From: Sergey Matyukevich <geomatsi@gmail.com>
To: Lars Wikman <lars@underjord.io>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/wpa_supplicant: add OpenSSL engine option
Date: Mon, 2 Sep 2024 20:47:17 +0300 [thread overview]
Message-ID: <ZtX6JflghSYtxST2@curiosity> (raw)
In-Reply-To: <20240902074527.2908996-1-lars@underjord.io>
Hello Lars,
On Mon, Sep 02, 2024 at 09:45:27AM +0200, Lars Wikman wrote:
> CONFIG_SMARTCARD was unconditionally disabled which has meant that
> even if OpenSSL is compiled with engine support and the supplicant
> is configured to use an engine it would warn that it was compiled
> without engine support.
>
> This mechanism is used to enable the more secure forms of 802.1x
> networking authentication such as EAP-TLS with hardware-delegated
> cryptography and private keys protected in hardware.
>
> It is still disabled by default in case there was an original reason.
>
> Enabling the option will allow delegating private key access to TPM2,
> ARM TrustZone and other specialized secure hardware for establishing
> a network connection.
>
> Signed-off-by: Lars Wikman <lars@underjord.io>
> ---
> package/wpa_supplicant/Config.in | 6 ++++++
> package/wpa_supplicant/wpa_supplicant.mk | 7 +++++--
> 2 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/package/wpa_supplicant/Config.in b/package/wpa_supplicant/Config.in
> index 92953f69f0..5ed5828bb1 100644
> --- a/package/wpa_supplicant/Config.in
> +++ b/package/wpa_supplicant/Config.in
> @@ -175,4 +175,10 @@ config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION
> help
> Add introspection support for the DBus control interface.
>
> +config BR2_PACKAGE_WPA_SUPPLICANT_OPENSSL_ENGINE
> + bool "OpenSSL engine support"
> + help
> + Enable the smart card support which enables OpenSSL engines
> + using PKCS11 and 802.1x
> +
> endif
IIUC this option is used to enable smartcard support in wpa_supplicant,
not to select TLS engine. So suggested name looks a bit confusing in
this context. Maybe just 'BR2_PACKAGE_WPA_SUPPLICANT_SMART_CARD' or
something like that ?
Buildroot allows to use two TLS engines in wpa_supplicant: OpenSSL and
internal experimental TLSv1 implementation. Does smartcard support in
wpa_supplicant requires OpenSSL ? If so, then it should be explicitly
selected, e.g. see WPA3 or MESH_NETWORKING options in Config.in.
Regards,
Sergey
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2024-09-02 17:47 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-02 7:45 [Buildroot] [PATCH 1/1] package/wpa_supplicant: add OpenSSL engine option Lars Wikman
2024-09-02 17:47 ` Sergey Matyukevich [this message]
2024-09-02 18:25 ` Lars Wikman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZtX6JflghSYtxST2@curiosity \
--to=geomatsi@gmail.com \
--cc=buildroot@buildroot.org \
--cc=lars@underjord.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.