Re: [PATCH] crypto: clarify relationship of CONFIG_{BOOTM_FITIMAGE_PUBKEY,RSA_KEY}

Thu, 27 Jul 2023 22:39:33 -0700 

On Thu, Jul 27, 2023 at 11:47:48AM +0200, Ahmad Fatoum wrote:
> CONFIG_RSA_KEY and CONFIG_BOOTM_FITIMAGE_PUBKEY can both point at the
> RSA public key, but with different formats. CONFIG_RSA_KEY is probably
> easier to integrate, so reference it from CONFIG_BOOTM_FITIMAGE_PUBKEY
> and be explicit about the different formatting.
> ---
>  common/Kconfig | 11 ++++++++---
>  crypto/Kconfig |  3 +++
>  2 files changed, 11 insertions(+), 3 deletions(-)

Applied, thanks

Sascha

> 
> diff --git a/common/Kconfig b/common/Kconfig
> index 3a57e16b3be6..0c7ba6a63685 100644
> --- a/common/Kconfig
> +++ b/common/Kconfig
> @@ -644,9 +644,10 @@ config BOOTM_FITIMAGE_PUBKEY_ENV
>       bool "Specify path to public key in environment"
>       depends on BOOTM_FITIMAGE_SIGNATURE
>       help
> -       If this option is enabled the path to the public key for verifying
> -       FIT images signature is taken from environment which allows for
> -       better integration with build systems.
> +       If this option is enabled the path to the device tree snippet
> +       containing the public key for verifying FIT images signature is taken
> +       from make's build-time environment, which can allow for better
> +       integration with some build systems.
>  
>         The environment variable has the same name as the corresponding
>         Kconfig variable:
> @@ -664,6 +665,10 @@ config BOOTM_FITIMAGE_PUBKEY
>         snippet can then be included in a device tree with
>         "#include CONFIG_BOOTM_FITIMAGE_PUBKEY".
>  
> +       This snippet is usually generated by decompiling a device tree 
> produced
> +       by mkimage. An alternative is CONFIG_CRYPTO_RSA_KEY, which takes a PEM
> +       file or a PKCS#11 URI.
> +
>  endif
>  
>  config BOOTM_FORCE_SIGNED_IMAGES
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 629f615de1af..04e5ef43705b 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -130,6 +130,9 @@ config CRYPTO_RSA_KEY
>         X.509 certificates to be included into barebox. If the string starts
>         with "pkcs11:" it is interpreted as a PKCS#11 URI rather than a file.
>  
> +       This avoids the mkimage dependency of CONFIG_BOOTM_FITIMAGE_PUBKEY
> +       at the cost of an openssl build-time dependency.
> +
>  config CRYPTO_RSA_KEY_NAME_HINT
>       depends on CRYPTO_RSA
>       string "FIT image key name hint"
> -- 
> 2.39.2
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

Reply via email to