From: Sascha Hauer <s.hauer@pengutronix.de>
To: BAREBOX <barebox@lists.infradead.org>
Subject: [PATCH 0/4] public keys: rework keyrings as nested containers
Date: Wed, 27 May 2026 12:54:40 +0200
Message-ID: <20260527-public-keys-v1-0-c87a1cc61d1b@pengutronix.de>
So far a public key had a char *keyring, meaning that a key could only be
part of a single keyring. This series overcomes this: with it, keys can
be contained in multiple keyrings and keyrings can be part of other
keyrings. To get there a new struct keyring_link is introduced, which
is instantiated per link and links a key/keyring to a keyring. The
keys command is updated to reflect that, so an example output could
be:
RING: fit
KEY: 9160ff3ab26e1842d1fbfaca48befce2664f57245048856e779531bb260cbc20 TYPE: ECDSA HINT:
RING: snakeoil
RING: fit-devel
RING: tlv-generic
RING: snakeoil
RING: snakeoil
KEY: 4f48c67c9a28be596931de5b137f8207f15a505d1b7a742731014dbcd4c799d9 TYPE: ECDSA HINT: ecdsa-devel
KEY: 7fbcb3b2ddfab044ef874550c7cbd1b357afeed55fb6f48be9c22b2cbef72856 TYPE: RSA HINT: rsa-devel
RING: fit-devel
KEY: 7fbcb3b2ddfab044ef874550c7cbd1b357afeed55fb6f48be9c22b2cbef72856 TYPE: RSA HINT:
RING: tlv-feature
KEY: 54b7b9c040cd81dd1e495832b8a2724a8f48e75f90fcd982631695669a805dd0 TYPE: RSA HINT:
RING: tlv-base
KEY: 2f908960b1d74b3a8d0076376870020f8d6504ebb7a1c68c1c383ac8140690e5 TYPE: RSA HINT:
The FIT image authentication code still uses the "fit" keyring as
before, but now we can link new keys to the keyring at runtime as
needed. Furthermore, a key can be used for multiple purposes without
duplicating it.
As a nice side effect the keys themselves become read-only and the
compiled-in keys can be moved to the RO data segment.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
Sascha Hauer (4):
public keys: make error message more informative
public keys: make key_name_hint optional
public keys: rework keyrings as nested containers
public keys: allow keys to be members of multiple keyrings
commands/keys.c | 21 +++-
common/image-fit.c | 15 ++-
common/tlv/parser.c | 13 ++-
crypto/Makefile | 6 +-
crypto/public-keys.c | 221 ++++++++++++++++++++++++++++++++++----
crypto/rsa.c | 3 +-
include/asm-generic/barebox.lds.h | 11 ++
include/crypto/public_key.h | 87 ++++++++++++---
scripts/keytoc.c | 79 +++++++++-----
9 files changed, 381 insertions(+), 75 deletions(-)
---
base-commit: 19ce0bdebf4856cfe6d0610a6e4d8d917d658ec3
change-id: 20260522-public-keys-ba609c65c114
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>
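A self-contained model of the design the cover letter describes (one link object per membership, keys shared by several rings, rings nested in rings), added here as an illustration. This is not barebox's code: the struct layouts, the function names keyring_link, keyring_find_key and keyring_reaches, the MAX_LINKS/MAX_DEPTH limits and the short sample key ids are all assumptions of the example. It adds two checks a practitioner would want in such a container that the letter does not discuss: a link that would close a cycle between rings is refused, and lookups are bounded by a nesting depth so a corrupted graph cannot make verification loop forever.

```c
/* Added example, not barebox code: keyrings modelled as nested containers in
 * which every membership is its own link object, so one immutable key can sit
 * in several rings and a ring can be linked into another ring. All names,
 * limits and sample key ids below are assumptions of this example. */
#include <string.h>

#define MAX_LINKS 8
#define MAX_DEPTH 16	/* hard bound on nesting while walking rings */

/* A key holds no ring pointer, so it can stay const, i.e. in read-only data. */
struct public_key {
	const char *id;		/* constructed placeholder ids, not real hashes */
	const char *type;
	const char *hint;	/* optional, may be NULL */
};

/* One link per membership; exactly one of key or ring is set. */
struct keyring;
struct keyring_link {
	const struct public_key *key;
	struct keyring *ring;
};

struct keyring {
	const char *name;
	int nlinks;
	struct keyring_link links[MAX_LINKS];
};

/* 1 if target is ring itself or reachable from it through nested rings. */
static int keyring_reaches(const struct keyring *ring,
			   const struct keyring *target, int depth)
{
	int i;
	if (ring == target)
		return 1;
	if (depth >= MAX_DEPTH)
		return 0;
	for (i = 0; i < ring->nlinks; i++)
		if (ring->links[i].ring &&
		    keyring_reaches(ring->links[i].ring, target, depth + 1))
			return 1;
	return 0;
}

/* Attach exactly one of key or child to ring through a new link. A child is
 * refused if it would close a cycle, since a cyclic graph has no finite walk. */
static int keyring_link(struct keyring *ring, const struct public_key *key,
			struct keyring *child)
{
	struct keyring_link *l;
	if ((!key) == (!child) || ring->nlinks >= MAX_LINKS ||
	    (child && keyring_reaches(child, ring, 0)))
		return -1;
	l = &ring->links[ring->nlinks++];
	l->key = key;
	l->ring = child;
	return 0;
}

/* Depth-first lookup by id through the ring and every ring linked below it. */
static const struct public_key *keyring_find_key(const struct keyring *ring,
						 const char *id, int depth)
{
	const struct public_key *k;
	int i;
	if (depth >= MAX_DEPTH)
		return NULL;
	for (i = 0; i < ring->nlinks; i++) {
		const struct keyring_link *l = &ring->links[i];
		if (l->key && strcmp(l->key->id, id) == 0)
			return l->key;
		if (l->ring && (k = keyring_find_key(l->ring, id, depth + 1)))
			return k;
	}
	return NULL;
}

/* Constructed sample keys and rings (ids are short placeholders). */
static const struct public_key key_fit = { "9160ff3a", "ECDSA", NULL };
static const struct public_key key_ecdsa_devel = { "4f48c67c", "ECDSA", "ecdsa-devel" };
static const struct public_key key_rsa_devel = { "7fbcb3b2", "RSA", "rsa-devel" };
static struct keyring ring_fit = { .name = "fit" };
static struct keyring ring_snakeoil = { .name = "snakeoil" };
static struct keyring ring_fit_devel = { .name = "fit-devel" };

/* Build fit -> { key_fit, snakeoil, fit-devel }; returns the number of failed links. */
static int demo_setup(void)
{
	int fails = 0;
	ring_fit.nlinks = ring_snakeoil.nlinks = ring_fit_devel.nlinks = 0;
	fails += keyring_link(&ring_snakeoil, &key_ecdsa_devel, NULL) != 0;
	fails += keyring_link(&ring_snakeoil, &key_rsa_devel, NULL) != 0;
	fails += keyring_link(&ring_fit_devel, &key_rsa_devel, NULL) != 0; /* same key, second ring */
	fails += keyring_link(&ring_fit, &key_fit, NULL) != 0;
	fails += keyring_link(&ring_fit, NULL, &ring_snakeoil) != 0;
	fails += keyring_link(&ring_fit, NULL, &ring_fit_devel) != 0;
	return fails;
}
```

After demo_setup(), keyring_find_key(&ring_fit, "7fbcb3b2", 0) returns the single key_rsa_devel object even though the lookup only reaches it through the nested snakeoil ring, and the same object is returned when starting from ring_fit_devel, which is what "used for multiple purposes without duplicating it" amounts to. Linking ring_fit back into ring_snakeoil is rejected because the cycle check walks the child first.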
Thread overview: 6+ messages
2026-05-27 10:54 Sascha Hauer [this message]
2026-05-27 10:54 ` [PATCH 1/4] public keys: make error message more informative Sascha Hauer
2026-05-27 10:54 ` [PATCH 2/4] public keys: make key_name_hint optional Sascha Hauer
2026-05-27 10:54 ` [PATCH 3/4] public keys: rework keyrings as nested containers Sascha Hauer
2026-05-27 10:54 ` [PATCH 4/4] public keys: allow keys to be members of multiple keyrings Sascha Hauer
2026-05-29 11:43 ` [PATCH 0/4] public keys: rework keyrings as nested containers Sascha Hauer