* [PATCH v4 1/8] scripts: include: Add string_util.h for strsep_unescaped
2026-03-17 15:19 [PATCH v4 0/8] Allow multiple keyspecs in one environment variable Jonas Rebmann
@ 2026-03-17 15:19 ` Jonas Rebmann
2026-03-17 15:19 ` [PATCH v4 2/8] crypto: keytoc: Improve readability Jonas Rebmann
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
lib/string.c has strsep_unescaped() that will be useful for the keytoc
host tool to split ENV specs at spaces not preceded by a backslash in a
future commit.
In preparation, create scripts/include/string_util.h with a copy of that
function as to have it available in host tools.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/include/string_util.h | 65 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/scripts/include/string_util.h b/scripts/include/string_util.h
new file mode 100644
index 0000000000..e71aa60d26
--- /dev/null
+++ b/scripts/include/string_util.h
@@ -0,0 +1,65 @@
+#ifndef _TOOLS_STRING_UTIL_H_
+#define _TOOLS_STRING_UTIL_H_
+
+#include <linux/types.h>
+#include <stddef.h>
+
+// SPDX-SnippetBegin
+// SPDX-Snippet-Comment: Origin-URL: https://git.pengutronix.de/cgit/barebox/tree/lib/string.c?id=dfcf686f94a5a5387660f2afab79a714baab828a
+
+/**
+ * strsep_unescaped - Split a string into tokens, while ignoring escaped delimiters
+ * @s: The string to be searched
+ * @ct: The delimiter characters to search for
+ * @delim: optional pointer to store found delimiter into
+ *
+ * strsep_unescaped() behaves like strsep unless it meets an escaped delimiter.
+ * In that case, it shifts the string back in memory to overwrite the escape's
+ * backslash then continues the search until an unescaped delimiter is found.
+ *
+ * On end of string, this function returns NULL. As long as a non-NULL
+ * value is returned and @delim is not NULL, the found delimiter will
+ * be stored into *@delim.
+ */
+static char *strsep_unescaped(char **s, const char *ct, char *delim)
+{
+ char *sbegin = *s, *hay;
+ const char *needle;
+ size_t shift = 0;
+
+ if (sbegin == NULL)
+ return NULL;
+
+ for (hay = sbegin; *hay != '\0'; ++hay) {
+ *hay = hay[shift];
+
+ if (*hay == '\\') {
+ *hay = hay[++shift];
+ if (*hay != '\\')
+ continue;
+ }
+
+ for (needle = ct; *needle != '\0'; ++needle) {
+ if (*hay == *needle)
+ goto match;
+ }
+ }
+
+ *s = NULL;
+ if (delim)
+ *delim = '\0';
+ return sbegin;
+
+match:
+ if (delim)
+ *delim = *hay;
+ *hay = '\0';
+ *s = &hay[shift + 1];
+
+ return sbegin;
+}
+
+// SPDX-SnippetEnd
+
+
+#endif /* _TOOLS_STRING_UTIL_H_ */
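Review bot: the scan loop in strsep_unescaped() tests the not-yet-shifted byte `*hay` in its condition, so once an escape has raised `shift` and the terminator has already been copied in by `*hay = hay[shift]`, the loop keeps walking the original bytes until it reaches the original NUL and reads `hay[shift]` up to shift - 1 bytes past the end of the string (for the input `a\ b\ c`, shift is 2 when the iteration at the original 'c' runs and it reads one byte beyond the terminator). Consider breaking out as soon as the copied character is '\0', both after `*hay = hay[shift];` and after the `*hay = hay[++shift];` in the backslash branch, and apply the same fix to the lib/string.c origin the SPDX snippet comment points at. Also, a non-inline `static` function in a header produces -Wunused-function in every host source that includes it without calling it; `static inline` avoids that.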
--
2.53.0.308.g50d063e335
* [PATCH v4 2/8] crypto: keytoc: Improve readability
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
In preparation to a bigger change in the handling of the arguments list,
update variable names, function names and comments to improve
readability.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/keytoc.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 77ada3af45..135a396d34 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -6,9 +6,10 @@
* URI to a C struct suitable to compile with barebox.
*
* TODO: Find a better way for reimport_key()
- *
*/
-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" /* ENGINE deprecated in OpenSSL 3.0 */
+
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -784,7 +785,7 @@ static bool parse_info(char *p, struct keyinfo *out)
}
}
-static bool get_name_path(const char *keyspec, struct keyinfo *out)
+static bool parse_keyspec(const char *keyspec, struct keyinfo *out)
{
char *sep, *spec;
@@ -814,7 +815,7 @@ static bool get_name_path(const char *keyspec, struct keyinfo *out)
int main(int argc, char *argv[])
{
- int i, opt, ret;
+ int keys_idx, opt, ret;
char *outfile = NULL;
int keycount;
struct keyinfo *keylist;
@@ -855,9 +856,9 @@ int main(int argc, char *argv[])
keycount = argc - optind;
keylist = calloc(sizeof(struct keyinfo), keycount);
- for (i = 0; i < keycount; i++) {
- const char *keyspec = try_resolve_env(argv[optind + i]);
- struct keyinfo *info = &keylist[i];
+ for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
+ const char *keyspec = try_resolve_env(argv[optind + keys_idx]);
+ struct keyinfo *info = &keylist[keys_idx];
if (!keyspec)
exit(1);
@@ -865,7 +866,7 @@ int main(int argc, char *argv[])
if (!strncmp(keyspec, "pkcs11:", 7)) { // legacy format of pkcs11 URI
info->path = strdup(keyspec);
} else {
- if (!get_name_path(keyspec, info)) {
+ if (!parse_keyspec(keyspec, info)) {
fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
exit(1);
}
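Review bot: the error path in this hunk still prints `optind` in `"invalid keyspec %i: %s\n"`, so every rejected keyspec reports the same number regardless of which argument failed; since the loop variable is being renamed here anyway, print `keys_idx + 1` (or `optind + keys_idx`) instead.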
@@ -885,14 +886,14 @@ int main(int argc, char *argv[])
}
- for (i = 0; i < keycount; i++) {
- struct keyinfo *info = &keylist[i];
+ for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
+ struct keyinfo *info = &keylist[keys_idx];
/* resolve __ENV__ for name_hint and path */
info->name_hint = try_resolve_env(info->name_hint);
info->path = try_resolve_env(info->path);
- if (asprintf(&info->name_c, "key_%i", i + 1) < 0)
+ if (asprintf(&info->name_c, "key_%i", keys_idx + 1) < 0)
enomem_exit("asprintf");
/* unfortunately, the fit name hint is mandatory in the barebox codebase */
@@ -901,7 +902,7 @@ int main(int argc, char *argv[])
if (!info->keyring) {
info->keyring = strdup("fit");
- fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", argv[optind + i]);
+ fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", argv[optind + keys_idx]);
}
ret = gen_key(info);
--
2.53.0.308.g50d063e335
* [PATCH v4 3/8] crypto: keytoc: Move special handling of legacy pkcs11 format to parse_keyspec
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
This is a preparatory cleanup commit.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/keytoc.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 135a396d34..6d680422a6 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -787,6 +787,11 @@ static bool parse_info(char *p, struct keyinfo *out)
static bool parse_keyspec(const char *keyspec, struct keyinfo *out)
{
+ if (!strncmp(keyspec, "pkcs11:", 7)) { /* legacy format of pkcs11 URI */
+ out->path = strdup(keyspec);
+ return true;
+ }
+
char *sep, *spec;
spec = strdup(keyspec);
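Review bot: the early `pkcs11:` return is inserted above the `char *sep, *spec;` declaration, which leaves a declaration after a statement in parse_keyspec(); keep the declarations at the top of the function and place the strncmp() check after them, matching the surrounding style.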
@@ -863,13 +868,9 @@ int main(int argc, char *argv[])
if (!keyspec)
exit(1);
- if (!strncmp(keyspec, "pkcs11:", 7)) { // legacy format of pkcs11 URI
- info->path = strdup(keyspec);
- } else {
- if (!parse_keyspec(keyspec, info)) {
- fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
- exit(1);
- }
+ if (!parse_keyspec(keyspec, info)) {
+ fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
+ exit(1);
}
}
--
2.53.0.308.g50d063e335
* [PATCH v4 4/8] crypto: keytoc: Parse all keyspecs before writing to stdout
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
To catch errors before writing (partial) C code and for better overall
code structure, preprocess and convert to C key data in two different
loops.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/keytoc.c | 42 ++++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 6d680422a6..8c3c7d7c3f 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -859,11 +859,15 @@ int main(int argc, char *argv[])
}
keycount = argc - optind;
- keylist = calloc(sizeof(struct keyinfo), keycount);
+ keylist = calloc(keycount, sizeof(*keylist));
+ if (!keylist)
+ enomem_exit("keylist");
+
+ /* parse each keyspec */
for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
- const char *keyspec = try_resolve_env(argv[optind + keys_idx]);
struct keyinfo *info = &keylist[keys_idx];
+ const char *keyspec = try_resolve_env(argv[optind + keys_idx]);
if (!keyspec)
exit(1);
@@ -872,23 +876,6 @@ int main(int argc, char *argv[])
fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
exit(1);
}
- }
-
- if (dts) {
- fprintf(outfilep, "/dts-v1/;\n");
- fprintf(outfilep, "/ {\n");
- if (standalone)
- fprintf(outfilep, "\tsignature-standalone {\n");
- else
- fprintf(outfilep, "\tsignature {\n");
- } else if (standalone) {
- fprintf(outfilep, "#include <crypto/ecdsa.h>\n");
- fprintf(outfilep, "#include <crypto/rsa.h>\n");
- }
-
-
- for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
- struct keyinfo *info = &keylist[keys_idx];
/* resolve __ENV__ for name_hint and path */
info->name_hint = try_resolve_env(info->name_hint);
@@ -905,12 +892,27 @@ int main(int argc, char *argv[])
info->keyring = strdup("fit");
fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", argv[optind + keys_idx]);
}
+ }
+
+ /* write out C representation */
+ if (dts) {
+ fprintf(outfilep, "/dts-v1/;\n");
+ fprintf(outfilep, "/ {\n");
+ if (standalone)
+ fprintf(outfilep, "\tsignature-standalone {\n");
+ else
+ fprintf(outfilep, "\tsignature {\n");
+ } else if (standalone) {
+ fprintf(outfilep, "#include <crypto/ecdsa.h>\n");
+ fprintf(outfilep, "#include <crypto/rsa.h>\n");
+ }
+ for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
+ struct keyinfo *info = &keylist[keys_idx];
ret = gen_key(info);
if (ret)
exit(1);
}
-
if (dts) {
fprintf(outfilep, "\t};\n");
fprintf(outfilep, "};\n");
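Review bot: parse errors are now caught before any output, but a non-zero return from gen_key() still hits `exit(1)` after the `/dts-v1/;` or `#include` header has been written to outfilep, so a partially written output file can remain when `outfile` names a path; consider writing to a temporary file and renaming on success, or unlinking the output on failure.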
--
2.53.0.308.g50d063e335
* [PATCH v4 5/8] crypto: keytoc: Split env-provided full keyspec on spaces
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
keytoc/CONFIG_CRYPTO_PUBLIC_KEYS can work with a complete keyspec
provided by an environment variable as opposed to providing single URIs.
This would be a very useful feature if it could also provide any number
of keys. Kconfig however provides keytoc with regular keyspecs already
split at spaces so without further measures, the env variable can only
be expanded into a single key.
If a complete argument is provided via __ENV, split it at any space
character that is not escaped with a backslash in front of it. An
actual backslash in a path needs to be escaped with another backslash.
Try to expand and validate input as much as possible before starting to
output any generated C code.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/keytoc.c | 60 ++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 48 insertions(+), 12 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index 8c3c7d7c3f..aca6547136 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -10,6 +10,8 @@
#pragma GCC diagnostic ignored "-Wdeprecated-declarations" /* ENGINE deprecated in OpenSSL 3.0 */
+#include "include/string_util.h"
+
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -30,6 +32,7 @@
#include <ctype.h>
struct keyinfo {
+ char *spec;
char *name_hint;
char *keyring;
char *path;
@@ -785,8 +788,10 @@ static bool parse_info(char *p, struct keyinfo *out)
}
}
-static bool parse_keyspec(const char *keyspec, struct keyinfo *out)
+static bool parse_keyspec(struct keyinfo *out)
{
+ const char *keyspec = out->spec;
+
if (!strncmp(keyspec, "pkcs11:", 7)) { /* legacy format of pkcs11 URI */
out->path = strdup(keyspec);
return true;
@@ -820,9 +825,9 @@ static bool parse_keyspec(const char *keyspec, struct keyinfo *out)
int main(int argc, char *argv[])
{
- int keys_idx, opt, ret;
+ int keys_idx, arg_idx, opt, ret;
char *outfile = NULL;
- int keycount;
+ size_t keycount, num_positionals;
struct keyinfo *keylist;
outfilep = stdout;
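Review bot: `keycount` and `num_positionals` become size_t while `keys_idx` and `arg_idx` stay int, so the `arg_idx < num_positionals` and `keys_idx < keycount` loop conditions in the following hunk mix signed and unsigned operands (-Wsign-compare); either keep the counts as int like argc and optind, or make the indices size_t as well.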
@@ -858,22 +863,53 @@ int main(int argc, char *argv[])
exit(1);
}
- keycount = argc - optind;
+
+ num_positionals = argc - optind;
+ keycount = num_positionals;
+
keylist = calloc(keycount, sizeof(*keylist));
if (!keylist)
enomem_exit("keylist");
+ keys_idx = 0;
+ /* expand arguments given as environment variables into one or multiple keyspecs */
+ for (arg_idx = 0; arg_idx < num_positionals; arg_idx++) {
+ char *arg = argv[optind + arg_idx];
+ const char *resolved = try_resolve_env(arg);
+
+ if (!resolved)
+ exit(1);
+
+ if (arg == resolved) {
+ keylist[keys_idx].spec = strdup(arg);
+ keys_idx++;
+ } else {
+ char *keyspecs = strdup(resolved);
+ char *keyspec;
+
+ /* Keyspec given as env Variable,
+ * remove it and add an arbitrary number of keyspecs from its contents
+ */
+ keycount--;
+ while ((keyspec = strsep_unescaped(&keyspecs, " ", NULL))) {
+ keycount++;
+ keylist = reallocarray(keylist, keycount, sizeof(*keylist));
+ if (!keylist)
+ enomem_exit("realloc keylist");
+ bzero(keylist + (keycount - 1), sizeof(*keylist));
+ keylist[keys_idx].spec = keyspec;
+ keys_idx++;
+ }
+ }
+ }
+
/* parse each keyspec */
for (keys_idx = 0; keys_idx < keycount; keys_idx++) {
struct keyinfo *info = &keylist[keys_idx];
- const char *keyspec = try_resolve_env(argv[optind + keys_idx]);
-
- if (!keyspec)
- exit(1);
-
- if (!parse_keyspec(keyspec, info)) {
- fprintf(stderr, "invalid keyspec %i: %s\n", optind, keyspec);
+ if (!parse_keyspec(info)) {
+ fprintf(stderr, "invalid keyspec %i: %s\n", optind,
+ info->spec);
exit(1);
}
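Review bot: reallocarray() and bzero() are the portability concerns in this hunk: reallocarray() needs _GNU_SOURCE (or _DEFAULT_SOURCE) on glibc and is absent on older glibc and some other hosts that build the barebox tools, and bzero() is a legacy BSD interface; `realloc()` with an explicit overflow check plus `memset()` keeps the host tool building everywhere. Two behavioural points: strsep_unescaped() only returns NULL for a NULL input and otherwise returns the remaining string even when it is empty, so an empty environment variable or two consecutive spaces produce an empty `spec` that later fails in parse_keyspec() with 'invalid keyspec' instead of being skipped; a `if (!*keyspec) continue;` before the `keycount++` makes the split forgiving. And the error message in the parse loop still prints `optind`, which after expansion no longer corresponds to any argument; since `info->spec` is printed, drop the number or print `keys_idx + 1`.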
@@ -890,7 +926,7 @@ int main(int argc, char *argv[])
if (!info->keyring) {
info->keyring = strdup("fit");
- fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", argv[optind + keys_idx]);
+ fprintf(stderr, "Warning: No keyring provided in keyspec, defaulting to keyring=fit for %s\n", info->path);
}
}
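Review bot: the keyring warning now prints `info->path`, which for a non-legacy keyspec is only the URI part after the colon; `info->spec` identifies the offending keyspec as the user wrote it and is already available here.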
--
2.53.0.308.g50d063e335
* [PATCH v4 6/8] Documentation: migration-guides: Document change in keyspec env vars
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
Only users providing complete keyspecs containing backslashes or spaces
via an environment variable are affected by this change in the handling
of keytoc's command line arguments.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
Documentation/migration-guides/migration-master.rst | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/Documentation/migration-guides/migration-master.rst b/Documentation/migration-guides/migration-master.rst
index 42e370d42f..9d1756bdc4 100644
--- a/Documentation/migration-guides/migration-master.rst
+++ b/Documentation/migration-guides/migration-master.rst
@@ -1,5 +1,22 @@
:orphan:
+CONFIG_CRYPTO_PUBLIC_KEYS
+-------------------------
+
+The syntax of keytoc keyspecs when fully provided via an environment variable
+was slightly changed to allow any number of keyspecs to be provided via an
+environment variable. Such environment variables are now split at spaces to be
+interpreted as multiple keyspecs. Any literal spaces and backslashes contained
+in such keyspecs need to be escaped with a backslash.
+
+This only applies to the form:
+
+ CONFIG_CRYPTO_PUBLIC_KEYS="__ENV__A"
+
+While the interpretation of environment variables specifying hint or URI remains unchanged:
+
+ CONFIG_CRYPTO_PUBLIC_KEYS="keyring=kr:__ENV__B"
+
ARM i.MX HAB
------------
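Review bot: in reStructuredText the two indented `CONFIG_CRYPTO_PUBLIC_KEYS=...` lines are not literal blocks, because the paragraphs before them end with a plain `:` rather than `::`; Sphinx renders them as block quotes instead of code. End 'This only applies to the form:' and the second lead-in with '::' so the examples render verbatim. Also, 'While the interpretation of environment variables specifying hint or URI remains unchanged:' is a sentence fragment; 'The interpretation of environment variables specifying a hint or URI remains unchanged::' reads better.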
--
2.53.0.308.g50d063e335
* [PATCH v4 7/8] crypto: keytoc: Allow fields to start with underscore
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
During the rewrite of keyspec handling for the new keyring syntax, a
restrictive character set was chosen for keys and values in the comma
separated list of key parameters:
[a-zA-Z][a-zA-Z0-9_-]*
Because __ENV expansion happens in a later step, excluding underscores
from allowed start characters broke the apparently unused feature of
passing only the (now obsolete) "fit-hint" via an environment variable
as documented in crypto/Kconfig:
CONFIG_CRYPTO_PUBLIC_KEYS="keyring=fit,fit-hint=__ENV__myhint:__ENV__myname"
Allow fields to start with an underscore just for now.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
scripts/keytoc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index aca6547136..c4491fbe81 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -720,8 +720,8 @@ static bool is_identifier(char **s)
{
char *p = *s;
- /* [a-zA-Z] */
- if (!isalpha(*p))
+ /* [a-zA-Z_] */
+ if (!(isalpha(*p) || *p == '_'))
return false;
p++;
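Review bot: this hunk is reverted byte-for-byte by 8/8 in the same series (`/* [a-zA-Z] */` and `if (!isalpha(*p))` come back), so once the series is applied is_identifier() is unchanged; unless the intermediate state is wanted for bisecting, squash 7/8 into 8/8 or drop it, and if it stays, the comment should say the relaxation is temporary so nobody starts relying on underscore-prefixed fields. Note also that, as the commit message says the character set covers keys and values, this relaxation applies to both, which is broader than the fit-hint=__ENV__ case it targets.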
--
2.53.0.308.g50d063e335
* [PATCH v4 8/8] crypto: keytoc: Deprecate fit-hint from env variable
From: Jonas Rebmann @ 2026-03-17 15:19 UTC (permalink / raw)
To: Sascha Hauer, BAREBOX; +Cc: Ahmad Fatoum, Marco Felsch, Jonas Rebmann
Specification of fit-hints as env variable was broken since identifiers
were forbidden to start with underscores in 2025.12. As the fit-hint
feature is considered legacy, officially deprecate this way of
specifying fit-hints.
Signed-off-by: Jonas Rebmann <jre@pengutronix.de>
---
Documentation/migration-guides/migration-master.rst | 4 ++++
crypto/Kconfig | 7 +++----
scripts/keytoc.c | 7 +++----
3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/Documentation/migration-guides/migration-master.rst b/Documentation/migration-guides/migration-master.rst
index 9d1756bdc4..58efc225cb 100644
--- a/Documentation/migration-guides/migration-master.rst
+++ b/Documentation/migration-guides/migration-master.rst
@@ -17,6 +17,10 @@ While the interpretation of environment variables specifying hint or URI remains
CONFIG_CRYPTO_PUBLIC_KEYS="keyring=kr:__ENV__B"
+Fit hints can no longer be specified by environment variables using the __ENV__
+syntax. This functionality was broken since the last change to the keyspec
+syntax in 2025.12.
+
ARM i.MX HAB
------------
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 528e9a0d22..0a6b5758b7 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -153,7 +153,7 @@ config CRYPTO_PUBLIC_KEYS
Placeholders such as __ENV__VAR_NAME can be used to look up the
corresponding value in the environment variable VAR_NAME for public
- key paths/URIs as well as key name hints.
+ key paths/URIs.
Examples specified directly:
@@ -162,11 +162,10 @@ config CRYPTO_PUBLIC_KEYS
- CONFIG_CRYPTO_PUBLIC_KEYS="keyring=fit,fit-hint=myhint:pkcs11:object=foo keyring=fit:/foobar/baz.der"
- CONFIG_CRYPTO_PUBLIC_KEYS="keyring=fit,fit-hint=myhint:pkcs11:object=foo keyring=fit,fit-hint=myotherhint:/foobar/baz.der"
- Example specified indirectly by two environment variables:
+ Example specifying the path by environment variable:
- - myhint="myhint"
- myname="pkcs11:object=foo" (.der could be used too)
- - CONFIG_CRYPTO_PUBLIC_KEYS="keyring=fit,fit-hint=__ENV__myhint:__ENV__myname"
+ - CONFIG_CRYPTO_PUBLIC_KEYS="keyring=fit,fit-hint=hint:__ENV__myname"
Example specified indirectly by a single environment variable:
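Review bot: the help text above this hunk still only says that `__ENV__VAR_NAME` placeholders work for public key paths/URIs; since the hint form is being removed deliberately, a short sentence stating that key name hints cannot be looked up from the environment would stop users from trying the old `fit-hint=__ENV__...` example that is deleted here.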
diff --git a/scripts/keytoc.c b/scripts/keytoc.c
index c4491fbe81..49cb10f3f5 100644
--- a/scripts/keytoc.c
+++ b/scripts/keytoc.c
@@ -720,8 +720,8 @@ static bool is_identifier(char **s)
{
char *p = *s;
- /* [a-zA-Z_] */
- if (!(isalpha(*p) || *p == '_'))
+ /* [a-zA-Z] */
+ if (!isalpha(*p))
return false;
p++;
@@ -913,8 +913,7 @@ int main(int argc, char *argv[])
exit(1);
}
- /* resolve __ENV__ for name_hint and path */
- info->name_hint = try_resolve_env(info->name_hint);
+ /* resolve __ENV__ for the key path */
info->path = try_resolve_env(info->path);
if (asprintf(&info->name_c, "key_%i", keys_idx + 1) < 0)
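Review bot: with name_hint no longer passed through try_resolve_env(), a leftover `fit-hint=__ENV__myhint` is now rejected only indirectly, because is_identifier() refuses the leading underscore and parse_keyspec() reports a generic 'invalid keyspec'; a dedicated check for a hint starting with `__ENV__` with a message pointing at the migration note would make the deprecation discoverable rather than looking like a syntax error.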
--
2.53.0.308.g50d063e335
* Re: [PATCH v4 0/8] Allow multiple keyspecs in one environment variable
From: Sascha Hauer @ 2026-03-18 7:34 UTC (permalink / raw)
To: BAREBOX, Jonas Rebmann; +Cc: Ahmad Fatoum, Marco Felsch
On Tue, 17 Mar 2026 16:19:44 +0100, Jonas Rebmann wrote:
> This contains the actual change to keytoc as well as a migration note.
>
> Allowing any number of public keys to be provided via a single
> environment variable eases integration in more complex setups where
> multiple public keys per keyring are managed externally.
>
> During testing, it was found that handling of fit-hint env variables was
> broken since 2025.12. Since this is a legacy feature this series
> includes a patch that fixes the bug in the handling of fit-hint env
> variables as well as a patch that removes the feature.
>
> [...]
Applied, thanks!
[1/8] scripts: include: Add string_util.h for strsep_unescaped
https://git.pengutronix.de/cgit/barebox/commit/?id=7f971d0c543b (link may not be stable)
[2/8] crypto: keytoc: Improve readability
https://git.pengutronix.de/cgit/barebox/commit/?id=6c863153dcc6 (link may not be stable)
[3/8] crypto: keytoc: Move special handling of legacy pkcs11 format to parse_keyspec
https://git.pengutronix.de/cgit/barebox/commit/?id=4dbe43c9c0e5 (link may not be stable)
[4/8] crypto: keytoc: Parse all keyspecs before writing to stdout
https://git.pengutronix.de/cgit/barebox/commit/?id=f63827c7478c (link may not be stable)
[5/8] crypto: keytoc: Split env-provided full keyspec on spaces
https://git.pengutronix.de/cgit/barebox/commit/?id=bcf316ce1495 (link may not be stable)
[6/8] Documentation: migration-guides: Document change in keyspec env vars
https://git.pengutronix.de/cgit/barebox/commit/?id=594abefb8251 (link may not be stable)
[7/8] crypto: keytoc: Allow fields to start with underscore
https://git.pengutronix.de/cgit/barebox/commit/?id=e6e36288c9f2 (link may not be stable)
[8/8] crypto: keytoc: Deprecate fit-hint from env variable
https://git.pengutronix.de/cgit/barebox/commit/?id=5207773f43a6 (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>