mail archive of the barebox mailing list
From: Marc Kleine-Budde <mkl@pengutronix.de>
To: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>,
	barebox@lists.infradead.org
Subject: Re: [RFC] Keystore design
Date: Mon, 13 Apr 2015 11:48:26 +0200
Message-ID: <552B90EA.40801@pengutronix.de>
In-Reply-To: <20150318095930.GT26127@ns203013.ovh.net>



On 03/18/2015 10:59 AM, Jean-Christophe PLAGNIOL-VILLARD wrote:
> 	I'm currently looking at the implementation for the PKI keystore
> 
> 	I was thinking to simply do a FS
> 
> 	The idea is this one
> 
> 	we will use envfs as storing format.
> 
> 	Constraint:
> 
> 	 - Multiple RO env
> 	 - one RW env
> 	 - as little API as possible to add a key
> 
> 	1) Builtin
> 
> 	 We will allow to have multiple keystores for boards
> 	 we need to be able to drop a keystore if not valid for this board
> 	 we need to be able to have global keystore
> 
> 	2) SoC Keystore
> 	 - RO
> 
> 	3) RW
> 
> 	 a key will be stored in the keystore only if valid (signed by a master
> 	 key or CA)
> 
> 	We will use the fs api
> 
> 	to put a key a simple cp will be enough

Jan and I were discussing your approach to implement a keystore with the
filesystem API. For us it was hard to imagine the benefits of accessing
the keystore by fs API, but our usecases are rather minimal compared to
"full" x509 PKI support.

We don't see the advantage of having a FS. Does it make a huge
difference to add a cert by "cp /path/to/cert /barebox/pki" or by
"keystore --add /path/to/cert"? This can be done via a simple linked
list, too. With x509 you can have nested certs, do you want to map this
to directories?

We see the following usecases:

- add certificate and mark that cert as trusted (i.e. add a new CA)
- add certificate (only succeeds if store trusts that cert)
- lockdown store, so that only trusted certs can be added
- add cert/public key from DT (DT compiled into barebox)
- add cert/public key compiled into barebox (e.g. via section magic)
- add cert/public key from file and/or directory
- you probably want x509
- possibility to go without x509
- add/get/use cert/public key by name
- validate file, mem region against a public key in store

Our big picture use case is:
- validate fit image against RSA public key in DT

We think a keystore can be implemented by a linked list of certs/public
keys, some iterator functions to find key by name, for x509 probably CN,
etc...

regards,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |
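
The linked-list keystore described in the message above, as an added example that is not part of the original e-mail and is not barebox code: it shows trusted add, add-only-if-trusted, lockdown and lookup by name. All names are hypothetical, the signature check is modelled as a caller-supplied callback with a constructed stand-in verifier, and a key added through ks_add() may not vouch for further keys (no nested certs).

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical sketch, not barebox API; the signature check is a caller-supplied callback. */
struct ks_key {
	const char *name;    /* lookup name, e.g. the x509 CN */
	const char *issuer;  /* name of the key said to have signed this one */
	const char *sig;     /* constructed stand-in for real signature bytes */
	bool trusted;        /* set by the store: may vouch for other keys */
	struct ks_key *next;
};
typedef bool (*ks_verify_fn)(const struct ks_key *signer, const struct ks_key *key);
struct keystore {
	struct ks_key *head;
	bool locked;         /* after lockdown no new trust anchors are accepted */
	ks_verify_fn verify;
};
/* Demo verifier: the stand-in "signature" is valid if it names the signer. */
bool ks_demo_verify(const struct ks_key *signer, const struct ks_key *key)
{
	return key->sig && !strcmp(key->sig, signer->name);
}
/* Iterate the list to find a key by name. */
struct ks_key *ks_find(const struct keystore *ks, const char *name)
{
	for (struct ks_key *k = ks->head; name && k; k = k->next)
		if (!strcmp(k->name, name))
			return k;
	return NULL;
}
static int ks_link(struct keystore *ks, struct ks_key *key, bool trusted)
{
	if (!key->name || ks_find(ks, key->name))
		return -1;       /* never shadow an existing name */
	key->trusted = trusted;
	key->next = ks->head;
	ks->head = key;
	return 0;
}
/* Add a trust anchor (a new CA); refused once the store is locked down. */
int ks_add_trusted(struct keystore *ks, struct ks_key *key)
{
	return ks->locked ? -1 : ks_link(ks, key, true);
}
/* Add a key only if a trusted key already in the store vouches for it. */
int ks_add(struct keystore *ks, struct ks_key *key)
{
	struct ks_key *signer = ks_find(ks, key->issuer);
	bool ok = signer && signer->trusted && ks->verify && ks->verify(signer, key);
	return ok ? ks_link(ks, key, false) : -1;
}
void ks_lockdown(struct keystore *ks) { ks->locked = true; }
```

A store with no verify callback set rejects every ks_add(), so a missing verifier fails closed.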


