTI0MDcwMjA5Mzk1NlowXTEUMBIGA1UECgwLUGVu
+Z3V0cm9uaXgxIDAeBgNVBAMMF0RldmVsb3BtZW50IHNpZ25pbmcga2V5MSMwIQYJ
+KoZIhvcNAQkBFhRkZWJ1Z0BwZW5ndXRyb25peC5kZTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABKMAmtjmHz3Rka9SaUmDjTgNzdo8CYxmz23xurgcyoNVajjpNGv1
+XwXxG0Hr+l/ehwnes77wtrYwYLyAlvFAdE2jPDA6MAwGA1UdEwEB/wQCMAAwCwYD
+VR0PBAQDAgeAMB0GA1UdDgQWBBQ5gyCsUddXXclJHHRUH+w2+R0N2jAKBggqhkjO
+PQQDAgNIADBFAiAfMkyM1n7JYCYqvYq4YdbWD8q2kZvVYhRK7gKIRZNUjAIhAKng
+1plXACT2UcKDQV9+o3qbve9LDV3aASRmZz47DX+0
+-----END CERTIFICATE-----
--
2.39.5
next prev parent reply other threads:[~2025-08-21 17:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-21 13:18 [PATCH 0/6] crypto: keys: Some work for public keys Sascha Hauer
2025-08-21 13:18 ` [PATCH 1/6] crypto: drop BOOTM_FITIMAGE_PUBKEY Sascha Hauer
2025-08-21 13:18 ` Sascha Hauer [this message]
2025-08-21 13:18 ` [PATCH 3/6] crypto: include public key hashes Sascha Hauer
2025-08-21 13:18 ` [PATCH 4/6] commands: add keys command Sascha Hauer
2025-08-21 13:18 ` [PATCH 5/6] fit: consistently pass around fit_handle Sascha Hauer
2025-08-21 13:18 ` [PATCH 6/6] fit: improve diagnostics Sascha Hauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250821-keynames-v1-2-8144af76d0ab@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox