From: Sergey Matyukevich <geomatsi@gmail.com>
To: Lars Wikman <lars@underjord.io>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/wpa_supplicant: add OpenSSL engine option
Date: Mon, 2 Sep 2024 20:47:17 +0300 [thread overview]
Message-ID: <ZtX6JflghSYtxST2@curiosity> (raw)
In-Reply-To: <20240902074527.2908996-1-lars@underjord.io>
Hello Lars,
On Mon, Sep 02, 2024 at 09:45:27AM +0200, Lars Wikman wrote:
> CONFIG_SMARTCARD was unconditionally disabled which has meant that
> even if OpenSSL is compiled with engine support and the supplicant
> is configured to use an engine it would warn that it was compiled
> without engine support.
>
> This mechanism is used to enable the more secure forms of 802.1x
> networking authentication such as EAP-TLS with hardware-delegated
> cryptography and private keys protected in hardware.
>
> It is still disabled by default in case there was an original reason.
>
> Enabling the option will allow delegating private key access to TPM2,
> ARM TrustZone and other specialized secure hardware for establishing
> a network connection.
>
> Signed-off-by: Lars Wikman <lars@underjord.io>
> ---
> package/wpa_supplicant/Config.in | 6 ++++++
> package/wpa_supplicant/wpa_supplicant.mk | 7 +++++--
> 2 files changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/package/wpa_supplicant/Config.in b/package/wpa_supplicant/Config.in
> index 92953f69f0..5ed5828bb1 100644
> --- a/package/wpa_supplicant/Config.in
> +++ b/package/wpa_supplicant/Config.in
> @@ -175,4 +175,10 @@ config BR2_PACKAGE_WPA_SUPPLICANT_DBUS_INTROSPECTION
> help
> Add introspection support for the DBus control interface.
>
> +config BR2_PACKAGE_WPA_SUPPLICANT_OPENSSL_ENGINE
> + bool "OpenSSL engine support"
> + help
> + Enable the smart card support which enables OpenSSL engines
> + using PKCS11 and 802.1x
> +
> endif
IIUC this option is used to enable smartcard support in wpa_supplicant,
not to select TLS engine. So suggested name looks a bit confusing in
this context. Maybe just 'BR2_PACKAGE_WPA_SUPPLICANT_SMART_CARD' or
something like that ?
Buildroot allows to use two TLS engines in wpa_supplicant: OpenSSL and
internal experimental TLSv1 implementation. Does smartcard support in
wpa_supplicant requires OpenSSL ? If so, then it should be explicitly
selected, e.g. see WPA3 or MESH_NETWORKING options in Config.in.
Regards,
Sergey
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2024-09-02 17:47 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-02 7:45 [Buildroot] [PATCH 1/1] package/wpa_supplicant: add OpenSSL engine option Lars Wikman
2024-09-02 17:47 ` Sergey Matyukevich [this message]
2024-09-02 18:25 ` Lars Wikman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZtX6JflghSYtxST2@curiosity \
--to=geomatsi@gmail.com \
--cc=buildroot@buildroot.org \
--cc=lars@underjord.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox