Re: [RFC] Keystore design - Marc Kleine-Budde

From: Marc Kleine-Budde <mkl@pengutronix.de>
To: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>,
	barebox@lists.infradead.org
Subject: Re: [RFC] Keystore design
Date: Mon, 13 Apr 2015 11:48:26 +0200	[thread overview]
Message-ID: <552B90EA.40801@pengutronix.de> (raw)
In-Reply-To: <20150318095930.GT26127@ns203013.ovh.net>

[-- Attachment #1.1: Type: text/plain, Size: 2411 bytes --]

On 03/18/2015 10:59 AM, Jean-Christophe PLAGNIOL-VILLARD wrote:
> 	I'm curently looking the implementation for the PKI keystore
> 
> 	I was thinking to simply do a FS
> 
> 	The idea is this one
> 
> 	we will use envfs as storing format.
> 
> 	Contraint:
> 
> 	 - Multiple RO env
> 	 - one RW env
> 	 - as less as possible API to add a key
> 
> 	1) Builtin
> 
> 	 We will allow to have multiple keystore for boards
> 	 we need to be hanble to drop a keystore if not valid for this board
> 	 we need to be able to have global keystore
> 
> 	2) SoC Keytore
> 	 - RO
> 
> 	3) RW
> 
> 	 a key will be store in the keystore on if valid (signed by a master
> 	 key or CA)
> 
> 	We will use the fs api
> 
> 	to put a key a simple cp will be enough

Jan and me were discussing you approach to implement a keystore with the
filesystem API. For us it was hard to imagine the benefits of accessing
the keystore by fs API, but our usecases are rather minimal compared to
"full" x509 PKI support.

We don't see the advantage of having a FS, does it makes a huge
difference to add a cert by "cp /path/to/cert /barebox/pki" or by
"keystore --add /path/to/cert". This can be done via a simple lined
list, too. With x509 you can have nested certs, do you want to map this
to directories?

We see the following usecases:

- add certificate and mark that cert as trusted (i.e. add a new CA)
- add certificate (only succeeds of store trusts that cert)
- lockdown store, so that only trusted certs can be added
- add cert/public key from DT (DT compiled into barebox)
- add cert/public key compiled into barebox (e.g. via section magic)
- add cert/public key from file and/or directory
- you probably want x509
- possibility to go without x509
- add/get/use cert/public key by name
- validate file, mem region against a public key in store

Our big picture use case is:
- validate fit image against RSA public key in DT

We think a keystore can be implemented by a linked list of certs/public
keys, some iterator functions to find key by name, for x509 probably CN,
etc...

regards,
Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |

[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

[-- Attachment #2: Type: text/plain, Size: 149 bytes --]

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox