On Sat, 27 Apr 2019 at 12:03, Heinrich Schuchardt <xypron.g...@gmx.de> wrote:
> On 4/27/19 7:31 AM, Paolo Bonzini wrote:
> >
> >>>> I've done porting linux's pkcs7/x509 parsers and they work well
> >>>> with my UEFI secure boot patch, but I'm still looking for other options
> >>>> as well.
> >>>>
> >>>> * openssl
> >>>> Most of existing components linked to UEFI secure boot, including
> >>>> EDK2, shim and grub, rely on this library. Why not for U-Boot?
> >>>> The size of U-Boot UEFI code in U-Boot is already quite big, and
> >>>> so the size of openssl won't be a big issue.
> >>>> * mbedTLS
> >>>> which is maintained by ARM and used with Zephyr, I guess it should
> >>>> have small footprint. But it currently lacks pkcs7 parser.
> >>>>
> >>>> Any thoughts?
> >>>
> >>>
> >>> Paolo, Laszlo, Ard, if you could write a new secure boot implementation
> >>> today, which of the options above would you pick and why so? :)
> >>
> >> Difficult question. Ideally you'd want a library where three aspects met:
> >>
> >> - widely used (so that there is a diverse community that's interested in
> >> vulnerabilities, and fixing them too)
> >>
> >> - easy to cross-compile for your free-standing environment (optimally
> >> the upstream project would support being cross-compiled and packaged
> >> stand-alone, for that free-standing environment)
> >>
> >> - cares about API stability
> >>
> >> OpenSSL is very widely used...
> >> ...and that's where we can stop in the list :)
> >
> > It's also license-incompatible with U-Boot's GPLv2 I think. I guess
> > grub can use it because GPLv3 and Apache v2 can be combined just fine.
> > Reusing Linux's code seems like the best match.
> >
> > Paolo
> >
>
> You could have a look at GnuTLS available at
> https://gitlab.com/gnutls/gnutls/ .
>
> PKCS7 is supported, cf.
> https://www.gnutls.org/manual/html_node/PKCS-7-API.html
>
> There seem to be four main contributors to GnuTLS adding two patches a day:
>
> https://github.com/gnutls/gnutls/graphs/contributors?from=2018-04-28&to=2019-04-27&type=a

There is LibreSSL as well which is a fork of openssl. Guess that too
should be fine.

What would be the more preferred solution here? The relevant bits can be
imported from the kernel code into u-boot, or there can be a solution
with linking of ssl/tls library with u-boot. Which would be the more
preferred solution? It'd be great if the maintainers can comment on this.
Thanks.

-sughosh