From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paolo Bonzini Date: Sat, 27 Apr 2019 01:31:37 -0400 (EDT) Subject: [U-Boot] RSA in U-Boot In-Reply-To: <747471f3-4490-bfe7-7369-68846f2b4ea3@redhat.com> References: <20190318021712.GC9937@linaro.org> <20190425021223.GH7158@linaro.org> <99c1f624-be7f-b6ab-10be-420129670dbf@csgraf.de> <747471f3-4490-bfe7-7369-68846f2b4ea3@redhat.com> Message-ID: <422971965.15677087.1556343097301.JavaMail.zimbra@redhat.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de > >> I've done porting linux's pkcs7/x509 parsers and they work well > >> with my UEFI secure boot patch, but I'm still looking for other options > >> as well. > >> > >> * openssl > >> Most of existing components linked to UEFI secure boot, including > >> EDK2, shim and grub, reply on this library. Why not for U-Boot? > >> The size of U-Boot UEFI code in U-Boot is already quite big, and > >> so the size of openssl won't be a big issue. > >> * mbedTLS > >> which is maintained by ARM and used with Zephyr, I guess it should > >> have small footprint. But it currently lacks pkcs7 parser. > >> > >> Any thoughts? > > > > > > Paolo, Laszlo, Ard, if you could write a new secure boot implementation > > today, which of the options above would you pick and why so? :) > > Difficult question. Ideally you'd want a library where three aspects met: > > - widely used (so that there is a diverse community that's interested in > vulnerabilities, and fixing them too) > > - easy to cross-compile for your free-standing environment (optimally > the upstream project would support being cross-compiled and packaged > stand-alone, for that free-standing environment) > > - cares about API stability > > OpenSSL is very widely used... > ...and that's where we can stop in the list :) It's also license-incompatible with U-Boot's GPLv2 I think. I guess grub can use it because GPLv3 and Apache v2 can be combined just fine. Reusing Linux's code seems like the best match. Paolo