Hi, On 10/22/25 1:17 PM, Jonas Rebmann wrote: > Hi, > > On 2025-10-22 12:02, Ahmad Fatoum wrote: >> >> >> On 10/14/25 1:03 PM, Jonas Rebmann wrote: >>> All users of the CONFIG_CRYPTO_PUBLIC_KEYS feature should update to the >>> new syntax making keyring selection mandatory. >>> >>> Instead of just making the addition of the builtin snakeoil keys >>> explicit for the "fit" key, also add them to the "tlv" key to use them >>> as a testing set for TLV keys too. >>> >>> Signed-off-by: Jonas Rebmann <[email protected]> >>> --- >>> crypto/Makefile | 6 ++++-- >>> 1 file changed, 4 insertions(+), 2 deletions(-) >>> >>> diff --git a/crypto/Makefile b/crypto/Makefile >>> index 08b9a46e4c..076ba4f686 100644 >>> --- a/crypto/Makefile >>> +++ b/crypto/Makefile 
>>> @@ -33,10 +33,12 @@ CONFIG_CRYPTO_PUBLIC_KEYS := $(foreach d, >>> $(CONFIG_CRYPTO_PUBLIC_KEYS),"$(d)") >>> ifdef CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS >>> ifdef CONFIG_CRYPTO_RSA >>> -CONFIG_CRYPTO_PUBLIC_KEYS += rsa-devel:$(srctree)/crypto/fit-4096- >>> development.crt >>> +CONFIG_CRYPTO_PUBLIC_KEYS += keyring=fit,fit-hint=rsa-devel: >>> $(srctree)/crypto/fit-4096-development.crt >>> +CONFIG_CRYPTO_PUBLIC_KEYS += keyring=tlv:$(srctree)/crypto/fit-4096- >>> development.crt >>> endif >>> ifdef CONFIG_CRYPTO_ECDSA >>> -CONFIG_CRYPTO_PUBLIC_KEYS += ecdsa-devel:$(srctree)/crypto/fit- >>> ecdsa-development.crt >>> +CONFIG_CRYPTO_PUBLIC_KEYS += keyring=fit,fit-hint=ecdsa-devel: >>> $(srctree)/crypto/fit-ecdsa-development.crt >>> +CONFIG_CRYPTO_PUBLIC_KEYS += keyring=tlv:$(srctree)/crypto/fit- >>> ecdsa-development.crt >> >> We don't want people to overload tlv and instead use their own keyring >> names. This is already too late for fit, but for this, let's call it >> tlv-example? > > This would mean in the previous patch for `struct tlv_decoder > barebox_tlv_v1_signed` to also set the keyring to "tlv-example". My > understanding of the decoders in common/tlv/barebox.c is that they are > more than an example, rather an offer that for somewhat generic use, > somewhat generic decoders are provided. Hence the very generic keyring > name "tlv". > > I need to use the barebox_tlv_v1_signed in the tests and I want to make > use of CONFIG_CRYPTO_PUBLIC_KEYS for that. I'm not sure if I understand > the role of CONFIG_CRYPTO_PUBLIC_KEYS and the decoders in > common/tlv/barebox.c correctly though. > > Maybe we rename this keyring to "tlv-generic"?
Ok.

> If it helps, I could update the commit message to discourage use of a
> catchall keyring in more sophisticated setups.

You can do that, but it probably should be in the docs or in the Kconfig
help text to have a chance of being read.

Cheers,
Ahmad

>
> Regards,
> Jonas
>

--
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |
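Review bot: The two added `keyring=tlv:` lines (one inside the CONFIG_CRYPTO_RSA block, one inside the CONFIG_CRYPTO_ECDSA block) register the development certificates under a generic keyring name, so with CONFIG_CRYPTO_BUILTIN_DEVELOPMENT_KEYS set, anything that verifies against "tlv" accepts signatures that validate against the builtin snakeoil keys the commit message mentions. Consider a dedicated keyring name for this test set, along the lines discussed in this thread, for example `CONFIG_CRYPTO_PUBLIC_KEYS += keyring=tlv-generic:$(srctree)/crypto/fit-4096-development.crt`, and a short comment above these lines saying the certificates are for testing only. The hunk also leaves the new `keyring=...,fit-hint=...:path` syntax undocumented at the point of use, and the tlv entries carry no hint while the fit entries do; a one-line comment or a pointer to the Kconfig help text would help users who have to migrate their own CONFIG_CRYPTO_PUBLIC_KEYS entries.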
