From: Paolo Bonzini <pbonzini@redhat.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] RSA in U-Boot
Date: Sat, 27 Apr 2019 01:31:37 -0400 (EDT)
Message-ID: <422971965.15677087.1556343097301.JavaMail.zimbra@redhat.com>
In-Reply-To: <747471f3-4490-bfe7-7369-68846f2b4ea3@redhat.com>


> >> I've done porting linux's pkcs7/x509 parsers and they work well
> >> with my UEFI secure boot patch, but I'm still looking for other options
> >> as well.
> >>
> >> * openssl
> >>   Most of existing components linked to UEFI secure boot, including
> >>   EDK2, shim and grub, rely on this library. Why not for U-Boot?
> >>   The size of U-Boot UEFI code in U-Boot is already quite big, and
> >>   so the size of openssl won't be a big issue.
> >> * mbedTLS
> >>   which is maintained by ARM and used with Zephyr, I guess it should
> >>   have small footprint. But it currently lacks pkcs7 parser.
> >>
> >> Any thoughts?
> > 
> > 
> > Paolo, Laszlo, Ard, if you could write a new secure boot implementation
> > today, which of the options above would you pick and why so? :)
> 
> Difficult question. Ideally you'd want a library where three aspects met:
> 
> - widely used (so that there is a diverse community that's interested in
> vulnerabilities, and fixing them too)
> 
> - easy to cross-compile for your free-standing environment (optimally
> the upstream project would support being cross-compiled and packaged
> stand-alone, for that free-standing environment)
> 
> - cares about API stability
> 
> OpenSSL is very widely used...
> ...and that's where we can stop in the list :)

It's also license-incompatible with U-Boot's GPLv2 I think.  I guess
grub can use it because GPLv3 and Apache v2 can be combined just fine.
Reusing Linux's code seems like the best match.

Paolo
