Hi,
On 2025-10-22 12:02, Ahmad Fatoum wrote:
On 10/14/25 1:03 PM, Jonas Rebmann wrote:
All users of the CONFIG_CRYPTO_PUBLIC_KEYS feature should update to the
new syntax making keyring selection mandatory.
Instead of just making the addition of the builtin snakeoil keys
explicit for the "fit" key, also add them to the "tlv" key to use them
as a testing set for TLV keys too.
Signed-off-by: Jonas Rebmann <[email protected]>
---
crypto/Makefile | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 08b9a46e4c..076ba4f686 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -33,10 +33,12 @@ CONFIG_CRYPTO_PUBLIC_KEYS := $(foreach
d,$(CONFIG_CRYPTO_PUBLIC_KEYS),"$(d)")
ifdef CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS
ifdef CONFIG_CRYPTO_RSA
-CONFIG_CRYPTO_PUBLIC_KEYS +=
rsa-devel:$(srctree)/crypto/fit-4096-development.crt
+CONFIG_CRYPTO_PUBLIC_KEYS +=
keyring=fit,fit-hint=rsa-devel:$(srctree)/crypto/fit-4096-development.crt
+CONFIG_CRYPTO_PUBLIC_KEYS +=
keyring=tlv:$(srctree)/crypto/fit-4096-development.crt
endif
ifdef CONFIG_CRYPTO_ECDSA
-CONFIG_CRYPTO_PUBLIC_KEYS +=
ecdsa-devel:$(srctree)/crypto/fit-ecdsa-development.crt
+CONFIG_CRYPTO_PUBLIC_KEYS +=
keyring=fit,fit-hint=ecdsa-devel:$(srctree)/crypto/fit-ecdsa-development.crt
+CONFIG_CRYPTO_PUBLIC_KEYS +=
keyring=tlv:$(srctree)/crypto/fit-ecdsa-development.crt
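
Review bot: the two `keyring=tlv:` additions (in the CONFIG_CRYPTO_RSA and CONFIG_CRYPTO_ECDSA branches) put the same development certificates that the `keyring=fit,...` lines use into a second keyring, and nothing in the Makefile says that these are test keys. With CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS set, the snakeoil keys end up in both the fit and the tlv keyring, so a comment above the ifdef naming the keyrings it populates and marking the keys as testing-only would make that visible to anyone auditing a build configuration. The tlv entries also carry no hint while the fit entries keep `fit-hint=rsa-devel` and `fit-hint=ecdsa-devel`; if that is intentional the commit message could say why, and the `fit-` prefix in the certificate file names no longer matches how they are used.
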
> We don't want people to overload tlv and instead use their own keyring
> names. This is already too late for fit, but for this, let's call it
> tlv-example?

This would mean in the previous patch for `struct tlv_decoder
barebox_tlv_v1_signed` to also set the keyring to "tlv-example". My
understanding of the decoders in common/tlv/barebox.c is that they are
more than an example, rather an offer that for somewhat generic use,
somewhat generic decoders are provided. Hence the very generic keyring
name "tlv".

I need to use the barebox_tlv_v1_signed in the tests and I want to make
use of CONFIG_CRYPTO_PUBLIC_KEYS for that. I'm not sure if I understand
the role of CONFIG_CRYPTO_PUBLIC_KEYS and the decoders in
common/tlv/barebox.c correctly though.

Maybe we rename this keyring to "tlv-generic"?

If it helps, I could update the commit message to discourage use of a
catchall keyring in more sophisticated setups.

Regards,
Jonas
--
Pengutronix e.K. | Jonas Rebmann |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |