[U-Boot] RSA in U-Boot

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Apr 27 06:33:22 UTC 2019


On 4/27/19 7:31 AM, Paolo Bonzini wrote:
>
>>>> I've done porting linux's pkcs7/x509 parsers and they work well
>>>> with my UEFI secure boot patch, but I'm still looking for other options
>>>> as well.
>>>>
>>>> * openssl
>>>>    Most of existing components linked to UEFI secure boot, including
>>>>    EDK2, shim and grub, rely on this library. Why not for U-Boot?
>>>>    The size of U-Boot UEFI code in U-Boot is already quite big, and
>>>>    so the size of openssl won't be a big issue.
>>>> * mbedTLS
>>>>    which is maintained by ARM and used with Zephyr, I guess it should
>>>>    have small footprint. But it currently lacks pkcs7 parser.
>>>>
>>>> Any thoughts?
>>>
>>>
>>> Paolo, Laszlo, Ard, if you could write a new secure boot implementation
>>> today, which of the options above would you pick and why so? :)
>>
>> Difficult question. Ideally you'd want a library where three aspects met:
>>
>> - widely used (so that there is a diverse community that's interested in
>> vulnerabilities, and fixing them too)
>>
>> - easy to cross-compile for your free-standing environment (optimally
>> the upstream project would support being cross-compiled and packaged
>> stand-alone, for that free-standing environment)
>>
>> - cares about API stability
>>
>> OpenSSL is very widely used...
>> ...and that's where we can stop in the list :)
>
> It's also license-incompatible with U-Boot's GPLv2 I think.  I guess
> grub can use it because GPLv3 and Apache v2 can be combined just fine.
> Reusing Linux's code seems like the best match.
>
> Paolo
>

You could have a look at GnuTLS available at
https://gitlab.com/gnutls/gnutls/ .

PKCS7 is supported, cf.
https://www.gnutls.org/manual/html_node/PKCS-7-API.html

There seem to be four main contributors to GnuTLS adding two patches a day:
https://github.com/gnutls/gnutls/graphs/contributors?from=2018-04-28&to=2019-04-27&type=a

Best regards

Heinrich